Cybersecurity researchers have disclosed a new botnet called Zergeca that is capable of conducting distributed denial-of-service (DDoS) attacks.
Written in Golang, the botnet takes its name from the string "ootheca" present in the domains of its command-and-control (C2) servers ("ootheca[.]pw" and "ootheca[.]top").
"Regarding functionality, Zergeca represents more than a typical DDoS botnet; beyond supporting six varied attack methodologies, it also includes features for proxying, scanning, self-enhancement, maintaining persistence, file exchange, reverse shell operation, and gathering critical device details," the QiAnXin XLab team said in a report.
Zergeca is also notable for using DNS-over-HTTPS (DoH) to resolve the C2 server's domain and for relying on a little-known library called Smux for C2 communications.
There is evidence that the malware is under active development and is being updated to support new commands. Furthermore, the C2 IP address 84.54.51[.]82 was previously used to distribute the Mirai botnet around September 2023.
Starting April 29, 2025, the same IP address began serving as a C2 server for the new botnet, suggesting that the threat actors may have "gained extensive expertise in managing the Mirai botnets prior to establishing Zergeca."
The botnet's attacks, primarily ACK flood DDoS attacks, targeted Canada, Germany, and the U.S. between early and mid-June 2024.
Zergeca consists of four distinct modules: persistence, proxy, silivaccine, and zombie. These respectively establish persistence by installing a system service, provide proxying, remove competing miner and backdoor malware to gain exclusive control of systems running the x86-64 CPU architecture, and handle the core botnet functions.

The zombie module is responsible for reporting sensitive information about the compromised device to the C2 server and then waits for commands from the server, supporting six types of DDoS attacks, scanning, reverse shell operation, and other functionality.
“The embedded blacklist showcases familiarity with common Linux threats,” XLab stated. “Techniques like customized UPX packing, XOR encryption for sensitive strings, and employing DoH for concealing C2 resolutions reveal a deep understanding of evasion strategies.”