New Eleven11bot botnet infects 86,000 devices for DDoS attacks - Related to badbox, fixes, android, devices, disrupted

Broadcom fixes three VMware zero-days exploited in attacks

Broadcom warned clients today about three VMware zero-days, tagged as exploited in attacks and .

The vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) impact VMware ESX products, including VMware ESXi, vSphere, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform.

Attackers with privileged administrator or root access can chain these flaws to escape the virtual machine's sandbox.

"This is a situation where an attacker who has already compromised a virtual machine's guest OS and gained privileged access (administrator or root) could move into the hypervisor itself," the organization explained today. "Broadcom has information to suggest that exploitation of these issues has occurred 'in the wild'."

Broadcom says CVE-2025-22224 is a critical-severity VCMI heap overflow vulnerability that enables local attackers with administrative privileges on the targeted VM to execute code as the VMX process running on the host.

CVE-2025-22225 is an ESXi arbitrary write vulnerability that allows the VMX process to trigger arbitrary kernel writes, leading to a sandbox escape, while CVE-2025-22226 is described as an HGFS information-disclosure flaw that lets threat actors with admin permissions to leak memory from the VMX process.

A Microsoft spokesperson was not immediately available to comment when contacted by BleepingComputer earlier today for more information on these three zero days.

VMware vulnerabilities are often targeted in attacks by ransomware gangs and state-sponsored hacking groups because they are commonly used in enterprise operations to store or transfer sensitive corporate data.

Most in the recent past, ​Broadcom warned in November that attackers were actively exploiting two VMware vCenter Server vulnerabilities that were patched in September. One allows privilege escalation to root (CVE-2024-38813) while the other is a critical remote code execution flaw (CVE-2024-38812) reported during China's 2024 Matrix Cup hacking contest.

In January 20204, Broadcom also revealed that Chinese state hackers had exploited a critical vCenter Server vulnerability (CVE-2023-34048) as a zero-day since at least late 2021 to deploy VirtualPita and VirtualPie backdoors on vulnerable ESXi hosts.

Der Nachrichtenstrom zu aktuell angegriffenen Sicherheitslücken in Software reißt nicht ab. Die US-amerikanische IT-Sicherheitsbehörde CISA warnt nun ......

Cybersecurity researchers are alerting of an ongoing malicious campaign targeting the Go ecosystem with typosquatted modules that are designed to depl......

Zwei Sicherheitslücken gefährden IBM Business Automation Workflow. Aktualisierte Versionen schützen Systeme vor möglichen Attacken.

BadBox malware disrupted on 500K infected Android devices

The BadBox Android malware botnet has been disrupted again by removing 24 malicious apps from Google Play and sinkholing communications for half a million infected devices.

The BadBox botnet is a cyber-fraud operation targeting primarily low-cost Android-based devices like TV streaming boxes, tablets, smart TVs, and smartphones.

These devices either come pre-loaded with the BadBox malware from the manufacturer or are infected by malicious apps or firmware downloads.

The malware then turns the devices into residential proxies, generates fake ad impressions on the infected devices, redirects consumers to low-quality domains as part of fraudulent traffic distribution operations, and uses people's IPs to create fake accounts and perform credential stuffing attacks.

Last December, German authorities disrupted the malware for infected devices in the country. However, a few days later, BitSight reported that the malware had been found in at least 192,000 devices, showing resilience against law enforcement action.

Since then, it is estimated that the botnet has grown to over 1,000,000 infections, impacting Android devices in 222 countries, with most located in Brazil ([website], the United States ([website], Mexico ([website], and Argentina ([website].

HUMAN's Satori Threat Intelligence team led the latest disruption operation in collaboration with Google, Trend Micro, The Shadowserver Foundation, and other partners.

Due to the botnet's sudden size inflation, HUMAN now calls it 'BadBox [website],' indicating a new era in its operation.

"This scheme impacted more than 1 million consumer devices. Devices connected to the BADBOX [website] operation included lower-price-point, "off brand", uncertified tablets, connected TV (CTV) boxes, digital projectors, and more," explains HUMAN.

HUMAN says it found evidence that the botnet serves and is supported by multiple threat groups with distinct roles or benefits.

These groups are SalesTracker (infrastructure management), MoYu (backdoor and botnet development), Lemon (ad fraud campaigns), and LongTV (malicious app development).

Android devices infected with the BadBox malware will routinely connect to attacker-controlled command and control servers to receive new configuration settings and commands to execute on the infected device.

HUMAN told BleepingComputer that, in partnership with The Shadowserver Foundation, the researchers sinkholed an undisclosed number of BADBOX [website] domains to prevent over 500,000 infected devices from communicating with command-and-control (C2) servers set up by threat actors.

When a domain is sinkholed, it is take over by the researchers, allowing them to monitor all connections made by infected devices to that domain and gather data about the botnet. As the infected devices can no longer connect with attacker-controlled domains, the malware is put into a dormant state, effectively disrupting the infection.

HUMAN says it also discovered 24 Android apps in the official app store, Google Play, that installed the BadBox malware on Android devices. Some apps, like 'Earn Extra Income' and 'Pregnancy Ovulation Calculator' by Seekiny Studio, had over 50,000 downloads each.

Google removed the apps from Google Play and added a Play Protect enforcement rule to warn individuals and block the installation of apps associated with BadBox [website] on certified Android devices.

Moreover, the tech giant has terminated publisher accounts that engaged in ad fraud associated with the BadBox operation, preventing monetization through Google Ads.

However, it is key to note that Google cannot disinfect non-Play Protect-certified Android devices sold globally, so while BadBox [website] has been disrupted, it has not been eliminated.

Ultimately, as long as consumers buy AOSP-based Android devices like off-brand TV boxes, that lack official Google Play Services support, they are at risk of using hardware pre-loaded with malware.

A list of devices known to be impacted by the BadBox malware are listed below:

Device Model Device Model Device Model Device Model TV98 X96Q_Max_P Q96L2 X96Q2 X96mini S168 ums512_1h10_Natv X96_S400 X96mini_RP TX3mini HY-001 MX10PRO X96mini_Plus1 LongTV_GN7501E Xtv77 NETBOX_B68 X96Q_PR01 AV-M9 ADT-3 OCBN X96MATE_PLUS KM1 X96Q_PRO Projector_T6P X96QPRO-TM sp7731e_1h10_native M8SPROW TV008 X96Mini_5G Q96MAX Orbsmart_TR43 Z6 TVBOX Smart KM9PRO A15 Transpeed KM7 iSinbox I96 SMART_TV Fujicom-SmartTV MXQ9PRO MBOX X96Q isinbox Mbox R11 GameBox KM6 X96Max_Plus2 TV007 Q9 Stick SP7731E H6 X88 X98K TXCZ.

In response to the disruption, Google shared the following statement with BleepingComputer.

"If a device isn't Play Protect certified, Google doesn't have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. consumers should ensure Google Play Protect, Android's malware protection that is on by default on devices with Google Play Services, is enabled."

If you own any of the above devices, it is likely that you will not be able to get clean firmware for them.

Instead, these devices should be replaced with those from reputable brands. If it is impossible to replace the device, they should be disconnected from the Internet.

More than a year's worth of internal chat logs from a ransomware gang known as Black Basta have been ......

The China-linked threat actor behind the zero-day exploitation of security flaws in Microsoft Exchange servers in January 2021 has shifted its tactics......

New Eleven11bot botnet infects 86,000 devices for DDoS attacks

A new botnet malware named 'Eleven11bot' has infected over 86,000 IoT devices, primarily security cameras and network video recorders (NVRs), to conduct DDoS attacks.

The botnet, which is loosely linked to Iran, has already launched distributed denial of service (DDoS) attacks targeting telecommunication service providers and online gaming servers.

Eleven11bot was discovered by Nokia researchers who shared the details with the threat monitoring platform GreyNoise.

Nokia's security researcher, Jérôme Meyer, commented that Eleven11bot is one of the largest DDoS botnets they have observed in recent years.

"Primarily composed of compromised webcams and Network Video Recorders (NVRs), this botnet has rapidly grown to exceed 30,000 devices," stated Meyer on LinkedIn.

"Its size is exceptional among non-state actor botnets, making it one of the largest known DDoS botnet campaigns observed since the invasion of Ukraine in February 2022."

Earlier today, threat monitoring platform The Shadowserver Foundation reported seeing 86,400 devices infected by the Eleven11bot botnet, with most in the United States, the United Kingdom, Mexico, Canada, and Australia.

Meyer says the botnet's attacks have reached several hundred million packets per second in volume, and their duration often spans multiple days.

GreyNoise, with the help of Censys, logged 1,400 IPs tied to the botnet's operation in the past month, with 96% of them coming from real devices (not spoofed).

Malicious IP addresses associated with Eleven11bot.

The majority of those IP addresses are based in Iran, while over three hundred are classified as malicious by GreyNoise.

the malware is spread by brute-forcing weak or common admin user credentials, leveraging known default credentials for specific IoT models, and actively scanning networks for exposed Telnet and SSH ports.

GreyNoise has , so defenders are recommended to add this list to their blocklists and monitor for suspicious login attempts.

In general, it is advisable to ensure that all IoTs run the latest firmware version, have their remote access aspects disabled if not needed, and that the default admin account credentials have been changed with something strong and unique.

IoTs do not generally enjoy long-term support from their vendors, so periodically checking that your devices have not reached end-of-life (EOL) and replacing those that have with newer models is crucial.

Zwei Sicherheitslücken gefährden IBM Business Automation Workflow. Aktualisierte Versionen schützen Systeme vor möglichen Attacken.

Cybersecurity researchers are alerting of an ongoing malicious campaign targeting the Go ecosystem with typosquatted modules that are designed to depl......

In LibreOffice hat das Projekt eine Sicherheitslücke entdeckt. Angreifer können dadurch Makros ausführen lassen. Aktualisierte Software bessert die Sc......