Malicious authors continued their impressively efficient efforts to syphon in the latest IoT exploits and churn out new Mirai-based variants. However, while Mirai variants are the most dominant IoT bots seen on the internet today, several non-Mirai IoT malware are also causing a ruckus. One such example is Gafgyt, a multi-architecture IoT bot with several similarities to Mirai.

Gafgyt has used telnet with default/factory credentials and exploits to spread to vulnerable IoT devices. Like Mirai, Gafgyt supports several TCP, UDP, and HTTP based DDoS attacks. Gafgyt is continuously undergoing development with new exploits and credentials, as shown by the numerous variants running wild on the internet. NETSCOUT saw a significant spike in Gafgyt samples from February through June, although January through February decreased compared with 2019.

It is likely that this spike was related to the sudden increase in consumer devices brought online as the remote work skyrocketed during that time frame. Indeed, during lockdown, the world was hit by the single largest number of monthly attacks NETSCOUT has ever seen—929,000 DDoS attacks in May alone.