Trusted Design

A new IoT Botnet is Spreading over HTTP 81 on a Large Scale

概要

360 Network Security Research Lab recently discovered a new botnet that is scanning the entire Internet on a large scale. Very active, we can now see ~ 50k live scanner IPs daily. Malicious code identified, simple UDP DDoS attacks recorded. Most security vendors fail to identify the malicious code (7/55 on virustotal) This botnet borrows partial code such as port scanning module from the Mirai, but it is completely different from mirai in terms of infect chain, C2 communication protocol, attack module and so on. Although the binary names have mirai mentioned it is probably not wise to treat it just as a mirai variant

Created: 2026-02-23

Indicators

• hostname - ntp.gtpnet.ir -
• hostname - load.gtpnet.ir -
• FileHash-SHA256 - aa443f81cbba72e1692246b5647a9278040400a86afc8e171f54577dc9324f61 -
• FileHash-SHA256 - 35317971e346e5b2a8401b2e66b9e62e371ce9532f816cb313216c3647973c32 -
• FileHash-SHA256 - 4a5d00f91a5bb2b6b89ccdabc6c13eab97ede5848275513ded7dfd5803b1074b -
• URL - http://ntp.gtpnet.ir/mirai.mips -
• FileHash-SHA256 - 264e5a7ce9ca7ce7a495ccb02e8f268290fcb1b3e1b05f87d3214b26b0ea9adc -
• FileHash-SHA256 - ec2c39f1dfb75e7b33daceaeda4dbadb8efd9015a9b7e41d595bb28d2cd0180f -
• FileHash-SHA256 - e0b5c9f874f260c840766eb23c1f69828545d7820f959c8601c41c024044f02c -
• URL - http://ntp.gtpnet.ir/mirai.mpsl -
• FileHash-MD5 - b2b129d84723d0ba2f803a546c8b19ae -
• URL - http://ntp.gtpnet.ir/mirai.arm5n -
• FileHash-SHA256 - 4a5ff1def77deb11ddecd10f96e4a1de69291f2f879cd83186c6b3fc20bb009a -
• URL - http://ntp.gtpnet.ir/mirai.arm -
• FileHash-MD5 - 5ebeff1f005804bb8afef91095aac1d9 -
• FileHash-MD5 - 2f6e964b3f63b13831314c28185bb51a -
• FileHash-SHA256 - d00b79a0b47ae38b2d6fbbf994a2075bc70dc88142536f283e8447ed03917e45 -
• FileHash-SHA256 - 7d7aaa8c9a36324a2c5e9b0a3440344502f28b90776baa6b8dac7ac88a83aef0 -
• FileHash-SHA256 - ff5db7bdb4de17a77bd4a552f50f0e5488281cedc934fc3707833f90484ef66c -
• FileHash-MD5 - 428111c22627e1d4ee87705251704422 -
• FileHash-SHA256 - f736948bb4575c10a3175f0078a2b5d36cce1aa4cd635307d03c826e305a7489 -
• FileHash-MD5 - 9584b6aec418a2af4efac24867a8c7ec -
• URL - http://ntp.gtpnet.ir/mirai.arm7 -
• FileHash-MD5 - cd20dcacf52cfe2b5c2a8950daf9220d -
• FileHash-SHA256 - a58769740a750a8b265df65a5b143a06972af2e7d82c5040d908e71474cbaf92 -
• FileHash-SHA256 - f974695ae560c6f035e089271ee33a84bebeb940be510ab5066ee958932e310a -
• FileHash-SHA256 - 44620a09441305f592fb65d606958611f90e85b62b7ef7149e613d794df3a778 -
• FileHash-SHA256 - af4aa29d6e3fce9206b0d21b09b7bc40c3a2128bc5eb02ff239ed2f3549532bb -

類似Pulses

• Mirai Botnet Controller (and/or infected device) IPs (score: 0.73)
• Mirai Botnet Infrastructure (score: 0.72)
• Mirai IoT botnet (score: 0.70)
• Satori:Mirai-like malware botnet infected via Port 37215 and 52869 (score: 0.70)
• Mirai Botnet Indicators (score: 0.69)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る