FortiGuard Labs has been closely tracking a stealthy new malware strain known as Gayfemboy. Initially disclosed by a Chinese cybersecurity firm, this malware resurfaced in July 2025 with new capabilities and a wider range of exploits targeting vendors such as DrayTek, TP-Link, Raisecom, and Cisco.
The latest wave of activity leveraged downloader scripts that deploy Gayfemboy alongside XMRig coin miners. These scripts were labeled after popular vendors ("asus", "vivo", "zyxel", and "realtek") and executed the malware with the corresponding product name as a parameter.
The campaign has impacted organizations worldwide, including in Brazil, Mexico, the United States, Germany, France, Switzerland, Israel, and Vietnam. Targeted sectors span manufacturing, technology, construction, and media or communications, reflecting the botnet's versatility.

Unlike its Mirai and Gafgyt predecessors, Gayfemboy avoids predictable file naming conventions. Instead, it assigns cryptic names to each Linux architecture, such as "xale" for x86-64 and "aale" for AArch64.
The malware employs advanced anti-analysis tricks:
- Modified UPX packing: the standard "UPX!" magic is replaced with the non-printable byte sequence 10 F0 00 00, so scanners and unpackers that key on that magic miss it.
- Sandbox evasion: the sample introduces a deliberate 50-nanosecond delay. If the sandbox mis-measures it, the malware defaults to a 27-hour sleep cycle, delaying analysis.
- Self-persistence: the malware automatically re-executes if its process is terminated.
FortiGuard Labs highlights that "Gayfemboy includes four primary functions: Monitor, Watchdog, Attacker, and Killer."
- Monitor: tracks processes and kills rival malware by scanning /proc/[PID]/exe paths for keywords such as /tmp/., bot, and dvrlocker.
- Watchdog: ensures only one instance is active by binding to UDP port 47272, killing itself if the bind fails.
- Attacker: launches DDoS floods (UDP, TCP, SYN, ICMP) and supports a backdoor module triggered by the string "meowmeow".
- Killer: protects itself by monitoring the system time for manipulation and by listening for a remote ^kill^ command from its C2 server.
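A small triage script, added here as an illustration and not taken from the FortiGuard report, that checks two of the indicators above: a UDP socket bound to port 47272 in /proc/net/udp output (the Watchdog's single-instance lock), and the l_info magic of a UPX-packed ELF (standard UPX writes "UPX!" there; the patched packer writes 10 F0 00 00). It assumes the patched packer keeps UPX's normal ELF layout and only swaps the magic; the ELF and /proc/net/udp inputs are constructed samples.

```python
import struct

WATCHDOG_PORT = 47272                      # UDP port the Watchdog binds (from the report)
PATCHED_UPX_MAGIC = b"\x10\xf0\x00\x00"    # bytes that replace the normal b"UPX!" magic

def udp_local_ports(proc_net_udp: str) -> set:
    """Parse /proc/net/udp text; the local port is the hex value after ':' in field 2."""
    ports = set()
    for line in proc_net_udp.splitlines()[1:]:        # skip the column header
        fields = line.split()
        if len(fields) > 1 and ":" in fields[1]:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def watchdog_port_bound(proc_net_udp: str) -> bool:
    return WATCHDOG_PORT in udp_local_ports(proc_net_udp)

def upx_l_info_magic(data: bytes):
    """UPX places an l_info struct right after the ELF program headers; its
    l_magic field is 4 bytes into that struct. Return those 4 bytes, or None."""
    if data[:4] != b"\x7fELF" or len(data) < 52:
        return None
    endian = "<" if data[5] == 1 else ">"
    if data[4] == 2:                                   # ELFCLASS64
        (phoff,) = struct.unpack_from(endian + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 54)
    else:                                              # ELFCLASS32
        (phoff,) = struct.unpack_from(endian + "I", data, 28)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 42)
    off = phoff + phentsize * phnum + 4
    return data[off:off + 4] if off + 4 <= len(data) else None

def classify_packer(data: bytes) -> str:
    magic = upx_l_info_magic(data)
    if magic == b"UPX!":
        return "upx"
    if magic == PATCHED_UPX_MAGIC:
        return "upx-patched"
    return "unknown"

def build_sample_elf(magic: bytes) -> bytes:
    """Constructed minimal x86-64 ELF: header, two empty phdrs, then l_info."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    l_info = struct.pack("<I", 0) + magic + struct.pack("<HBB", 0, 13, 1)
    return ehdr + bytes(56 * 2) + l_info + bytes(16)

# Constructed /proc/net/udp excerpt: 0xB8A8 == 47272 on the second socket line.
SAMPLE_PROC_NET_UDP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "  12: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1111\n"
    "  34: 00000000:B8A8 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 2222\n"
)
```

On a live host, feed `open("/proc/net/udp").read()` to `watchdog_port_bound` and the bytes of a suspect file to `classify_packer`; a hit on either is a reason to pull the file for analysis, not proof on its own.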
To maintain resilience, Gayfemboy avoids local DNS resolvers, instead relying on public DNS servers like 1.1.1.1 and 8.8.8.8. This allows it to rotate among multiple domains such as cross-compiling[.]org, twinkfinder[.]nl, and furry-femboys[.]top.
Once connected, the C2 can issue both lightweight 4-byte commands (e.g., reset socket, sleep, send system info) and more complex multi-byte instructions, including remote payload execution, opening a reverse shell, modifying firewall rules, and initiating DDoS attacks.
While inheriting much of its structure from Mirai, Gayfemboy represents a significant leap in stealth and adaptability. Its obfuscation techniques, multi-platform targeting, and backdoor capabilities demonstrate how IoT-focused malware continues to evolve into persistent global threats.
As FortiGuard Labs concludes: "This evolution reflects the increasing sophistication of modern malware and reinforces the need for proactive, intelligence-driven defense strategies."