Scroll Top
19th Ave New York, NY 95822, USA

EnemyBot malware exploits new critical VMware, F5 BIG-IP flaws


EnemyBot, a botnet based on code from multiple malware pieces, is expanding its reach by quickly adding exploits for recently disclosed critical vulnerabilities in web servers, content management systems, IoT, and Android devices.

The botnet was first discovered in March by researchers at Securonix and by April, when analysis of newer samples emerged from Fortinet, EnemyBot had already integrated flaws for more than a dozen processor architectures.

Its main purpose is launching distributed denial-of-service (DDoS) attacks and the malware also has modules to scan for new target devices and infect them.

New variant additions

A new report from AT&T Alien Labs notes that the latest variants of EnemyBot incorporate exploits for 24 vulnerabilities. Most of them are critical but there are several that don’t even have a CVE number, which makes it more difficult for defenders to implement protections.

In April, most of the flaws related to routers and IoT devices, with CVE-2022-27226 (iRZ) and CVE-2022-25075 (TOTOLINK) being among the most recent ones and Log4Shell being the most notable.


However, a new variant analyzed by AT&T Alien Labs included exploits for the following security issues:

  • CVE-2022-22954: Critical (CVSS: 9.8) remote code execution flaw impacting VMware Workspace ONE Access and VMware Identity Manager. PoC (proof of concept) exploit was made available in April 2022.
  • CVE-2022-22947: Remote code execution flaw in Spring, fixed as zero-day in March 2022, and massively targeted throughout April 2022.
  • CVE-2022-1388: Critical (CVSS: 9.8) remote code execution flaw impacting F5 BIG-IP, threatening vulnerable endpoints with device takeover. The first PoCs appeared in the wild in May 2022, and active exploitation began almost immediately.

Looking at the list of supported commands by a newer versions of the malware, RSHELL stands out, used to create a reverse shell on the infected system. This allows the threat actor to bypass firewall restrictions and get access to the compromised machine.

All of the commands seen in the previous version are still present, offering a rich list of options concerning DDoS attacks.


Keksec, the group behind EnemyBot, is actively developing the malware and has other malicious projets under its belt: Tsunami, Gafgyt, DarkHTTP, DarkIRC, and Necro.

This appears to be an experienced malware author who shows special care for the newest project, adding new vulnerabilities exploits as soon as they emerge, often before system admins have the chance to apply fixes.

To make matters worse, AT&T reports that someone, likely closely affiliated to Keksec, has released the EnemyBot source code, making it available for any adversary.

The recommendations for protecting against this type of threat include patching software products as soon as updates become available and monitoring network traffic, including outbound connections.

At this moment, EnemyBot’s main purpose is DDoS attacks but other possibilities are also to be considered (e.g. cryptomining, access), especially since the malware is now targeting more powerful devices.