Mirai Variant "Gayfemboy" Infecting 15K+ Devices Daily – Mitigation Ideas?
Hey HN,
I’m a pentester and recently came across a new Mirai-based botnet called Gayfemboy (yes, the name sounds like a meme, but the threat is real). It’s currently infecting over 15,000 devices daily, mostly targeting routers and network gear from Cisco, TP-Link, DrayTek, and Raisecom.
What it does:
- Launches DDoS attacks (UDP, TCP, ICMP)
- Mines Monero using XMRig
- Acts as a proxy for malicious traffic
- Installs backdoors and evades analysis (e.g., UPX header tampering, nanosecond delays)

Vulnerabilities exploited (at this moment):
- CVE-2025-20281 (Cisco ISE)
- CVE-2023-1389 (TP-Link AX21)
- CVE-2020-8515 (DrayTek)
- CVE-2024-7120 (Raisecom MSG)

Mitigation ideas I’m testing:
- Scanning client networks for vulnerable firmware
- Blocking known malicious domains and IPs at the firewall level
- Writing scripts to detect outbound traffic to those IOCs
- Recommending disabling remote admin access on routers

I’d love to hear what others are doing to detect or contain this botnet. Has anyone seen it in enterprise environments? Any creative or effective mitigation strategies you’d recommend?
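One way to implement the "scripts to detect outbound traffic to those IOCs" item, as an added example that is not part of the original post or of any published tooling: a Python checker that matches firewall connection logs and resolver query logs against an indicator list and reports which internal devices tried to reach an indicator. The indicator values and log lines below are constructed (RFC 5737 / RFC 2606 documentation addresses and names, not real Gayfemboy indicators), the `ts source key=value ...` log format is an assumption to be adapted to the real export, and in practice the indicator sets would be loaded from a vetted feed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed indicator list. These are RFC 5737 / RFC 2606 documentation values,
# NOT real Gayfemboy IOCs; load a vetted feed in place of them.
IOC_IPS: Set[str] = {"192.0.2.10", "198.51.100.7"}
IOC_CIDRS = [ipaddress.ip_network("203.0.113.0/28")]
IOC_DOMAINS: Set[str] = {"c2.example.invalid", "pool.example.invalid"}

# Constructed log lines in a generic key=value format (assumption: the firewall
# and resolver export something similar; adjust KV_RE to the real format).
SAMPLE_LOGS = """\
2025-08-01T10:00:01Z fw action=allow proto=tcp src=10.0.0.1 dst=192.0.2.10 dport=443
2025-08-01T10:00:02Z fw action=allow proto=udp src=10.0.0.5 dst=10.0.0.53 dport=53
2025-08-01T10:00:03Z fw action=allow proto=tcp src=10.0.0.1 dst=203.0.113.9 dport=8080
2025-08-01T10:00:04Z dns client=10.0.0.1 query=beacon.c2.example.invalid type=A
2025-08-01T10:00:05Z dns client=10.0.0.7 query=www.example.com type=A
2025-08-01T10:00:06Z fw action=deny proto=tcp src=10.0.0.9 dst=198.51.100.7 dport=1234
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    host: str        # internal device that made the connection or lookup
    indicator: str   # indicator that matched
    reason: str      # "ip", "cidr" or "domain"


def parse_line(line: str) -> dict:
    """Split 'ts source k=v k=v ...' into a dict; returns {} on malformed input."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return {}
    fields = dict(KV_RE.findall(parts[2]))
    fields["ts"], fields["source"] = parts[0], parts[1]
    return fields


def match_ip(addr: str) -> Optional[Tuple[str, str]]:
    """Return (indicator, reason) if addr is a listed IP or inside a listed CIDR."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if addr in IOC_IPS:
        return addr, "ip"
    for net in IOC_CIDRS:
        if ip in net:
            return str(net), "cidr"
    return None


def match_domain(name: str) -> Optional[Tuple[str, str]]:
    """Exact or subdomain match (beacon.c2.example.invalid matches c2.example.invalid)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate, "domain"
    return None


def scan_logs(lines: Iterable[str]) -> List[Hit]:
    """Walk firewall and DNS lines and collect every indicator match."""
    hits: List[Hit] = []
    for line in lines:
        f = parse_line(line)
        if not f:
            continue
        if f["source"] == "fw" and "dst" in f:
            m = match_ip(f["dst"])
            if m:
                # A denied connection still counts: the device tried to reach the
                # indicator, so it is a candidate for firmware check or reimage.
                hits.append(Hit(f["ts"], f.get("src", "?"), m[0], m[1]))
        elif f["source"] == "dns" and "query" in f:
            m = match_domain(f["query"])
            if m:
                hits.append(Hit(f["ts"], f.get("client", "?"), m[0], m[1]))
    return hits


def suspected_hosts(hits: Iterable[Hit]) -> Set[str]:
    """Distinct internal devices that touched an indicator."""
    return {h.host for h in hits}


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS.splitlines())
    for h in found:
        print(f"{h.timestamp} {h.host} -> {h.indicator} ({h.reason})")
    print("hosts to investigate:", sorted(suspected_hosts(found)))
```

The DNS check matters alongside the IP check because a firewall block list only sees the resolved address; the resolver log catches the lookup even when the indicator's IP has moved. Blocked (`action=deny`) connections are reported too, since the point is to find the device that is already infected, not only the traffic that got out.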
This is such a joke... anyway what does this "malware" do?
Haha yeah, the name’s ridiculous — but the malware’s real.
It’s a Mirai variant that infects routers (Cisco, TP-Link, etc.), does DDoS, mines crypto, proxies traffic, and drops backdoors. Spreads via known and zero-day vulns.
It's an IoT DDoS/proxy botnet.
I don't know why it's trying to mine crypto on a weak ARM router; no way that gets far.