Researchers have flagged a surge in malicious activity in which vulnerable D-Link routers are being roped into two distinct botnets. Both the Kaiten (also known as Tsunami) variant CAPSAICIN and the Mirai variant FICORA are in use. Telemetry data from the cybersecurity firm indicates that FICORA attacks have targeted several nations worldwide.
East Asian countries like Taiwan and Japan were the main focus of the attacks associated with CAPSAICIN. Additionally, the CAPSAICIN activity is said to have been "intensely" active only from October 21 to October 22, 2024.
According to researcher Vincent Li's analysis on Thursday, the malware eliminates known botnet processes to make sure it is the only botnet running on the victim host. Additionally, it includes capabilities to use UDP, TCP, and DNS protocols to launch distributed denial-of-service (DDoS) attacks. The ICMP packet flooding attack is the foundation of the BlackNurse attack.
Killall: Prevent all DDoS assaults.

KillmyEYEPEEUSINGHOIC: Remove the initial malicious software.

Li stated, "It is essential for every enterprise to maintain thorough monitoring and update the kernel of their devices on a regular basis." "These attacks have remained continuously active worldwide, even though the vulnerabilities exploited in this attack had been exposed and patched nearly ten years ago," he stated.
The BlackNurse group, a U.S.-based organization headed by Killmyeyepeeusinghoic, a U.K.-based business, carried out the attack. Since its founding in 2007, the group has amassed over 1,000 members worldwide, including over 100 in the US, China, Japan, and South Korea.











