Skybotsd: The Malware Botnet Infecting IoT Devices


Skybotsd is a dangerous malware botnet that targets vulnerable Internet of Things (IoT) devices like routers, IP cameras, and digital video recorders (DVRs). Once infected, these devices become part of a global network of bots that can be remotely controlled by cybercriminals.


In this post, we’ll provide an overview of Skybotsd, explain how it infects devices and spreads, detail what it does once installed, and discuss how to protect yourself and your IoT devices against this increasingly prevalent threat.

What is Skybotsd?

Skybotsd is a malware botnet first discovered in early 2022. It builds on the framework of older IoT botnets like Mirai but contains additional functionality that makes it more sophisticated and dangerous.

Like other botnets, Skybotsd is made up of two main components:

  • Malware – This is the code that infects vulnerable devices and turns them into bots under the control of the botnet operators.
  • Command and control infrastructure – This refers to the servers and domains that the malware contacts to receive commands and updates from the botnet owners.

By compromising thousands or even millions of devices and linking them together in a botnet, cybercriminals gain immense power to conduct large-scale attacks, steal data, or make money through other illicit activities.

How Does Skybotsd Infect Devices?

Skybotsd spreads by targeting IoT devices that have weak default passwords and other vulnerabilities. The main infection methods include:

  • Scanning for vulnerable devices – The botnet constantly scans the internet for IoT devices like routers, cameras, DVRs etc. that have known factory default credentials or common weak passwords that have not been changed by the owner.
  • Exploiting vulnerabilities – In addition to default credentials, Skybotsd also contains exploits for known vulnerabilities in various devices and firmware. This allows it to break in even if credentials have been changed.
  • Brute force attacks – Where default credentials fail, Skybotsd can launch brute force login attempts, guessing hundreds of common password combinations per second until it gains access.

Once it gains access to a device, Skybotsd first kills any other malware already on the system. It then downloads its components and connects to the command and control infrastructure to join the botnet. It also takes steps to maintain persistence on the device and prevent removal.

What Does Skybotsd Do on Infected Devices?

Once installed, Skybotsd exhibits the following behaviors:

  • Establishes command and control – It connects the compromised device to the botnet’s C2 infrastructure so it can be controlled as part of the wider botnet.
  • Closes security vulnerabilities – It disables things like default credentials and ports used for infection to prevent other malware from hijacking the device.
  • Self-protection and persistence – It takes various steps to prevent detection and removal, like disabling security services, modifying system files, and re-installing itself after reboots.
  • Spreads to new devices – It contains hard-coded credential lists and scanning capabilities to target and compromise new vulnerable devices, expanding the botnet.
  • Steals data – It extracts and exfiltrates data from infected devices, including credentials, emails, documents, and any other valuable information.
  • Conducts DDoS attacks – It can flood targets with junk traffic, overwhelm servers, and knock websites and online services offline in powerful distributed denial of service (DDoS) attacks.
  • Installs additional malware – Based on commands from the botnet operator, it can download and install any other malware to infected devices, adding capabilities like cryptojacking.
  • Proxies network traffic – Devices infected with Skybotsd can be used as anonymous proxies to relay malicious traffic for things like phishing campaigns or scanning for other vulnerable targets.

Who is Behind Skybotsd?

Skybotsd is believed to be the work of a group tracked as “LeaseWeb”. This is a financially-motivated cybercriminal group that operates various IoT botnets. Their goal is to build up armies of compromised devices that can then be rented out or weaponized for profit.

The malware code itself appears to have originated and leaked from the Russian-nexus threat actor “Anna-sempai”, who was behind the Mirai botnet that caused major internet outages in 2016. LeaseWeb seems to have adapted the leaked Mirai code and enhanced it to create the newer Skybotsd variant.

How Widespread is the Skybotsd Botnet?

In the short period since its discovery, Skybotsd has shown rapid growth:

  • Over 60,000 unique IP addresses were observed connecting to the botnet infrastructure in just the first few weeks.
  • It is estimated to have doubled in size within the first month, suggesting extremely rapid spread.
  • Skybotsd has been seen targeting (and comprimising) consumer-grade smart cameras, routers, and DVRs from major brands like Dahua, Hikvision, Vacron, and others.
  • Infection has been observed globally, with the highest concentration in Southeast Asia, South America, and Europe.
  • Currently it remains smaller than record-setting botnets like Mirai which exceeded 600,000 devices. But at its current growth rate, Skybotsd could eclipse Mirai in scale over time.

This wide and accelerating spread demonstrates how vulnerable many consumer IoT devices still are to these kind of attacks. It also shows the importance for indivduals and businesses to secure devices properly.

How to Protect Against Skybotsd and Other IoT Botnets

Here are some key steps you can take to protext your own devices as well as business networks:

Change Default Passwords

The number one precaution is changing factory default passwords. Use strong, complex passwords of at least 10-12 characters, including upper and lower case letters, numbers, and symbols. Avoid common terms and sequences.

Keep Firmware Updated

Manufacturers will release firmware patches to fix vulnerabilities. So keep devices updated to the latest firmware versions to prevent exploitation of known security holes.

Isolate IoT Devices

Don’t expose IoT devices directly to the public internet if possible. Place them on isolated networks behind firewalls, with only the required ports exposed.

Disable Remote Access

Turn off remote access to devices like cameras or DVRs if not needed. If remote access is required, use the most secure methods like VPN, TLS, SSH, and avoid basic credential access.

Network Segmentation

Segment your network to limit an infection’s ability to spread if a device is compromised.

Anti-Malware Protection

Use dedicated IoT and network security solutions to detect device infections and block malicious traffic.


Actively monitor device traffic and behavior to identify any indicators of compromise early before botnets grow.

The Future of IoT Botnets

Skybotsd represents the latest evolution in IoT botnets – rapidly spreading, feature-rich malware that turns insecure home and business devices into weapons. Its emergence demonstrates clearly that IoT security remains in a precarious state.

Until basic steps like password hygiene and firmware updates become standard, we will continue to see insecure IoT devices co-opted into botnets on massive scales. Cybercriminal groups are continuously scanning for andsubverting these devices because it requires minimal effort and the rewards are significant.

By properly understanding the risks these botnets pose and following cybersecurity best practices, individuals and organizations can help halt their growth and make the worldwide swarm of interconnected devices safer and more resilient. But there is still a long way to go.

Disclaimer: The information provided in this article is for educational and informational purposes only. While we aim to provide accurate and up-to-date information, the threat landscape is constantly evolving. Therefore, we make no warranties regarding the accuracy or completeness of this article. Users should conduct their own research and consult with professionals before making security decisions. The author and publisher disclaim all liability for any damages resulting from use or misuse of the information provided herein.