Cybersecurity researchers have discovered a new botnet called Zergeca that is capable of conducting distributed denial of service (DDoS) attacks.
Written in Golang, the botnet takes its name from the string “ootheca” found on its command-and-control (C2) servers (“ootheca(.)pw” and “ootheca(.)top”).
“Functionally, Zergeca is not just a typical DDoS botnet; in addition to supporting six different attack methods, it also has capabilities for proxy, scanning, self-updating, storage, file transfer, reverse shell, and gathering sensitive device information,” the QiAnXin XLab team said in the report.
Zergeca is also notable for using DNS-over-HTTPS (DoH) to perform Domain Name System (DNS) resolution of the C2 server and for using a lesser-known library called Smooks for its C2 connections.
There is evidence that the malware is under active development, with updates adding support for new commands. Moreover, the C2 IP address 84.54.51(.)82 was allegedly used to distribute the Mirai botnet around September 2023.
As of April 29, 2025, the same IP address began to be used as a C2 server for the new botnet, raising the possibility that the threat actors “had experience with Mirai botnets prior to the creation of Zergeca.”
The attacks, primarily ACK flood DDoS attacks launched from the botnet, targeted Canada, Germany and the US between early and mid-June 2024.
Zergeca’s features are split across four modules, namely persistence, proxy, silivaccine, and zombie. They respectively configure persistence by adding a system service, implement a proxy server, remove competing miners and backdoor malware to gain exclusive control over devices with the x86-64 CPU architecture, and handle basic botnet functions.
The zombie module is responsible for transmitting confidential information from the compromised device to the C2 server and waiting for commands from it; it supports six types of DDoS attacks, scanning, reverse shell and other functions.
“The built-in competitor list demonstrates familiarity with common Linux threats,” XLab said. “Techniques such as modified UPX packaging, XOR encryption for sensitive strings, and using DoH to hide C2 resolution demonstrate a good understanding of evasion tactics.”