
New Golang-based Zergeca botnet is capable of powerful DDoS attacks

05 July 2024 | Press release | Network security / cyber attack

Cybersecurity researchers have discovered a new botnet called Zergeca that can carry out distributed denial-of-service (DDoS) attacks.

The botnet, written in Golang, takes its name from the string “ootheca” that appears in its command-and-control (C2) server domains (“ootheca(.)pw” and “ootheca(.)top”).

“Functionally, Zergeca is not just a typical DDoS botnet; in addition to supporting six different attack vectors, it also has proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive device information capabilities,” the QiAnXin XLab team said in a report.


Zergeca is also notable for resolving the C2 server’s domain name over DNS-over-HTTPS (DoH) rather than conventional DNS, and for using a lesser-known library called Smux for C2 communication.
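Resolving C2 over DoH matters to defenders because the lookup never appears in the resolver logs that most DNS monitoring relies on; what remains visible is HTTPS traffic to a DoH endpoint. The following is an added example, not code from XLab’s report or from the Zergeca sample, showing how a triage script might surface DoH-looking requests in an egress-proxy log. The log lines, the JSON field names (`ts`, `src`, `url`, `ctype`) and the resolver watchlist are all constructed assumptions; the `/dns-query` path and `application/dns-message` content type are the RFC 8484 conventions.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample egress-proxy log: one JSON object per line (not real data).
# The "dns=" query string on line 3 is the RFC 8484 example query, not a real lookup.
SAMPLE_LOG = """\
{"ts":"2024-06-10T09:12:01Z","src":"10.0.5.17","method":"GET","url":"https://example.com/index.html","ctype":"text/html"}
{"ts":"2024-06-10T09:12:04Z","src":"10.0.5.17","method":"POST","url":"https://dns.google/dns-query","ctype":"application/dns-message"}
{"ts":"2024-06-10T09:12:05Z","src":"10.0.5.22","method":"GET","url":"https://cloudflare-dns.com/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB","ctype":"application/dns-message"}
{"ts":"2024-06-10T09:12:09Z","src":"10.0.5.31","method":"POST","url":"https://203.0.113.9/dns-query","ctype":"application/dns-json"}
{"ts":"2024-06-10T09:12:11Z","src":"10.0.5.17","method":"GET","url":"https://example.org/api/query","ctype":"application/json"}
"""

# Public resolvers that serve DoH; an assumed watchlist used only to rank hits, not an allowlist.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DOH_CONTENT_TYPES = {"application/dns-message", "application/dns-json"}
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def doh_indicators(record: dict) -> list[str]:
    """Return the DoH indicators matched by one log record (empty list if none)."""
    parts = urlsplit(record["url"])
    host = parts.hostname or ""
    reasons = []
    if parts.path.rstrip("/").endswith("/dns-query"):  # RFC 8484 well-known path
        reasons.append("path:/dns-query")
    ctype = record.get("ctype", "").lower()
    if ctype in DOH_CONTENT_TYPES:  # RFC 8484 wire format, or the JSON variant
        reasons.append("content-type:" + ctype)
    if reasons:
        # DoH to a public resolver is common on workstations; DoH to a bare IP or an
        # unknown host is the pattern worth triaging first.
        if host in KNOWN_DOH_HOSTS:
            reasons.append("host:known-resolver")
        elif IPV4.fullmatch(host):
            reasons.append("host:bare-ip")
        else:
            reasons.append("host:unknown")
    return reasons


def find_doh(log_text: str) -> list[dict]:
    """Scan a JSON-lines proxy log and return the records that look like DoH, with reasons."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = doh_indicators(rec)
        if reasons:
            hits.append({"ts": rec["ts"], "src": rec["src"],
                         "host": urlsplit(rec["url"]).hostname, "reasons": reasons})
    return hits


def by_source(hits: list[dict]) -> dict[str, int]:
    """Count DoH-looking requests per internal source address, to spot a single noisy host."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_doh(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["src"], "->", h["host"], ", ".join(h["reasons"]))
    print(by_source(hits))
```

On the constructed log this flags three requests and leaves the ordinary `/api/query` call alone; the request to the bare IP is the one a responder would look at first, since legitimate DoH clients are normally configured with a resolver hostname.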

There are indications that the malware is under active development, with updates adding support for new commands. In addition, the C2 IP address 84.54.51(.)82 is said to have been used to spread the Mirai botnet as early as September 2023.

As of April 29, 2025, the same IP address was used as the C2 server for the new botnet, raising the possibility that the threat actors “gained experience operating the Mirai botnets before creating Zergeca.”

The attacks carried out by the botnet, mainly ACK flood DDoS attacks, targeted Canada, Germany and the United States between early and mid-June 2024.
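An ACK flood works by sending large volumes of TCP segments carrying only the ACK flag, so a target spends resources matching them against connections that do not exist. The example below is added here and is not from XLab’s report; it shows one way a defender can spot that pattern in aggregated flow records. The `Flow` record shape, the traffic sample and the thresholds are constructed assumptions; the signal it keys on is the combination of ACK-only volume, distinct-source spread and the share of the window’s traffic that is ACK-only, which is what separates a flood from ordinary bulk-transfer acknowledgements.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (constructed shape, loosely modelled on NetFlow fields)."""
    ts: float      # flow start time, seconds
    src: str
    dst: str
    dport: int
    flags: str     # TCP flags as letters: S, A, P, F, R (e.g. "SA", "PA")
    packets: int


def is_ack_only(flags: str) -> bool:
    """True for segments carrying ACK and no other flag."""
    return set(flags) == {"A"}


def ack_flood_windows(flows, window=1.0, pkt_threshold=5000, min_sources=20, min_ratio=0.9):
    """Bucket flows per (dst, dport, time window) and alert when ACK-only packets exceed the
    threshold, arrive from enough distinct sources and dominate the window's traffic."""
    buckets = defaultdict(lambda: {"ack": 0, "total": 0, "sources": set()})
    for f in flows:
        b = buckets[(f.dst, f.dport, int(f.ts // window))]
        b["total"] += f.packets
        if is_ack_only(f.flags):
            b["ack"] += f.packets
            b["sources"].add(f.src)
    alerts = []
    for (dst, dport, idx), b in sorted(buckets.items()):
        ratio = b["ack"] / b["total"] if b["total"] else 0.0
        if b["ack"] >= pkt_threshold and len(b["sources"]) >= min_sources and ratio >= min_ratio:
            alerts.append({"dst": dst, "dport": dport, "window_start": idx * window,
                           "ack_packets": b["ack"], "sources": len(b["sources"]),
                           "ack_ratio": round(ratio, 3)})
    return alerts


def sample_flows():
    """Constructed traffic: a few normal sessions, then a one-second burst of ACK-only
    segments from 40 distinct sources against the same service."""
    flows = [
        Flow(3.0, "192.0.2.10", "198.51.100.5", 443, "PA", 40),
        Flow(3.4, "192.0.2.11", "198.51.100.5", 443, "A", 25),   # ordinary ACKs, not a flood
        Flow(10.2, "192.0.2.10", "198.51.100.5", 443, "PA", 30),
        Flow(10.3, "192.0.2.11", "198.51.100.5", 443, "A", 12),
    ]
    flows += [Flow(10.0 + i * 0.01, f"203.0.113.{i + 1}", "198.51.100.5", 443, "A", 250)
              for i in range(40)]
    return flows


if __name__ == "__main__":
    for a in ack_flood_windows(sample_flows()):
        print(a)
```

The window starting at t=3 contains ACK-only traffic too, but from a single source and far below the packet threshold, so only the burst at t=10 is reported. In production the thresholds should be derived from a baseline of the protected service rather than fixed constants.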

Zergeca is built from four modules, named Persistence, Proxy, Silivaccine and Zombie. In that order, they establish persistence by adding a system service, implement proxying, remove competing miners and backdoor malware while gaining exclusive control over devices with the x86-64 CPU architecture, and manage the main functionality of the botnet.


The Zombie module reports sensitive information from the compromised device to the C2 server and waits for commands from it. It supports six types of DDoS attacks, scanning, reverse shell and other functions.

“The integrated list of competitors shows a familiarity with common Linux threats,” XLab said. “Techniques such as modified UPX packing, XOR encryption for sensitive strings, and the use of DoH to hide C2 resolution show a strong understanding of evasion tactics.”
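XOR encryption of sensitive strings keeps C2 domains and similar indicators out of a plain `strings` dump, but a single-byte XOR key leaves enough structure for an analyst to recover the plaintext by brute force. The following is an added example, not code from XLab or from the Zergeca sample, and it says nothing about the key length or key schedule the malware actually uses; it demonstrates the general single-byte case an analyst tries first. The encoded blob is constructed from a made-up URL, and the scoring heuristic is an assumption tuned for ASCII strings.

```python
from string import ascii_letters


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the same operation encodes and decodes."""
    return bytes(b ^ key for b in data)


def plaintext_score(buf: bytes) -> int:
    """Heuristic plaintext likelihood: letters and spaces score high, other printable
    ASCII low, and control bytes strongly negative so near-miss keys fall behind."""
    score = 0
    for b in buf:
        if chr(b) in ascii_letters or b == 0x20:
            score += 3
        elif 0x20 < b < 0x7F:
            score += 1
        elif b in (0x00, 0x09, 0x0A, 0x0D):   # NUL terminators and whitespace are neutral
            score += 0
        else:
            score -= 10
    return score


def recover_single_byte_xor(blob: bytes) -> tuple[int, bytes, int]:
    """Try all 256 keys and return (key, decoded, score) for the most plaintext-like result."""
    best = max(range(256), key=lambda k: plaintext_score(xor_bytes(blob, k)))
    decoded = xor_bytes(blob, best)
    return best, decoded, plaintext_score(decoded)


def ranked_candidates(blob: bytes, top: int = 3) -> list[tuple[int, bytes]]:
    """Return the top-N (key, decoded) pairs so an analyst can eyeball close alternatives."""
    scored = sorted(range(256), key=lambda k: plaintext_score(xor_bytes(blob, k)), reverse=True)
    return [(k, xor_bytes(blob, k)) for k in scored[:top]]


# Constructed sample: a made-up URL encoded with key 0x5A. Not a real indicator.
SAMPLE_PLAINTEXT = b"https://c2.example.invalid/dns-query"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, 0x5A)


if __name__ == "__main__":
    key, text, score = recover_single_byte_xor(SAMPLE_BLOB)
    print(f"key=0x{key:02x} score={score} -> {text!r}")
    for k, t in ranked_candidates(SAMPLE_BLOB):
        print(f"  0x{k:02x}: {t!r}")
```

The ranked list is the useful part in practice: when the top two scores are close, the candidate with the key value 0x20 apart is usually just the case-flipped version of the same string, and the analyst decides by reading both. Multi-byte keys need a different approach (key-length estimation followed by per-position single-byte recovery), which this example does not cover.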
