Security News

Dark Nexus: The Evolving IoT Botnet Targets Variety of Devices Says Bitdefender Research

Security researchers from security vendor Bitdefender have uncovered a new botnet which is targeting millions of IoT devices.

The so-called dark_nexus botnet seeks to infect common IoT devices like smart cameras, routers, and more. Bitdefender gave dark_nexus its name after featuring in its user agent string when carrying out exploits over HTTP: “dark_NeXus_Qbot/4.0”.

According to a new report from Bitdefender, the Dark Nexus botnet borrows ideas and features from previously successful IoT threats like Qbot and Mirai, but is largely an original creation by an established malware developer who advertises distributed denial-of-service (DDoS) services on YouTube and other social media websites.

Bitdefender has been tracking the botnet for over three months and says it’s able to launch a range of DDoS attacks, spread multiple strains of malware, and affects 12 different CPU architectures.

“While it might share some features with previously known IoT botnets, the way some of its modules have been developed makes it significantly more potent and robust,” Bitdefender says.

One of the unique features of dark_nexus is its use of a “scoring system” which assesses which processes might pose a risk to it. The botnet maintains a list of whitelisted processes and kills every other process that appears suspicious.

Bitdefender believes dark_nexus is created by a known botnet author that has been actively selling botnet code and DDoS services for many years. Under the username of greek. Helios, the suspected author has posted demos of his work on YouTube and posted information on cybercriminal forums.

Achieving persistence on some embedded devices, especially routers, is difficult because modifications made during their runtime are only stored in RAM and their file systems are reset at reboot. That is why Dark Nexus attempts to delay device reboots for as long as possible and uses some persistence techniques that the author probably knows work on at least some devices, but not all.


The best defense against IoT malware is to change the default administrative credentials supplied with the devices and to make sure their firmware is always up to date. Most devices should not be exposed directly to the internet. This cannot be avoided with routers, but their admin interface can be restricted to the LAN. IP cameras and DVRs, for example, do not need to be connected directly to the internet and can be monitored securely through VPNs.

“Companies should audit internal networks to identify connected IoT devices and run a vulnerability assessment to discover unpatched or misconfigured ones before the bad guys do,” said Bogdan Botezatu, director of threat research and reporting at Bitdefender.

(Image Courtesy:

Leave a Comment

Your email address will not be published.

You may also like