A new botnet malware called ‘Eleven11bot’ has compromised more than 86,000 Internet of Things (IoT) devices.
The botnet, which has been loosely linked to Iran, has already launched attacks against telecommunication service providers and online gaming servers. It primarily targets security cameras and network video recorders (NVRs) to carry out large-scale distributed denial-of-service (DDoS) attacks.
Nokia researchers first identified the malware and disclosed their findings to the threat intelligence platform GreyNoise. Nokia’s security researcher Jérôme Meyer described Eleven11bot as one of the most significant DDoS botnets observed in recent years, with a rapidly growing network of compromised webcams and NVRs. He noted that the botnet’s scale is unprecedented among non-state actor campaigns, making it one of the largest since the invasion of Ukraine in early 2022.
Earlier today, The Shadowserver Foundation, a threat monitoring platform, reported detecting 86,400 infected devices, with most located in the United States, the United Kingdom, Mexico, Canada, and Australia. GreyNoise, with the assistance of Censys, identified 1,400 IP addresses associated with the botnet in the past month, with 96% of them originating from real, non-spoofed devices. The majority of these IPs are based in Iran, and more than 300 have been flagged as malicious.
The malware spreads by brute-forcing weak admin credentials, leveraging default login details for specific IoT models, and actively scanning for exposed Telnet and SSH ports. In response, GreyNoise has published a list of malicious IP addresses linked to Eleven11bot, advising security teams to incorporate them into their blocklists and monitor for unusual login attempts.
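One way to act on the blocklist and login-monitoring advice above, as an added example that is not from the original article or from GreyNoise: the script checks OpenSSH-style auth log lines against a blocklist and flags password-guessing bursts. The log lines, the blocklist entries and the `triage` function are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample data. Addresses come from RFC 5737 documentation ranges;
# they are not real Eleven11bot indicators.
BLOCKLIST = ["203.0.113.0/28", "198.51.100.77"]
AUTH_LOG = """\
Mar  4 10:00:01 nvr1 sshd[811]: Failed password for admin from 203.0.113.5 port 40112 ssh2
Mar  4 10:00:02 nvr1 sshd[812]: Failed password for invalid user root from 192.0.2.44 port 51000 ssh2
Mar  4 10:00:03 nvr1 sshd[813]: Failed password for invalid user support from 192.0.2.44 port 51002 ssh2
Mar  4 10:00:04 nvr1 sshd[814]: Failed password for admin from 192.0.2.44 port 51004 ssh2
Mar  4 10:00:05 nvr1 sshd[815]: Accepted password for admin from 192.0.2.44 port 51006 ssh2
Mar  4 10:05:00 nvr1 sshd[816]: Failed password for operator from 192.0.2.10 port 42000 ssh2
Mar  4 10:06:00 nvr1 sshd[817]: Accepted password for operator from 192.0.2.10 port 42002 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?\S+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def triage(log_text, blocklist, max_failures=3):
    """Return {source_ip: [reasons]} for logins that deserve a closer look."""
    nets = [ipaddress.ip_network(entry, strict=False) for entry in blocklist]
    failures, findings = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        match = EVENT.search(line)
        if not match:
            continue
        outcome, ip = match.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # malformed address in the log line
            continue
        if any(addr in net for net in nets):
            findings[ip].add("blocklisted")
        if outcome == "Failed":
            failures[ip] += 1
            if failures[ip] >= max_failures:
                findings[ip].add("brute-force")
        elif failures[ip] >= max_failures:
            # A success right after a burst of failures suggests a guessed password.
            findings[ip].add("login-after-brute-force")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}

if __name__ == "__main__":
    for ip, reasons in triage(AUTH_LOG, BLOCKLIST).items():
        print(ip, ", ".join(reasons))
```

A source that fails once and then logs in, like 192.0.2.10 in the sample, stays below the threshold and is not reported.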
To mitigate the risk, users should ensure their IoT devices are running the latest firmware, disable remote access features if not necessary, and replace default credentials with strong, unique passwords. Since IoT devices often lack long-term vendor support, periodically checking for end-of-life (EOL) status and upgrading to newer models when needed is essential for maintaining security.
Bijay Pokharel