Cybersecurity researchers have uncovered a new botnet named Zergeca that is capable of launching powerful distributed denial-of-service (DDoS) attacks. Written in Golang, the botnet takes its name from the string "ootheca" that appears in its command-and-control (C2) server domains ("ootheca[.]pw" and "ootheca[.]top").
According to the QiAnXin XLab team, Zergeca is more than just a typical DDoS botnet. It supports six different attack methods and possesses capabilities for proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive device information.
One notable feature of Zergeca is its use of DNS-over-HTTPS (DoH) to resolve the C2 server's domain name, which keeps that lookup out of conventional port-53 DNS monitoring. It also uses Smux, a little-known Go stream-multiplexing library, for C2 communications. There is evidence that the malware is being actively developed and updated to support new commands.
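To make the DoH point concrete, the following Go program (an added example, not code from Zergeca or from XLab's report) builds an RFC 8484 DNS-over-HTTPS query for an A record, parses the resolver's wire-format reply, and shows the HTTPS POST a client would send. The domain example.test, the address 10.0.0.5 in the constructed sample reply, and the resolver URL in the commented-out call are assumptions chosen for illustration, not indicators from the page.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"strings"
)

// BuildDNSQuery encodes a single-question A query in DNS wire format (RFC 1035).
// The transaction ID is fixed to 0 as RFC 8484 recommends for HTTP cacheability.
func BuildDNSQuery(name string) ([]byte, error) {
	var b bytes.Buffer
	// Header: ID=0, flags=0x0100 (recursion desired), QDCOUNT=1, AN/NS/AR=0.
	for _, v := range []uint16{0, 0x0100, 1, 0, 0, 0} {
		binary.Write(&b, binary.BigEndian, v)
	}
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if len(label) == 0 || len(label) > 63 {
			return nil, fmt.Errorf("bad label %q", label)
		}
		b.WriteByte(byte(len(label)))
		b.WriteString(label)
	}
	b.WriteByte(0)                                // root label terminates the name
	binary.Write(&b, binary.BigEndian, uint16(1)) // QTYPE A
	binary.Write(&b, binary.BigEndian, uint16(1)) // QCLASS IN
	return b.Bytes(), nil
}

// skipName advances past a possibly-compressed domain name starting at off.
func skipName(msg []byte, off int) (int, error) {
	for {
		if off >= len(msg) {
			return 0, errors.New("truncated name")
		}
		l := int(msg[off])
		switch {
		case l == 0:
			return off + 1, nil
		case l&0xC0 == 0xC0: // compression pointer: two bytes, ends the name
			return off + 2, nil
		default:
			off += 1 + l
		}
	}
}

// ParseAResponse extracts the IPv4 addresses from a response's answer section.
func ParseAResponse(msg []byte) ([]net.IP, error) {
	if len(msg) < 12 {
		return nil, errors.New("short message")
	}
	if msg[2]&0x80 == 0 {
		return nil, errors.New("not a response")
	}
	if rcode := msg[3] & 0x0F; rcode != 0 {
		return nil, fmt.Errorf("rcode %d", rcode)
	}
	qd := binary.BigEndian.Uint16(msg[4:6])
	an := binary.BigEndian.Uint16(msg[6:8])
	off := 12
	var err error
	for i := 0; i < int(qd); i++ { // skip echoed question(s)
		if off, err = skipName(msg, off); err != nil {
			return nil, err
		}
		off += 4 // QTYPE + QCLASS
	}
	var ips []net.IP
	for i := 0; i < int(an); i++ {
		if off, err = skipName(msg, off); err != nil {
			return nil, err
		}
		if off+10 > len(msg) {
			return nil, errors.New("truncated RR")
		}
		rtype := binary.BigEndian.Uint16(msg[off : off+2])
		rdlen := int(binary.BigEndian.Uint16(msg[off+8 : off+10]))
		off += 10
		if off+rdlen > len(msg) {
			return nil, errors.New("truncated RDATA")
		}
		if rtype == 1 && rdlen == 4 {
			ips = append(ips, net.IPv4(msg[off], msg[off+1], msg[off+2], msg[off+3]))
		}
		off += rdlen
	}
	return ips, nil
}

// ResolveViaDoH sends the query as an RFC 8484 POST over HTTPS. Needs network
// access; the resolver URL is supplied by the caller and is an assumption here.
func ResolveViaDoH(resolverURL, name string) ([]net.IP, error) {
	q, err := BuildDNSQuery(name)
	if err != nil {
		return nil, err
	}
	resp, err := http.Post(resolverURL, "application/dns-message", bytes.NewReader(q))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("resolver returned %s", resp.Status)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 65535))
	if err != nil {
		return nil, err
	}
	return ParseAResponse(body)
}

// SampleResponse builds a constructed (not captured) reply for example.test
// pointing at the assumed address 10.0.0.5, so the parser runs offline.
func SampleResponse() []byte {
	q, _ := BuildDNSQuery("example.test")
	var b bytes.Buffer
	b.Write([]byte{0x00, 0x00, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00})
	b.Write(q[12:])                          // question section copied verbatim
	b.Write([]byte{0xC0, 0x0C})              // NAME: pointer to offset 12
	b.Write([]byte{0x00, 0x01, 0x00, 0x01})  // TYPE A, CLASS IN
	b.Write([]byte{0x00, 0x00, 0x00, 0x3C})  // TTL 60
	b.Write([]byte{0x00, 0x04, 10, 0, 0, 5}) // RDLENGTH 4, RDATA 10.0.0.5
	return b.Bytes()
}

func main() {
	q, _ := BuildDNSQuery("example.test")
	fmt.Printf("wire query (%d bytes): %x\n", len(q), q)
	ips, err := ParseAResponse(SampleResponse())
	fmt.Println("parsed answers:", ips, err)
	// Live lookup (network required; resolver URL is an assumption):
	// ips, err = ResolveViaDoH("https://cloudflare-dns.com/dns-query", "example.com")
}
```

The defender-relevant detail sits in ResolveViaDoH: the lookup is an ordinary HTTPS POST on port 443 with Content-Type application/dns-message, so port-53 logging never sees the C2 domain. Detection therefore has to come from TLS metadata (the resolver's SNI, the content type where TLS is inspected) or from a non-browser process talking to a DoH resolver at all.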
The C2 IP address 84.54.51[.]82 is believed to have been used to distribute the Mirai botnet around September 2023. As of April 29, 2024, the same IP address began serving as a C2 server for Zergeca, suggesting that the threat actors gained experience operating Mirai botnets before building Zergeca.
Zergeca launched attacks, primarily ACK flood DDoS attacks, against targets in Canada, Germany, and the U.S. between early and mid-June 2024. Its functionality is split into four modules: persistence, proxy, silivaccine, and zombie. These cover everything from setting up persistence by adding a system service to gaining exclusive control of compromised x86-64 devices by removing competing malware.
The zombie module reports sensitive information about the compromised device to the C2 and awaits commands from it, supporting six types of DDoS attack, scanning, reverse shell, and other functions.
"The built-in competitor list shows familiarity with common Linux threats," stated XLab. "Techniques like modified UPX packing, XOR encryption for sensitive strings, and using DoH to hide C2 resolution demonstrate a strong understanding of evasion tactics."