Analysis Summary

Zergeca, a newly discovered botnet capable of executing distributed denial-of-service (DDoS) attacks, has garnered significant attention from cybersecurity researchers. Written in Golang, the botnet's name derives from a string "ootheca" found in its command-and-control (C2) servers.

According to the researchers, Zergeca stands out due to its multifunctionality beyond typical DDoS capabilities, supporting six different attack methods and additional functionalities such as proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and the collection of sensitive device information.

Zergeca employs sophisticated techniques like DNS-over-HTTPS (DoH) for resolving its C2 servers and utilizes the lesser-known Smux library for C2 communications, indicating advanced evasion tactics. The botnet's ongoing development is evidenced by updates adding new commands and its C2 IP address was previously associated with distributing the Mirai botnet in September 2023. This IP address's reuse for Zergeca's C2 server starting April 29, 2025, suggests that the threat actors may have built upon their experience from operating the Mirai botnets to create this new threat.

The botnet's attacks, predominantly ACK flood DDoS attacks, have targeted Canada, Germany, and the U.S. between early and mid-June 2024. Zergeca's architecture is organized into four modules: persistence, proxy, silivaccine, and zombie. The persistence module ensures the botnet's longevity by adding a system service, while the proxy module facilitates traffic obfuscation. The silivaccine module removes competing malware to gain exclusive control over infected devices, and the zombie module handles the main botnet functions, including reporting sensitive device information executing DDoS attacks, scanning, and providing reverse shell capabilities.

Zergeca demonstrates a high level of sophistication in its evasion tactics, using modified UPX packing to thwart analysis, XOR encryption for sensitive strings, and DoH to conceal C2 communications. The botnet's built-in competitor list which shows a thorough understanding of common Linux threats, further underscores the threat actors' advanced knowledge and capabilities in cybersecurity evasion. These features, combined with its multifaceted attack methods and persistent development make Zergeca a significant and evolving threat in the cybersecurity landscape.

Impact

• Denial of Service
• Operational Disruption
• Sensitive Data Theft

Indicators of Compromise

SHA1

• 1001b06820145ac69f3d440f1cc25990eb14cc71
• ffb6b44c5911efb7397a02da9b66f83a42e3fd20
• 04e8b08cda521a6f939f46856449ea53f846083a
• 34e38f2ceeed80c34f3aa8bd663654f50e6fa2b1
• 4a6cb6640b7a43ccfc6ee9921f0e88ba84da8a0b
• d419c3ba75ec203cd002734114cc04d3dc735cfb
• d729aa662ea7d652908326dc5d91b97d836ba936

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Never trust or open links and attachments received from unknown sources/senders.
• Upgrade your operating system.
• Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
• Immediately change default passwords on IoT devices to unique ones.
• Keep devices' firmware and software up to date to ensure that known vulnerabilities are patched.
• Implement firewalls and intrusion detection systems to monitor and control traffic to and from IoT devices.
• Employ tools that can identify unusual behavior or traffic patterns that might indicate a DDoS attack or a compromised device.
• Disable any unnecessary services or features on IoT devices to reduce their attack surface.
• Follow security best practices, such as disabling remote management if not needed and enabling security features provided by the device manufacturer.
• Deploy intrusion detection and prevention systems (IDS/IPS) to monitor for anomalous or malicious network activity.
• Set up alerts for unusual traffic patterns that might indicate a DDoS attack or a compromised device.