
Gafgyt


Gafgyt, also known as BASHLITE, is a botnet affecting Internet of Things (IoT) devices and Linux-based systems. The malware aims to compromise and gain control of these devices, often by exploiting weak or default passwords, as well as known vulnerabilities. Gafgyt has been around since 2014 and has evolved into multiple variants, each with its own set of features and capabilities, including the ability to launch distributed denial of service (DDoS) attacks.

Type: Botnet
Origin: Unknown
First seen: 1 September, 2014
Last seen: 27 October, 2025
Also known as: BASHLITE, LizardStresser, Torlus




What is Gafgyt malware?

Gafgyt, also known as BASHLITE, LizardStresser, and Torlus, is a malware family that targets Linux-based IoT devices such as routers and IP cameras. It is known for its botnet capabilities, which allow it to conduct DDoS attacks and perform other malicious activities.

Gafgyt has been active since at least 2014, when it was initially named Bashdoor. Over the years, it has been responsible for multiple high-profile DDoS attacks. For instance, in 2019, the botnet was used to disrupt the operations of Valve Source Engine and games like Fortnite by targeting their servers.

The prevalence of this malware can be attributed to the fact that its original code was exposed to the public in 2015. Since then, different threat actors have used it to build their own strains of the malware and employed them in numerous attacks.

Gafgyt execution process

We can study the behavior of Gafgyt on an infected system by analyzing its sample in ANY.RUN’s cloud malware sandbox.

We are going to use an .elf file sample, which is an executable format on Linux systems commonly used by attackers to distribute Gafgyt. View the analysis session by following this link.

Figure: Gafgyt analysis in ANY.RUN

After launching the analysis, the service instantly detects Gafgyt and starts to record all of its malicious activities.

When looking at the Connections tab, we can see how the infected machine joins a botnet and participates in a DDoS attack. Specifically, the sandbox shows how the machine begins making thousands of connections.

Figure: Gafgyt analysis in ANY.RUN. ANY.RUN also provides the Suricata rule that was used to detect Gafgyt.

When exploring the Threats tab, we can observe the Suricata rules that were triggered during the analysis. We can click on each one to access more details.
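The connection burst seen in the Connections tab, and the port scanning described later under distribution methods, can both be spotted in flow telemetry. The following is an added example, not ANY.RUN's code or its Suricata rules; the flow-record layout (timestamp, source, destination, destination port) and the sample traffic are constructed assumptions.

```python
"""Spot a host that opens connection floods (DDoS participation) or contacts
many Telnet/SSH targets (propagation scan). Added example, not ANY.RUN code;
the (ts, src, dst, dport) record layout is a constructed flow format (assumption).
"""
from collections import Counter, defaultdict

def build_sample_flows():
    """Constructed flow records: one infected camera (10.0.0.23) flooding a
    single target and scanning 23/tcp, alongside ordinary background traffic."""
    flows = []
    for i in range(3000):                      # flood: 3000 connections in 10 s
        flows.append((100 + i // 300, "10.0.0.23", "203.0.113.50", 80))
    for i in range(500):                       # scan: 500 distinct hosts on 23/tcp
        flows.append((200 + i // 50, "10.0.0.23", f"192.0.{i // 250}.{i % 250 + 1}", 23))
    for i in range(40):                        # normal: a few sessions per host
        flows.append((100 + i, "10.0.0.5", f"198.51.100.{i % 4}", 443))
        flows.append((100 + i, "10.0.0.23", "198.51.100.9", 123))
    return flows

def find_floods(flows, window=10, rate=100):
    """Return {(src, dst): peak new connections per window} for every pair whose
    count in any fixed `window`-second bucket reaches `rate`. Fixed buckets keep
    this cheap enough to run over a full flow export."""
    buckets = defaultdict(Counter)
    for ts, src, dst, _dport in flows:
        buckets[(src, dst)][ts // window] += 1
    floods = {}
    for pair, counts in buckets.items():
        peak = max(counts.values())
        if peak >= rate:
            floods[pair] = peak
    return floods

def find_scanners(flows, ports=(22, 23), min_targets=100):
    """Return {src: distinct_targets} for sources that contacted at least
    `min_targets` distinct addresses on Telnet/SSH ports."""
    targets = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if dport in ports:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}
```

Thresholds are placeholders; tune `rate` and `min_targets` against a baseline of the monitored segment before alerting on them.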


Gafgyt malware technical details

Gafgyt is written in the C programming language. It has a modular structure that allows it to dynamically load and execute plugins. Interestingly, some versions of Gafgyt reuse code originally found in the Mirai malware, including its TCP and HTTP flooding modules.

The primary way used by Gafgyt to hijack IoT devices is through brute forcing. The malware has a hard-coded list of default Telnet and SSH credentials which it employs in its attempts to penetrate devices.

Another method Gafgyt uses to infect devices is the exploitation of vulnerabilities. For instance, CVE-2017-18368 is one of the flaws the malware exploits to target Zyxel routers; it exists because of a lack of proper input validation in the Remote System Log forwarding function.

CVE-2023-1389 is another vulnerability abused by the most recent variants of Gafgyt. It is present on TP-Link Archer devices and once again involves the execution of an unauthorized malicious command, which can be added to the country form in the web management interface.

After infecting the device, Gafgyt usually downloads a script from a pre-configured address and launches it. After collecting the device’s IP address and system information, it connects to its command-and-control server (C2).

Next, the C2 may send instructions to the malware which usually include engaging in different types of flooding attacks on specified targets.

The malware uses a combination of symmetric and asymmetric encryption for its communication. Its C2 servers are typically hosted on compromised devices.

Some versions of Gafgyt also include a persistence mechanism that lets them survive device reboots.

Gafgyt malware distribution methods

Unlike botnet malware such as Socks5Systemz that spreads via loaders, Gafgyt is usually distributed through exploitation of security flaws in IoT devices. This can include devices with open Telnet or SSH ports, devices with default or weak credentials, and devices that have not been patched for known vulnerabilities.

It also has a self-propagation mechanism, which allows it to spread to other devices without any user interaction. This is typically done by scanning the internet for devices with open ports and attempting to gain access using default credentials.
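On the receiving end, the default-credential brute forcing described in the technical details and the self-propagation above leave a recognisable trace: many failed Telnet/SSH logins for several usernames from one source within seconds. The detector below is an added example, not ANY.RUN's code; the syslog-like line layout and the sample log are constructed assumptions.

```python
"""Flag default-credential brute-force bursts in Telnet/SSH auth logs.
Added example, not ANY.RUN code; the syslog-like line layout below is a
constructed format (assumption)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: one source cycling through default accounts quickly,
# one source with occasional typos, and one successful login.
SAMPLE_LOG = """\
2025-10-27T10:00:01 cam01 telnetd: Failed login user=root from=198.51.100.7
2025-10-27T10:00:02 cam01 telnetd: Failed login user=admin from=198.51.100.7
2025-10-27T10:00:02 cam01 telnetd: Failed login user=support from=198.51.100.7
2025-10-27T10:00:03 cam01 telnetd: Failed login user=user from=198.51.100.7
2025-10-27T10:00:04 cam01 telnetd: Failed login user=guest from=198.51.100.7
2025-10-27T10:00:30 cam01 sshd: Failed login user=ops from=203.0.113.9
2025-10-27T10:05:30 cam01 sshd: Failed login user=ops from=203.0.113.9
2025-10-27T10:00:40 cam01 telnetd: Accepted login user=admin from=192.0.2.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ \w+: Failed login "
                     r"user=(?P<user>\S+) from=(?P<src>\S+)$")

def parse_failures(text):
    """Yield (timestamp, user, source) for every failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]

def find_bruteforce(text, window=timedelta(seconds=60), min_failures=5, min_users=3):
    """Return {source: (failures, distinct_users)} for the first sliding window per
    source with >= min_failures attempts across >= min_users names (log order is irrelevant)."""
    by_src = defaultdict(list)
    for ts, user, src in parse_failures(text):
        by_src[src].append((ts, user))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= min_failures and len(users) >= min_users:
                hits[src] = (len(span), len(users))
                break
    return hits
```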

The malware can also be distributed through malicious downloads. This can occur when a user downloads and executes a file from an untrusted source, such as a malicious website or email attachment.

How to analyze BASHLITE malware

Despite being a decade old, Gafgyt continues to be a considerable threat, particularly for organizations with Linux-based infrastructure. Protecting against a Gafgyt infection requires a combination of security measures, including strong, unique passwords and timely patching.

To understand how Gafgyt and other malware operate, as well as to collect indicators of compromise, use ANY.RUN’s interactive sandbox.

The service is invaluable for malware analysts and SOC professionals, as it:

  • Detects threats in files and links in under 40 seconds.
  • Lets you interact with the samples and the system just like with a standard computer.
  • Offers customizable Windows and Linux virtual machines.
  • Generates comprehensive threat reports.
  • Exposes all malicious network, registry, and file activity and processes.

With ANY.RUN, you can strengthen your security posture.

Create your ANY.RUN account – it’s free!
