New Stealthy Malware Hijacking Cisco, TP-Link, and Other Routers for Remote Control

FortiGuard Labs has uncovered a sophisticated malware campaign targeting network infrastructure devices from multiple vendors. The strain, tracked as "Gayfemboy" and derived from Mirai, combines anti-analysis and obfuscation techniques with builds for several CPU architectures.

The campaign affects organizations globally, exploiting vulnerabilities in DrayTek, TP-Link, Raisecom, and Cisco products to enrol devices in a persistent botnet that provides backdoor access and distributed denial-of-service (DDoS) capability.

Multi-Vendor Attack on Critical Infrastructure

The Gayfemboy campaign has expanded considerably since Chinese security researchers first documented the malware; FortiGuard Labs has been tracking a renewed wave of activity that began in July 2025.

The malware targets a broad range of network infrastructure devices, including DrayTek Vigor series routers, TP-Link Archer AX21 devices, Raisecom MSG gateways, and Cisco Identity Services Engine (ISE) platforms.

Exploitation attempts originate from a single source, 87[.]121[.]84[.]34, with the payloads served from 220[.]158[.]234[.]135.

The campaign demonstrates global reach, affecting organizations across Brazil, Mexico, the United States, Germany, France, Switzerland, Israel, and Vietnam.

Targeted sectors include manufacturing, technology, construction, and media and communications. The malware exploits more than ten CVEs, among them CVE-2020-8515 (DrayTek), CVE-2023-1389 (TP-Link Archer AX21), CVE-2024-7120 (Raisecom), and the recently disclosed CVE-2025-20281 affecting Cisco ISE.

Advanced Malware Evasion

Gayfemboy distinguishes itself from traditional Mirai variants through sophisticated anti-analysis mechanisms and obfuscation techniques.

The malware tampers with the standard UPX packing headers, overwriting the recognizable "UPX!" marker with non-printable bytes. Packer identification that keys on the string fails, and the stock unpacker (upx -d) rejects the file until an analyst restores the marker by hand.
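The check an analyst runs before unpacking, as an added example that is not part of the FortiGuard write-up or of the malware: a stock UPX-packed ELF carries the "UPX!" marker in three places, the l_info block that immediately follows the program headers, the block end record, and the PackHeader trailer near the end of the file, and upx -d refuses the file when the marker is gone. The script below locates those slots from the ELF header, reports whether each still holds the magic, and writes it back. The sample it inspects is a constructed header-only stand-in for a packed x86-64 binary (not a real or malicious file); the offsets assume UPX's ELF output layout and the trailer search that falls back on the version/format bytes is a heuristic.

```python
import struct

UPX_MAGIC = b"UPX!"

# l_info block that UPX writes straight after the ELF program headers (12 bytes):
#   u32 l_checksum | u32 l_magic ("UPX!") | u16 l_lsize | u8 l_version | u8 l_format
LINFO_SIZE, LINFO_MAGIC, LINFO_VERSION, LINFO_FORMAT = 12, 4, 10, 11
# PackHeader trailer near EOF (32 bytes): u32 magic ("UPX!") | u8 version | u8 format | ...
PACKHDR_SIZE = 32
TAIL_WINDOW = 64  # how far back from EOF the trailer search looks (heuristic)


def parse_elf_header(data: bytes) -> dict:
    """Return the ELF header fields needed to locate UPX's l_info block."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little-endian, 2 = big-endian (e.g. MIPS routers)
    layout = end + ("16sHHIQQQIHHHHHH" if is64 else "16sHHIIIIIHHHHHH")
    f = struct.unpack_from(layout, data, 0)
    return {"e_phoff": f[5], "e_phentsize": f[9], "e_phnum": f[10], "e_shnum": f[12]}


def inspect_upx_magic(data: bytes) -> dict:
    """Locate the 'UPX!' slots of a UPX-packed ELF and report whether each still holds the magic."""
    hdr = parse_elf_header(data)
    linfo_off = hdr["e_phoff"] + hdr["e_phnum"] * hdr["e_phentsize"]
    if linfo_off + LINFO_SIZE > len(data):
        raise ValueError("file too short to hold an l_info block")
    head_off = linfo_off + LINFO_MAGIC
    version, fmt = data[linfo_off + LINFO_VERSION], data[linfo_off + LINFO_FORMAT]

    # Trailer search: upx -d scans for the magic itself; once that has been overwritten we
    # fall back to the version/format bytes, which UPX stores in both l_info and PackHeader.
    tail_off = None
    for off in range(len(data) - PACKHDR_SIZE, max(-1, len(data) - TAIL_WINDOW - 1), -1):
        if data[off:off + 4] == UPX_MAGIC or (data[off + 4] == version and data[off + 5] == fmt):
            tail_off = off
            break
    # Block end record (b_info: u32 sz_unc == 0 | u32 sz_cpr == "UPX!" | 4 flag bytes) sits just before it.
    marker_off = None
    if tail_off is not None and tail_off >= 12 and data[tail_off - 12:tail_off - 8] == b"\x00" * 4:
        marker_off = tail_off - 8

    return {
        "head_off": head_off,
        "head_intact": data[head_off:head_off + 4] == UPX_MAGIC,
        "tail_off": tail_off,
        "tail_intact": tail_off is not None and data[tail_off:tail_off + 4] == UPX_MAGIC,
        "marker_off": marker_off,
        # UPX output carries no section headers; together with a located trailer this is a
        # reasonable "packed but signature stripped" heuristic, not proof.
        "upx_like": hdr["e_shnum"] == 0 and tail_off is not None,
    }


def restore_upx_magic(data: bytes) -> bytes:
    """Write 'UPX!' back into every slot so the stock unpacker (upx -d) accepts the file."""
    info = inspect_upx_magic(data)
    if info["tail_off"] is None:
        raise ValueError("could not locate the PackHeader trailer")
    buf = bytearray(data)
    for off in (info["head_off"], info["tail_off"], info["marker_off"]):
        if off is not None:
            buf[off:off + 4] = UPX_MAGIC
    return bytes(buf)


def build_sample(tampered: bool) -> bytes:
    """Constructed stand-in for a UPX-packed x86-64 ELF (header layout only, not a real binary)."""
    magic = b"\x00\x0a\x0b\x7f" if tampered else UPX_MAGIC  # non-printable stand-in for the stripped marker
    version, fmt = 13, 22                                     # UPX header version 13, format 22 = ELF64/AMD64
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
                       2, 62, 1, 0x400000, 64, 0, 0, 64, 56, 2, 0, 0, 0)   # e_shnum == 0, two phdrs
    phdrs = b"\x00" * (2 * 56)
    linfo = struct.pack("<I4sHBB", 0, magic, 0x1234, version, fmt)
    pinfo = b"\x00" * 12
    blob = bytes(range(256)) * 2                                # stand-in for the compressed blocks
    end_marker = struct.pack("<I4sBBBB", 0, magic, 0, 0, 0, 0)  # b_info end record carries the magic too
    packhdr = struct.pack("<4sBB", magic, version, fmt) + b"\x00" * (PACKHDR_SIZE - 6)
    overlay = struct.pack("<I", 64 + 2 * 56 + LINFO_SIZE + 12)  # overlay_offset, last 4 bytes of the file
    return ehdr + phdrs + linfo + pinfo + blob + end_marker + packhdr + overlay


if __name__ == "__main__":
    stripped = build_sample(tampered=True)
    print("before:", inspect_upx_magic(stripped))
    print("after: ", inspect_upx_magic(restore_upx_magic(stripped)))
```

On a real sample, run inspect_upx_magic on the file bytes, write the output of restore_upx_magic to a copy, and only then hand the copy to upx -d; if the trailer cannot be located, the sample is probably packed with a modified UPX build rather than a stock one with a patched marker, and static restoration will not be enough.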

It also uses its own architecture naming scheme, labelling builds "xale" for x86-64 and "aale" for AArch64 rather than the predictable architecture names (x86, arm, mips and so on) seen in stock Mirai builds.

The malware is organised into four functional modules:

  • Monitor – Tracks threads and processes, applies anti-analysis checks, and terminates competing malware and security tools.
  • Watchdog – Maintains persistence by binding a UDP port and monitoring its own process.
  • Attacker – Launches DDoS attacks, including UDP flood, TCP SYN flood, and ICMP flood.
  • Killer – Handles self-protection through time checks and a remote kill command.

For sandbox evasion the malware requests a sleep of just 50 nanoseconds; in virtualized environments the call takes far longer than requested, and that discrepancy triggers extended sleep periods that stall automated analysis.

The command-and-control infrastructure spans several domains, including cross-compiling[.]org, i-kiss-boys[.]com, and furry-femboys[.]top, which the malware resolves directly through public resolvers such as 8.8.8.8 rather than the host's configured resolver, sidestepping local DNS filtering.

When connecting to its C2 the malware cycles through 15 predefined ports, so that blocking a single port does not sever control.

Fortinet Unveils Protection Measures

Fortinet says it has layered protection against the Gayfemboy campaign across its FortiGuard services.

Antivirus signatures detect the malware as BASH/Dloader.P!tr, BASH/Agent.CSQ!tr.dldr, ELF/Mirai.CSQ!tr, and ELF/Mirai.GFB!tr across FortiGate, FortiMail, FortiClient, and FortiEDR platforms.

Web filtering blocks the identified C2 domains, and IPS signatures cover the exploited vulnerabilities.

Organizations should prioritize patching the affected products and monitor their networks for the command-and-control infrastructure listed below.

FortiGuard IP Reputation, fed by threat intelligence shared with Fortinet's global security partners, blocks the attack sources.

The company also recommends its free Fortinet Certified Fundamentals training to improve security awareness and incident response capability.

Indicators of Compromise (IoCs):

Type    Value
IP      141[.]11[.]62[.]222
IP      149[.]50[.]96[.]114
IP      220[.]158[.]234[.]135
IP      78[.]31[.]250[.]15
IP      5[.]182[.]206[.]7
IP      5[.]182[.]204[.]251
Domain  cross-compiling[.]org
Domain  i-kiss-boys[.]com
Domain  furry-femboys[.]top
Domain  twinkfinder[.]nl
Domain  3gipcam[.]com
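The monitoring the article calls for, as an added example that is not part of the FortiGuard write-up: the script below refangs the indicators listed above (plus the exploitation source 87[.]121[.]84[.]34 named earlier), runs them over flow records, and additionally flags DNS sent to any resolver other than the organisation's own, which is the resolver-bypass behaviour described in the C2 section. The log format, the sample lines and the approved resolver 10.0.0.53 are constructed for the example; adapt the regular expression to whatever your flow or DNS logs actually look like.

```python
import ipaddress
import re

# Indicators as published (defanged). 87[.]121[.]84[.]34 is the exploitation source named in the body.
RAW_IOCS = [
    "87[.]121[.]84[.]34", "141[.]11[.]62[.]222", "149[.]50[.]96[.]114", "220[.]158[.]234[.]135",
    "78[.]31[.]250[.]15", "5[.]182[.]206[.]7", "5[.]182[.]204[.]251",
    "cross-compiling[.]org", "i-kiss-boys[.]com", "furry-femboys[.]top",
    "twinkfinder[.]nl", "3gipcam[.]com",
]

# Assumption: the internal resolver devices are supposed to use; DNS to anything else is a bypass.
APPROVED_RESOLVERS = {"10.0.0.53"}

# Constructed flow records (not real traffic): ts proto src:port dst:port kind [q=name]
SAMPLE_LOG = """\
2025-07-21T10:15:02Z udp 192.168.10.23:41022 10.0.0.53:53 dns q=www.example.com
2025-07-21T10:15:07Z udp 192.168.10.23:41031 8.8.8.8:53 dns q=i-kiss-boys.com
2025-07-21T10:15:09Z tcp 192.168.10.23:52110 220.158.234.135:80 conn
2025-07-21T10:16:40Z udp 192.168.10.24:39944 8.8.8.8:53 dns q=updates.example.org
2025-07-21T10:17:01Z tcp 192.168.10.25:44100 93.184.216.34:443 conn
2025-07-21T10:17:15Z udp 192.168.10.23:41040 1.1.1.1:53 dns q=cdn.furry-femboys.top
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<kind>dns|conn)(?: q=(?P<qname>\S+))?$"
)


def refang(ioc: str) -> str:
    """Turn the defanged form used in reports back into a matchable value."""
    return ioc.replace("[.]", ".")


def load_iocs(raw):
    """Split indicators into IP and domain sets; anything that is not a valid IP is a domain."""
    ips, domains = set(), set()
    for item in raw:
        value = refang(item).strip().lower()
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value.rstrip("."))
    return ips, domains


def domain_hit(qname: str, domains) -> bool:
    """Exact or subdomain match, so cdn.furry-femboys.top matches furry-femboys.top."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def scan_flows(log_text: str, ioc_ips, ioc_domains, approved_resolvers=APPROVED_RESOLVERS):
    """Return (rule, source host, detail) tuples for every record that matches a rule."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed records instead of aborting the whole run
        f = m.groupdict()
        if f["kind"] == "dns":
            if f["dst"] not in approved_resolvers:
                alerts.append(("dns_resolver_bypass", f["src"], f"DNS to {f['dst']} for {f['qname']}"))
            if f["qname"] and domain_hit(f["qname"], ioc_domains):
                alerts.append(("c2_domain_lookup", f["src"], f["qname"]))
        elif f["kind"] == "conn" and f["dst"] in ioc_ips:
            alerts.append(("c2_ip_connection", f["src"], f"{f['dst']}:{f['dport']}"))
    return alerts


def triage(alerts):
    """Hosts that touched listed infrastructure outrank hosts that only bypassed the resolver."""
    confirmed = {src for rule, src, _ in alerts if rule.startswith("c2_")}
    bypass_only = {src for rule, src, _ in alerts if rule == "dns_resolver_bypass"} - confirmed
    return confirmed, bypass_only


if __name__ == "__main__":
    ips, domains = load_iocs(RAW_IOCS)
    found = scan_flows(SAMPLE_LOG, ips, domains)
    for alert in found:
        print(*alert)
    print("isolate:", *sorted(triage(found)[0]))
```

The resolver-bypass rule is the one worth keeping after this campaign is over: a router or camera VLAN rarely has a legitimate reason to talk to 8.8.8.8 directly, and blocking outbound UDP/TCP 53 from those segments at the firewall (while logging the attempts) removes the technique rather than just one set of domains.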


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.