The Resurgence of IoT Malware: Inside the Mirai-Based “Gayfemboy” Botnet Campaign

    Date: 08/25/2025

    Severity: Medium

    Summary

    "The Resurgence of IoT Malware: Inside the Mirai-Based 'Gayfemboy' Botnet Campaign" examines a stealthy and evolving malware strain named "Gayfemboy," initially discovered by a Chinese cybersecurity firm. Within the past year, the malware resurfaced with renewed activity in July, targeting vulnerabilities in IoT devices from vendors such as DrayTek, TP-Link, Raisecom, and Cisco. The malware is based on Mirai and has shown signs of technical evolution, raising concerns about its growing threat to IoT security.

    Indicators of Compromise (IOC) List

    URL/Domain

    cross-compiling.org

    i-kiss-boys.com

    furry-femboys.top

    twinkfinder.nl

    3gipcam.com

    IP Address

    141.11.62.222

    149.50.96.114

    220.158.234.135

    78.31.250.15

    5.182.206.7

    5.182.204.251

    Hash

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "cross-compiling.org" or siteurl like "cross-compiling.org" or url like "cross-compiling.org" or domainname like "i-kiss-boys.com" or siteurl like "i-kiss-boys.com" or url like "i-kiss-boys.com" or domainname like "furry-femboys.top" or siteurl like "furry-femboys.top" or url like "furry-femboys.top" or domainname like "twinkfinder.nl" or siteurl like "twinkfinder.nl" or url like "twinkfinder.nl" or domainname like "3gipcam.com" or siteurl like "3gipcam.com" or url like "3gipcam.com"

    Detection Query 2:

    dstipaddress IN ("141.11.62.222","149.50.96.114","220.158.234.135","78.31.250.15","5.182.206.7","5.182.204.251") or srcipaddress IN ("141.11.62.222","149.50.96.114","220.158.234.135","78.31.250.15","5.182.206.7","5.182.204.251")

    Detection Query 3:

    sha256hash IN ("1940296f59fb5fb29f52e96044eca25946f849183ceda4feb03e816b79fbaa81","269259e5c2df6b51719fd227fa90668dd8400d7da6c0e816a8e8e03f88e06026","87b6917034daa6f96f1f3813f88f2eb6d5e5c1b8f6b5b9ab337ab7065d4cb4c0","ca93203a9b795ffa66e5949e1ef643314bc3f3a3db4bed551ecd1c1e20b06089","26375b74e64d786ebc769cfd04e75eebec3b100da3637976e433a67ffa0cac79","2bfe2748bc594614dd03577053b58a5fb9fb8a6182fecc2025f1b715554d7fe1","39fdef9339c75723d865481283f3d4566f78969743eef38061beddcbf5a2690d","7eee9ad9bb0154c8e60201f3dbfe3cff84692f95f0515c6c66fab7240e864b64","ed3f85e537ada33c5f3b1f09b5df6e8b4345514e920f7e75fc0a6535b7e4a352","728dbb47e10a245b612453b8f9aaf3fb125760691d5f0397b01da2190f2e9709","9cc814ac2e15d1405fb4d35cb72d6341c0df8ae26741d1b08a243f236ef4f531","e764413c5ed6a9dba0d69b95a15841fb9b867f7aab3be7600381547eb5c2c1ab","400cc665fd3f23a6ca7a88c4c0f8cbb4f64b7a950786f202acc64623a8e452d7","b83b1484cf9dc6fe34a7d100c0ee582eaa2917f50bca1f7f9da7891698e3bedb","57861ee774b1ff56035f62e48590ce16246f484503bd0670c597ea102679d86b","737a795bfb19059062ee2f0a7b2ea0e88283413e76d1b796782423006f3b2cdf","7fda54c9a489fea2dc8f7248d7bf72e1e356e47366478c0d5f4ba421dddf4ab7","01c0a184c145ee382174937bb891bff90b3d574ee0616f40b3eb3ccfb68ba786","c3862c9b2d85c74dc5b2e38c600474e8df92677c064973b0a464a1aaa12f607e","9f77b86621c7cec885ab89a3dcf0548a7ee17c8c88f66780dfc7dcb2a13da146","e85291d70a144ebe2842aeba2c77029762ca8ebfd36008b7bb83cda3e5d5d99d","dd0c9a205b0c0f4c801c40e1663ca3989f9136e117d4dcb4f451474ceb67c3da","6ca219e62ca53b64e4fdf7bff5c43a53681ed010cbaa688fa12de85a8f3de5e7","0672a9aebc7597eef44490f40c42e203d5ddfebc9300b62f38b0d1312a852235","47785b773808d7e1d2f1064b054e7e13b8b2ce9a35c68b926cd32c006c78f655","48d2c2c68fa0bd44eb70c1a6cf572406442b289fb6030e946f0530ce6f9fad98","5a2d60ab5d281e0118603cc793f49f7e95a87de959a25bb3275c09ec8e8762e5","92f9bcf6c55008c60013b75b49e143a1c9673e838efe0971490d19a241146fe5","915ee7620406946b859dd4a00f9862d77fba8b452aebee5d94587e66c1085c88","e597b492a88f0524ea38121e6b8230d9515a8
2ea8ca28cdcc64413c33ed846c9","fed7a3cec01cad14d9a46804b43e64a8021e89d8d38a49a700cf8c2e0c2578f6","bcdbeb7eeb64d6daf5aa6e13f1f70acfe057df50ec4773f434ffab684b78aead","282ada9a29a5f3144114373ef3c5826bcc8fb5018cd0f2ecb97d2a7bee1df296","bba29011e0b51eb0907735933641c226f3441f79a8e49ab6047c1625dd0b5176","08a4bd4758e4cbf39fff22a0cc5fb28d9bdd9944a0cd2120fdbe9222aaecbcf4","f99b33bd086f9b331a0df40525a45326bb977fee5272111edaffbe4be56e78fa","49b1a220b9a7450e151f19eec3da496b26799612811e512d138da88e0ee596bc","493e33d9ade8781e93fe9cd982de42a8032d2fc6b07baf5b202e0761a0fbe89d","ac14a60064081215f5a308ebeb6de69d67e6cb52ebb38d60fef99137fc1ea93a","7863ba5267cb187ba3892060f3868dca8b0dfae712649a650847e22d47ccb60a","58af5c340d271ac41f4a6009281466c7ad996b1a029a27b88f03e5ec6d95c54b","b03cf96cf2583ea45e4c13833e7201c2c55b96a4931a909925624913e9ad8d33","b979fb79cf120f5d8789adb25fc016816c68e6d52bdc5749c817f4386e0c32da","77df7c3d6d364474d411845fa185b196dcda437134f7093126a3f3bd145bdeee","228b3f006d63b8d75dcb8f66951cbf75e2a4ebdf13af9e2f47ad1c1a9b2e5753","2c758b1eac4fda920f90c459b773e7c3017e90f9049502b41d8b5391a8b61621","834d7c6bb4fd6b5da03e36fed96d7a828342d7e8bf27222b17f9f39bc6aaed80","05cfcef1273063c0c8b0eadf429e850471223bc2403a7cc943c252306d72e561","fbc42240f07235d3a0290f3e82a06ef4376e845973c146e423f8de4913a1cce4","82b221177f2e31052245d761e9aca47a511ae3ee9d6602ddb1f9b5be25745638","1b6deb5f47ebfe3a0cbb35751f3df6a893c6570cb7863c74e4262397edd6552e")

    Reference:

    https://www.fortinet.com/blog/threat-research/iot-malware-gayfemboy-mirai-based-botnet-campaign


    Tags

    Malware, Botnet, Gayfemboy, Mirai
