geoBotnetd
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Additionally, the attackers implemented a process where a bash script ("geoBotnetd") checks for new firmware updates at "/cf/FIRMWARE/NEW/INITRD.GZ" every 10 seconds.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 techniqueA suspected Chinese hacking campaign has been targeting unpatched SonicWall Secure Mobile Access (SMA) appliances... While it is unclear what vulnerability was used to compromise devices, Mandiant says that the targeted devices were unpatched, making them likely vulnerable to older flaws.
Execution
1 techniqueThe malware used on SonicWall devices consists of an ELF binary, the TinyShell backdoor, and several bash scripts... The threat actors achieved this by using scripts that offer redundancy and ensure long-term access to breached devices.
Persistence
1 techniqueThe script also adds a backdoor user named 'acme' on the upgrade file so they can maintain access after the firmware update is applied to the breached appliance.
Recent activity
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.