TTPwire Vol. 1 · MITRE ATT&CK·Tagged

← All stories

GreyNoise

New DDoS Botnet Discovered: Over 30,000 Hacked Devices, Majority of Observed Activity Traced to Iran

2025-02-28 · Read original ↗

ATT&CK techniques detected

9 predictions
T1584.005Botnet
91%
"new ddos botnet discovered : over 30, 000 hacked devices, majority of observed activity traced to iran update ( 5 march 2025 ) : key clarifications on eleven11bot further analysis has refined the understanding of the scale and nature of eleven11bot. key clarifications : likely a …"
T1584.005Botnet
91%
"traffic as botnet activity. how greynoise identified this activity greynoise analyzed a list of 1, 400 ips provided by censys, identifying 1, 042 of them engaging in scanning and exploitation attempts. these were primarily embedded systems that typically do not initiate outbound …"
T1584.005Botnet
76%
"( 636 ) are traced to iran. - 305 ips are currently classified as malicious by greynoise. while greynoise does not speculate on attribution, this increase in botnet activity comes just two days after the u. s. administration reasserted its “ maximum pressure ” campaign on iran, i…"
T1584.005Botnet
63%
"has compromised over 30, 000 devices, primarily security cameras and network video recorders ( nvrs ). according to deepfield, eleven11bot has been used in distributed denial of service ( ddos ) attacks against telecom providers and gaming platforms, with some attacks lasting mul…"
T1584.005Botnet
54%
"151. 235. 192. 159, 5. 202. 84. 19, 209. 131. 253. 45, 2. 181. 127. 121, 108. 170. 68. 134, 5. 239. 211. 210, 93. 117. 13. 29, how organizations can defend themselves greynoise recommends the following steps to protect against the botnet and similar cyber threats : - block traffi…"
T1583.005Botnet
43%
"new ddos botnet discovered : over 30, 000 hacked devices, majority of observed activity traced to iran update ( 5 march 2025 ) : key clarifications on eleven11bot further analysis has refined the understanding of the scale and nature of eleven11bot. key clarifications : likely a …"
T1498.001Direct Network Flood
38%
"has compromised over 30, 000 devices, primarily security cameras and network video recorders ( nvrs ). according to deepfield, eleven11bot has been used in distributed denial of service ( ddos ) attacks against telecom providers and gaming platforms, with some attacks lasting mul…"
T1498Network Denial of Service
35%
"has compromised over 30, 000 devices, primarily security cameras and network video recorders ( nvrs ). according to deepfield, eleven11bot has been used in distributed denial of service ( ddos ) attacks against telecom providers and gaming platforms, with some attacks lasting mul…"
T1584.005Botnet
32%
"s live activity using greynoise : - navigate to the analysis feature. - paste the list of botnet ips ( source : censys ) into the search bar. - download the csv of malicious ips to take immediate blocking actions. censys - provided ip list a list of ips associated with this botne…"

Summary

A newly discovered global cyber threat is rapidly expanding, infecting tens of thousands of internet-connected devices to launch powerful cyberattacks. Nokia Deepfield’s Emergency Response Team (ERT) has identified a new botnet, tracked as Eleven11bot, which they estimated has compromised over 30,000 devices, primarily security cameras and network video recorders (NVRs).