The Gafgyt IoT botnet has been around for 7 years already, boasting many different variants over time. Also known as BASHLITE, this botnet has become notorious for launching DDoS attacks, making it almost as well-known as famous botnets such as Mirai in recent years. In 2018, two Gafgyt variants were detected, targeting Apache Struts and SonicWall vulnerabilities. Over the next year, Gafgyt started targeting vulnerable internet of things devices, wreaking havoc on gaming servers all over the world.
Recently, a new variant dubbed Gafgyt_tor by researchers was discovered. Although its main purpose is still DDoS, this new version has upped its evasion tactics, and is the first variant to use the Tor network to conceal its malicious activity. Weak Telnet passwords allow the cyber attackers behind the botnet to deploy their infections. This type of password exploitation is a widely known issue on IoT devices. In addition, the hackers exploit three vulnerabilities to deploy their attacks:
The new variant’s main function, establishing a Tor connection, has replated the original initConnection() function which was used to establish communication with the botnet’s C2 servers. This way, Gafgyt_tor can hide its activity when it calls home. The new botnet variants is suspected to be built by the same threat actor that has been distributing previous variants, dubbed Freak threat actor or keksec group.
ThreatSTOP customers are automatically protected from threats like Gafgyt botnet through blocking the IP addresses for the C2 servers, and/or blocking the domains being used, which may be newly registered or observed. If you are not yet a ThreatSTOP user, we recommend blocking the IOCs below.
Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?
| Indicator | Type | Details |
| wvp3te7pkfczmnnl.onion | Domain | C2 Server |
| 45.145.185.83 | IPv4 | Download |
| 45.153.203.124 | IPv4 | Download |
| 91.236.251.131 | IPv4 | Tor Proxy |
| 66.42.34.110 | IPv4 | Tor Proxy |
| 52.47.87.178 | IPv4 | Tor Proxy |
| 5.167.53.191 | IPv4 | Tor Proxy |
| 35.192.111.58 | IPv4 | Tor Proxy |
| 35.189.88.51 | IPv4 | Tor Proxy |
| 34.239.11.167 | IPv4 | Tor Proxy |
| 3.91.139.103 | IPv4 | Tor Proxy |
| 188.68.52.220 | IPv4 | Tor Proxy |
| 188.166.82.232 | IPv4 | Tor Proxy |
| 18.229.49.115 | IPv4 | Tor Proxy |
| 18.191.18.101 | IPv4 | Tor Proxy |
| 130.193.56.117 | IPv4 | Tor Proxy |
| 107.20.204.32 | IPv4 | Tor Proxy |
| 104.155.207.91 | IPv4 | Tor Proxy |
| 103.125.218.111 | IPv4 | Tor Proxy |
| 103.82.219.42 | IPv4 | Tor Proxy |
| 104.224.179.229 | IPv4 | Tor Proxy |
| 111.90.159.138 | IPv4 | Tor Proxy |
| 116.202.107.151 | IPv4 | Tor Proxy |
| 116.203.210.124 | IPv4 | Tor Proxy |
| 119.28.149.37 | IPv4 | Tor Proxy |
| 128.199.45.26 | IPv4 | Tor Proxy |
| 134.122.4.130 | IPv4 | Tor Proxy |
| 134.122.59.236 | IPv4 | Tor Proxy |
| 134.209.230.13 | IPv4 | Tor Proxy |
| 134.209.249.97 | IPv4 | Tor Proxy |
| 135.181.137.237 | IPv4 | Tor Proxy |
| 138.68.6.227 | IPv4 | Tor Proxy |
| 139.162.149.58 | IPv4 | Tor Proxy |
| 139.162.32.82 | IPv4 | Tor Proxy |
| 139.162.42.124 | IPv4 | Tor Proxy |
| 139.99.239.154 | IPv4 | Tor Proxy |
| 142.47.219.133 | IPv4 | Tor Proxy |
| 143.110.230.187 | IPv4 | Tor Proxy |
| 145.239.83.129 | IPv4 | Tor Proxy |
| 146.59.156.72 | IPv4 | Tor Proxy |
| 146.59.156.76 | IPv4 | Tor Proxy |
| 146.59.156.77 | IPv4 | Tor Proxy |
| 146.66.180.176 | IPv4 | Tor Proxy |
| 148.251.177.144 | IPv4 | Tor Proxy |
| 157.230.27.96 | IPv4 | Tor Proxy |
| 157.230.98.211 | IPv4 | Tor Proxy |
| 157.230.98.77 | IPv4 | Tor Proxy |
| 158.174.108.130 | IPv4 | Tor Proxy |
| 158.247.211.132 | IPv4 | Tor Proxy |
| 159.65.69.186 | IPv4 | Tor Proxy |
| 159.69.203.65 | IPv4 | Tor Proxy |
| 159.89.19.9 | IPv4 | Tor Proxy |
| 161.35.84.202 | IPv4 | Tor Proxy |
| 165.22.194.250 | IPv4 | Tor Proxy |
| 165.22.94.245 | IPv4 | Tor Proxy |
| 167.172.123.221 | IPv4 | Tor Proxy |
| 167.172.173.3 | IPv4 | Tor Proxy |
| 167.172.177.33 | IPv4 | Tor Proxy |
| 167.172.178.215 | IPv4 | Tor Proxy |
| 167.172.179.199 | IPv4 | Tor Proxy |
| 167.172.180.219 | IPv4 | Tor Proxy |
| 167.172.190.42 | IPv4 | Tor Proxy |
| 167.233.6.47 | IPv4 | Tor Proxy |
| 167.71.236.109 | IPv4 | Tor Proxy |
| 168.119.37.152 | IPv4 | Tor Proxy |
| 168.119.61.251 | IPv4 | Tor Proxy |
| 172.104.240.74 | IPv4 | Tor Proxy |
| 172.104.4.144 | IPv4 | Tor Proxy |
| 176.37.245.132 | IPv4 | Tor Proxy |
| 178.62.215.4 | IPv4 | Tor Proxy |
| 185.105.237.253 | IPv4 | Tor Proxy |
| 185.106.121.176 | IPv4 | Tor Proxy |
| 185.106.122.10 | IPv4 | Tor Proxy |
| 185.128.139.56 | IPv4 | Tor Proxy |
| 185.18.215.170 | IPv4 | Tor Proxy |
| 185.18.215.178 | IPv4 | Tor Proxy |
| 185.180.223.198 | IPv4 | Tor Proxy |
| 185.212.128.115 | IPv4 | Tor Proxy |
| 185.217.1.30 | IPv4 | Tor Proxy |
| 188.127.231.152 | IPv4 | Tor Proxy |
| 188.165.233.121 | IPv4 | Tor Proxy |
| 188.166.17.35 | IPv4 | Tor Proxy |
| 188.166.34.137 | IPv4 | Tor Proxy |
| 188.166.79.209 | IPv4 | Tor Proxy |
| 188.166.80.74 | IPv4 | Tor Proxy |
| 188.227.224.110 | IPv4 | Tor Proxy |
| 192.46.209.98 | IPv4 | Tor Proxy |
| 192.99.169.229 | IPv4 | Tor Proxy |
| 193.123.35.48 | IPv4 | Tor Proxy |
| 193.187.173.33 | IPv4 | Tor Proxy |
| 195.123.222.9 | IPv4 | Tor Proxy |
| 195.93.173.53 | IPv4 | Tor Proxy |
| 197.156.89.19 | IPv4 | Tor Proxy |
| 198.27.82.186 | IPv4 | Tor Proxy |
| 198.74.54.182 | IPv4 | Tor Proxy |
| 199.247.4.110 | IPv4 | Tor Proxy |
| 20.52.130.140 | IPv4 | Tor Proxy |
| 20.52.147.137 | IPv4 | Tor Proxy |
| 20.52.37.89 | IPv4 | Tor Proxy |
| 201.40.122.152 | IPv4 | Tor Proxy |
| 206.81.17.232 | IPv4 | Tor Proxy |
| 206.81.27.29 | IPv4 | Tor Proxy |
| 212.71.253.168 | IPv4 | Tor Proxy |
| 212.8.244.112 | IPv4 | Tor Proxy |
| 217.12.201.190 | IPv4 | Tor Proxy |
| 217.144.173.78 | IPv4 | Tor Proxy |
| 217.170.127.226 | IPv4 | Tor Proxy |
| 217.61.98.33 | IPv4 | Tor Proxy |
| 37.200.66.166 | IPv4 | Tor Proxy |
| 45.33.45.209 | IPv4 | Tor Proxy |
| 45.33.79.19 | IPv4 | Tor Proxy |
| 45.33.82.126 | IPv4 | Tor Proxy |
| 45.79.207.110 | IPv4 | Tor Proxy |
| 45.81.225.67 | IPv4 | Tor Proxy |
| 45.81.226.8 | IPv4 | Tor Proxy |
| 45.92.94.83 | IPv4 | Tor Proxy |
| 46.101.156.38 | IPv4 | Tor Proxy |
| 46.101.159.138 | IPv4 | Tor Proxy |
| 47.90.1.153 | IPv4 | Tor Proxy |
| 49.147.80.102 | IPv4 | Tor Proxy |
| 5.100.80.141 | IPv4 | Tor Proxy |
| 5.63.13.54 | IPv4 | Tor Proxy |
| 50.116.61.125 | IPv4 | Tor Proxy |
| 51.11.240.222 | IPv4 | Tor Proxy |
| 51.116.185.181 | IPv4 | Tor Proxy |
| 51.195.201.47 | IPv4 | Tor Proxy |
| 51.195.201.50 | IPv4 | Tor Proxy |
| 51.68.191.153 | IPv4 | Tor Proxy |
| 51.75.161.21 | IPv4 | Tor Proxy |
| 51.83.185.71 | IPv4 | Tor Proxy |
| 51.83.186.137 | IPv4 | Tor Proxy |
| 51.89.165.233 | IPv4 | Tor Proxy |
| 67.205.130.65 | IPv4 | Tor Proxy |
| 68.183.67.182 | IPv4 | Tor Proxy |
| 68.183.82.50 | IPv4 | Tor Proxy |
| 79.124.62.26 | IPv4 | Tor Proxy |
| 8.210.163.246 | IPv4 | Tor Proxy |
| 80.251.220.190 | IPv4 | Tor Proxy |
| 87.236.215.248 | IPv4 | Tor Proxy |
| 88.198.167.20 | IPv4 | Tor Proxy |
| 94.23.40.220 | IPv4 | Tor Proxy |
| 95.179.163.1 | IPv4 | Tor Proxy |
| 95.179.164.28 | IPv4 | Tor Proxy |
| 95.188.93.135 | IPv4 | Tor Proxy |
| 95.216.123.39 | IPv4 | Tor Proxy |
| 95.216.137.149 | IPv4 | Tor Proxy |
| 95.217.27.5 | IPv4 | Tor Proxy |