Cybersecurity experts have identified a new botnet dubbed Zergeca that's capable of launching distributed denial-of-service (DDoS) assaults.
Written in Golang, the botnet is so called for its reference to a string named "ootheca" included in the command-and-control (C2) servers ("ootheca[.]pw" and "ootheca[.]top").
"Functionally, Zergeca is not just a typical DDoS botnet; besides supporting six different attack methods, it also has capabilities for proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive device information," the QiAnXin XLab team stated in a study.
Zergeca is also remarkable for leveraging DNS-over-HTTPS (DoH) to handle Domain Name System (DNS) resolution of the C2 server and employing a lesser-known library known as Smux for C2 communications.
There is evidence to imply that the virus is continually evolving and upgrading the infection to accommodate new instructions. What's more, the C2 IP address 84.54.51[.]82 is claimed to have been previously used to transmit the Mirai botnet around September 2023.
As of April 29, 2025, the same IP address started to be utilized as a C2 server for the new botnet, increasing the idea that the threat actors "accumulated experience operating the Mirai botnets before creating Zergeca."
assaults performed by the botnet, particularly ACK flood DDoS assaults, have targeted Canada, Germany, and the U.S. between early and mid-June 2024.
Zergeca's features span four distinct modules – namely persistence, proxy, silivaccine, and zombie – to set up persistence by adding a system service, implementing proxying, removing competing miner and backdoor malware, and gaining exclusive control over devices running the x86-64 CPU architecture, and handle the main botnet functionality.
The zombie module is responsible for relaying sensitive information from the infected device to the C2 and awaits orders from the server, providing six forms of DDoS assaults, scanning, reverse shell, and other services.
"The built-in competitor list shows familiarity with common Linux threats," XLab added. "Techniques like modified UPX packing, XOR encryption for sensitive strings, and using DoH to hide C2 resolution demonstrate a strong understanding of evasion tactics."
