A new botnet malware called “Eleven11bot” has infected thousands of IoT devices, mostly security cameras and network video recorders (NVRs), to carry out Distributed Denial of Service (DDoS) attacks.

The botnet was discovered by Nokia researchers who shared their findings with the threat monitoring platform GreyNoise.

“Eleven11bot has targeted diverse sectors, including communications service providers and gaming hosting infrastructure, leveraging a variety of attack vectors. Attack intensity has varied widely, ranging from a few hundred thousand to several hundred million packets per second,” Nokia’s team said.

According to Jérôme Meyer, a security researcher at Nokia, Eleven11bot is among the largest DDoS botnets cybersecurity researchers have seen in recent years.

“Primarily composed of compromised webcams and Network Video Recorders (NVRs), this botnet has rapidly grown to exceed 30,000 devices,” Meyer wrote on LinkedIn. “Its size is exceptional among non-state actor botnets, making it one of the largest known DDoS botnet campaigns observed since the invasion of Ukraine in February 2022.”

The Shadowserver Foundation later reported that over 86,000 IoT devices had been compromised by Eleven11bot as of Sunday, nearly triple the 30,000 devices initially reported by Nokia.

The majority of compromised devices are located in the US, with nearly 25,000 infections, followed by the UK, which has close to 11,000 infected devices. Canada has around 4,000 compromised devices, while Australia follows with about 3,000 infections.

A closer examination of the IP addresses involved in the Eleven11bot botnet revealed that 96 percent of them were legitimate, originating from real, accessible devices, according to GreyNoise.

Researchers note that botnet operators target IoT devices by exploiting weak or default passwords, using brute-force techniques, and focusing on specific security camera brands like VStarcam. The attackers often scan for exposed Telnet and SSH ports, which are commonly left unprotected on IoT hardware.

“Secure IoT devices immediately. Change default passwords, update firmware, and disable remote access where unnecessary. Enable DDoS protection and rate-limiting. The botnet is designed for high-intensity attacks, so organizations should harden their network defenses,” the researchers said.
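For defenders who run cameras or NVRs with SSH exposed, the password brute-forcing described above shows up in the device's authentication log. The sketch below is an added example, not code from Nokia, GreyNoise or Shadowserver: it assumes standard OpenSSH `sshd` log lines, uses constructed sample entries with documentation IP addresses, and the function name `analyze` and the threshold of four failures are illustrative choices.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
Mar  3 10:00:01 nvr01 sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 10:00:03 nvr01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40114 ssh2
Mar  3 10:00:05 nvr01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40116 ssh2
Mar  3 10:00:07 nvr01 sshd[811]: Failed password for invalid user support from 203.0.113.7 port 40118 ssh2
Mar  3 10:00:09 nvr01 sshd[811]: Failed password for root from 203.0.113.7 port 40119 ssh2
Mar  3 10:00:11 nvr01 sshd[811]: Accepted password for admin from 203.0.113.7 port 40120 ssh2
Mar  3 10:05:40 nvr01 sshd[902]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Mar  3 10:05:52 nvr01 sshd[902]: Accepted password for alice from 198.51.100.20 port 51002 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+) port")


def analyze(log_text, min_failures=4):
    """Return {source_ip: summary} for sources with >= min_failures failed logins.

    A login accepted from a source that had already reached the threshold is
    listed separately: it suggests a guessed (weak or default) password.
    """
    failures = defaultdict(list)   # ip -> usernames tried, in order
    suspicious_logins = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)].append(m.group(1))
            continue
        m = ACCEPTED.search(line)
        if m and len(failures[m.group(2)]) >= min_failures:
            suspicious_logins[m.group(2)].append(m.group(1))
    return {
        ip: {
            "failures": len(users),
            "usernames": sorted(set(users)),
            "logins_after_failures": suspicious_logins.get(ip, []),
        }
        for ip, users in failures.items()
        if len(users) >= min_failures
    }


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary)
```

A source that appears with a non-empty `logins_after_failures` list is the case to act on first: rotate that account's password and review the device for unauthorized changes.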