BrickerBot is a destructive IoT malware family designed to cause permanent denial of service (PDoS) by "bricking" insecure Internet-connected devices. It targets poorly secured IoT and embedded Linux devices by exploiting hard-coded or default credentials, brute-forcing Telnet, and abusing exposed Telnet and SSH services. Reported variants include BrickerBot.1 and BrickerBot.2, with later observations of BrickerBot.3 and a rarely seen BrickerBot.4.
Observed behavior includes logging into vulnerable devices and executing destructive commands to render them unusable. Reported actions include use of BusyBox commands to corrupt MMC and MTD storage, deleting files, disconnecting devices from the Internet, and in some reporting overwriting firmware. BrickerBot.1 was associated with BusyBox-based devices exposing Telnet and older Dropbear SSH, while BrickerBot.2 targeted Linux-based devices more broadly, did not require BusyBox, could corrupt additional storage types, and concealed attack origin through Tor exit nodes.
The malware was discovered by Radware after repeated attacks against a honeypot in April 2017; BrickerBot.1 activity was reported from March 20 to March 25, 2017. ICS-CERT/US-CERT issued alerts in April 2017. Many observed BrickerBot.1 targets were outdated Ubiquiti network devices, including access points and bridges, though the malware was described more generally as targeting insecure IoT devices. Reported infections were most heavily observed in Argentina, followed by North America, Europe, and Asia including India.
BrickerBot has been associated with the so-called Internet Chemotherapy project, allegedly started in November 2016. Its claimed operator used the monikers Janit0r, The Janit0r, and The Doctor, and stated the malware was intended to prevent vulnerable devices from being recruited into botnets such as Mirai. The operator claimed more than 10 million devices were destroyed and announced retirement on December 10, 2017. High-confidence defensive recommendations mentioned in the reporting include changing factory default credentials, disabling Telnet, updating firmware such as on affected Ubiquiti devices, minimizing Internet exposure, segmenting networks, and enforcing stronger authentication and monitoring.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The Janit0r took it upon himself to destroy IoT devices so they couldn’t become infected by Mirai, starting with the “colossally dangerous CVE-2016-10372 situation.” The situation referenced was considered dangerous because it allowed attackers to send remote commands to affected devices from anywhere on the Internet (WAN port) and then reconfigure the devices to allow further remote access. | As a result of these attacks, a project dubbed Internet Chemotherapy, also known as BrickerBot, allegedly started in November 2016 with the intention of cleaning the Internet of the vulnerable IoT devices that were low-hanging, infectible hosts for bot herders.
4 distinct techniques documented for this family, organized by ATT&CK tactic.
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Destructive IoT malware that brute-forces Telnet credentials on poorly secured devices, then executes commands (often via BusyBox) to corrupt storage (MMC/MTD), delete files, and disrupt connectivity—effectively bricking devices (permanent denial of service). Later variants (e.g., BrickerBot.2) used Tor for concealment and expanded storage-corruption capability.
Vigilante IoT malware that permanently or temporarily disables vulnerable devices by overwriting firmware or altering network settings to prevent their use in botnets such as Mirai.
Malware known for destroying or 'bricking' unsecured internet-connected/IoT devices.
A botnet family that targets IoT and Linux-based devices by exploiting hard-coded or default credentials, exposed SSH, and brute-force Telnet access to render devices permanently unusable through permanent denial of service (PDoS).
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.