A newly identified botnet, dubbed Eleven11bot, has emerged as a significant cyber threat, compromising over 30,000 internet-connected devices, primarily security cameras and network video recorders (NVRs).
This botnet is being used to launch distributed denial-of-service (DDoS) attacks against various sectors, including telecommunications and gaming platforms.
The botnet’s size is notable, making it one of the largest DDoS botnet campaigns observed since early 2022, according to Nokia’s Deepfield Emergency Response Team.
Discovery and Impact
Eleven11bot was first detected by Nokia’s Deepfield Emergency Response Team in late February 2025, with the botnet rapidly expanding its reach.
The attacks have caused significant disruptions, lasting multiple days and impacting service providers and gaming platforms.
According to the researchers, the intensity of these attacks varies widely, ranging from a few hundred thousand to several hundred million packets per second.
Notably, the botnet has been linked to Iran, with a majority of the observed IP addresses traced back to the region.
The botnet’s expansion strategy involves brute-force attacks on login systems, exploiting weak and default passwords on IoT devices, and targeting specific security camera brands using hardcoded credentials.
Additionally, it conducts network scans for exposed Telnet and SSH ports, which are often left unprotected on IoT hardware.
Despite its size and impact, Nokia Deepfield customers are protected due to active tracking and the design of their DDoS solution.
Global Reach and Security Measures
While initial reports suggested around 30,000 compromised devices, more recent data indicates that the botnet has infected over 86,000 IoT devices globally, with significant numbers in the United States, the United Kingdom, Mexico, Canada, and Australia.
To defend against Eleven11bot, organizations are advised to block traffic from known malicious IPs, monitor network logs for unusual login attempts, secure IoT devices by changing default passwords and updating firmware, and implement DDoS protection and rate-limiting.
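The log-monitoring advice above can be made concrete with a small detector for password-guessing against SSH. This is an added example, not code from Nokia or from this report; it assumes OpenSSH-style syslog lines, and the function name, threshold, window, year and sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog format (documentation-range IPs).
SAMPLE_LOG = """\
Mar  3 02:14:01 nvr sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  3 02:14:03 nvr sshd[812]: Failed password for root from 203.0.113.7 port 40114 ssh2
Mar  3 02:14:05 nvr sshd[813]: Failed password for invalid user support from 203.0.113.7 port 40116 ssh2
Mar  3 02:14:07 nvr sshd[814]: Failed password for invalid user guest from 203.0.113.7 port 40118 ssh2
Mar  3 02:14:09 nvr sshd[815]: Failed password for invalid user user from 203.0.113.7 port 40120 ssh2
Mar  3 02:14:11 nvr sshd[816]: Accepted password for root from 203.0.113.7 port 40122 ssh2
Mar  3 08:30:00 nvr sshd[900]: Failed password for ops from 198.51.100.20 port 51000 ssh2
Mar  3 08:41:00 nvr sshd[901]: Accepted password for ops from 198.51.100.20 port 51002 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2025):
    """Flag source IPs with >= threshold failed logins inside a sliding window."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    users = defaultdict(set)     # ip -> every account name it tried
    flagged = {}                 # ip -> True once a login succeeds after flagging
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Syslog omits the year, so an assumed one is supplied for parsing.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            users[ip].add(m["user"])
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                flagged.setdefault(ip, False)
        elif ip in flagged:
            flagged[ip] = True          # success after a burst: likely compromise
    return {ip: {"users": sorted(users[ip]), "accepted_after": ok}
            for ip, ok in flagged.items()}

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```

A flagged source with `accepted_after` set deserves priority, since it means a guessed password worked and the device should be treated as compromised.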
As the botnet continues to pose a threat, vigilance and proactive measures are crucial for protecting networks from such cyber threats.