Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information



First seen in Guardicore Centra: 2020-08-06
Last seen in Guardicore Centra: 2020-08-11
B3astMode is a Mirai-based DDoS botnet targeting SSH servers, Huawei HG532 routers and IoT devices. In this campaign, the attacker attempts to break into SSH servers by brute-forcing credentials. On success, the attacker has the victim connect to the C&C server and download a malicious payload named B3astMode, chosen according to the victim's architecture.
In order to expand the botnet, the malware attempts to exploit two Remote Code Execution (RCE) vulnerabilities:

By breaching these devices, the attacker amplifies the volume of the TCP and UDP flood attacks the botnet performs. At the time of writing, nearly 200k devices were potential victims of this attack.



Indicators of Compromise

Connect-Back Servers

Attack Flow

Breached Services
Outgoing Connection
Access Suspicious Domain
Successful SSH Login
Download Operation
Download File

Incident Summary

1. Successful SSH Login: a user logged in using SSH with the following credentials: root / **** (authentication policy: White List).
2. Download Operation: a possibly malicious download operation was detected.
3. Outgoing Connection: process /usr/bin/wget generated outgoing network traffic to:
4. Outgoing Connection / Access Suspicious Domain: process /usr/bin/wget attempted to access suspicious domains.
5. Download File: /root/b3astmode.x86 was downloaded.
6. Connection was closed due to timeout.