Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Gafgyt

129
Global rank
94 infographic chevron month
Month rank
125 infographic chevron week
Week rank
0
IOCs

Gafgyt, also known as BASHLITE, is a botnet affecting Internet of Things (IoT) devices and Linux-based systems. The malware aims to compromise and gain control of these devices, often by exploiting weak or default passwords, as well as known vulnerabilities. Gafgyt has been around since 2014 and has evolved into multiple variants, each with its own set of features and capabilities, including the ability to launch distributed denial of service (DDoS) attacks.

Botnet
Type
Unknown
Origin
1 September, 2014
First seen
7 October, 2025
Last seen
Also known as
BASHLITE
LizardStresser
Torlus

How to analyze Gafgyt with ANY.RUN

Type
Unknown
Origin
1 September, 2014
First seen
7 October, 2025
Last seen

IOCs

Hashes
f2d0e09c0bfafcbd4c34d17876ba904609166385a98d939e42835afa08fcfad6
425a0a8c30db2392ee0417bbc358e2d981a91bf019b120ad1c26232dfbcd786a
5f93cde41bf79ff93865979d26497fade27d144095d4c0f6d4016e156c4699b7
1e1d2b19e0e6831266b74f0b565defbd1ecc809675937e5dfea7f60a3042c36b
9bf6d386347ebccde99755664310da698522fed4a9b5edf40dc0db731871f861
3b1be8499ec382dfafbc496a73dea2794f6dd201b3e46a4128c7fcd88e8c17c2
cc5e73ad5d32b85ff1a07c88ac022bc9ca9750b2c9ab9cb06a4a1f833b1408ea
071d1efd8562b639963130523730599daebcf1fbf9eb23afd214467f7cd0edff
c3c90781e5ca95e27ce005ad15b63ae5bfe39fdd5e157ee260b110a5cf0a5393
ac03cbaace321ca3c832198ead3fbd9626533080a2a3908945c24d1ca0ff89e4
6f8564d0a698eb37228c32ee281253d9eba05ab8b63d63f154f4a4f1e9e12403
db8436dc925fb1e7c27e0baeba7acd6ac3a2f70c4e7eecdfe5e974864f155a5e
a90fa3c9213b835866a288ab034f54238293ba2777150044bf2929c77fd7b6ab
f08d1d7ca7862c1ed3ceef8e00b20104aeaca3ada7f6cece14b79fc0694568ee
0cd75724fcc73af1080b0f4a5ad7e672f695cffb1505e8eceaac6bda1a94f6bd
a6e85153b3abe1706e15d9fc174489a9a5acacecbbae01777ebd17881e79b288
ada6ca15ea782a6a56744eaa518a2e04620fe2a912de72cef84bcb6810538ce5
e4f787cd291bea10e71c5337ae2ae4a783405bc47ec86d497d60c1891b43b050
3338edcbefcf15b410cc5792c7a60ed30cdb2b458268a54d0514e5f0509f1c5f
6dc69cb51aac93f8663d149568ffd7327dcb16c86cf8cde151a0c2e293b67880
Last Seen at

Recent blog posts

post image
How to Grow SOC Team Expertise for Ultimate T...
watchers 109
comments 0
post image
Phishing, Cloud Abuse, and Evasion: Advanced...
watchers 443
comments 0
post image
Release Notes: Palo Alto Networks, Microsoft,...
watchers 3378
comments 0

What is Gafgyt malware?

Gafgyt, also known as BASHLITE, LizardStresser, and Torlus, is a malware family that targets Linux-based IoT devices such as routers and IP cameras. It is known for its botnet capabilities, which allow it to conduct DDoS attacks and perform other malicious activities.

Gafgyt has been active since at least 2014, when it was initially named Bashdoor. Over the years, it has been responsible for multiple high-profile DDoS attacks. For instance, in 2019, the botnet was used to disrupt the operations of Valve Source Engine and games like Fortnine by targeting their servers.

The prevalence of this malware can be attributed to the fact that its original code was exposed to the public in 2015. Since then, different threat actors have used it to build their own strains of the malware and employed them in numerous attacks.

Gafgyt execution process

We can study the behavior of Gafgyt on an infected system by analyzing its sample in ANY.RUN’s cloud malware sandbox.

We are going to use an .elf file sample, which is an executable format on Linux systems commonly used by attackers to distribute Gafgyt. View the analysis session by following this link.

Gafgyt analysis in ANY.RUN Gafgyt analysis in ANY.RUN

After launching the analysis, the service instantly detects Gafgyt and starts to record all of its malicious activities.

When looking at the Connections tab, we can see how the infected machine joins a botnet and participates in a DDoS attack. Specifically, the sandbox shows how the machine begins making thousands of connections.

Gafgyt analysis in ANY.RUN ANY.RUN also provides the Suricata rule which was used to detect Gafgyt

When exploring the Threats tab, we can observe the Suirata rules which were triggered during the analysis process. We can click on each one to access more details.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Gafgyt malware technical details

Gafgyt is written in C programming language. It uses a modular structure, which allows it to dynamically load and execute plugins. Interestingly, some of the versions of Gafgyt utilize code originally found in the Mirai malware, including TCP and HTTP flooding modules.

The primary way used by Gafgyt to hijack IoT devices is through brute forcing. The malware has a hard-coded list of default Telnet and SSH credentials which it employs in its attempts to penetrate devices.

Another method of infecting devices utilized by Gafgyt is through vulnerabilities. For instance, CVE-2017-18368 is one of the flaws exploited by the malware to target Zyxel routers. It is possible because of a lack of proper input validation in the Remote System Log forwarding function.

CVE-2023-1389 is another vulnerability abused by the most recent variants of Gafgyt. It is present on TP-Link Archer devices and once again involves the execution of an unauthorized malicious command that can be added to the country form in the web management interface.

After infecting the device, Gafgyt usually downloads a script from a pre-configured address and launches it. After collecting the device’s IP address and system information, it connects to its command-and-control server (C2).

Next, the C2 may send instructions to the malware which usually include engaging in different types of flooding attacks on specified targets.

The malware uses a combination of symmetric and asymmetric encryption for its communication.The malware's C2 servers are typically hosted on compromised devices.

Some versions of Gafgyt also have a persistence mechanism that allows it to survive device reboots.

Gafgyt malware distribution methods

Unlike botnet malware such as Socks5Systemz that spreads via loaders, Gafgyt is usually distributed through exploitation of security flaws in IoT devices. This can include devices with open Telnet or SSH ports, devices with default or weak credentials, and devices that have not been patched for known vulnerabilities.

It also has a self-propagation mechanism, which allows it to spread to other devices without any user interaction. This is typically done by scanning the internet for devices with open ports and attempting to gain access using default credentials.

The malware can also be distributed through malicious downloads. This can occur when a user downloads and executes a file from an untrusted source, such as a malicious website or email attachment.

How to analyze BASHLITE malware

Despite being decade-old, Gafgyt continues to be a considerable threat. It is particularly serious for organizations with Linux-based infrastructure. Protecting against a Gafgyt infection requires a combination of security measures, including strong unique passwords and timely patching.

To understand how Gafgyt and other malware operate, as well as to collect indicators of compromise, use ANY.RUN’s interactive sandbox.

The service is invaluable for malware analysts and SOC professionals, as it:

  • Detects threats in files and links in under 40 seconds.
  • Lets you interact with the samples and the system just like with a standard computer.
  • Offers customizable Windows and Linux virtual machines.
  • Generates comprehensive threat reports.
  • Exposes all malicious network, registry, & files activity and processes.

With ANY.RUN, you can strengthen your security posture.

Create your ANY.RUN account – it’s free!

HAVE A LOOK AT

Cobalt Strike screenshot
Cobalt Strike
cobaltstrike
Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More
Virlock screenshot
Virlock
virlock
Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.
Read More
MassLogger screenshot
MassLogger
masslogger
MassLogger is a credential stealer and keylogger first identified in April 2020. It has been actively used in cyber campaigns to exfiltrate sensitive information from compromised systems. It is designed for easy use by less tech-savvy actors and is prominent for the capability of spreading via USB drives. It targets both individuals and organizations in various industries, mostly in Europe and the USA.
Read More
Bluesky Ransomware screenshot
BlueSky ransomware, first identified in June 2022, shares code similarities with other well-known ransomware families like Conti and Babuk. It primarily spreads via phishing emails and malicious links and can propagate through networks using SMB protocols. BlueSky uses advanced evasion techniques, such as hiding its processes from debuggers via the NtSetInformationThread API, making it difficult for analysts to detect and mitigate its attacks.
Read More
BTMOB RAT screenshot
BTMOB RAT
btmob
BTMOB RAT is a remote access Trojan (RAT) designed to give attackers full control over infected devices. It targets Windows and Android endpoints. Its modular structure allows operators to tailor capabilities, making it suitable for espionage, credential theft, financial fraud, and establishing long-term footholds in corporate networks.
Read More