Botnet (僵尸网络)

National Cybersecurity Incident Response Center alert: guard against overseas malicious URLs and malicious IPs
Zhong Guo Xin Wen Wang · 2026-01-20 06:25
Core Viewpoint
- The National Cybersecurity Incident Response Center of China has identified a series of malicious websites and IP addresses linked to foreign hacker organizations that pose significant threats to the networks and internet users of China and other countries [1].

Group 1: Malicious Address Information
- Malicious address: telnet.icealeximino.live, IP 51.81.255.132, location USA/Oregon/Portland. Threat type: Botnet. Virus family: V3G4Bot. Description: a variant of the Mirai botnet targeting Linux and IoT devices, capable of launching DDoS attacks [1].
- Malicious address: nj5056ja.duckdns.org, IP 104.250.167.52, location Canada/Quebec/Montreal. Threat type: Backdoor. Virus family: NjRAT. Description: a remote access trojan with screen monitoring, keylogging, and data theft capabilities [2].
- Malicious address: dinero26.duckdns.org, IP 192.159.99.171, location UK/England/London. Threat type: Backdoor. Virus family: RemCos. Description: a remote administration tool that can carry out a range of malicious activities, including keylogging and password theft [3].
- Malicious address: coomm.servebbs.net, IP 185.196.20.150, location Germany/Bavaria/Nuremberg. Threat type: Backdoor. Virus family: AsyncRAT. Description: a backdoor trojan with screen monitoring and file theft functionality [4].
- Malicious address: sedef3.duckdns.org, IP 188.89.182.68, location Netherlands. Threat type: Backdoor. Virus family: Xworm. Description: a .NET-compiled backdoor with extensive remote control features [5].
- Malicious address: 103.136.41.159, location Netherlands/South Holland/Naaldwijk. Threat type: Botnet. Virus family: Mirai. Description: a Linux botnet capable of launching DDoS attacks [6].
- Malicious address: 151.243.109.160, location Netherlands/North Brabant/Eindhoven. Threat type: Botnet. Virus family: Gafgyt. Description: an IoT botnet that attacks network devices and launches DDoS attacks [7].
- Malicious address: xerecanega.ddns.net, IP 186.192.123.40, location Brazil/Goiás/Goianésia. Threat type: Backdoor. Virus family: NjRAT. Description: similar to the NjRAT instance above, capable of extensive remote control [10].
- Malicious address: cvawrs.duckdns.org, IP 160.187.246.23, location Vietnam/Thanh Hoa. Threat type: Botnet. Virus family: SoftBot. Description: a botnet capable of launching various forms of DDoS attacks [11].

Group 2: Detection and Response Methods
- Method 1: Review browser history and recent network traffic for connections to the listed malicious addresses, and extract the source IP and device information for further analysis [12].
- Method 2: Deploy network traffic detection devices to analyze flow data and track activity related to the identified malicious websites and IPs [12].
- Method 3: Report incidents to law enforcement and cooperate with on-site investigation and technical tracing [14].
X @外汇交易员
外汇交易员 · 2025-09-30 06:00

Security Vulnerabilities
- Multiple Unitree Robotics models have serious vulnerabilities in their BLE (Bluetooth Low Energy) Wi-Fi configuration interface [1]
- Attackers can bypass authentication via the BLE interface to gain root access [1]
- Compromised robots can automatically spread the infection to other robots, forming a robot botnet [1]

Company Response
- Unitree Robotics has responded and is working to resolve the issues, with most fixes already completed [1]
- The company will continue to improve permission management to minimize potential misunderstandings [1]
NSFOCUS (绿盟科技): 2025 Botnet Trend Report
Sou Hu Cai Jing · 2025-04-11 04:35

Group 1
- The core viewpoint of the report is that botnets are increasingly being used as tools in geopolitical conflicts, impacting critical infrastructure and influencing public opinion [16][22][25]
- Botnets are evolving into weapons for state-level cyber warfare, with significant DDoS attacks observed during major geopolitical events such as the Russia-Ukraine war and the Israel-Palestine conflict [16][22]
- The report highlights that botnets are being utilized by advanced persistent threat (APT) groups and ransomware gangs for intelligence gathering and launching follow-on attacks [17][39]

Group 2
- The report indicates that the Mirai botnet family is the most active, with a significant number of command and control (C&C) servers located in the United States [67][68]
- Botnet infection methods include exploiting vulnerabilities on Linux/IoT platforms and using phishing emails on Windows platforms, with the U.S. having the highest number of infected devices [51][58]
- The report notes that botnets are increasingly employing advanced evasion techniques to avoid detection, such as Domain Generation Algorithms (DGA) and DNS over HTTPS (DoH) [2][17]

Group 3
- New botnet families are emerging with unique functionality and communication patterns, posing growing threats to cybersecurity [3][67]
- Active botnet groups such as Hail and KekSec are frequently launching attacks, while newer groups such as Bigpanzi are also contributing to the evolving threat landscape [4][3]
- The report predicts that botnets will be used more efficiently by APT and ransomware groups for profit-driven activities, with enhanced stealth in their propagation methods [4][16]
Botnet Trend Report (2025 Edition)
Lv Meng Ke Ji · 2025-04-10 01:55

Investment Rating
- The report does not explicitly state an investment rating for the industry or specific companies.

Core Insights
- The report highlights the increasing significance of botnets as tools of geopolitical conflict, particularly in recent global events such as the Russia-Ukraine war and the Israel-Palestine conflict, where botnets have been used for DDoS attacks against critical infrastructure [14][18].
- The report indicates that the threat posed by botnets is escalating, with a notable increase in the number of command and control (C&C) servers and in attack activity, particularly against domestic critical infrastructure [14][15].
- Botnets are increasingly being used as a launchpad by advanced persistent threat (APT) and ransomware groups, improving their operational efficiency by gathering intelligence and facilitating follow-on attacks [15][43].

Summary by Sections

Executive Summary
- In 2024, the global landscape was marked by turmoil and challenges, with cyberspace becoming a battleground for major powers in which botnets play a crucial role in state-sponsored cyber operations [14].
- Botnets have been observed executing high-intensity DDoS attacks against critical infrastructure, manipulating public opinion, and expressing political stances during significant geopolitical events [14][15].

Botnet Development Trends
- Botnets have evolved into essential tools for state-level cyber warfare, with their operational capabilities leveraged for both offensive and defensive strategies in the digital realm [18].
- The report notes that the Mirai botnet family remains the most active, and that the Mozi malware continues to spread at high levels, primarily by exploiting vulnerabilities on Linux/IoT platforms [14][15].

Botnet Vulnerability and Propagation
- The report finds that Linux/IoT botnets primarily exploit outdated vulnerabilities and weak passwords to propagate, while Windows platforms are more susceptible to phishing and social engineering [59][67].
- The geographical distribution of infected devices shows that the United States has the highest number of infected endpoints, followed by India, Russia, and Brazil [70][71].

Botnet Attack Activity Analysis
- The Mirai botnet family is responsible for the majority of attack commands issued, with a significant spike in activity noted in September 2024 [80].
- China is reported to be the most targeted country for DDoS attacks, accounting for 34% of all recorded incidents, which calls for enhanced protection of critical infrastructure [80].