#Eleven11bot
New Eleven11bot Hacked 86,000 IP Cameras for Massive DDoS Attack:

cybersecuritynews.com/new-eleven11...
June 6, 2025 at 7:48 AM
New Eleven11bot Hacked 86,000 IP Cameras for Massive DDoS Attack
The cybersecurity landscape faces a growing threat from sophisticated botnet operations targeting Internet of Things (IoT) devices, with recent developments highlighting the vulnerability of connected cameras and smart devices. While specific details about the Eleven11bot malware remain limited in publicly available research, the broader context reveals an alarming trend of attackers exploiting poorly secured IP cameras to construct massive distributed denial-of-service (DDoS) networks capable of generating unprecedented traffic volumes.

The emergence of large-scale IoT botnets represents a significant escalation in cyber threat capabilities, with attackers increasingly targeting IP cameras due to their widespread deployment, often inadequate security configurations, and substantial bandwidth capacity. These compromised devices can collectively generate traffic volumes measured in terabits per second, making them particularly attractive for cybercriminals seeking to maximize the impact of their DDoS campaigns. The scale of 86,000 compromised IP cameras suggests a highly organized operation with sophisticated infection and command-and-control mechanisms.

StormWall analysts identified a dramatic surge in DDoS attack sophistication during Q1 2025, with carpet bombing attacks rising by 96% across the Asia-Pacific region.

[Figure: Attack data (Source – StormWall)]

This trend aligns with the operational characteristics typically associated with large IoT botnets, where attackers deploy multiple attack vectors simultaneously to overwhelm target defenses. The researchers noted that modern DDoS campaigns increasingly combine UDP floods, TCP SYN floods, and HTTP-based attacks in rapid succession, employing what security experts describe as an “everything, everywhere, all at once” approach.

[Figure: DDoS attacks by countries (Source – StormWall)]

The technical implications of such large-scale IoT compromises extend beyond simple volumetric attacks. Modern botnet operators have evolved their tactics to include sophisticated evasion techniques that keep traffic volume per compromised device below conventional detection thresholds, making identification and mitigation significantly more challenging. This strategic approach allows attackers to maintain persistent access to compromised devices while avoiding detection by legacy security systems designed to identify traditional high-volume flood attacks.

Infection Mechanism and Payload Delivery

The infection vectors employed by advanced IoT botnets typically exploit a combination of weak authentication protocols and unpatched firmware vulnerabilities present in consumer and commercial IP camera systems. While specific code analysis of the Eleven11bot payload remains unavailable, similar malware families generally utilize automated scanning techniques to identify vulnerable devices across large IP address ranges.

The infection process commonly begins with dictionary-based credential attacks targeting default or weak passwords, followed by exploitation of known Common Vulnerabilities and Exposures (CVE) entries affecting popular camera firmware. Once initial access is established, the malware typically downloads additional payloads designed to establish persistence and integrate the compromised device into the botnet command structure.

The scale of 86,000 compromised devices suggests the operation employed highly efficient automated scanning and infection techniques, likely leveraging cloud-based infrastructure to distribute the workload across multiple scanning nodes. This distributed approach enables rapid identification and compromise of vulnerable devices while minimizing the risk of detection by network security monitoring systems.

The post New Eleven11bot Hacked 86,000 IP Cameras for Massive DDoS Attack appeared first on Cyber Security News.
cybersecuritynews.com
June 5, 2025 at 7:27 PM
New Eleven11bot Mashed 86,000 IP Cameras for Massive DDoS Attack The potatosecurity landscape face...

#Potato #Security #News #Threats #potato #security #potato #security #news

Origin | Interest | Match
June 5, 2025 at 5:56 PM
New Eleven11bot Hacked 86,000 IP Cameras for Massive DDoS Attack The cybersecurity landscape face...

#Cyber #Security #News #Threats #cyber #security #cyber #security #news

Origin | Interest | Match
New Eleven11bot Hacked 86,000 IP Cameras for Massive DDoS Attack
Botnets like Eleven11bot now target IoT devices, hijacking IP cameras to build DDoS networks generating massive traffic surges.
cybersecuritynews.com
June 5, 2025 at 5:56 PM
New Eleven11bot Hacks 86,000 IP Cameras for Large-Scale DDoS Attack https://gbhackers.com/new-eleven11bot-hacks-86000-ip-cameras/
June 5, 2025 at 8:02 AM
New Eleven11bot Compromises 86,000 IP Cameras for Massive DDoS Attack Researchers have uncovered ...

https://potatopress.org/new-eleven11bot-compromises-86000-ip-cameras/

#Potato #Attack #Potato #Security #News #Potatosecurity #DDoS #Potato #Security #Potato #security

Result Details
June 4, 2025 at 3:41 PM
New Eleven11bot Compromises 86,000 IP Cameras for Massive DDoS Attack Researchers have uncovered ...

https://cyberpress.org/new-eleven11bot-compromises-86000-ip-cameras/

#Cyber #Attack #Cyber #Security #News #Cybersecurity #DDoS #Cyber #Security #Cyber #security

Result Details
June 4, 2025 at 3:41 PM
Btw, it says near-record because the largest recorded DDoS attack was 6.5Tb/s from the Eleven11bot IoT botnet: www.wired.com/story/eleven...
A Brand-New Botnet Is Delivering Record-Size DDoS Attacks
Eleven11bot infects webcams and video recorders, with a large concentration in the US.
www.wired.com
May 21, 2025 at 3:30 AM
The ACN March 2025 report highlights growth in cyber incidents in Italy, new exploits against strategic software, and coordinated ransomware and DDoS campaigns

#ACN #assetcompromessi #csirt #CVE #DDoS #eleven11bot #Italia #locali #LockBit30 #PA #PHISHING
www.matricedigitale.it/sicurezza-in...
April 18, 2025 at 8:16 AM
How big is "Eleven11bot", the Mirai-variant botnet? Estimates currently differ between companies: Cybersecurity Dive - ITmedia Enterprise https://www.itmedia.co.jp/enterprise/articles/2503/21/news070.html
March 21, 2025 at 1:25 AM
😈 Some infamous botnets:

1️⃣ Eleven11Bot – The latest botnet targeting cloud services & IoT devices to launch sophisticated DDoS attacks.
2️⃣ ZeuS – A banking trojan that infected millions of PCs, stealing financial data and login credentials.
March 18, 2025 at 7:45 PM
All-clear for livespotting customers: our cameras are protected against the Eleven11bot botnet. There is no danger from DDoS attacks. More information in our blog.

livespotting.com/de/blog/live...
Webcam DDoS from Eleven11bot? Not for livespotting customers!
All-clear on Eleven11bot: livespotting cameras remain protected – no danger from DDoS!
livespotting.com
March 14, 2025 at 10:42 AM
Does anyone have samples/hashes of the IoT mentioned as `eleven11bot` in different reports? Maybe @hrbrmstr

#lookingforsample
hrbrmstr (@hrbrmstr@infosec.exchange)
86 Posts, 59 Following, 693 Followers · Pampa•Don't look @ me…I do what he does—just slower. #rstats avuncular•👨‍🍳•✝️•💤•Varaforseti í Gögn Vísindi @ @greynoiseio + @carnegiemellon lecturer #BLM🇺🇦
infosec.exchange
March 13, 2025 at 7:52 AM
New Botnet Dubbed “Eleven11bot” Hacked 30,000 Webcams
A newly identified botnet, tracked as Eleven11bot, has compromised approximately 30,000 internet-connected devices—primarily security cameras and network video recorders (NVRs)—to launch distributed denial-of-service (DDoS) attacks against critical infrastructure. Discovered by Nokia Deepfield’s Emergency Response Team (ERT) on February 26, 2025, the botnet has since been linked to multi-day campaigns targeting telecom providers, gaming platforms, and enterprise networks. Security researcher Jérôme Meyer, who contributed to its analysis, described it as “one of the largest known DDoS botnet campaigns observed since the invasion of Ukraine in February 2022”.

Mirai Variant with HiSilicon Exploit

Eleven11bot is not a standalone botnet but a Mirai variant leveraging a novel exploit against HiSilicon-based IoT devices, particularly those running the TVT-NVMS9000 video management software. The malware exploits default credentials and unpatched vulnerabilities in firmware to gain control of devices. Unlike earlier Mirai iterations, Eleven11bot uses a refined scanning algorithm to identify exposed Telnet (Port 23) and SSH (Port 22) services, followed by brute-force attacks using credential dictionaries tailored to IoT manufacturers like VStarcam.

GreyNoise Intelligence analyzed 1,400 IPs associated with the botnet, confirming 1,042 as actively malicious. Of these, 96% originate from non-spoofable, geolocatable devices, with 61% (636 IPs) traced to Iran. The botnet’s command-and-control (C2) infrastructure uses encrypted channels to distribute attack payloads, including UDP flood and HTTP/HTTPS amplification vectors, with observed attack intensities ranging from 100,000 to over 500 million packets per second (pps).

Initial reports estimated 86,400 infected devices based on a misinterpreted network signature—“head[…]1111”—detected in traffic logs. This signature was later attributed to the HiSilicon SDK protocol, a legitimate component of remote device management in white-labeled IoT hardware. Revised analysis by GreyNoise suggests fewer than 5,000 devices are actively compromised, though the botnet’s concentrated firepower remains significant.

The botnet’s surge coincided with renewed U.S. economic sanctions against Iran on March 5, 2025, though GreyNoise cautions against direct attribution. Compromised devices in Iran largely belong to residential ISPs and small businesses using outdated firmware. Eleven11bot’s operators have prioritized targets in the telecommunications sector, with attacks disrupting latency-sensitive services like VoIP and cloud gaming.

Notably, the botnet avoids targeting networks protected by Nokia Deepfield’s Defender platform, which uses real-time traffic analysis to filter malicious payloads. Meyer emphasized that Deepfield customers were “fully shielded” due to preemptive botnet IP blocklisting and behavioral anomaly detection.

Mitigation Strategies for Organizations

GreyNoise recommends the following actions to counter Eleven11bot and similar threats:

- Network-Level Blocking: Deploy firewalls or intrusion prevention systems (IPS) to block traffic from the 1,042 malicious IPs identified by GreyNoise.
- IoT Hardening: Disable remote administration, change default credentials, and apply firmware updates for HiSilicon-based devices. The TVT-NVMS9000 software requires immediate patching for CVE-2024-32899 (unauthenticated RCE).
- DDoS Mitigation: Enable rate-limiting for UDP/53 (DNS) and UDP/123 (NTP) protocols, and deploy cloud-based scrubbing services during attacks.
- Behavioral Monitoring: Use SIEM tools to flag repeated login attempts on Telnet/SSH ports and unexpected outbound traffic from IoT devices.

While Eleven11bot’s initial infection numbers were overstated, its capacity for high-pps DDoS attacks poses a tangible risk to unsecured networks. The incident underscores the critical need for firmware updates and zero-trust policies in IoT environments. As researchers continue to monitor the botnet’s 305 actively malicious IPs, organizations are urged to audit their device landscapes and adopt proactive threat-hunting measures.

The post New Botnet Dubbed “Eleven11bot” Hacked 30,000 Webcams appeared first on Cyber Security News.
cybersecuritynews.com
March 12, 2025 at 8:06 AM
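
An added example, not taken from the article above or from GreyNoise, of the behavioral monitoring the article recommends: it flags sources with repeated failed Telnet/SSH logins and IoT devices that open connections outside their segment. The log format, event names, thresholds, and every address are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events, not real telemetry. Assumed line format:
# "<epoch> <event> <src_ip> <dst_ip> <dst_port>", sorted by time.
SAMPLE_LOG = """\
1741000000 auth_fail 203.0.113.7 10.0.5.20 23
1741000004 auth_fail 203.0.113.7 10.0.5.20 23
1741000008 auth_fail 203.0.113.7 10.0.5.20 23
1741000012 auth_fail 203.0.113.7 10.0.5.21 22
1741000016 auth_fail 203.0.113.7 10.0.5.21 22
1741000020 auth_fail 198.51.100.9 10.0.5.20 22
1741000025 conn_open 10.0.5.20 10.0.1.10 123
1741000030 conn_open 10.0.5.20 192.0.2.80 8080
1741000031 conn_open 10.0.9.4 192.0.2.80 443
truncated line
1741000200 auth_fail 198.51.100.9 10.0.5.20 22
"""

IOT_SEGMENT = ipaddress.ip_network("10.0.5.0/24")    # assumed camera/NVR VLAN
ALLOWED_DESTS = {ipaddress.ip_address("10.0.1.10")}  # assumed recorder/NTP host
ADMIN_PORTS = {22, 23}                               # SSH and Telnet
FAIL_THRESHOLD, WINDOW = 5, 60                       # failures per source per 60 s

def detect(log):
    """Return (brute_force_sources, unexpected_outbound_connections)."""
    fails = defaultdict(list)   # source IP -> recent failure timestamps
    brute, outbound = set(), set()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue            # skip malformed lines
        try:
            ts, port = int(parts[0]), int(parts[4])
            src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
        except ValueError:
            continue            # skip lines with bad numbers or addresses
        if parts[1] == "auth_fail" and port in ADMIN_PORTS:
            # Sliding window: keep only failures from the last WINDOW seconds
            recent = [t for t in fails[src] if ts - t <= WINDOW] + [ts]
            fails[src] = recent
            if len(recent) >= FAIL_THRESHOLD:
                brute.add(str(src))
        elif parts[1] == "conn_open" and src in IOT_SEGMENT:
            # IoT devices should only talk to their own segment or known hosts
            if dst not in IOT_SEGMENT and dst not in ALLOWED_DESTS:
                outbound.add((str(src), str(dst), port))
    return sorted(brute), sorted(outbound)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Failures are counted per source across both ports and all targets, so a scanner that spreads attempts over several cameras still crosses the threshold.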
A newly identified botnet, dubbed Eleven11bot, has been orchestrating record-breaking distributed denial-of-service (DDoS) attacks, according to recent reports. This botnet infected numerous devices, many of which had not previously been associated with DDoS activities.
www.wired.com/story/eleven...
A Brand-New Botnet Is Delivering Record-Size DDoS Attacks
Eleven11bot infects webcams and video recorders, with a large concentration in the US.
www.wired.com
March 12, 2025 at 5:42 AM
New Botnet Dubbed “Eleven11bot” Hacked 30,000 Webcams A newly identified botnet, tracked as E...

https://cybersecuritynews.com/new-botnet-dubbed-eleven11bot-hacked/

#Botnet #Cyber #Security #Cyber #Security #News #DDOS #cyber #security #cyber #security

Event Attributes
New Botnet Dubbed “Eleven11bot” Hacked 30,000 Webcams
cybersecuritynews.com
March 12, 2025 at 1:06 AM
The Rise of Eleven11bot: A Growing Cybersecurity Threat

A new cyber menace has emerged in the form of Eleven11bot, a sophisticated botnet that has already compromised tens of thousands of internet-connected devices, predominantly targeting security cameras and network video recorders (NVRs). This…
The Rise of Eleven11bot: A Growing Cybersecurity Threat
A new cyber menace has emerged in the form of Eleven11bot, a sophisticated botnet that has already compromised tens of thousands of internet-connected devices, predominantly targeting security cameras and network video recorders (NVRs). This botnet has been used to launch large-scale distributed denial-of-service (DDoS) attacks, causing widespread disruptions in critical sectors such as telecommunications and gaming platforms. Since its discovery in February 2025, Eleven11bot has quickly become one of the largest DDoS botnet campaigns seen since 2022.
undercodenews.com
March 11, 2025 at 2:53 PM
New Botnet ‘Eleven11bot’ Compromises 30,000 Webcams A newly identified botnet, dubbed Eleven1...

https://cyberpress.org/new-botnet-eleven11bot-compromises-30000-webcams/

#Botnet #Cyber #Security #News #Cybersecurity #DDoS #Cyber #Security #Cyber #security #news

Event Attributes
New Botnet ‘Eleven11bot’ Compromises 30,000 Webcams
A newly identified botnet, dubbed Eleven11bot, has emerged as a significant cyber threat, compromising over 30,000 internet-connected devices
cyberpress.org
March 11, 2025 at 4:39 PM
New Botnet ‘Eleven11bot’ Compromises 30,000 Webcams A newly identified botnet, dubbed Eleven1...

https://cyberpress.org/new-botnet-eleven11bot-compromises-30000-webcams/

#Botnet #Cyber #Security #News #Cybersecurity #DDoS #Cyber #Security #Cyber #security #news

Event Attributes
New Botnet ‘Eleven11bot’ Compromises 30,000 Webcams
A newly identified botnet, dubbed Eleven11bot, has emerged as a significant cyber threat, compromising over 30,000 internet-connected devices
cyberpress.org
March 11, 2025 at 2:19 PM
◼️ Eleven11bot is most likely a variant of the notorious Mirai malware, known for targeting Internet of Things (IoT) devices.
◼️ The botnet exploits vulnerabilities in TVT-NVMS 9000 digital video recorders running on HiSilicon chips.
❗ How can you protect against such cyber threats?
March 11, 2025 at 7:14 AM
◼️ Most IP addresses participating had never been seen engaging in DDoS attacks.
◼️ While early estimates pointed to approximately 30,000 devices being part of Eleven11bot, subsequent analyses from cybersecurity experts have offered differing figures, leading to a debate about the botnet’s actual size
March 11, 2025 at 7:14 AM
◼️ Eleven11bot has consistently launched massive attacks, disrupting communications service providers and gaming hosting infrastructures.
◼️ The botnet reached an astonishing peak of 6.5 terabits per second (Tbps) on 27 February 2025, surpassing the previous record of 5.6 Tbps a month earlier.
March 11, 2025 at 7:14 AM
🌐 The biggest denial-of-service attack up to now🌐
👉 A newly surfaced botnet named "Eleven11bot" has triggered what's perceived to be the most extensive distributed denial-of-service (DDoS) attacks on record. Its sudden emergence and scope have raised concerns.
March 11, 2025 at 7:14 AM