New Eleven11bot Hacked 86,000 IP Cameras for Massive DDoS Attack
The cybersecurity landscape faces a growing threat from sophisticated botnet operations targeting Internet of Things (IoT) devices, with recent developments highlighting the vulnerability of connected cameras and smart devices.
While specific details about the Eleven11bot malware remain limited in publicly available research, the broader context reveals an alarming trend of attackers exploiting poorly secured IP cameras to construct massive distributed denial-of-service (DDoS) networks capable of generating unprecedented traffic volumes.
The emergence of large-scale IoT botnets represents a significant escalation in cyber threat capabilities, with attackers increasingly targeting IP cameras due to their widespread deployment, often inadequate security configurations, and substantial bandwidth capacity.
These compromised devices can collectively generate traffic volumes measured in terabits per second, making them particularly attractive for cybercriminals seeking to maximize the impact of their DDoS campaigns.
The scale of 86,000 compromised IP cameras suggests a highly organized operation with sophisticated infection and command-and-control mechanisms.
StormWall analysts identified a dramatic surge in DDoS attack sophistication during Q1 2025, with carpet bombing attacks rising by 96% across the Asia-Pacific region.
This trend aligns with the operational characteristics typically associated with large IoT botnets, where attackers deploy multiple attack vectors simultaneously to overwhelm target defenses.
The researchers noted that modern DDoS campaigns increasingly combine UDP floods, TCP SYN floods, and HTTP-based attacks in rapid succession, employing what security experts describe as an “everything, everywhere, all at once” approach.
The technical implications of such large-scale IoT compromises extend beyond simple volumetric attacks.
Modern botnet operators have evolved their tactics to include sophisticated evasion techniques that keep traffic volume per compromised device below conventional detection thresholds, making identification and mitigation significantly more challenging.
This strategic approach allows attackers to maintain persistent access to compromised devices while avoiding detection by legacy security systems designed to identify traditional high-volume flood attacks.
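The detection gap described above, seen from the defender's side, in an added Python example that is not code from StormWall or from this article. The flow-record fields, the addresses and all three thresholds are constructed assumptions; the example compares a per-source rate check with aggregation per destination /24, which also covers traffic spread across a subnet as in carpet bombing.

```python
from collections import defaultdict
from ipaddress import ip_network

# Assumed thresholds for illustration; tune to the monitored network's baseline.
PER_SOURCE_PPS = 1000   # legacy alert: one source sending more than this
PREFIX_PPS = 50_000     # aggregate alert: total rate into one destination prefix
MIN_SOURCES = 100       # aggregate alert: distinct sources needed to call it distributed

def per_source_alerts(flows):
    """Legacy view: flag single sources whose summed rate exceeds the threshold."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["pps"]
    return sorted(src for src, pps in totals.items() if pps > PER_SOURCE_PPS)

def prefix_alerts(flows, prefixlen=24):
    """Aggregate view: sum rate per destination prefix, count sources and vectors."""
    stats = defaultdict(lambda: {"pps": 0, "sources": set(), "vectors": set()})
    for f in flows:
        net = str(ip_network(f"{f['dst']}/{prefixlen}", strict=False))
        stats[net]["pps"] += f["pps"]
        stats[net]["sources"].add(f["src"])
        stats[net]["vectors"].add(f["vector"])
    return {
        net: {"pps": s["pps"], "sources": len(s["sources"]),
              "vectors": sorted(s["vectors"])}
        for net, s in stats.items()
        if s["pps"] >= PREFIX_PPS and len(s["sources"]) >= MIN_SOURCES
    }

def constructed_flows():
    """Constructed sample: 300 sources at 200 pps each, spread over one /24,
    mixing three vectors, plus one unrelated benign flow."""
    vectors = ["udp", "tcp_syn", "http"]
    flows = [{"src": f"10.0.{i // 250}.{i % 250 + 1}",
              "dst": f"203.0.113.{i % 254 + 1}",
              "pps": 200, "vector": vectors[i % 3]} for i in range(300)]
    flows.append({"src": "192.0.2.10", "dst": "192.0.2.80",
                  "pps": 500, "vector": "http"})
    return flows

if __name__ == "__main__":
    sample = constructed_flows()
    print("per-source alerts:", per_source_alerts(sample))
    print("prefix alerts:", prefix_alerts(sample))
```

On the constructed sample the per-source check raises nothing, while the prefix view reports the targeted /24 with its total rate, source count and the mix of vectors.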
Infection Mechanism and Payload Delivery
The infection vectors employed by advanced IoT botnets typically exploit a combination of weak authentication protocols and unpatched firmware vulnerabilities present in consumer and commercial IP camera systems.
While specific code analysis of the Eleven11bot payload remains unavailable, similar malware families generally utilize automated scanning techniques to identify vulnerable devices across large IP address ranges.
The infection process commonly begins with dictionary-based credential attacks targeting default or weak passwords, followed by exploitation of known Common Vulnerabilities and Exposures (CVE) entries affecting popular camera firmware.
Once initial access is established, the malware typically downloads additional payloads designed to establish persistence and integrate the compromised device into the botnet command structure.
The scale of 86,000 compromised devices suggests the operation employed highly efficient automated scanning and infection techniques, likely leveraging cloud-based infrastructure to distribute the workload across multiple scanning nodes.
This distributed approach enables rapid identification and compromise of vulnerable devices while minimizing the risk of detection by network security monitoring systems.