Trusted Design

The Elastic Botnet

概要

Novetta has collected and shares within this report evidence that suggests multiple actors, possibly working independently while sharing information between themselves, are exploiting the Elasticsearch vulnerability primarily to establish widespread DDoS botnet infrastructures. Using both the Elknot and BillGates DDoS malware, these attackers have continued to infect vulnerable Elasticsearch servers in order to enhance their DDoS capabilities. The continuous scanning and exploitation of Elasticsearch servers is the most visible feature of these actors, and some actors have continued to infect and reinfect servers for weeks on end.

Created: 2026-02-23

Indicators

• hostname - pp.pp1987.com -
• hostname - xuyiwz.f3322.net -
• CVE - CVE-2015-14271 -
• FileHash-SHA256 - edb59ca2fdbf2afb45755fa307f4274b0029b7a80b62fb13895574894bc17205 -
• URL - http://61.176.220.162:111/zlbsr -
• URL - http://122.224.48.28:8000/ruvn -
• FileHash-SHA256 - 62fa123912eaa226babe46a6adef06638432fa2b3758c1e3cc7aca873c947fe6 -
• FileHash-SHA256 - 58d7343dfa554e8847c8d3ff07ef4b2a449c57c426a0ba62584d6deb06992842 -
• URL - http://114.215.115.152:8080/alima -
• URL - http://61.160.232.221:9939/ka -
• hostname - ww1.ccmir.com -
• URL - http://183.61.171.225:8818/down -
• YARA - ea388664d8ad387eb5a3640e8187c5de69ab079b -
• hostname - sbss.f3322.net -
• FileHash-SHA256 - b11a6bd1bcbb759252fb252ee1122b68d44dcc275919cf95af429721767c040a -
• URL - http://117.21.176.64:4899/http -
• FileHash-SHA256 - 0c9107b2742705fa1834fd7e8beaa3778f6f1ba1e38fd3eb30b1aeac30c7a1de -
• FileHash-SHA256 - 6959ff4259f0478f7040fc0233af35a8ae4a24fa2fddadd3893cf95248a9eba6 -
• URL - http://120.24.228.240:6954/PowerEnterABC -
• URL - http://122.224.48.28:8000/tooles -
• hostname - ddd.dj6cc.com -
• FileHash-SHA256 - 185251b437d3935a5d6e92a49e07a3c2f95289156a6bbe54df3cb771d78affa3 -
• domain - wuzu520.com -
• hostname - www.ddoscc.xyz -
• FileHash-SHA256 - 0b95195662f456c816c2729457fe9b430eac191a6d27e6e05e2dae4a4131b6fe -
• hostname - 231.78en.com -
• FileHash-SHA256 - f018976240911e5eb6bb7051fc2a4590a480a61e744f57e69e63880ffc84aea3 -
• URL - http://111.74.239.77:8080/xudp -
• URL - http://xuyiwz.f3322.net:25000 -
• FileHash-SHA256 - 6ee9c50c2b051277258f139ddd9190ad8f395889d0ea2cec2508b2f21857cfec -
• hostname - 816.dj6cc.com -
• CVE - CVE-2012-0056 -
• YARA - feb29c4fdabfd3bad246df4242459be212411c77 -
• URL - http://222.186.31.83:8080/xiaoma -
• hostname - yeyou.t1linux.com -
• YARA - ec2e939ed735f083ad1195cd52978123b6a10c86 -
• CVE - CVE-2010-3081 -

類似Pulses

• ElasticSearch Botnet - Botware Download URLs (score: 0.69)
• MMD-0034-2015 - New ELF Linux/DES.Downloader (score: 0.67)
• ElasticSearch-Botnet C&C-Master DNS-Names (score: 0.60)
• ElasticSearch-Botnet C&C-Master IPs (score: 0.60)
• Octopus-Rex. Evolution of a multi task Botnet (score: 0.55)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る