Medusa botnet returns as a Mirai-based variant with ransomware sting (Security News, February 2023)

A new version of the Medusa DDoS botnet, based on Mirai code, has appeared in the wild, featuring a ransomware module and a Telnet brute-forcer.
Medusa is an old malware strain that has been advertised on darknet markets since 2015; it added HTTP-based DDoS capabilities in 2017.
Medusa is now promoted as malware-as-a-service (MaaS) for DDoS or mining through a dedicated portal.
What's particularly interesting in this new Medusa variant is a ransomware function that lets it search all directories for files of the types it targets and encrypt them.
It's worth noting that while the new version of Medusa features a data exfiltration tool, it does not steal user files before encryption.
Finally, once a Telnet connection has been established, the malware infects the system with the primary Medusa payload. That payload also has incomplete support for receiving the "FivemBackdoor" and "Sshlogin" commands.
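Because the variant spreads through a Telnet brute-forcer, the practical question for a defender is how to spot that activity in authentication logs. The script below is an added example, not code from the report or from the malware: it counts failed Telnet logins per source address inside a sliding window, flags sources that cross a threshold, and separately marks the case where a success follows the burst (the sign that the brute-forcer found working credentials). The log format, field names, threshold and the sample lines are all constructed for this example.

```python
"""Flag Telnet brute-force bursts in syslog-style login events (added example).

The log line format below is constructed for this example; adapt LINE_RE to
whatever your telnetd or honeypot actually emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> telnetd: login <failed|succeeded> for user=<u> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) telnetd: "
    r"login (?P<result>failed|succeeded) for user=(?P<user>\S+) from (?P<ip>[\d.]+)$"
)

# Constructed sample: one noisy source that guesses five accounts and then gets in,
# and one source with two widely spaced failures that should not be flagged.
SAMPLE_LOG = """\
2023-02-07T10:00:01 telnetd: login failed for user=root from 203.0.113.9
2023-02-07T10:00:02 telnetd: login failed for user=admin from 203.0.113.9
2023-02-07T10:00:03 telnetd: login failed for user=root from 203.0.113.9
2023-02-07T10:00:04 telnetd: login failed for user=support from 203.0.113.9
2023-02-07T10:00:05 telnetd: login failed for user=user from 203.0.113.9
2023-02-07T10:00:06 telnetd: login succeeded for user=root from 203.0.113.9
2023-02-07T10:00:10 telnetd: login failed for user=alice from 198.51.100.4
2023-02-07T10:30:00 telnetd: login failed for user=alice from 198.51.100.4
"""


def parse_line(line):
    """Return a dict with ts/result/user/ip for a recognised line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"failures": n, "usernames": [...], "success_after": bool}}
    for every source that reached `threshold` failed logins within `window`.
    `failures` is the largest number of failures seen in any one window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames tried
    hits = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:            # ignore lines we do not understand
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "failed":
            q = recent[ip]
            q.append(ts)
            users[ip].add(ev["user"])
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                entry = hits.setdefault(
                    ip, {"failures": 0, "usernames": [], "success_after": False})
                entry["failures"] = max(entry["failures"], len(q))
                entry["usernames"] = sorted(users[ip])
        elif ip in hits:
            # A success after a flagged burst: treat as a likely compromised host.
            hits[ip]["success_after"] = True
    return hits


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The window and threshold are deliberately loose; Mirai-style scanners typically try a short list of default credentials very quickly, so a tight window (a minute or less) with a threshold of a handful of failures is usually enough, and the `success_after` flag is the event that should page someone.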