| Gayfemboy | |
|---|---|
| Type | Botnet |
| Family | Mirai |
| Cyberattack event | |
| Date | February 2024 (first discovered)—Present |
| Technical details | |
| Platform | Linux [1] |
Gayfemboy is a malware strain that infects corporate network devices, including those made by DrayTek, TP-Link, Raisecom, and Cisco, by exploiting publicly known vulnerabilities (CVEs). It has affected companies in Brazil, France, Germany, Israel, Mexico, the United States, Switzerland, and Vietnam, and is impacting sectors such as construction, manufacturing, technology, and media/communications. [2]
The malware was first discovered in February 2024 by security researchers at Fortinet, after a large number of attacks in January in which the infected machines were used as a botnet to launch a wave of DDoS attacks against target websites. [3] Known samples were obfuscated with the UPX packer, but the "UPX!" magic in the header was replaced by the non-printable byte sequence "10 F0 00 00", which makes detection harder. Upon execution, the malware inspects the path of each process through "/proc/[PID]/exe" to learn which processes are active and where their executables reside in the file system. It loads 47 command strings into memory and compares them against every entry in "/proc/[PID]/cmdline"; if an entry matches, it terminates the corresponding process. These commands include "ls -l", "reboot", and "wget", among others. The Monitor module is employed for self-preservation and sandbox detection: if it finds that the malware process has been terminated, it restarts it. The malware also requests a delay of 50 nanoseconds; a sandbox that cannot handle such a finely tuned delay causes the invoked function to fail, the malware "misinterprets" that outcome, and it enters a 27-hour dormant state. [4]
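As an added defender-side example, not code from the article or from Fortinet, the following Python scanner flags an ELF file that carries either the stock UPX magic or the altered four-byte sequence the article reports for Gayfemboy samples, and falls back to a byte-entropy heuristic for packed files that carry no marker at all. The entropy threshold and the sample byte blobs are constructed assumptions.

```python
import math

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"  # marker left in place by a stock UPX build
# Byte sequence the article reports in place of "UPX!" in Gayfemboy samples.
ALTERED_UPX_MAGIC = b"\x10\xF0\x00\x00"
ENTROPY_THRESHOLD = 7.2  # assumed heuristic; packed code approaches 8 bits/byte

def find_all(data: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in data."""
    out, pos = [], data.find(needle)
    while pos != -1:
        out.append(pos)
        pos = data.find(needle, pos + 1)
    return out

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def scan_elf(data: bytes) -> dict:
    """Look for stock and altered UPX markers, then apply the entropy heuristic."""
    if not data.startswith(ELF_MAGIC):
        return {"verdict": "not-elf"}
    upx = find_all(data, UPX_MAGIC)
    altered = find_all(data, ALTERED_UPX_MAGIC)
    entropy = shannon_entropy(data)
    if altered:
        verdict = "suspicious: altered UPX magic"
    elif upx:
        verdict = "packed: standard UPX"
    elif entropy > ENTROPY_THRESHOLD:
        verdict = "suspicious: high entropy, no packer marker"
    else:
        verdict = "clean"
    return {"verdict": verdict, "upx_offsets": upx,
            "altered_offsets": altered, "entropy": round(entropy, 2)}

# Constructed samples (not real malware bytes): an ELF magic, a zeroed header
# region, a packer marker, then uniform filler standing in for packed data.
FILLER = bytes(range(256)) * 4
SAMPLE_STANDARD = ELF_MAGIC + b"\x00" * 64 + UPX_MAGIC + FILLER
SAMPLE_ALTERED = ELF_MAGIC + b"\x00" * 64 + ALTERED_UPX_MAGIC + FILLER
print(scan_elf(SAMPLE_ALTERED)["verdict"])
```

On a real sample the altered marker is a weak indicator on its own, so the offsets are returned alongside the verdict for an analyst to confirm against the surrounding UPX header layout.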
Its infections and targeting mirror those of the Mirai malware strain, and it targets various system architectures, including ARM, AArch64, MIPS R3000, PowerPC, and Intel 80386. Gayfemboy tracks threads and processes and incorporates persistence and sandbox-evasion techniques; it binds to UDP port 47272, launches DDoS attacks over the UDP, TCP, and ICMP protocols, and provides backdoor access by connecting to a remote server to receive commands. It also terminates itself if it receives a command to do so from the server or detects sandbox manipulation. The attack primarily consists of scanning for unauthenticated Redis servers listening on port 6379, followed by execution of the legitimate CONFIG, SET, and SAVE commands to install a malicious cron job that runs a shell script. This script disables SELinux, implements defense-evasion measures, blocks external access to the Redis port so that rival actors cannot use the same initial access route, and terminates competing mining processes (such as Kinsing). [5]
The Gayfemboy botnet, first detected in February 2024, has used sophisticated strategies such as exploiting zero-day vulnerabilities to infiltrate devices. By November 2024 the botnet had broadened its scope, focusing on industrial routers and smart home devices and boasting more than 15,000 active nodes. [6] The individuals operating Gayfemboy have also launched DDoS attacks against researchers monitoring their operations. The malware incorporates unique file naming and obfuscation methods to evade detection, and features four primary modules designed for various malicious purposes. [7]
In July 2025, FortiGuard Labs discovered a Gayfemboy payload that exploited various vulnerabilities in devices. The attacks were traced back to the IP addresses 87.121.84.34 and 220.158.234.135. Researchers identified downloader scripts aimed at several device families targeted by the bot, including Asus, Vivo, Zyxel, and Realtek products. The malicious code retrieved malware and Monero miners, with product names passed as parameters to Gayfemboy for execution. [8]
By August 2025, Fortinet had implemented multi-layered protection against the Gayfemboy campaign through its FortiGuard services: web filtering actively blocks the identified C2 domains, while IPS signatures provide protection against all of the exploited vulnerabilities. These domains include cross-compiling.org, i-kiss-boys.com, furry-femboys.top, twinkfinder.nl, and 3gipcam.com. [9]