Eleven11bot botnet is nearly three times bigger than initial estimates


Security cameras, network video recorders, and other IoT devices are part of a newly discovered global botnet that attacks telecoms and online forums.

The Shadowserver Foundation tracks the Eleven11bot botnet, which was discovered by the Nokia Deepfield Emergency Response Team (ERT) on February 26th, 2025. The botnet has already infected 86,400 devices globally.

As of March 2nd, most compromised devices are in the US (almost 25,000), and the UK is second with nearly 11,000 infected devices.


Eleven11bot, primarily composed of compromised webcams and network video recorders (NVRs), has participated in distributed denial of service (DDoS) attacks.

ERT previously estimated the size of the botnet to be around 30,000 devices. Even then, the researchers said that the size “is exceptional among non-state actor botnets, making it one of the largest known DDoS botnet campaigns observed since the invasion of Ukraine in February 2022.”

“Eleven11bot has targeted diverse sectors, including communications service providers and gaming hosting infrastructure, leveraging a variety of attack vectors. Attack intensity has varied widely, ranging from a few hundred thousand to several hundred million packets per second,” ERT said previously.

Some attacks against public forums reportedly lasted multiple days and remain ongoing.

Eleven11bot is capable of launching massive volumetric DDoS attacks exceeding hundreds of millions of packets per second across certain vectors.

A deeper look into some of the IP addresses participating in the botnet revealed that 96% of them were not spoofable and originated from genuine accessible devices, GreyNoise reports.

The researchers warn that botnet operators target IoT devices by exploiting weak and default passwords, brute-forcing, and targeting specific security camera brands, such as VStarcam. Attackers scan for exposed Telnet and SSH ports, which are often left unprotected on IoT hardware.


GreyNoise recommends network defenders block traffic from known malicious IPs and monitor network logs for unusual login attempts.


“Secure IoT devices immediately. Change default passwords, update firmware, and disable remote access where unnecessary. Enable DDoS protection and rate-limiting. The botnet is designed for high-intensity attacks, so organizations should harden their network defenses,” the researchers said.
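One way to act on GreyNoise's two recommendations (blocking known malicious IPs and watching logs for unusual login attempts) is shown below as an added example; it is not code from GreyNoise, Nokia, or the article. It assumes OpenSSH-style auth log lines, and the blocklist, log lines, and the `triage` function and its threshold are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed inputs: documentation-range addresses, not real indicators.
BLOCKLIST = ["203.0.113.0/24", "198.51.100.77/32"]
SAMPLE_LOG = """\
Mar  2 10:00:01 nvr01 sshd[811]: Failed password for root from 192.0.2.10 port 40122 ssh2
Mar  2 10:00:02 nvr01 sshd[811]: Failed password for invalid user admin from 192.0.2.10 port 40123 ssh2
Mar  2 10:00:03 nvr01 sshd[811]: Failed password for invalid user support from 192.0.2.10 port 40124 ssh2
Mar  2 10:00:04 nvr01 sshd[811]: Accepted password for admin from 192.0.2.10 port 40125 ssh2
Mar  2 10:05:00 nvr01 sshd[812]: Failed password for root from 203.0.113.45 port 51000 ssh2
Mar  2 10:07:00 nvr01 sshd[813]: Failed password for operator from 192.0.2.99 port 51010 ssh2
Mar  2 10:09:00 nvr01 sshd[814]: Accepted password for operator from 192.0.2.99 port 51011 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def triage(log_text, blocklist, max_failures=3):
    """Return {source_ip: sorted reasons} for sources a defender should review."""
    nets = [ipaddress.ip_network(n) for n in blocklist]
    failures = defaultdict(int)
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field, skip the line
        src = str(ip)
        if any(ip in n for n in nets):
            findings[src].add("blocklisted")  # candidate for a firewall drop rule
        if m["result"] == "Failed":
            failures[src] += 1
            if failures[src] >= max_failures:
                findings[src].add("brute-force")
        elif failures[src] >= max_failures:
            # A success after repeated failures suggests a guessed password.
            findings[src].add("login-after-brute-force")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, BLOCKLIST))
```

A single mistyped password followed by a successful login, as from 192.0.2.99 in the sample, is not flagged; only sources that reach the failure threshold or match the blocklist are reported.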

Eleven11bot is named for the distinctive hexadecimal banners, such as `head[...]1111` or `head[...]11111111`, that identify the bots on TCP port 17000.