Hajime is a Linux-based IoT malware family and worm first publicly reported in October 2016 that builds a large peer-to-peer botnet targeting internet-connected embedded devices such as routers, DVRs, cameras, and other IoT systems. It is written in C and has been described as more advanced than Mirai in some reporting, while using propagation methods similar to Mirai but differing architecturally through decentralized peer-to-peer communications. Multiple reports state Hajime lacked denial-of-service modules and was primarily focused on propagation and botnet growth rather than observed DDoS activity. Researchers also noted similarities to Linux.Wifatch because Hajime appeared to attempt to secure infected devices and left messages on compromised systems including: "Just a white hat, securing some systems." and "Important messages will be signed like this! Hajime Author. Contact CLOSED Stay sharp!"
High-confidence propagation methods mentioned in the content include Telnet default-password attacks, targeted brute-forcing based on device banners, an Arris cable modem password-of-the-day attack, exploitation of TR-069 via the NewNTPServer feature to achieve command execution, exploitation of GPON router vulnerabilities CVE-2018-10561 and CVE-2018-10562, exploitation of MikroTik Chimay Red / CVE-2017-20149, and association with exploitation of Xiongmai CVE-2018-10088. The malware used architecture detection during Telnet compromises and patched downloader binaries on the fly with host, port, and WAN interface information before execution. Researchers reported hand-written assembly code for several platforms, indicating a comparatively sophisticated implementation.
Victimology in the provided content indicates Hajime infected hundreds of thousands of IoT devices worldwide, with reports citing roughly 297,499 to 300,000 compromised devices. The most affected countries mentioned include Iran, Brazil, Vietnam, Russia, Turkey, India, Pakistan, Italy, and Taiwan. Honeypot and HTTP header observations indicated many infected systems were DVRs, web cameras, routers, and similar embedded Linux devices.
The malware is associated with the Hajime botnet and has been characterized in some reporting as a vigilante or white-hat botnet because of its messaging and apparent device-securing behavior, although its ultimate purpose was described as unknown. Kaspersky detected it as Backdoor.Linux.Hajime. The content also notes Hajime activity or infrastructure in later datasets, including association with 191 C2 servers in one Hunt.io dataset and continued mention alongside other IoT botnets such as Mirai, Mozi, Satori, and BotenaGo.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
5 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Gigabit-capable Passive Optical Network (GPON) routers manufactured by DASAN Zhone Solutions have been found vulnerable to an authentication bypass (CVE-2018-10561) and a root-RCE (CVE-2018-10562) flaws that eventually allow remote attackers to take full control of the device. | Hajime Botnet — Another infamous IoT botnet, Hajime, has also been found adding GPON exploit to its code to target hundreds of thousands of home routers.
Gigabit-capable Passive Optical Network (GPON) routers manufactured by DASAN Zhone Solutions have been found vulnerable to an authentication bypass (CVE-2018-10561) and a root-RCE (CVE-2018-10562) flaws that eventually allow remote attackers to take full control of the device. | Hajime Botnet — Another infamous IoT botnet, Hajime, has also been found adding GPON exploit to its code to target hundreds of thousands of home routers.
the botnet is co-located with a Xiongmai NVR/IP camera’s HTTP server... correlate three known vulnerabilities this server is affected by: CVE-2017-7577, CVE-2018-10088, and CVE-2022-45460... CVE-2018-10088, in particular, is already associated with the Satori, Hajime, and BotenaGo botnets.
“Eventually attackers, including the Hajime botnet, exploited this vulnerability in the wild.” | CVE-2017-20149, also known as Chimay Red... affected the HTTP interface of Mikrotik routers... attackers, including the Hajime botnet, exploited this vulnerability in the wild... Greynoise continues to see active scanning for the vulnerability.
CVE-2018-10888, in particular, is already associated with the Satori, Hajime, and BotenaGo botnets.
11 distinct techniques documented for this family, organized by ATT&CK tactic.
...have been found vulnerable to an authentication bypass (CVE-2018-10561)...
Once the attack successfully passes the authentication stage, the first 52 bytes of the victim’s echo binary are read... The victim’s echo ELF header is then compared against a predefined array, containing the Hajime stub downloader binaries for different architectures.
Once the attack successfully passes the authentication stage, the first 52 bytes of the victim’s echo binary are read... The victim’s echo ELF header is then compared against a predefined array, containing the Hajime stub downloader binaries for different architectures.
researchers identified more than 1,350 command-and-control servers spread across 98 providers in 14 countries.
The sample represents a brand new P2P botnet implemented based on the DHT protocol... join the Mozi P2P network to become the new Mozi Bot node
"It is the second known IoT botnet to date, after the notorious Hajime botnet, that has a decentralized, peer-to-peer architecture... here we have a custom-built P2P communication mechanism." ... "HNS bots relay instructions and commands from one another"
Attackers have been utilizing an open-sourced Mettle attack module to implant malware on vulnerable routers.
This worm builds a huge P2P botnet... By announcing on the DHT network with a peer id similar to that day’s identifier of the configuration file we were able to be the “nearest” node and collected requests from almost every infected device... All of them were requesting Hajime config.
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
17 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Botnet malware observed among families associated with the mapped C2 infrastructure.
An IoT-focused botnet operating through C2 infrastructure and abusing compromised routers and embedded devices.
CVE-2018-10888, in particular, is already associated with the Satori, Hajime, and BotenaGo botnets.
Botnet referenced as already associated with exploitation of a Xiongmai vulnerability.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.