Gayfemboy Botnet Defies the Mirai Mold to Become a Persistent Cyber Threat

A new botnet variant named “Gayfemboy” is gaining attention in cybersecurity circles for breaking away from the usual short-lived lifecycle of Mirai-based threats. First discovered in early 2024 by researchers at QiAnXin’s XLab, this botnet has quickly established itself as a formidable and persistent actor capable of large-scale disruption through DDoS attacks and zero-day exploitation.

At first glance, Gayfemboy resembled just another recycled Mirai clone—basic packaging, unremarkable shell, and limited functionality. But over the following months, it rapidly evolved. By mid-2024, developers had overhauled the payload structure, introduced a custom signature, and implemented a distinct control mechanism. What started as a forgettable strain soon became one of the most aggressive threats of the year.

A key turning point came in November 2024 when the botnet was observed exploiting a zero-day vulnerability in Four-Faith industrial routers, later identified as CVE-2024-12856. It also appeared to leverage previously unknown flaws in Neterbit routers and Vimar smart home systems, enabling a significant expansion in its reach.

XLab analysts attempting to monitor the botnet by intercepting inactive command-and-control (C2) domains were met with a bold response—Gayfemboy retaliated with direct DDoS attacks against their infrastructure. This counteroffensive highlighted not only the scale but also the strategic sophistication of its operators.

The botnet’s infrastructure is sizable, with more than 15,000 infected devices active daily. These nodes are divided across 40+ organized clusters, each potentially tailored for different functions or target profiles. The diversity of infected hardware and the modular structure suggest a highly adaptable operation.

Gayfemboy’s infection toolkit includes a combination of over 20 vulnerabilities, blending well-documented (N-day) flaws with undisclosed and zero-day exploits. Common infection vectors include weak Telnet credentials and known security gaps in widely used router models such as ASUS and Four-Faith devices. The botnet’s reach spans multiple regions, with high concentrations of infected systems reported in China, the U.S., Iran, Russia, and Turkey.

The botnet’s primary weapon is its DDoS capability. Starting in February 2024, researchers noted consistent, high-volume attacks targeting a wide range of sectors including telecom, public infrastructure, and government services. The peak in activity came during the final quarter of the year, with victims in countries like Germany, Singapore, and the UK experiencing brief but highly disruptive attacks. In one case, a virtual private server used for analysis was rendered inoperable for 24 hours after a 100Gbps DDoS flood prompted a cloud provider to block traffic entirely.

Despite its advanced features, Gayfemboy maintains a connection to its Mirai origins. It uses a similar command structure but has removed legacy markers and added new layers of concealment. For instance, it actively searches for writable directories on infected systems to mount its own process directory, hiding its presence from common monitoring tools.
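Mounting a writable directory over a process's own entry under /proc, as described above, leaves a trace in the kernel's mount table even though the process vanishes from tools that walk /proc. The following added example (not from XLab or the article) parses /proc/self/mountinfo and flags any mount whose mount point sits on /proc/<pid>; the sample mountinfo lines and the PID 1337 are constructed for illustration.

```python
import re
from pathlib import Path

# Constructed sample of /proc/self/mountinfo. Layout per proc(5):
#   id parent major:minor root mount_point options [optional...] - fstype source superopts
# Line 3 is the suspicious one: a directory bind-mounted over /proc/1337.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
28 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw
35 22 8:1 /tmp/.x /proc/1337 rw,relatime - ext4 /dev/sda1 rw
36 28 0:30 / /sys/fs/cgroup rw,nosuid - cgroup2 cgroup rw
"""

PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")

def parse_mountinfo(text):
    """Return (mount_point, fstype, source) for every mountinfo line."""
    entries = []
    for line in text.splitlines():
        left, sep, right = line.partition(" - ")
        lfields, rfields = left.split(), right.split()
        if not sep or len(lfields) < 5 or len(rfields) < 2:
            continue
        # mountinfo escapes space/tab/newline/backslash as octal (\040 etc.)
        mount_point = re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1), 8)), lfields[4])
        entries.append((mount_point, rfields[0], rfields[1]))
    return entries

def find_proc_overlays(entries):
    """Flag mounts sitting on /proc/<pid>. Nothing legitimate mounts there,
    so each hit is a candidate for a process hiding its /proc entry."""
    findings = []
    for mount_point, fstype, source in entries:
        match = PROC_PID_RE.match(mount_point)
        if match:
            findings.append({"pid": int(match.group(1)), "mount_point": mount_point,
                             "fstype": fstype, "source": source})
    return findings

def scan(text=SAMPLE_MOUNTINFO):
    return find_proc_overlays(parse_mountinfo(text))

if __name__ == "__main__":
    live = Path("/proc/self/mountinfo")  # falls back to the sample off-Linux
    for f in scan(live.read_text() if live.exists() else SAMPLE_MOUNTINFO):
        print(f"suspicious mount over /proc/{f['pid']}: {f['fstype']} from {f['source']}")
```

On a live host, any hit is worth comparing against `ps` output: a PID that the kernel still schedules but that process listings no longer show is exactly the condition this overlay creates.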

The bot can also receive commands to scan for new targets, deploy payloads, or halt operations, giving its operators complete control over the botnet’s behavior. A distinctive message, “we gone now\n”, is printed on execution and has appeared consistently across multiple iterations.

The continued development of Gayfemboy signals a shift in how modern botnets are built and operated. With access to zero-day exploits and the ability to adapt quickly, threats like this challenge traditional detection and response strategies. As botnet infrastructure becomes more accessible to attackers, security teams must prepare for increasingly organized and resilient adversaries.

Gayfemboy’s rise illustrates the growing complexity of IoT-targeted threats and the urgent need for improved defense mechanisms across connected environments. Its sustained presence and evolving capabilities mark it as more than just another variant—it’s a blueprint for the next generation of persistent cyber threats.