New Eleven11bot Botnet Infected +86K IoT Devices
Researchers from Nokia's Deepfield Emergency Response Team (ERT) have discovered a new botnet named Eleven11bot that has infected over 86,000 Internet of Things (IoT) devices. The majority of these infected devices are security cameras and network video recorders (NVRs), which are commonly used to launch Distributed Denial-of-Service (DDoS) attacks.
According to Jérôme Meyer, a Nokia security researcher who identified the botnet, "On February 26, 2025, we detected a significant new DDoS botnet, now tracked under 'Eleven11bot.' Primarily composed of compromised webcams and Network Video Recorders (NVRs), this botnet has rapidly grown to exceed 30,000 devices. Its size is exceptional among non-state actor botnets, making it one of the largest known DDoS botnet campaigns observed since the invasion of Ukraine in February 2022."
The Eleven11bot botnet has targeted various sectors, including communications service providers and gaming hosting infrastructure, using a range of attack vectors. The intensity of attacks has varied widely, with some devices sending only a few hundred thousand packets per second (pps), while others have sent several hundred million pps.
GreyNoise researchers who monitored the botnet found that 96% of the IP addresses associated with it are genuine, and that 61% of them originate from Iran. GreyNoise flagged 305 IPs as malicious; this activity is believed to be linked to the surge in attacks following new U.S. sanctions on Iran.
Researchers at Shadowserver Foundation have also been monitoring the botnet and reported that approximately 86,400 devices are infected by the Eleven11bot botnet. Most of these infected devices are located in the United States (24,700) and the United Kingdom (10,800).
The botnet is expanding its reach through brute-force attacks, exploiting weak IoT passwords, and targeting VStarcam devices with hardcoded credentials. It also scans for exposed Telnet and SSH ports on vulnerable hardware.
How to Protect Yourself
To protect yourself from the Eleven11bot botnet, it's essential to take steps to secure your IoT devices. This includes:
- Updating passwords regularly
- Enabling strong authentication protocols
- Using a firewall and antivirus software
- Maintaining up-to-date firmware on your devices
It's also crucial to monitor your network activity regularly for suspicious activity. Stay informed about the latest updates on the Eleven11bot botnet and take immediate action if you suspect that your device has been compromised.
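One way to act on the monitoring advice above, as an added example that is not part of the original article: this Python script flags a device on your own network that suddenly contacts many different external hosts on Telnet or SSH, the scanning behaviour described for this botnet. The LAN range, time window, threshold, flow-record format and sample records are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions (not from the article): LAN range, window and threshold.
LAN = ip_network("192.168.0.0/16")
SCAN_PORTS = {22, 23}            # SSH and Telnet, the ports the article names
WINDOW = timedelta(minutes=5)
MAX_DISTINCT_TARGETS = 10        # distinct external hosts tolerated per window

def constructed_flows():
    """Constructed sample flow records (time, src, dst, dport) as CSV text."""
    rows = ["time,src,dst,dport"]
    # Camera probing 12 different external hosts on Telnet within a minute.
    for i in range(12):
        rows.append(f"2025-03-01T10:00:{i * 5:02d},192.168.1.50,203.0.113.{i + 1},23")
    # Admin laptop with two ordinary outbound SSH sessions.
    rows.append("2025-03-01T10:00:10,192.168.1.10,198.51.100.7,22")
    rows.append("2025-03-01T10:02:00,192.168.1.10,198.51.100.8,22")
    # NVR talking HTTPS only; ignored because the port is not 22 or 23.
    rows.append("2025-03-01T10:01:00,192.168.1.51,198.51.100.9,443")
    return "\n".join(rows)

def find_scanners(flow_csv):
    """Return {internal_ip: peak distinct external 22/23 targets in WINDOW}."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        if src in LAN and dst not in LAN and int(row["dport"]) in SCAN_PORTS:
            events[str(src)].append((datetime.fromisoformat(row["time"]), str(dst)))
    flagged = {}
    for src, seen in events.items():
        seen.sort()
        start, peak = 0, 0
        for end in range(len(seen)):
            # Slide the window start forward until it spans at most WINDOW.
            while seen[end][0] - seen[start][0] > WINDOW:
                start += 1
            peak = max(peak, len({dst for _, dst in seen[start:end + 1]}))
        if peak > MAX_DISTINCT_TARGETS:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(find_scanners(constructed_flows()))
```

A flagged camera or NVR should be isolated from the network and then reset, re-credentialed and updated as the list above recommends.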