Meris // Mikrotik-based Botnets

  • size: 10.000 - 200.00

The Meris botnet first emerged in mid-2021 as a highly potent Distributed Denial of Service (DDoS) threat. It is considered a successor to the infamous Mirai botnet, which gained notoriety for hijacking Internet of Things (IoT) devices to launch large-scale DDoS attacks. Meris, however, is more sophisticated and capable of launching record-breaking attacks with extreme bandwidth by exploiting compromised devices, primarily MikroTik routers.

Meris can generate massive volumes of HTTP requests, overwhelming targets with floods of traffic. In contrast to Mirai, which mainly utilized IoT devices, Meris targets higher-powered network equipment, allowing it to unleash more devastating attacks. Over the last few years, Meris has been credited with several record-breaking attacks against providers like Cloudflare or OVH.

What we know so far:

The Meris botnet is a powerful and notorious distributed denial-of-service (DDoS) botnet that emerged in mid-2021 and quickly gained attention for its record-breaking attack capabilities. Named "Mēris," which means "plague" in Latvian, it leverages a vast network of compromised devices, primarily MikroTik routers, to launch massive volumetric DDoS attacks, focusing on application-layer (Layer 7) assaults measured in requests per second (RPS) rather than bandwidth (Gbps). It has been responsible for some of the largest DDoS attacks ever recorded, including a 21.8 million RPS attack against Yandex in September 2021 and a 17.2 million RPS attack mitigated by Cloudflare earlier that summer.

What I Know About the Meris Botnet:

  • Scale and Composition: Meris is estimated to control around 250,000 infected devices, mostly MikroTik routers exploited via a patched vulnerability (CVE-2018-14847) from 2018. This vulnerability allowed attackers to gain remote access to unpatched or misconfigured routers, even after the fix, if passwords weren’t changed or firewalls weren’t updated. Unlike IoT-based botnets like Mirai, Meris uses professional-grade networking equipment, giving it significant processing power and high-speed connectivity.
  • Attack Method: It employs HTTP pipelining, a technique that sends multiple requests over a single connection without waiting for responses, amplifying its RPS capacity. This makes it particularly effective at overwhelming server resources (CPU and memory) rather than just clogging bandwidth. Estimates suggest its maximum capacity could reach 110 million RPS, meaning past attacks may have only scratched the surface of its potential.
  • Targets: Meris has hit a wide range of victims, including financial institutions, ISPs, e-commerce platforms, and media outlets like KrebsOnSecurity. Notable attacks include those against Yandex (Russia), Google (suspected in 2022 at 46 million RPS), and various companies in the US, New Zealand, and beyond. It’s particularly known for targeting the banking, financial services, and insurance (BFSI) sector.
  • Evolution: Researchers have noted that Meris might be linked to earlier botnets like U6, which targeted MikroTik devices for cryptomining, suggesting a possible shift in purpose or ownership. Some attacks in 2022 also embedded ransomware-style notes (e.g., from "REvil"), though it’s unclear if this was genuine or a copycat tactic.
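
How pipelining raises request volume is easiest to see from the server side: one TCP segment carries many requests and none of them waits for a response. The parser below is an added example, not code from zeroBS or from any Meris sample. It splits a raw HTTP/1.1 byte stream into individual requests and reports how many arrived back to back, which is the signal a Layer 7 mitigation layer would count per connection. The sample segment is constructed, and the threshold of one request per segment is an assumption.

```python
# Added example (not from the original page): split a pipelined HTTP/1.1
# request stream into individual requests, as a server or Layer 7 mitigation
# layer has to, and count how many requests arrived on one connection before
# any response could have been sent.
import re

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")


def split_pipelined(stream: bytes) -> list:
    """Parse a raw TCP payload holding zero or more pipelined HTTP/1.1 requests.

    Returns one dict per complete request. A trailing partial request is left
    unparsed (it would complete with the next segment), and parsing stops at
    the first chunk that does not start with a request line.
    """
    requests = []
    pos = 0
    while True:
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break
        lines = stream[pos:head_end].split(b"\r\n")
        if not REQUEST_LINE.match(lines[0]):
            break
        method, target, version = lines[0].decode("ascii").split(" ")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
        body_len = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        if body_start + body_len > len(stream):
            break  # body not fully received yet
        requests.append({
            "method": method,
            "target": target,
            "version": version,
            "headers": headers,
            "body": stream[body_start:body_start + body_len],
        })
        pos = body_start + body_len
    return requests


def pipelining_depth(stream: bytes) -> int:
    """Number of complete requests that arrived back to back in one segment."""
    return len(split_pipelined(stream))


def is_suspicious(stream: bytes, max_depth: int = 1) -> bool:
    """Flag a segment deeper than a normal client produces. max_depth=1 is an
    assumption: mainstream browsers keep pipelining disabled, so more than one
    request per segment is unusual for interactive traffic."""
    return pipelining_depth(stream) > max_depth


# Constructed sample: one TCP segment carrying five GET requests, a POST with a
# body, and a truncated sixth GET that will only complete with the next segment.
SAMPLE_SEGMENT = b"".join(
    b"GET /search?q=%d HTTP/1.1\r\nHost: example.test\r\nUser-Agent: x\r\n\r\n" % i
    for i in range(5)
) + b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 7\r\n\r\nu=a&p=b" \
  + b"GET /partial HTTP/1.1\r\nHost: exam"

if __name__ == "__main__":
    reqs = split_pipelined(SAMPLE_SEGMENT)
    print(f"{len(reqs)} complete requests in one segment, suspicious={is_suspicious(SAMPLE_SEGMENT)}")
    for r in reqs:
        print(r["method"], r["target"], "body=%r" % r["body"])
```

Counting depth per segment is deliberately crude: a real mitigation layer would track requests per connection over time and combine that with response latency, but the parse step is the same.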

Who Is Operating It?

The exact operators behind Meris remain unidentified, a common challenge with botnets due to their decentralized nature and the anonymity of their command-and-control (C2) infrastructure. Here’s what’s known or speculated:

  • No Definitive Attribution: Unlike some botnets tied to specific groups (e.g., Mirai’s creators were eventually caught), Meris’s operators have stayed in the shadows. Researchers from Qrator Labs, Cloudflare, and others haven’t pinpointed a specific individual or organization.
  • Possible Russian Connection: Given the scale of attacks against Russian targets like Yandex and the botnet’s sophistication, some speculate involvement of cybercriminals from Eastern Europe or Russia, where DDoS-for-hire services have historically thrived. However, this is circumstantial—attack origins don’t necessarily reflect operator location.
  • Botnet-as-a-Service (BaaS) Model: Evidence suggests Meris operates as a rentable botnet. Cybersecurity firms like Qrator Labs and Kela have reported that its operators offer it as a service, implying a professional criminal enterprise rather than a lone actor. The operators likely maintain and expand the botnet, renting its firepower to clients for specific attacks.
  • Speculative Links: There’s a theory that Meris could be tied to earlier MikroTik-targeting campaigns (e.g., U6) or even broader cybercrime ecosystems like TrickBot or Glupteba, as suggested by Avast research in 2022. However, these connections are unproven and based on shared infrastructure patterns rather than hard evidence.

Where Can an Attacker Rent It?

Meris is believed to be available for hire through underground channels, typical of the DDoS-for-hire ecosystem. Specific details on access points are scarce due to the illicit nature of these services, but here’s what’s known:

  • Telegram Channels: In 2021, Qrator Labs’ Alexander Lyamin noted that Meris could be rented via Telegram, a popular platform for cybercrime marketplaces. These channels are private, invite-only, or advertised discreetly on dark web forums. Pricing reportedly started at around $1500/day, with discounts for longer engagements, making it accessible to mid-tier attackers.
  • Dark Web Marketplaces: Beyond Telegram, botnet rental services like Meris are often brokered on dark web markets (e.g., successors to AlphaBay or Silk Road-style sites). These platforms offer DDoS services with pricing based on attack duration, target size, and intensity (e.g., RPS volume). Meris’s high capacity likely commands a premium compared to smaller botnets.
  • Access Process: Renting typically involves contacting a seller via encrypted messaging (Telegram, Jabber, or Wickr), negotiating terms, and paying in cryptocurrency (usually Bitcoin). The renter provides the target IP or domain, and the operator unleashes the botnet. The client doesn’t control the botnet directly—operators handle execution to protect their infrastructure.
  • Evidence of Availability: In September 2021, Kela reported that the admin of the LockBit ransomware group was seeking Meris’s operators, suggesting its reputation had spread in cybercrime circles. This implies it’s marketed to serious players, not just script kiddies.

Challenges in Tracking:

  • Proxy Domains: Meris uses HTTPS proxies on seemingly legitimate domains to mask its C2 servers, complicating efforts to trace operators. Cybernews researchers linked some domains to past botnets, but the trail often ends there.
  • Rotation Tactics: The botnet rotates devices and keeps attacks short, avoiding full exposure of its capabilities or operator identity. This suggests a cautious, professional outfit.

Conclusion: The Meris botnet is a top-tier DDoS tool, likely run by a sophisticated group operating it as a rentable service. While its operators’ identities remain unknown, they’re accessible through Telegram and dark web channels, with rental starting at $80/hour as of 2021 reports. Its reliance on MikroTik routers and massive scale make it a persistent threat, though its activity has reportedly declined since late 2021, possibly due to mitigation efforts or a strategic pivot. Without law enforcement breakthroughs or operator missteps, pinning down "who" and "where" remains speculative, but its availability for hire is well-documented in cybercrime ecosystems.

DDoSia by Noname57

  • size: 5000 - 9000

DDoSia is a malware toolkit developed by NoName, a pro-Russian hacking group.
The toolkit has gained notoriety for its involvement in hacktivist campaigns, particularly during the conflict between Russia and Ukraine, where it has been used to target websites and infrastructure in nations aligned with Ukraine or supporting sanctions against Russia.

DDoSia is capable of sophisticated Layer 7 attacks (pseudo-browsers) and direct-path TCP floods; see also our article "Comparison of DDoS-Frameworks".

NoName057/DDoSia has been active since mid-2022 and has been analyzed several times:

What we know so far:

The NoName057(16) group, often referred to simply as "NoName," is a pro-Russian hacktivist collective that operates the DDoSia botnet, a tool designed for launching distributed denial-of-service (DDoS) attacks. Emerging in March 2022 amid the Russia-Ukraine conflict, NoName has targeted entities perceived as anti-Russian, particularly in Ukraine and NATO countries, with a focus on disrupting critical infrastructure like government websites, financial institutions, and transportation services. The DDoSia botnet, unlike traditional botnets such as Meris that rely on compromised devices like MikroTik routers, operates on a volunteer-based model, where participants willingly download and run the DDoSia software to contribute attack power.

What I Know About the NoName/DDoSia Botnet:

  • Scale and Composition: The DDoSia botnet doesn’t rely on infected devices but instead uses a crowdsourced network of volunteers who install the DDoSia tool—written initially in Python and later in Golang—on their own systems (Windows, Linux, macOS, or even Android). By 2023, its Telegram channels boasted over 10,000 participants in the DDoSia project and 50,000 subscribers to the main NoName channel, though active attackers are likely fewer.
  • Attack Method: DDoSia executes Layer 7 (application-layer) DDoS attacks, primarily HTTPS floods, overwhelming targets with junk requests to exhaust server resources rather than bandwidth. Its multi-threaded design allows high request-per-second (RPS) rates, with attacks often short-lived (e.g., 10-minute bursts) but occasionally sustained for hours or a day.
  • Targets: NoName focuses on Ukraine and NATO-aligned nations (e.g., Poland, Lithuania, Czechia, Germany), hitting sectors like finance, government, media, and transport. Notable campaigns include attacks on Polish banks, Czech election sites, and Lithuanian infrastructure as "revenge for Kaliningrad" in 2022. It claimed over 1,174 attacks in 32 countries in the first half of 2023 alone.
  • Evolution: DDoSia replaced the earlier Bobik botnet (a rented RedLine Stealer sub-botnet taken down in September 2022) after NoName shifted to a public, volunteer-driven model. The tool has evolved with features like encrypted C2 communication (AES-GCM), IP blocklisting, and an update mechanism to enhance resilience and secrecy.
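
A defender sees DDoSia’s short, multi-threaded HTTPS bursts as a sharp per-source spike in the web server’s access log. The sliding-window detector below is an added example, not zeroBS code and not a DDoSia artefact: it parses combined-format log lines, computes each client’s peak request count inside a 10-second window, and flags sources above a threshold. The log lines, the window size and the threshold are constructed assumptions to tune per site.

```python
# Added example (not from the original page): a per-source burst detector
# over web-server access logs, the kind of rate signal a defender would use
# to spot short-lived HTTPS floods from a volunteer-run client.
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" format; only the client IP and timestamp are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (ip, timestamp, request line) or None for unparsable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT), m.group("req")


def peak_rate_per_source(lines, window_s: float = 10.0) -> dict:
    """For every client IP, the maximum number of requests seen inside any
    window_s-second sliding window. Lines that fail to parse are skipped."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, _ = parsed
            events[ip].append(ts)
    peaks = {}
    for ip, times in events.items():
        times.sort()
        window = deque()
        peak = 0
        for t in times:
            window.append(t)
            # drop events that fell out of the window ending at t
            while (t - window[0]).total_seconds() > window_s:
                window.popleft()
            peak = max(peak, len(window))
        peaks[ip] = peak
    return peaks


def flag_bursting_sources(lines, threshold: int, window_s: float = 10.0) -> list:
    """Sources whose peak in-window request count reaches the threshold.
    The threshold is an assumption: a person browsing rarely issues more
    than a few dozen requests per 10 s, a flood client issues far more."""
    peaks = peak_rate_per_source(lines, window_s)
    return sorted(ip for ip, p in peaks.items() if p >= threshold)


def _line(ip: str, second: int, path: str) -> str:
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [01/Mar/2024:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')


# Constructed sample log: 203.0.113.7 fires 12 requests in four seconds,
# 198.51.100.4 browses normally, plus one line that does not parse.
SAMPLE_LOG = [_line("203.0.113.7", 1 + i // 3, "/login?cache=" + str(i)) for i in range(12)]
SAMPLE_LOG += [_line("198.51.100.4", s, p) for s, p in ((2, "/"), (3, "/style.css"), (25, "/about"))]
SAMPLE_LOG.append("garbage line that does not parse")

if __name__ == "__main__":
    for ip, peak in peak_rate_per_source(SAMPLE_LOG).items():
        print(f"{ip}: peak {peak} requests / 10 s")
    print("flagged:", flag_bursting_sources(SAMPLE_LOG, threshold=10))
```

Per-IP counting is a first filter only; a volunteer-based botnet spreads load across many residential addresses, so the same window logic is usually also applied per request path or per TLS fingerprint before blocking.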

Who Is Operating It?

  • No Definitive Attribution: The core operators of NoName/DDoSia remain anonymous, typical of hacktivist groups leveraging Telegram’s privacy. Researchers speculate a small, disciplined team—possibly a "lone wolf" entity—manages the operation, distinct from larger collectives like Killnet, with whom NoName avoids collaboration despite shared pro-Russian goals.
  • Russian Alignment: While not officially state-sponsored, NoName’s patriotic motives and targeting of Russia’s adversaries suggest ideological alignment with Russian interests. Its tolerance of Russian volunteers operating without VPNs (unlike the "foreign VPN" recommendation) hints at potential tacit state approval or collaboration, though this is unproven.
  • Volunteer-Driven Service: The botnet’s strength comes from volunteers motivated by ideology, financial rewards, or both. NoName gamifies participation, offering cryptocurrency payouts (initially Bitcoin, later TON and dCoin) based on attack success, managed via Telegram bots like @DDosiabot and @CryptoBot.

Where Can an Attacker Rent It?

  • Not a Traditional Rental: Unlike Meris, DDoSia isn’t rented out as a botnet-as-a-service in the conventional sense. Instead, NoName distributes the DDoSia tool for free to volunteers via Telegram, encouraging participation rather than leasing infrastructure. Access is semi-closed, requiring registration through the @DDosiabot Telegram bot, which provides a download link and unique ID.
  • Telegram Channels: The primary distribution hub is the DDoSia project’s Telegram ecosystem (e.g., hxxps://t[.]me/+fiTz615tQ6BhZWFi), with channels for manuals, updates, and community chat. Volunteers join via invite links, download the executable (e.g., a ZIP with binaries for different platforms), and contribute attack power in exchange for crypto rewards—up to 80,000 rubles (~$1,200 USD) for top performers, though payouts have been inconsistent.
  • Dark Web Absence: Unlike Meris, there’s no clear evidence of DDoSia being brokered on dark web marketplaces. Its model relies on public recruitment through Telegram, targeting ideologically aligned individuals rather than professional cybercriminals seeking a rental service.

Challenges in Tracking:

  • C2 Instability: NoName frequently rotates command-and-control (C2) servers (e.g., hosted via Neterra in Bulgaria or No-IP Dynamic DNS), with dozens of changes in 2024 alone, forcing constant software updates for volunteers. This hampers stability but obscures tracking.
  • Volunteer Model: The reliance on willing participants rather than silently infected devices makes it harder to dismantle, as there’s no malware to clean up—just a community to disrupt. However, its success depends on volunteer engagement, which can wane.

Conclusion: NoName’s DDoSia botnet is a unique, volunteer-fueled DDoS tool operated by an elusive, pro-Russian hacktivist group. Likely managed by a small, disciplined team, it’s distributed via Telegram to ideologically driven participants rather than rented like Meris. With rewards starting at modest crypto payouts, it’s accessible through NoName’s Telegram channels (e.g., @noname05716, DDoSia project groups), not dark web markets. Its focus on short, targeted disruptions and evolving software keeps it a persistent nuisance, though its impact remains limited compared to botnets like Meris, lacking the latter’s raw scale and professional polish.

Gorilla Botnet

The Gorilla DDoS botnet is a relatively recent botnet that was observed engaging in distributed denial-of-service (DDoS) attacks from late 2023. It is a part of a growing trend of IoT-based botnets, similar in nature to botnets like Mirai, but with advanced capabilities to overwhelm targets through high-volume and multi-vector DDoS attacks.

It has been observed in campaigns, most likely by Russian hacktivist groups, against government and financial services in the US, Ireland (IE), Switzerland (CH) and France (FR).

What we know so far:

The Gorilla Botnet, also known as GorillaBot, is a sophisticated distributed denial-of-service (DDoS) botnet that emerged as a significant threat in 2023, with a notable surge in activity in September 2024. Built on the leaked source code of the Mirai botnet, Gorilla has executed over 300,000 DDoS attack commands across more than 100 countries, averaging 20,000 attacks daily during its peak from September 4 to September 27, 2024. It targets a wide range of sectors, including universities, government websites, telecommunications, banks, gaming, and gambling industries, with China (20%), the U.S. (19%), Canada (16%), and Germany (6%) being the most affected.

What I Know About the Gorilla Botnet:

  • Scale and Composition: Gorilla compromises IoT devices and cloud hosts, supporting multiple CPU architectures (ARM, MIPS, x86, x86_64), which broadens its infection scope. It exploits vulnerabilities like an old Apache Hadoop YARN RPC flaw for remote code execution and uses persistence mechanisms (e.g., creating "custom.service" files and modifying system startup files like /etc/profile) to maintain control.
  • Attack Method: It employs various Layer 7 DDoS techniques, including UDP Flood (41%), ACK BYPASS Flood (24%), VSE Flood (12%), SYN Flood, and ACK Flood, leveraging UDP’s connectionless nature for IP spoofing and high traffic volume. It connects to one of five predefined command-and-control (C2) servers to receive attack instructions.
  • Targets: The botnet has hit over 20,000 unique targets, including critical infrastructure (e.g., over 40 organizations in September 2024), with a focus on disrupting services rather than data theft. Its attacks are continuous, evenly distributed over 24-hour periods.
  • Evolution: Gorilla enhances Mirai’s capabilities with 19 attack vectors, encryption algorithms (possibly linked to the KekSec group), and anti-honeypot measures (e.g., checking for /proc filesystem). Its sophistication suggests a high level of counter-detection awareness.
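
The persistence details above (a custom.service unit and changes to /etc/profile) translate directly into a host check. The script below is an added example, not code from zeroBS or from the Gorilla analysis: it scans a filesystem root for a unit file with that name and for profile lines that launch executables from scratch directories. The unit name list, the scratch-directory pattern and the sample tree it builds for the demonstration are assumptions.

```python
# Added example (not from the original page): host checks for the two
# persistence mechanisms the page attributes to Gorilla, a systemd unit named
# custom.service and additions to /etc/profile. The heuristics (unit names,
# suspicious launch directories) are assumptions an analyst would tune.
import re
import tempfile
from pathlib import Path

UNIT_DIRS = ("etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system")
SUSPECT_UNIT_NAMES = {"custom.service"}
# A login script has no business launching binaries from scratch directories.
SUSPECT_EXEC_DIRS = re.compile(r"(^|[\s;&|=])/(tmp|var/tmp|dev/shm)/\S+")


def find_suspect_units(root: str) -> list:
    """Unit files under root whose name is on the watch list, with their
    ExecStart line so an analyst can triage quickly."""
    findings = []
    for rel in UNIT_DIRS:
        unit_dir = Path(root) / rel
        if not unit_dir.is_dir():
            continue
        for unit in unit_dir.iterdir():
            if unit.name in SUSPECT_UNIT_NAMES and unit.is_file():
                exec_start = next(
                    (l.strip() for l in unit.read_text(errors="replace").splitlines()
                     if l.strip().startswith("ExecStart=")),
                    "ExecStart=<missing>",
                )
                findings.append({"path": str(unit), "exec_start": exec_start})
    return findings


def find_suspect_profile_lines(root: str) -> list:
    """(line number, text) for /etc/profile lines that start something from
    a scratch directory; comment lines are ignored."""
    profile = Path(root) / "etc/profile"
    if not profile.is_file():
        return []
    hits = []
    for n, line in enumerate(profile.read_text(errors="replace").splitlines(), start=1):
        if not line.lstrip().startswith("#") and SUSPECT_EXEC_DIRS.search(line):
            hits.append((n, line.strip()))
    return hits


def scan(root: str = "/") -> dict:
    """Run both checks against a filesystem root (a mounted image works too)."""
    return {"units": find_suspect_units(root),
            "profile_lines": find_suspect_profile_lines(root)}


def build_sample_root(root: str) -> None:
    """Construct a fake tree with one planted unit and one planted profile
    line, for demonstration only; the paths inside are made up."""
    r = Path(root)
    (r / "etc/systemd/system").mkdir(parents=True, exist_ok=True)
    (r / "etc/systemd/system/custom.service").write_text(
        "[Unit]\nDescription=custom\n[Service]\nExecStart=/tmp/.x/bot\n"
        "Restart=always\n[Install]\nWantedBy=multi-user.target\n")
    (r / "etc/systemd/system/ssh.service").write_text(
        "[Service]\nExecStart=/usr/sbin/sshd -D\n")
    (r / "etc/profile").write_text(
        "# /etc/profile: system-wide .profile file\n"
        "export PATH=/usr/local/bin:/usr/bin:/bin\n"
        "/tmp/.x/bot >/dev/null 2>&1 &\n")


def demo_scan() -> dict:
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_root(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for key, value in demo_scan().items():
        print(key, value)
```

Running scan() against a live root needs read access to /etc and the unit directories only; on a forensic copy, point it at the mount point instead.
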

Who Is Operating It?

  • No Definitive Attribution: The operators remain unidentified, a common trait of botnet campaigns due to their use of encrypted C2 communication and anonymity tools. Researchers speculate involvement of a skilled group, possibly tied to the KekSec collective, based on encryption and naming conventions (e.g., “lol.sh” scripts), but this is unconfirmed.
  • DDoS-as-a-Service Model: Gorilla operates as a rentable “DDoS-as-a-service” platform, advertised on Telegram under names like “Gorilla Services.” The Swiss NCSC reported its use against critical infrastructure in September 2024, leading to the takedown of its Telegram channel via a complaint, though the botnet persists.
  • Possible Motives: While not explicitly ideological, its broad targeting and rental model suggest a profit-driven operation, distinct from hacktivist groups like NoName. The lack of Russian targets in some reports has fueled speculation of Eastern European origins, but this is inconclusive.

Where Can an Attacker Rent It?

  • Telegram Channels: Gorilla is primarily offered as a DDoS-as-a-service on Telegram, where attackers can rent its capabilities for a fee (exact pricing isn’t widely documented but aligns with typical botnet rental rates, e.g., starting around $50-$100/hour based on similar services). Access involves joining private or invite-only channels (e.g., “Gorilla Services”), which distribute attack tools or coordinate strikes.
  • Dark Web Potential: While Telegram is the confirmed hub, similar botnets are often brokered on dark web marketplaces. There’s no specific evidence of Gorilla on these platforms, but its professional operation suggests it could be available there under aliases.
  • Access Process: Renters likely contact operators via Telegram, pay in cryptocurrency (e.g., Bitcoin), and specify targets, with the operators executing attacks to protect the botnet’s infrastructure. The Swiss NCSC’s intervention in 2024 disrupted one channel, but new ones may have emerged.

Challenges in Tracking:

  • Evasion Tactics: Gorilla uses encrypted C2 communication, random server selection, and anti-detection features (e.g., avoiding honeypots), making it hard to trace. Its C2 domains (e.g., gorillafirewall[.]su) and frequent infrastructure shifts add complexity.
  • Scale and Persistence: With over 300,000 commands and persistent infection methods, it’s a resilient threat, even as mitigation efforts (e.g., patching IoT devices) reduce its pool of vulnerable targets.
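
C2 indicators such as gorillafirewall[.]su are published defanged, so matching them against DNS query logs needs a refang step and a suffix match that catches subdomains without catching look-alike names. The code below is an added example, not from zeroBS; the DNS log format, the log lines and the second indicator (c2-placeholder[.]example) are constructed placeholders.

```python
# Added example (not from the original page): normalise defanged indicators
# of the kind quoted in botnet reports and match them, including subdomains,
# against DNS query logs. The log format and lines here are constructed.
import re
from typing import Optional


def refang(indicator: str) -> str:
    """Turn a defanged IoC back into a real domain or URL for matching."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":"), ("[@]", "@")):
        s = s.replace(defanged, real)
    return s


def domain_of(indicator: str) -> str:
    """Host part of a refanged domain or URL (scheme, path and port removed)."""
    s = re.sub(r"^[a-z]+://", "", refang(indicator))
    return s.split("/", 1)[0].split(":", 1)[0]


def matches(qname: str, watch_domains: set) -> Optional[str]:
    """Return the watched domain that qname equals or is a subdomain of.
    Label-wise suffix matching means notgorillafirewall.su does not match
    gorillafirewall.su, while api.gorillafirewall.su does."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watch_domains:
            return candidate
    return None


# Constructed resolver log format: "<timestamp> <client> query[<type>] <qname>"
DNS_LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query\[(?P<type>\w+)\] (?P<qname>\S+)")


def scan_dns_log(lines, indicators) -> list:
    """Hits for every log line whose query name falls under a watched domain."""
    watch = {domain_of(i) for i in indicators}
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line)
        if not m:
            continue
        hit = matches(m.group("qname"), watch)
        if hit:
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "qname": m.group("qname"), "indicator": hit})
    return hits


# The first indicator is quoted on the page; the second is a constructed placeholder.
INDICATORS = ["gorillafirewall[.]su", "hxxps://c2-placeholder[.]example/lol.sh"]

SAMPLE_DNS_LOG = [
    "2024-09-12T08:01:02Z 10.0.0.5 query[A] www.example.org",
    "2024-09-12T08:01:05Z 10.0.0.9 query[A] api.gorillafirewall.su.",
    "2024-09-12T08:01:07Z 10.0.0.9 query[AAAA] GorillaFirewall.SU",
    "2024-09-12T08:01:09Z 10.0.0.5 query[A] notgorillafirewall.su",
    "2024-09-12T08:01:11Z 10.0.0.7 query[A] c2-placeholder.example",
    "malformed line",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, INDICATORS):
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']} (matches {hit['indicator']})")
```

Because the page notes frequent infrastructure shifts, a watch list built this way goes stale quickly; the matching logic stays the same, but the indicator list has to be refreshed from current reporting.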

Conclusion: The Gorilla Botnet is a Mirai-derived, highly adaptable DDoS tool operated by an anonymous, likely profit-driven group. It’s rentable via Telegram as a DDoS-as-a-service, with fees enabling attackers to target global infrastructure. Its operators remain elusive, possibly linked to KekSec, and its activity spiked in 2024, marking it as an emerging threat. While not as ideologically driven as NoName’s DDoSia, its technical prowess and scale, potentially exceeding 300,000 attacks, make it a formidable player in the cybercrime landscape.

Mirai

  • size: 20.000 - 200.000

The Mirai botnet is one of the most infamous botnets in the history of cybersecurity, known for its large-scale exploitation of Internet of Things (IoT) devices to launch Distributed Denial of Service (DDoS) attacks. First discovered in 2016, Mirai quickly became notorious for its ability to compromise poorly secured IoT devices, such as routers, cameras, and DVRs, by using a list of hard-coded default credentials. What makes Mirai unique is the release of its source code in late 2016, which led to widespread adoption by various actors.

While it has been around for 8 years, there is no single "THE Mirai" botnet anymore, but many variants. All have in common the exploitation of IoT devices.

Misc Reportings

previous art / 2014 - 2021

Since 2007, zeroBS employees have been involved in the investigation, analysis, and monitoring of server-based attacker botnets, specifically in the area of DDoS.

This page provides a list of our R&D activities, talks, and papers that have been published on this topic.