GAFGYT, also known as BASHLITE, is a Linux-based IoT botnet first discovered in 2014. It primarily targets vulnerable IoT devices to launch large-scale distributed denial-of-service (DDoS) attacks. Early versions of GAFGYT exploited the Shellshock vulnerability (CVE-2014-7169) for initial access, along with router-specific flaws like CVE-2017-17215 (Huawei), CVE-2017-18368 (ZYXEL), and CVE-2014-8361 (Realtek). Compromised devices receive backdoor commands from a command-and-control (C&C) server and can download additional payloads.
Recent variants of GAFGYT have added advanced features, including using the TOR network to obfuscate C&C traffic and encrypting command-related strings. The botnet propagates by brute-forcing weak Telnet passwords and exploiting vulnerabilities such as CVE-2019-16920 (D-Link), CVE-2019-19781 (Citrix), and CVE-2020-7961 (Liferay Portal). Some versions integrate code from MIRAI, enhancing capabilities with modules for HTTP, UDP, TCP, and STD flooding, as well as Telnet brute force attacks. Despite its evolution, it continues to exploit Huawei and Realtek vulnerabilities to deliver payloads.
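The propagation method described above, brute-forcing weak Telnet passwords, leaves a recognisable trace on the victim side: bursts of failed logins from one source trying several common usernames. The following detector is an added example written for this page; it is not code from the page or from the botnet, and it assumes a hypothetical syslog-style Telnet daemon log format (`<ISO timestamp> telnetd: login failed for user '<name>' from <ip>`), with constructed sample lines using documentation address ranges. It flags any source that accumulates `max_failures` failed logins within a sliding window of `window_seconds`, which is the kind of rule a defender would feed into an IDS or SIEM to catch the Telnet sweep before the device is enrolled.

```python
"""Sliding-window detector for Telnet credential brute-forcing (added example,
not the page's or the malware's code). Log format is a hypothetical
syslog-style line: <ISO timestamp> telnetd: login failed for user '<name>' from <ip>
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login failed for user '(?P<user>[^']*)' from (?P<src>\S+)$"
)

# Constructed sample log (not real traffic). 198.51.100.0/24 and 203.0.113.0/24
# are reserved documentation ranges. The first source hammers default-style
# usernames within seconds; the second is a single user mistyping twice.
SAMPLE_LOG = """\
2024-05-01T10:00:01 telnetd: login failed for user 'root' from 198.51.100.7
2024-05-01T10:00:02 telnetd: login failed for user 'admin' from 198.51.100.7
2024-05-01T10:00:02 telnetd: login failed for user 'root' from 198.51.100.7
2024-05-01T10:00:03 telnetd: login failed for user 'support' from 198.51.100.7
2024-05-01T10:00:04 telnetd: login failed for user 'user' from 198.51.100.7
2024-05-01T10:00:05 telnetd: login failed for user 'root' from 198.51.100.7
2024-05-01T10:00:09 telnetd: login failed for user 'alice' from 203.0.113.5
2024-05-01T10:07:30 telnetd: login failed for user 'alice' from 203.0.113.5
this line is not a telnet failure and is skipped by the parser
"""


def parse_line(line):
    """Return (timestamp, username, source_ip) or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("src")


def detect_bruteforce(log_text, max_failures=5, window_seconds=60):
    """Return one alert per source IP whose failed Telnet logins reach
    max_failures inside any span of window_seconds. The alert is refreshed
    as further failures arrive, so it reflects the largest burst seen."""
    windows = defaultdict(deque)  # src -> timestamps of failures still in window
    users = defaultdict(set)      # src -> distinct usernames attempted
    alerts = {}                   # src -> alert dict
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, src = parsed
        q = windows[src]
        q.append(ts)
        users[src].add(user)
        # Evict failures that have aged out of the window.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_failures:
            alerts[src] = {
                "src": src,
                "failures_in_window": len(q),
                "distinct_users": sorted(users[src]),
                "first_seen": q[0].isoformat(),
                "last_seen": ts.isoformat(),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The `distinct_users` field is the useful discriminator: a legitimate user who forgets a password retries one account, whereas a bot cycling a credential list touches several. Thresholds should be tuned per environment, and on devices that cannot log at all the same signal can be derived from NetFlow or a network tap by counting short-lived TCP/23 sessions per source.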