2026-07-09 · view entry permalink →
Nozomi documents two new Golang IoT/Linux DDoS botnets (Apex2, c2c/meow) built for speed and reuse over sophistication
Nozomi Networks Labs' AI-assisted honeypot triage flagged two Golang-based DDoS botnet samples this spring that stand out from the routine volume of Mirai-derived variants: Apex2 and c2c (distributed under the filename "meow") (Nozomi Networks Labs, 2026-07-06). Apex2 is a direct structural evolution of the earlier Apex botnet: infection begins with Telnet connections and credential brute-forcing, followed by download-and-execute of the Golang payload, which registers with its C2 over a plaintext protocol (host OS/architecture) and ships builds for Linux (arm, arm64, mipsle, ppc64) and Windows (386, amd64). Its named flood commands include cf (an HTTP(S) flood specifically tuned to bypass Cloudflare via randomized User-Agent lists and long keep-alive timeouts), udp/pps, discord/game UDP floods, and three TLS-flood variants (tls, tlsplus, tlsplusbypass). c2c/meow is architecturally simpler — a Golang flooder with no built-in propagation (a separate SSH scanner handles brute-forcing and delivery) that authenticates to a hardcoded C2 over plaintext JSON-over-TCP, checks for passwordless sudo (sudo -n true) to self-escalate, then persists by copying itself to /usr/local/bin/cpufreqd and registering a fake systemd unit masquerading as a "CPU Frequency Daemon" — supporting ten flood-module types (icmp, dnsudp, udp, http, directhttp, fasthttp, betterhttp, tcp, tcphandshake, dnstcp).
Nozomi's stated point for defenders is that neither family is sophisticated — both lean on commodity Golang tooling, weak/default credentials and exposed Telnet/SSH interfaces rather than novel exploitation — and that the lack of sophistication does not reduce the risk at scale, because the build-and-deploy cycle for such botnets is getting faster. ATT&CK mapping: T1110 Brute Force (Telnet/SSH), T1105 Ingress Tool Transfer, T1548.003 Abuse Elevation Control Mechanism: Sudo (c2c's passwordless-sudo self-escalation), T1543.002 Create or Modify System Process: Systemd Service with T1036.005 Masquerading (the fake cpufreqd unit), and T1498 Network Denial of Service for the flood modules.
It checks whether passwordless sudo is available by running sudo -n true and evaluating the return value. If successful, it relaunches itself with increased privileges, copies to /usr/local/bin/cpufreqd, and creates a fake systemd service named "CPU Frequency Daemon"
In both cases, the emphasis is not on sophistication, but on speed, reuse and scalability.