The Hajime malware infected nearly 300,000 internet-connected devices by combining multiple compromise methods against routers, cameras, DVRs, and cable modems. Researchers reported that the worm spread through Telnet default-password attacks, added a TR-069 exploitation module for remote code execution, and abused an Arris cable modem password-of-the-day mechanism, allowing it to compromise vulnerable IoT systems at scale. The botnet used a peer-to-peer architecture and tailored downloader binaries to victim device architectures and WAN interfaces, while also refining banner-based brute-forcing and architecture detection to improve infection success.
Victimology data showed broad global exposure, with the highest concentrations of infected hosts observed in Iran, Brazil, Vietnam, Russia, and Turkey. DHT leecher analysis identified 297,499 unique infected hosts, and honeypot telemetry indicated many victims were consumer and small-office embedded devices. Despite the botnet’s size and continued evolution, researchers said they had not observed Hajime being used for overt attacks at the time of reporting, leaving its ultimate purpose unclear even as it was tracked as Backdoor.Linux.Hajime.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
In its June 2017 report, Kaspersky said it had not observed Hajime being used for overt attacks or other malicious activity, even as the botnet continued to expand. The company detected the malware as Backdoor.Linux.Hajime.
Kaspersky reported that Hajime had grown into a peer-to-peer botnet with 297,499 unique infected hosts identified through DHT leecher analysis, affecting many DVRs, cameras, and routers worldwide. The largest concentrations of infections were observed in Iran, Brazil, Vietnam, Russia, and Turkey.
By the time of Kaspersky's analysis, Hajime had evolved beyond Telnet default-password attacks to add a TR-069 exploitation module and an Arris cable modem password-of-the-day attack, improving its ability to compromise IoT devices via remote command execution and credential abuse.
The Hajime malware family was first publicly reported in October 2016 as an IoT worm spreading through vulnerable internet-connected devices.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.