Zerobot malware now spreads by exploiting Apache flaws

Zerobot has been updated to infect more devices by exploiting security flaws that affect Internet-exposed and unpatched Apache servers.

Microsoft Defender for IoT researchers also noted that the latest version includes new distributed denial-of-service (DDoS) capabilities.

Zerobot is in active development as of November. New versions include new modules and features that expand the botnet’s attack vectors. They also make it easier to infect new devices, such as routers and firewalls.

The malware developers removed the modules targeting Dasan GPON routers and phpMyAdmin servers.

Microsoft has spotted an update that adds more exploits to the malware’s toolkit. This allows it to attack seven types of software and hardware, such as unpatched Apache and Apache Spark servers.

Here is the complete list of modules added in Zerobot 1.1:

  • CVE-2017-17105: Zivif PR115-204-P-RS
  • CVE-2019-1055: Grandstream
  • CVE-2020-25223: WebAdmin of Sophos SG UTM
  • CVE-2021-42013: Apache
  • CVE-2022-31137: Roxy-WI
  • CVE-2022-33891: Apache Spark
  • ZSL-2022-5717: MiniDVBLinux

Microsoft Security Threat Intelligence Team .

The updated malware also includes seven additional DDoS capabilities, including a TCP_XMAS attack technique.

Attack method descriptions:

  • Sends UDP packets where the payload can be customized.
  • Intended to be an ICMP flood, but the packet is incorrectly constructed.
  • Sends TCP packets in which the payload, flags and other parameters can be fully customized.
  • Sends SYN packets.
  • Sends ACK packets.
  • Sends SYN-ACK packets.
  • Christmas tree attack (all TCP flags are set). The reset cause field for this attack is “xmas”.
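As an added example (not from the original article or from Microsoft's report), the following Python code labels raw IPv4 packets by the TCP flag patterns listed above, so a defender can pick SYN, ACK, SYN-ACK and Christmas tree traffic out of a capture. The function names, the threshold and the sample packets are constructed for illustration, and "all TCP flags set" is assumed to mean at least the six classic flag bits.

```python
import struct
from collections import Counter

# Classic TCP flag bits, stored in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_SIX = FIN | SYN | RST | PSH | ACK | URG

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet by the TCP flag pattern it carries."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        return "not-tcp"                    # protocol 6 is TCP; need a full TCP header
    flags = packet[ihl + 13] & ALL_SIX      # ignore ECE/CWR (assumption, see lead-in)
    if flags == ALL_SIX:
        return "xmas"                       # every classic flag set at once
    return {SYN: "syn", ACK: "ack", SYN | ACK: "syn-ack"}.get(flags, "other")

def summarize(packets, threshold=3):
    """Count flag patterns per destination IP.

    Returns {(dst, label): count} for patterns seen at least `threshold`
    times (illustrative value), plus every "xmas" hit, since a normal TCP
    stack does not emit a segment with SYN, FIN and RST set together.
    """
    counts = Counter()
    for pkt in packets:
        label = classify(pkt)
        if label in ("xmas", "syn", "ack", "syn-ack"):
            dst = ".".join(str(b) for b in pkt[16:20])
            counts[(dst, label)] += 1
    return {k: n for k, n in counts.items() if n >= threshold or k[1] == "xmas"}

def build(src, dst, flags):
    """Constructed sample packet: minimal IPv4 + TCP headers, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

# Constructed capture using documentation address ranges.
S, D = (198, 51, 100, 7), (192, 0, 2, 10)
SAMPLE = ([build(S, D, 0x3F), build(S, D, 0xFF)] + [build(S, D, SYN)] * 3
          + [build(S, D, ACK), build(S, D, PSH | ACK)])

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

In a real deployment the per-destination counts would be taken over a time window and the threshold tuned to the link's normal traffic.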

This Go-based malware, also known as ZeroStresser by the developers, was .

At the time, it used approximately two dozen exploits to infect different devices, including Zyxel firewalls and F5 BIG-IP.

It targets many system architectures and devices, including ARM64 and AMD64.

Zerobot spreads through brute-force attacks on unsecured devices that have weak or default credentials, and by exploiting security vulnerabilities in web applications and Internet of Things devices.

Once it infects a system, it downloads “zero”, a script that allows it to self-propagate to other vulnerable devices.

It can be used to gain persistence on compromised devices and to launch DDoS attacks across a variety of protocols. It can also provide its operators with initial access to victim networks.