New Golang-Based Zergeca Botnet Capable of Powerful DDoS Attacks

Cybersecurity researchers have uncovered a new botnet called Zergeca that’s able of conducting distributed denial-of-services (DDoS) attacks.

Penned in Golang, the botnet is so named for its reference to a string named “ootheca” current in the command-and-command (C2) servers (“ootheca[.]pw” and “ootheca[.]top”).

“Functionally, Zergeca is not just a usual DDoS botnet other than supporting six distinct attack methods, it also has abilities for proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and gathering sensitive system info,” the QiAnXin XLab staff stated in a report.

✔ Approved Seller From Our Partners

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount

Zergeca is also notable for working with DNS-more than-HTTPS (DoH) to complete Domain Name Procedure (DNS) resolution of the C2 server and utilizing a lesser-recognised library recognized as Smux for C2 communications.

There is proof to advise that the malware is actively developing and updating the malware to guidance new instructions. What is actually more, the C2 IP handle 84.54.51[.]82 is reported to have been previously made use of to distribute the Mirai botnet all around September 2023.

As of April 29, 2025, the similar IP address commenced to be used as a C2 server for the new botnet, boosting the likelihood that the risk actors “gathered encounter running the Mirai botnets prior to producing Zergeca.”

Attacks mounted by the botnet, largely ACK flood DDoS attacks, have focused Canada, Germany, and the U.S. in between early and mid-June 2024.

Zergeca’s capabilities span four distinctive modules, specifically persistence, proxy, silivaccine, and zombie, to set up persistence by adding a procedure assistance, employing proxying, eradicating competing miner and backdoor malware and gaining unique control above devices jogging the x86-64 CPU architecture, and tackle the key botnet functionality.

The zombie module is accountable for reporting sensitive data from the compromised machine to the C2 and awaits commands from the server, supporting six sorts of DDoS attacks, scanning, reverse shell, and other functions.

“The designed-in competitor checklist shows familiarity with typical Linux threats,” XLab stated. “Tactics like modified UPX packing, XOR encryption for delicate strings, and working with DoH to hide C2 resolution exhibit a potent knowledge of evasion tactics.”

Identified this short article fascinating? Follow us on Twitter  and LinkedIn to read more special written content we put up.