In February 2024, multiple U.S. and international government agencies released an advisory on Volt Typhoon botnet attacks. Previously, Avertium's Cyber Threat Intelligence team reported on Volt Typhoon's creation of a botnet using hundreds of SOHO routers across the U.S., using a "living off the land" technique to blend with normal device activity.
The fallout from Volt Typhoon’s botnet impacted several U.S. government entities as well as communications organizations. Botnet attacks can be devastating, impacting even major companies. This week, we will examine two newer botnets, CatDDoS and Zergeca, and discuss how organizations can protect themselves from such threats.
This year, QiAnXin XLab's Cyber Threat Insight Analysis (CTIA) System tracked and monitored active mainstream DDoS botnets. Recently, their system detected that CatDDoS-related groups are highly active, exploiting over 80 vulnerabilities at the time of their report. During that same period, the number of daily targets for the botnet exceeded 300. The exploited vulnerabilities span a wide range of vendors and product types:
The affected products range from Apache server software (ActiveMQ, Hadoop, Log4j, and RocketMQ) and other applications such as Cacti, FreePBX, GitLab, Jenkins, and Metabase, to routers, NAS devices, and other network-connected hardware from Cisco, D-Link, DrayTek, Gocloud, Huawei, Linksys, NETGEAR, Realtek, Seagate, SonicWall, Tenda, TOTOLINK, TP-Link, ZTE, Zyxel, and others.
Initially emerging in 2023, CatDDoS-related groups target victims worldwide, with a primary focus on the U.S., France, Germany, Brazil, and China. These targets span various industries, including cloud services, education, scientific research, information transmission, public administration, and construction.
CatDDoS, a Mirai variant, takes its name from the use of "cat" and "meow" in early domain names and samples, suggesting the author's fondness for cats. From monitoring Telegram channels, QiAnXin XLab initially hypothesized that CatDDoS had ceased operations in December 2023: the message history of the Aterna botnet's channel was deleted, and the author posted a shutdown notice in the group. However, the sale or leak of the source code led to new variants such as RebirthLTD, Komaru, and Cecilio Network appearing after the shutdown, which means that CatDDoS activity has not truly stopped.
The CatDDoS family builds upon the Mirai source code by incorporating the ChaCha20 algorithm to encrypt and store key information. The key and nonce used in the latest version are shown below:
Image 1: Nonce of ChaCha20 Algorithm
Source: NsfocusGlobal
This variant modifies the original Mirai go-live (check-in) process, sending the go-live data to the server in multiple rounds. The packets contain both plaintext and ChaCha20-encrypted ciphertext. After an initial sequence is transmitted, the remaining bytes and the actual content are sent alternately, producing a distinctive traffic pattern that network defenders can look for.
The CatDDoS variant includes various built-in DDoS attack methods. In actual attacks, ack_flood and grip_flood are predominantly used, accounting for 63% and 29% of attacks, respectively.
Although the CatDDoS operators did not write a new botnet Trojan from scratch, they prioritized the Trojan's concealment. In addition to introducing the ChaCha20 algorithm, the operators also used OpenNIC domain names, similar to the Fodcha family.
Although different groups may operate the various variants, the code, communication design, strings, and decryption methods show little variation. Two recently active variants are v-2.0.4 (CatDDoS) and v-Rebirth (RebirthLTD), both of which use ChaCha20 for data encryption with identical keys and nonces. The main difference is that v-2.0.4 uses OpenNIC domain names for its command and control (C2) servers. RebirthLTD was initially developed from the original Mirai code but later switched to the CatDDoS code and has been updated frequently.
Another variant, v-snow_slide, was active for a period but has since gone silent. It has not been publicly disclosed. The variant v-ihateyou is speculated to be related to CatDDoS based on certain characteristics, but its communication mechanism and string decryption align more closely with Mirai. This variant was short-lived and did not gain significant traction.
Once again, researchers at QiAnXin XLab were behind the discovery. In July 2024, they disclosed a new Golang-based botnet named Zergeca, capable of executing powerful distributed denial-of-service (DDoS) attacks. The botnet supports six distinct attack methods and includes scanning, proxying, persistence, self-upgrade, reverse shell, file transfer, and collection of sensitive device information.
In June 2024, Zergeca launched DDoS attacks on organizations in the U.S., Canada, and Germany. Its primary attack type, ACK flood (atk_4), has been used against targets worldwide. Zergeca’s functionality is divided into four modules: persistence, proxy, silivaccine, and zombie. The silivaccine module removes competing malware, while the zombie module reports sensitive device information to the C2 server and waits for commands.
Zergeca resolves its command and control (C2) server over DNS-over-HTTPS (DoH) and communicates with the C2 using the uncommon Smux multiplexing library, both of which help it evade detection. The C2 IP address, previously associated with a Mirai botnet in September 2023, began serving Zergeca in April 2024, suggesting the operators have prior experience with Mirai.
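DoH hides the lookup from a resolver-based DNS monitor, but the TLS handshake to the DoH provider is still visible. The following added example (not code from XLab or from the original report) is the check a defender can run over TLS connection logs: it flags each source host that reached a public DoH endpoint, matching on the SNI first and falling back to the resolver IP when the client sent no SNI. The log lines are a constructed Zeek-style ssl.log excerpt with five columns; the DoH hostnames and resolver IPs are the real public endpoints of Google, Cloudflare and Quad9, and the allowlist parameter is an assumption for hosts where DoH is expected.

```python
# Constructed Zeek-style ssl.log excerpt (tab-separated): ts, id.orig_h, id.resp_h,
# id.resp_p, server_name (the TLS SNI; "-" when the client sent none).
SAMPLE_SSL_LOG = """\
1719900000.1\t10.0.0.23\t8.8.8.8\t443\tdns.google
1719900001.4\t10.0.0.23\t1.1.1.1\t443\tcloudflare-dns.com
1719900002.0\t10.0.0.41\t93.184.216.34\t443\twww.example.com
1719900003.7\t10.0.0.23\t1.0.0.1\t443\tone.one.one.one
1719900004.2\t10.0.0.77\t9.9.9.9\t443\t-
"""

# Public DoH endpoint names and the resolver IPs behind them (real services).
DOH_HOSTNAMES = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com",
                 "one.one.one.one", "dns.quad9.net"}
DOH_RESOLVER_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1",
                    "9.9.9.9", "149.112.112.112"}

def parse_ssl_log(text):
    """Parse the 5-column excerpt into dicts; skips comment lines and short rows."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) < 5:
            continue
        records.append({"ts": float(cols[0]), "src": cols[1], "dst": cols[2],
                        "dport": int(cols[3]), "sni": cols[4]})
    return records

def find_doh_clients(records, allowlist=frozenset()):
    """Map each non-allowlisted source IP to the sorted DoH endpoints it contacted.
    Match on SNI first; if the client sent no SNI, fall back to the resolver IP,
    which is what a hard-coded DoH client without a hostname in the handshake looks like."""
    hits = {}
    for r in records:
        if r["dport"] != 443 or r["src"] in allowlist:
            continue
        if r["sni"] in DOH_HOSTNAMES:
            hits.setdefault(r["src"], set()).add(r["sni"])
        elif r["sni"] in ("-", "") and r["dst"] in DOH_RESOLVER_IPS:
            hits.setdefault(r["src"], set()).add(r["dst"])
    return {src: sorted(endpoints) for src, endpoints in hits.items()}

if __name__ == "__main__":
    for src, endpoints in find_doh_clients(parse_ssl_log(SAMPLE_SSL_LOG)).items():
        print(src, "->", ", ".join(endpoints))
```

Browsers and some operating systems use DoH legitimately, so the allowlist matters on a user network; on a segment of routers, cameras or other embedded devices that are supposed to use the internal resolver, any hit is worth a look, particularly when the device's normal DNS traffic stops at the same time.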
In July 2024, QiAnXin XLab released findings from their analysis of Zergeca. The researchers analyzed five Zergeca samples and found that, despite their similar functionality, there were significant differences in their antivirus detection rates.
Most antivirus vendors identified the sample 23ca4ab1518ff76f5037ea12f367a469 only as generic malware. The researchers hypothesized that antivirus detection relies heavily on file hashes, so any change to the file's hash would reduce detection. To test this, they appended the 4-byte string "Xlab" to the end of the file and re-uploaded it to VirusTotal; the detection rate dropped to 9 out of 67, supporting the hypothesis.
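As an added illustration of that experiment (not XLab's code or the original sample), the block below builds a constructed ELF-like byte blob, blocks it by SHA-256, appends the same 4-byte marker, and shows that the hash-based detector misses the copy while a content-based rule (the YARA idea: require a few stable byte patterns anywhere in the file) still fires. The sample bytes and patterns are constructed; real Zergeca is UPX-packed and XOR-encrypts its strings, so a production rule would key on other stable bytes after unpacking.

```python
import hashlib

# Constructed stand-in for a Zergeca-like ELF sample. The module names are left in
# plaintext only to illustrate the contrast; real samples encrypt their strings.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9        # ELF identification (constructed)
    + b"\x02\x00\xb7\x00"                        # e_type=EXEC, e_machine=AArch64 (constructed)
    + b"\x00" * 44
    + b"persistence\x00proxy\x00silivaccine\x00zombie\x00"
    + b"\x90" * 64
)

# Patterns a YARA-style rule might require (constructed for this sample).
CONTENT_PATTERNS = [b"\x7fELF", b"silivaccine\x00", b"zombie\x00", b"persistence\x00"]

def file_hashes(data):
    """Whole-file MD5, SHA-1 and SHA-256: the hash IoC types listed for Zergeca."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def append_marker(data, marker=b"Xlab"):
    """Reproduce the XLab experiment: append a 4-byte string to the end of the file."""
    return data + marker

def hash_match(data, blocklist):
    """Hash-based detection: a hit only if the whole-file SHA-256 is on the list."""
    return hashlib.sha256(data).hexdigest() in blocklist

def content_match(data, patterns=CONTENT_PATTERNS, min_hits=3):
    """Content-based detection: a hit if at least min_hits patterns occur anywhere,
    which is unaffected by bytes appended after the last pattern."""
    return sum(1 for p in patterns if p in data) >= min_hits

def compare_detections(sample, blocklist):
    """Run both detectors on the original and on the 'Xlab'-appended copy."""
    modified = append_marker(sample)
    return {
        "hash_original": hash_match(sample, blocklist),
        "hash_modified": hash_match(modified, blocklist),
        "content_original": content_match(sample),
        "content_modified": content_match(modified),
    }

if __name__ == "__main__":
    blocklist = {file_hashes(SAMPLE)["sha256"]}
    print(compare_detections(SAMPLE, blocklist))
```

The practical reading of the IoC list at the end of this report: a hash hit is high-confidence but low-coverage, because the operator can invalidate every MD5/SHA1/SHA256 with one appended byte, so hash blocking should be paired with string, structure or behaviour rules that survive trivial changes.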
Technical sophistication is evident in Zergeca’s use of modified UPX packing, XOR encryption for sensitive strings, and DoH for C2 resolution. These tactics demonstrate a strong understanding of evasion techniques. Zergeca continues to be actively developed and updated to support new commands, making it a versatile and dangerous tool for cybercriminals.
The primary methods used by the botnet to distribute samples are exploiting Telnet weak passwords and specific known vulnerabilities. The relevant vulnerabilities include:
To gain exclusive control over a device, Zergeca maintains a list of competitor threats, including miners, backdoor trojans, and other botnets. Notable names on this list include Mozi, Kinsing, and various mining pools. Zergeca actively monitors the system, terminating any process whose name or runtime parameters match those on the list and deleting the associated binary files.
Effective defense strategies against botnets are important for protecting organizational networks and data integrity. Organizations can be vulnerable to botnets like Zergeca and CatDDoS due to several factors:
Botnets like Zergeca and CatDDoS display advanced capabilities, from executing powerful DDoS attacks and evading detection through sophisticated encryption and evasion tactics, to actively targeting global networks across diverse industries.
Zergeca, for instance, demonstrates its adaptability with features like DNS-over-HTTPS for C2 communication and a robust toolkit that includes scanning, proxying, and collecting sensitive information.
For cybersecurity professionals and organizations, vigilance against botnet threats is necessary. Botnets not only disrupt services and compromise sensitive data but also operate undercover, often leveraging known vulnerabilities and weak security practices to infiltrate systems.
Detecting and mitigating botnet activity requires proactive monitoring, robust cybersecurity measures, and timely patching of vulnerabilities. Heightened awareness and continuous threat intelligence gathering are vital if organizations are going to combat the evolving tactics of botnet operators.
It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium can provide the following services to help keep your organization safe:
Zergeca: MD5, SHA1, SHA256, IPs, Domains
CatDDoS: IPs, Domains
Please note, this list is just a sample of the IoCs for CatDDoS. See QiAnXin XLab’s analysis for a complete list of IoCs.
New Threat: A Deep Dive Into the Zergeca Botnet (qianxin.com)
Zergeca: A new Golang botnet with advanced capabilities (broadcom.com)
New Golang-Based Zergeca Botnet Capable of Powerful DDoS Attacks (thehackernews.com)
Zergeca Botnet Poses DDoS Threat - Spiceworks
New Threat: A Deep Dive Into the Zergeca Botnet - LevelBlue - Open Threat Exchange (alienvault.com)
Researchers Warn of CatDDoS Botnet and DNSBomb DDoS Attack Technique (thehackernews.com)
CatDDoS-Related Gangs Have Seen a Recent Surge in Activity (qianxin.com)
CatDDoS botnet attacks surge, DNSBomb DDoS attack technique emerges | SC Media (scmagazine.com)
CatDDOS Threat Groups Sharply Ramp Up DDoS Attacks (darkreading.com)
New Golang Zergeca Botnet appeared in the threat landscape (securityaffairs.com)
An In-Depth Look at Mirai & HinataBot (avertium.com)
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.