Cybersecurity researchers have uncovered a new botnet called Zergeca that is capable of conducting distributed denial-of-service (DDoS) attacks.
Written in Golang, the botnet is so named for its reference to a string named “ootheca” present in the command-and-control (C2) servers (“ootheca[.]pw” and “ootheca[.]prime”).
“Functionally, Zergeca is not just a typical DDoS botnet; besides supporting six different attack methods, it also has capabilities for proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive system information,” the QiAnXin XLab team said in a report.
Zergeca is also notable for using DNS-over-HTTPS (DoH) to perform Domain Name System (DNS) resolution of the C2 server and for using a lesser-known library called Smux for C2 communications.
There is evidence to suggest that the malware is under active development and is being updated to support new commands. What’s more, the C2 IP address 84.54.51[.]82 is said to have been previously used to distribute the Mirai botnet around September 2023.
As of April 29, 2025, the same IP address began to be used as a C2 server for the new botnet, raising the possibility that the threat actors “accumulated experience operating the Mirai botnets before developing Zergeca.”
Attacks mounted by the botnet, primarily ACK flood DDoS attacks, have targeted Canada, Germany, and the U.S. between early and mid-June 2024.
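To make the ACK flood behaviour concrete from the defender’s side, here is an added Python example (not code from the XLab report or from the malware) that flags hosts receiving ACK-only packets from client sockets that never sent a SYN, run over constructed packet-summary lines; the line format, the per-second window and the threshold are assumptions.

```python
from collections import Counter

# Constructed packet-summary lines (not from the report):
# "<seconds> <src_ip:port> <dst_ip:port> <tcp_flags>"
SAMPLE_PACKETS = """\
0.001 198.51.100.7:40001 203.0.113.10:80 S
0.002 203.0.113.10:80 198.51.100.7:40001 SA
0.003 198.51.100.7:40001 203.0.113.10:80 A
0.004 198.51.100.7:40001 203.0.113.10:80 PA
0.010 192.0.2.5:1000 203.0.113.10:80 A
0.011 192.0.2.6:1001 203.0.113.10:80 A
0.012 192.0.2.7:1002 203.0.113.10:80 A
0.013 192.0.2.8:1003 203.0.113.10:80 A
0.014 192.0.2.9:1004 203.0.113.10:80 A
0.015 192.0.2.10:1005 203.0.113.10:80 A
"""


def parse_packets(text):
    """Parse the constructed summary lines into (time, src, dst, flags) tuples."""
    packets = []
    for line in text.strip().splitlines():
        ts, src, dst, flags = line.split()
        packets.append((float(ts), src, dst, flags))
    return packets


def orphan_ack_counts(packets):
    """Count ACK-only packets per (destination IP, one-second window) whose
    client socket never sent a SYN. An ACK flood sends bare ACKs to hosts that
    never handshaked; a capture started mid-stream also yields orphan ACKs, so
    this is a rate signal to alert on, not proof by itself."""
    seen_syn = set()  # (client socket, server socket) pairs that sent a SYN
    orphans = Counter()
    for ts, src, dst, flags in packets:
        if flags == "S":
            seen_syn.add((src, dst))
        elif flags == "A" and (src, dst) not in seen_syn:
            orphans[(dst.rsplit(":", 1)[0], int(ts))] += 1
    return orphans


def detect_ack_flood(text, threshold=5):
    """Return destination IPs that received >= threshold orphan ACKs in any
    one-second window (threshold is an assumed tuning value)."""
    counts = orphan_ack_counts(parse_packets(text))
    return sorted({dst for (dst, _), n in counts.items() if n >= threshold})
```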
Zergeca’s features span four distinct modules, namely persistence, proxy, silivaccine, and zombie, which respectively set up persistence by adding a system service, implement proxying, remove competing miner and backdoor malware to gain exclusive control over devices running the x86-64 CPU architecture, and handle the main botnet functionality.
The zombie module is responsible for reporting sensitive information from the compromised device to the C2 and awaits commands from the server, supporting six types of DDoS attacks, scanning, reverse shell, and other functions.
“The built-in competitor list shows familiarity with common Linux threats,” XLab said. “Techniques like modified UPX packing, XOR encryption for sensitive strings, and using DoH to hide C2 resolution demonstrate a strong understanding of evasion tactics.”