# SC-116: IoT Botnet Command & Control

**Operation SWARM PROTOCOL**

- Actor type: Financially motivated -- DDoS-for-hire operator
- Dwell time: 198 days from first infection to public takedown
- Primary impact: 287,341 IoT devices across 94 countries recruited into a Mirai-family variant. Delivered 41 paid DDoS attacks with peak bandwidth of 2.3 Tbps. Collateral damage included a regional ISP brownout affecting 412,000 residential customers.
- Detection source: Joint operation -- academic honeypot network + ISP flow telemetry + international LEA
- Status: Takedown successful -- 3 C2 tiers sinkholed, operator indicted
## Executive Summary
SWARM PROTOCOL is a derivative of the Mirai family, reflecting evolutionary improvements seen across post-2016 IoT botnets. The malware exploits default or weak credentials on internet-exposed Telnet, SSH, and vendor-specific TR-069 / ONVIF / RTSP services. No memory corruption. No zero-days. Just the ongoing failure of the IoT industry to ship secure defaults.
Once infected, devices join a tiered C2 infrastructure:
- Tier 1 (bots) -- infected IoT devices.
- Tier 2 (middle tier) -- compromised VPS nodes, rotated weekly.
- Tier 3 (operator) -- hidden service, accessed via multi-hop.
The operator sold DDoS capacity on closed forums at rates of $25/hour to $400/day. Between 2025-10-02 and 2026-04-01, 41 attacks were delivered against targets including gaming services, small e-commerce sites, and two journalist publications in authoritarian jurisdictions.
**Why this scenario matters**

Mirai was 2016. Ten years later, default credentials remain the single most exploited IoT entry vector. The problem is not technical complexity -- it is economic (manufacturers externalize security cost) and architectural (no device identity lifecycle). Defense lives at the ISP, enterprise network edge, and device regulation layer.
## Environment
| Asset | Value |
|---|---|
| Victim ISP (collateral) | regional-isp.example.net |
| Victim campus | campus-edu.example.com |
| Infected device classes | IP cameras, SOHO routers, DVRs, HVAC controllers |
| Typical infected device IP range | 203.0.113.0/24 (residential CPE, RFC 5737) |
| Enterprise-exposed IoT example | cam-lobby-03.campus-edu.example.com (10.34.50.77) |
| Default creds attempted | testuser/REDACTED across 146 vendor-default tuples |
| Tier 2 VPS providers abused | 12 providers via stolen cards |
| Synthetic Tier 2 node | t2-node-07.example (198.51.100.77) |
| Operator hidden service | synthetic onion address (redacted) |
## ATT&CK Mapping
| Tactic | Technique | ID | Evidence |
|---|---|---|---|
| Initial Access | Valid Accounts: Default Accounts | T1078.001 | Mass credential spraying against Telnet/SSH |
| Resource Development | Acquire Infrastructure: Virtual Private Server | T1583.003 | Tier 2 C2 on rented VPS |
| Resource Development | Acquire Infrastructure: Botnet | T1583.005 | IoT devices as attack infrastructure |
| Impact | Network Denial of Service | T1498 | DDoS against paying-customer targets |
| Impact | Network Denial of Service: Direct Network Flood | T1498.001 | UDP/TCP flood attacks |
| Impact | Network Denial of Service: Reflection Amplification | T1498.002 | DNS, NTP, Memcached reflection |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | HTTPS-based task polling |
| Command and Control | Proxy: Multi-hop Proxy | T1090.003 | Tier 1 -> Tier 2 -> Tier 3 |
| Persistence | Boot or Logon Autostart Execution | T1547 | rc.local injection on infected devices |
## Timeline

### Phase 1 -- Seeding (2025-09-15 to 2025-09-30)
- 2025-09-15 -- Operator compiles SWARM PROTOCOL variant. Targets 146 vendor-default credential tuples (admin/admin, root/vizxv, etc.).
- 2025-09-17 -- Initial seed infection from 3 VPS scanners (198.51.100.77, 198.51.100.82, 198.51.100.91) against random /16 slices of the IPv4 internet.
- 2025-09-20 -- First 12,000 devices recruited. Scan rate per bot: 120 IPs/second on ports 23, 2323 and 22.
- 2025-09-30 -- Bot count crosses 48,000. Tier 2 infrastructure upgraded.
### Phase 2 -- Exponential Growth (2025-10-01 to 2025-12-10)

**How botnets grow**

Every infected device becomes a scanner. At 120 scans/second per bot and a ~0.4% vulnerability rate on randomly sampled IPs, recruitment approximately doubles weekly until the population of internet-exposed weak-credential devices is saturated.
| Date | Bot count | Countries | Peak attack Gbps |
|---|---|---|---|
| 2025-10-15 | 84,000 | 61 | 340 |
| 2025-11-01 | 147,000 | 78 | 710 |
| 2025-11-22 | 201,000 | 88 | 1,120 |
| 2025-12-10 | 260,000 | 92 | 1,840 |
### Phase 3 -- Monetization (2025-10-02 to 2026-04-01)
41 paid attacks were delivered during this window. Representative examples:
| Attack ID | Date | Target class | Duration | Peak | Fee paid |
|---|---|---|---|---|---|
| SP-007 | 2025-11-04 | Gaming server | 47 min | 620 Gbps | $150 |
| SP-018 | 2025-12-22 | E-commerce | 3 hrs | 1.1 Tbps | $400 |
| SP-024 | 2026-01-19 | Journalism site | 9 hrs | 880 Gbps | $1,200 |
| SP-035 | 2026-02-28 | Gaming server | 18 min | 2.3 Tbps | $100 |
### Phase 4 -- Collateral ISP Brownout (2026-01-19)
- 2026-01-19 14:02 UTC -- SP-024 attack directed at target in regional-isp.example.net customer space.
- 2026-01-19 14:07 UTC -- Upstream transit link saturates at 880 Gbps. ISP emergency routing fails to scrub in time.
- 2026-01-19 14:12 UTC -- 412,000 residential customers experience packet loss exceeding 40%.
- 2026-01-19 17:24 UTC -- Full service restored after BGP blackhole coordination with Tier 1 providers.
### Phase 5 -- Takedown (2026-04-01)
- 2026-03-15 -- Academic honeypot network at research.university.example correlates infection pattern with specific C2 domain rotation.
- 2026-03-22 -- International LEA joint operation obtains Tier 2 VPS seizure warrants across 4 jurisdictions.
- 2026-04-01 06:00 UTC -- Simultaneous seizure of 17 Tier 2 nodes, Tier 3 operator identified via VPS payment trail.
- 2026-04-01 09:00 UTC -- Sinkhole activated for remaining bots. Operator arrested.
## Detection Queries
### KQL -- Outbound scanning from enterprise IoT VLAN

```kusto
NetworkFlow
| where TimeGenerated > ago(24h)
| where SrcSubnet in ("10.34.50.0/24", "10.34.51.0/24") // IoT VLANs
| where DstPort in (23, 2323, 22, 7547, 5555, 37215, 8080)
| summarize ScanTargets = dcount(DstIp),
            FlowCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by SrcIp, DstPort
| where ScanTargets > 50
| order by ScanTargets desc
```
### KQL -- IoT device contacting known botnet C2 domain patterns

```kusto
DnsQueryLog
| where TimeGenerated > ago(7d)
| where ClientSubnet startswith "10.34.50"
| extend DomainLength = strlen(QueryName)
// countof() defaults to a plain-string match; the "regex" kind is required for a character class
| extend DigitRatio = todouble(countof(QueryName, @"[0-9]", "regex")) / DomainLength
| where DigitRatio > 0.4 or DomainLength > 30
| summarize UniqueClients = dcount(ClientIp),
            Queries = count(),
            Domains = make_set(QueryName, 10)
    by bin(TimeGenerated, 1h)
| where UniqueClients > 5 or Queries > 100
| order by TimeGenerated desc
```
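The two KQL detections above (IoT VLAN scanning, and DGA-like DNS lookups) re-implemented in Python as an added example, not code from the SC-116 write-up, so the thresholds can be exercised offline. It assumes flow and DNS records as dicts carrying the KQL column names, uses a `ClientIp` prefix match in place of the `ClientSubnet` column, and every sample record is constructed (RFC 5737 addresses, made-up domain labels).

```python
"""Added example, not from the SC-116 write-up: Python versions of the two KQL
detections above (IoT VLAN scanning, and DGA-like DNS lookups) run over
constructed records. Assumptions: flow/DNS dicts carry the KQL column names,
and a ClientIp prefix stands in for the ClientSubnet column."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

IOT_VLANS = [ip_network("10.34.50.0/24"), ip_network("10.34.51.0/24")]
IOT_EXPLOIT_PORTS = {23, 2323, 22, 7547, 5555, 37215, 8080}


def in_iot_vlan(ip):
    addr = ip_address(ip)
    return any(addr in net for net in IOT_VLANS)


def scan_suspects(flows, threshold=50):
    """Distinct destinations per (SrcIp, DstPort) on IoT exploit ports;
    returns (src, port, distinct_targets) rows above the threshold, busiest first."""
    targets = defaultdict(set)
    for f in flows:
        if in_iot_vlan(f["SrcIp"]) and f["DstPort"] in IOT_EXPLOIT_PORTS:
            targets[(f["SrcIp"], f["DstPort"])].add(f["DstIp"])
    rows = [(src, port, len(d)) for (src, port), d in targets.items() if len(d) > threshold]
    return sorted(rows, key=lambda r: -r[2])


def domain_score(name):
    """Length and digit ratio: the two cheap DGA heuristics the KQL uses."""
    length = len(name)
    digits = sum(c.isdigit() for c in name)
    return length, (digits / length if length else 0.0)


def dga_suspects(records, client_prefix="10.34.50.", min_ratio=0.4,
                 min_length=30, min_clients=5, min_queries=100):
    """Hourly roll-up of suspicious lookups from the camera VLAN; an hour is
    reported when either the client count or the query count is exceeded."""
    hourly = defaultdict(lambda: {"clients": set(), "queries": 0, "domains": set()})
    for r in records:
        if not r["ClientIp"].startswith(client_prefix):
            continue
        length, ratio = domain_score(r["QueryName"])
        if ratio > min_ratio or length > min_length:
            h = hourly[r["TimeGenerated"].replace(minute=0, second=0, microsecond=0)]
            h["clients"].add(r["ClientIp"])
            h["queries"] += 1
            h["domains"].add(r["QueryName"])
    out = []
    for hour, h in sorted(hourly.items(), reverse=True):
        if len(h["clients"]) > min_clients or h["queries"] > min_queries:
            out.append({"hour": hour, "unique_clients": len(h["clients"]),
                        "queries": h["queries"], "domains": sorted(h["domains"])})
    return out


# --- constructed sample data (RFC 5737 ranges; nothing here is a real IoC) ---
SAMPLE_FLOWS = (
    # cam-lobby-03 sweeping 60 hosts on Telnet: classic post-infection scanning
    [{"SrcIp": "10.34.50.77", "DstIp": f"192.0.2.{i}", "DstPort": 23} for i in range(1, 61)]
    # a healthy device reaching two SSH hosts and one HTTPS host: below threshold
    + [{"SrcIp": "10.34.50.12", "DstIp": f"10.34.10.{i}", "DstPort": 22} for i in (5, 6)]
    + [{"SrcIp": "10.34.50.12", "DstIp": "10.34.10.9", "DstPort": 443}]
)
_T0 = datetime(2026, 1, 19, 14, 0)
SAMPLE_DNS = (
    # six cameras resolving the same long, random-looking label within one hour
    [{"ClientIp": f"10.34.50.{10 + i}", "QueryName": "x7h4q9p2z8w3k5.update.iotcdn.example",
      "TimeGenerated": _T0 + timedelta(minutes=i)} for i in range(6)]
    # one camera resolving a digit-heavy label twice
    + [{"ClientIp": "10.34.50.77", "QueryName": "1029384756.example",
        "TimeGenerated": _T0 + timedelta(minutes=m)} for m in (3, 40)]
    # a benign NTP lookup, and a lone hit in the next hour: neither is reported
    + [{"ClientIp": "10.34.50.12", "QueryName": "time.campus-edu.example.com",
        "TimeGenerated": _T0 + timedelta(minutes=7)},
       {"ClientIp": "10.34.50.99", "QueryName": "x7h4q9p2z8w3k5.update.iotcdn.example",
        "TimeGenerated": _T0 + timedelta(hours=1, minutes=2)}]
)

if __name__ == "__main__":
    for row in scan_suspects(SAMPLE_FLOWS):
        print("scanner:", row)
    for hit in dga_suspects(SAMPLE_DNS):
        print("dga hour:", hit)
```

The `dga_suspects` thresholds are deliberately the same as the query's (`> 5` clients or `> 100` queries per hour); the lone lookup in the 15:00 bin shows why the roll-up matters, since a single odd name from one device is noise while the same name from six cameras in one hour is the herd behaviour a botnet produces.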
### SPL -- Massive short-lived outbound UDP flood indicator

```spl
index=netflow
| bin _time span=1m
| stats sum(bytes_out) as bytes_per_min
        dc(dest_ip) as unique_dests
        values(dest_port) as dest_ports
    by src_ip _time
| where bytes_per_min > 100000000 AND unique_dests > 1000
| eval gbps = round(bytes_per_min * 8 / 60 / 1000000000, 2)
| lookup asset_inventory src_ip OUTPUT device_class owner
| where device_class IN ("camera", "dvr", "router", "iot")
| table _time src_ip device_class owner gbps unique_dests dest_ports
| sort - gbps
```
### SPL -- Default credential success on Telnet/SSH

```spl
index=network sourcetype="stream:tcp" dest_port IN (23, 2323, 22)
    direction=inbound
| transaction src_ip dest_ip dest_port maxspan=30s
| where eventcount > 1 AND duration < 10
| eval login_success = if(match(_raw, "(?i)(login successful|welcome|#\\s|\\$\\s)"), 1, 0)
| where login_success == 1
| stats count by src_ip dest_ip dest_port
| where count > 3
| lookup threat_intel src_ip OUTPUT threat_category
| table src_ip dest_ip dest_port count threat_category
```
## Indicators of Compromise

**IOC inventory**

All IOCs below are synthetic per Nexus SecOps safety rules.

### Network IOCs
| Indicator | Value | Notes |
|---|---|---|
| Tier 2 C2 IPs | 198.51.100.77, .82, .91, .120, .134, .156 | Rented VPS, rotated weekly |
| Tier 2 C2 domains | s1.swarm.example, update.iotcdn.example | Synthetic |
| Scanned destination ports | 23, 2323, 22, 7547, 5555, 37215 | Telnet, alt-Telnet, SSH, TR-069, ADB, Huawei HG532 |
| DNS TTL anomaly | 60 seconds on C2 domains | Fast-flux indicator |
### Host IOCs

```text
# Filesystem
/tmp/.swarm
/var/run/.swarm.pid
/etc/rc.local (appended line)

# Process
Process name: [kworker/0:1] (kernel thread impersonation)
Parent: init (PID 1)

# Synthetic binary hash (SHA-256)
a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e
```
### Credential IOCs
Common default credential tuples abused (sample):
| Vendor / product class | Username | Password |
|---|---|---|
| Generic admin interface | admin | admin |
| Generic root | root | root |
| Test account pattern | testuser | REDACTED |
| DVR vendor default | root | (vendor-specific -- synthetic) |
| Router vendor default | admin | (vendor-specific -- synthetic) |
### Behavioral IOCs
- Outbound scanning to port 23/2323/22 from device classes that should never initiate outbound.
- DNS requests to algorithmically generated domain names from IoT subnets.
- CPU usage near 100% on IP cameras that are otherwise idle.
- Device reboot clears infection (non-persistent variant) -- reinfection typically within 10 minutes.
## Containment and Eradication

### At the enterprise
- Network segmentation. IoT devices on isolated VLAN, egress-filtered, unable to initiate outbound to arbitrary destinations.
- Device inventory. Enumerate every internet-exposed or semi-exposed device. Change default credentials. Disable Telnet.
- Firmware patching. Prioritize devices with public vendor patches for known exploits (TR-069, ONVIF).
- Reboot cadence. For non-persistent variants, scheduled reboot can disrupt infection.
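The segmentation and inventory controls above reduce to one rule: an IoT device may initiate only the flows its class needs, and a device that is not in the inventory has no policy at all. The following is an added Python example, not code from the SC-116 write-up, of a default-deny egress allowlist checker that can be run over exported flow records (the measurement the PT-204 egress hunt performs). The policy, the inventory, the internal destination hosts and the flow records are all constructed for the example.

```python
"""Added example, not part of the SC-116 write-up: a default-deny egress
allowlist checker for an IoT VLAN, the control the containment list above
calls for and the thing a PT-204 style egress hunt measures. Policy,
inventory and flow records are constructed; destinations are placeholders."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Per device class, the only (destination prefix, port) pairs it may initiate.
# Everything else is denied, including general Internet access. Constructed values.
EGRESS_POLICY = {
    "camera": [("10.34.10.5/32", 554),      # NVR (RTSP)
               ("10.34.10.20/32", 123)],    # campus NTP
    "hvac":   [("10.34.10.30/32", 47808)],  # BACnet head-end
}

# Asset inventory: without it there is no device class to apply a policy to.
INVENTORY = {"10.34.50.77": "camera", "10.34.50.12": "camera", "10.34.51.4": "hvac"}


def allowed(device_class, dst_ip, dst_port):
    """True only if some allowlist entry for the class covers this destination and port."""
    addr = ip_address(dst_ip)
    return any(addr in ip_network(net) and port == dst_port
               for net, port in EGRESS_POLICY.get(device_class, []))


def egress_violations(flows, inventory=INVENTORY):
    """(src, dst, port, reason) for every flow the allowlist would have blocked.
    Unknown sources are violations too: an uncounted device has no policy."""
    out = []
    for f in flows:
        cls = inventory.get(f["src"])
        if cls is None:
            out.append((f["src"], f["dst"], f["port"], "source not in inventory"))
        elif not allowed(cls, f["dst"], f["port"]):
            out.append((f["src"], f["dst"], f["port"], f"{cls}: destination not allowlisted"))
    return out


def phone_home_report(flows, inventory=INVENTORY):
    """Devices that reached something outside their allowlist, with a count each."""
    return dict(Counter(v[0] for v in egress_violations(flows, inventory)))


# Constructed flow sample: RFC 5737 addresses stand in for Internet hosts.
SAMPLE_FLOWS = [
    {"src": "10.34.50.77", "dst": "10.34.10.5", "port": 554},     # camera -> NVR, allowed
    {"src": "10.34.50.77", "dst": "198.51.100.77", "port": 443},  # camera -> Tier 2 node, denied
    {"src": "10.34.50.77", "dst": "192.0.2.9", "port": 23},       # camera scanning Telnet, denied
    {"src": "10.34.50.12", "dst": "10.34.10.20", "port": 123},    # camera -> NTP, allowed
    {"src": "10.34.51.4", "dst": "10.34.10.30", "port": 47808},   # hvac -> head-end, allowed
    {"src": "10.34.50.200", "dst": "192.0.2.53", "port": 53},     # not inventoried, denied
]

if __name__ == "__main__":
    for v in egress_violations(SAMPLE_FLOWS):
        print("DENY", v)
    print(phone_home_report(SAMPLE_FLOWS))
```

Running the checker in report mode against flow telemetry before the firewall rules are switched to default-deny is the safe order of operations: the violation list shows which legitimate dependencies (an NTP server, a vendor update host) the allowlist is still missing, and the report of uninventoried sources is the gap the "no asset inventory existed" lesson below points at.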
### At the ISP
- BCP 38 enforcement. Source-address validation at CPE to prevent spoofed reflection.
- Customer notification. DHCP-level captive-portal steering for infected customers.
- Port 23 outbound blocking as a default policy for residential subscribers, with opt-out.
### At the device level (regulation/industry)
- Unique per-device default credentials (UK PSTI, EU RED, US Cyber Trust Mark).
- Mandatory secure-by-default disabling of Telnet.
- Automatic security updates.
## Lessons Learned

**What failed**
- IoT device market continues to ship weak defaults despite a decade of incidents.
- Enterprise IoT was deployed on flat networks with unrestricted egress.
- No asset inventory existed for the IoT class.
- ISP flow telemetry detected the traffic but had no automated customer notification pipeline.
**What worked**
- Academic honeypot network provided long-term visibility into botnet C2 rotation.
- International LEA coordination enabled simultaneous takedown.
- BGP blackhole community tagging worked during the ISP brownout.
## Recommendations
- Egress default-deny for IoT. Segment, allowlist, inspect.
- IoT asset inventory is a baseline control. You cannot defend what you have not counted.
- DDoS runbook with ISP coordination pre-established. Do not build the relationship during the incident.
- Advocate for regulatory minimums. Participate in industry coalitions promoting secure-by-default.
- Assume defaults. During procurement, budget for credential rotation and Telnet disabling as standard onboarding steps.
## Cross-References
- Ch34 -- Mobile and IoT Security
- Ch21 -- OT/ICS/SCADA Security
- Ch48 -- Exploit Development Concepts
- Ch31 -- Network Security Architecture -- segmentation patterns
- SC-096 -- Industrial PLC Attack
- SC-101 -- Firmware Supply Chain
- SC-106 -- ICS Water Treatment
## Purple Team Exercise Hook
Recommended linked exercise: PT-204 "IoT Egress Hunt" -- blue team has 4 hours to enumerate every outbound-capable IoT device and verify egress policy. Red team operates a honeypot C2 and measures which devices successfully phone home.
Scenario classification: Educational -- synthetic botnet. All names, IPs, device classes, and credentials are synthetic per Nexus SecOps safety rules.