On 26 February 2025, the Nokia Deepfield Emergency Response Team (ERT) identified a significant new DDoS botnet, now tracked under #Eleven11bot.

Primarily composed of compromised webcams and Network Video Recorders (NVRs), this botnet has rapidly grown to exceed 30,000 devices. Its size is exceptional among non-state actor botnets, making it one of the largest known DDoS botnet campaigns observed since the invasion of Ukraine in February 2022.

Eleven11bot has targeted diverse sectors, including communications service providers and gaming hosting infrastructure, leveraging a variety of attack vectors. Attack intensity has varied widely, ranging from a few hundred thousand to several hundred million packets per second (pps). Public forums report sustained attack campaigns causing service degradation lasting multiple days, some of which remain ongoing.

Bots associated with this botnet can typically be recognized by distinctive hexadecimal banners featuring strings such as `head[...]1111` or `head[...]11111111`, predominantly appearing on TCP port 17000.

Since its initial detection, our ERT has closely monitored the activities and growth of #Eleven11bot. Early assessments indicate a large and geographically distributed botnet presence, spanning multiple countries such as the United States, Canada, Israel, Spain, the United Kingdom, Brazil, Taiwan, Romania, and Japan, among others.

In scenarios involving maximum bot activation, #Eleven11bot is capable of launching volumetric DDoS attacks exceeding several hundred million packets per second across certain vectors. Most observed attacks, however, involve fewer devices—typically between 3,000 and 5,000 bots—but still represent a substantial threat to network reliability and service continuity.

We'd like to really thank the folks over at @greynoise and @censys for providing additional insights and context: https://www.greynoise.io/blog/new-ddos-botnet-discovered

#threatintel #Eleven11bot

New DDoS Botnet Discovered: Over 30,000 Hacked Devices, Majority of Observed Activity Traced to Iran

A newly discovered global cyber threat is rapidly expanding, infecting tens of thousands of internet-connected devices to launch powerful cyberattacks.
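The banner indicator described above (strings such as `head[...]1111` on TCP port 17000) can be checked against banner-grab data from your own camera and NVR address space. The following is an added example, not code from Nokia Deepfield, GreyNoise or Censys; the JSON-lines record layout, the `XXXX` filler standing in for the elided banner bytes, and the "high"/"review" labels are assumptions made for illustration.

```python
import json
import re

# Page: banners feature strings such as head[...]1111 or head[...]11111111.
# The bracketed middle is elided on the page, so it is matched as a wildcard.
BANNER_RE = re.compile(r"head.*?(1{8}|1{4})")
BOT_PORT = 17000  # port on which the page says the banners predominantly appear

# Constructed scan records: documentation IPs, "XXXX" replaces the elided bytes.
SAMPLE_SCAN = """\
{"ip": "192.0.2.10", "port": 17000, "banner": "headXXXX1111"}
{"ip": "192.0.2.11", "port": 17000, "banner": "headXXXX11111111"}
{"ip": "192.0.2.12", "port": 17000, "banner": "SSH-2.0-OpenSSH_9.6"}
{"ip": "192.0.2.13", "port": 8080, "banner": "headXXXX1111"}
{"ip": "192.0.2.14", "port": 17000, "banner": ""}
not-json garbage line
"""


def classify(record):
    """Return 'high', 'review' or None for one banner-grab record."""
    if not BANNER_RE.search(record.get("banner") or ""):
        return None  # an open port 17000 alone is not treated as an indicator
    # "Predominantly" on 17000: a match elsewhere is kept for manual review.
    return "high" if record.get("port") == BOT_PORT else "review"


def triage(text):
    """Parse JSON-lines scan output; return (findings, unparseable_line_count)."""
    findings, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # count bad lines instead of silently dropping them
            continue
        if not isinstance(record, dict):
            skipped += 1
            continue
        verdict = classify(record)
        if verdict:
            findings.append((record.get("ip"), record.get("port"), verdict))
    return findings, skipped


if __name__ == "__main__":
    for ip, port, verdict in triage(SAMPLE_SCAN)[0]:
        print(f"{verdict:6} {ip}:{port}")
```

Hosts reported as "high" are candidates for isolation and firmware or credential review; "review" entries match the banner on a different port and need a manual look.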

Quick nod to the brilliant folks at @nicter_jp and @xlab_qax: their latest research shows #Eleven11bot is really the next #Rapperbot evolution, leveraging a brand‑new device family.

Teamwork in action 👉 https://blog.nicter.jp/2025/06/rapperbot_2025_2g/ | https://blog.xlab.qianxin.com/rapperbot-en/

Latest trends in RapperBot targeting DVRs

This year botconf, the international conference on botnets and malware held every year in France, about two hours from Paris by TGV in An

NICTER Blog