New Golang-Based Zergeca Botnet Makes a Stunning Debut

admin · July 5, 2024 20:12:05 · Comments · 3 views · 2,843 characters · 9 min 28 s read

Cybersecurity researchers have uncovered a new botnet called Zergeca that's capable of conducting distributed denial-of-service (DDoS) attacks.

Written in Golang, the botnet is so named for its reference to a string named "ootheca" present in the command-and-control (C2) servers ("ootheca[.]pw" and "ootheca[.]top").

"Functionally, Zergeca is not just a typical DDoS botnet; besides supporting six different attack methods, it also has capabilities for proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive device information," the QiAnXin XLab team said in a report.

Zergeca is also notable for using DNS-over-HTTPS (DoH) to perform Domain Name System (DNS) resolution of the C2 server and using a lesser-known library known as Smux for C2 communications.

There is evidence to suggest that the malware's operators are actively developing and updating it to support new commands. What's more, the C2 IP address 84.54.51[.]82 is said to have been previously used to distribute the Mirai botnet around September 2023.

As of April 29, 2025, the same IP address began to be used as a C2 server for the new botnet, raising the possibility that the threat actors "accumulated experience operating the Mirai botnets before creating Zergeca."

Attacks mounted by the botnet, primarily ACK flood DDoS attacks, have targeted Canada, Germany, and the U.S. between early and mid-June 2024.

Zergeca's features span four distinct modules: persistence, proxy, silivaccine, and zombie. These, respectively, set up persistence by adding a system service; implement proxying; remove competing miner and backdoor malware to gain exclusive control over devices running the x86-64 CPU architecture; and handle the main botnet functionality.

The zombie module is responsible for reporting sensitive information from the compromised device to the C2 and for awaiting commands from the server; it supports six types of DDoS attacks, scanning, reverse shell, and other functions.

"The built-in competitor list shows familiarity with common Linux threats," XLab said. "Techniques like modified UPX packing, XOR encryption for sensitive strings, and using DoH to hide C2 resolution demonstrate a strong understanding of evasion tactics."
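
As an added defender-side example (not code from the article or from XLab's report), the following Python flags the two behaviours quoted above, contact with a public DoH resolver and contact with the named C2 indicators, over constructed Zeek-style ssl.log lines, and then correlates hosts that show both. The resolver list, the column subset and the sample lines are assumptions.

```python
# Added example, not from the article or XLab report. Resolver list and log are
# constructed; assumption: endpoint DoH is not sanctioned here, tune to local policy.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}
# Indicators quoted in the report above, defanging brackets removed.
C2_DOMAINS = {"ootheca.pw", "ootheca.top"}
C2_IPS = {"84.54.51.82"}
# Constructed sample: subset of Zeek ssl.log columns, tab-separated, in the order
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, server_name ("-" = no SNI).
SAMPLE_LOG = """\
1718000001.1\tC1\t10.0.0.5\t51234\t8.8.8.8\t443\tdns.google
1718000002.2\tC2\t10.0.0.5\t51235\t84.54.51.82\t443\t-
1718000003.3\tC3\t10.0.0.7\t51236\t93.184.216.34\t443\twww.example.com
1718000004.4\tC4\t10.0.0.9\t51237\t1.1.1.1\t443\tcloudflare-dns.com
1718000005.5\tC5\t10.0.0.9\t51238\t203.0.113.10\t443\tapi.ootheca.top
1718000006.6\tC6\t10.0.0.11\t51239\t9.9.9.9\t443\tdns.quad9.net
"""

def classify(line):
    """Match reasons for one ssl.log line: [] when clean, None when unparsable."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 7:
        return None
    resp, sni = fields[4], fields[6].lower()
    reasons = []
    if sni in DOH_RESOLVERS:
        reasons.append("doh-resolver")
    if resp in C2_IPS:
        reasons.append("known-c2-ip")
    if any(sni == d or sni.endswith("." + d) for d in C2_DOMAINS):
        reasons.append("known-c2-domain")
    return reasons

def scan(log_text):
    """(uid, source host, reasons) for every line that matched something."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # skip blanks and Zeek header lines
            continue
        reasons = classify(line)
        if reasons:
            fields = line.split("\t")
            hits.append((fields[1], fields[2], reasons))
    return hits

def correlate(hits):
    """Hosts seen at both a DoH resolver and a C2 indicator (the report's chain); DoH alone ranks lower."""
    doh = {h for _, h, r in hits if "doh-resolver" in r}
    c2 = {h for _, h, r in hits if any(x.startswith("known-c2") for x in r)}
    return sorted(doh & c2)
```

Hosts returned by `correlate` are the ones worth triaging first; a host that only appears in the DoH set may simply be running a browser with DoH enabled.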

This article was originally published on the WeChat official account 知机安全: New Golang-Based Zergeca Botnet Makes a Stunning Debut