Dark Nexus Botnet – A New and More Potent DDoS Threat


Cybersecurity professionals should take heed that a new botnet has been unleashed in the wild; called Dark Nexus, it’s more powerful than any previously known botnets, such as Mirai or Qbot. Researchers at security vendor Bitdefender discovered it in December 2019 and reported that it has “…new features and capabilities that put to shame most IoT botnets and malware that we’ve seen…While it might share some features with previously known IoT botnets, the way some of its modules have been developed makes it significantly more potent and robust. For example, payloads are compiled for 12 different CPU architectures and dynamically delivered based on the victim’s configuration.”

How to Defend Against Dark Nexus

Like other botnets, Dark Nexus can be used to launch spam and phishing attacks, but it appears that its primary purpose is to carry out damaging Distributed Denial of Service (DDoS) attacks on websites and online services. According to CSO Online, the cybercriminal responsible for this malware has already “made over 30 iterations — the latest version is 8.6 –, including customizable DDoS attack techniques, improved scanning and infection routines and a persistence mechanism.” To make matters worse, it’s more stealthy than other botnet malware. According to TechRadar, “The fact that it can mimic genuine web browser traffic makes this botnet more lethal than other strains, with the startup code of dark nexus resembles that of the notorious Qbot.”

When defending against DDoS attacks, the greatest challenge for security analysts is ensuring good traffic can continue to flow through, unimpeded. Therefore, a botnet that closely mimics genuine web traffic makes that significantly more difficult. Given the challenge of the latest fast-changing, automated, multi-vector attacks, and short, sub-saturating, attacks that are intended to “fly under the radar” of conventional traffic monitoring tools, it is already impossible for human security analysts to reliably monitor incoming network traffic to discern good vs. bad (DDoS) traffic. Dark Nexus is yet another, more compelling, reason why organizations should implement an automated, real-time, DDoS mitigation solution that can analyze incoming packets and immediately discern the good traffic and mitigate the bad.

Dark Nexus is a prime illustration of how the DDoS threat landscape is constantly evolving, and becoming increasingly potent. The vast majority of DDoS consists of short, sub-saturating attacks, but bad actors appear to always be on the lookout for the next attack tool which can send a massively overwhelming number of packets per second to potentially impact huge swathes of the Internet. As more and more IoT devices come online, the Dark Nexus botnet will have greater power to deliver small and large-volume DDoS attacks on all kinds of organizations. Cybersecurity professionals must respond to this new threat, and those which follow it, with DDoS mitigation technology that can automatically detect and block DDoS traffic, surgically.

For over a decade, Corero has been providing state-of-the-art, highly-effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. For more on Corero’s diverse deployment models, click here. If you’d like to learn more, please contact us.

Sean Newman is VP Product Management, responsible for Corero’s product strategy. Sean brings over 25 years of experience in the security and networking industry, to guide Corero’s growing leadership in the real-time DDoS protection market. Prior to joining Corero, Sean’s previous roles include network security Global Product Manager for Cisco, who he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.