5 malware families · Exploits CVEs in the wild

Matrix

Also known as: Matrix

Matrix is a threat actor linked to a large-scale, financially motivated distributed denial-of-service (DDoS) campaign. Aqua Nautilus researchers described the operation as leveraging publicly available and open-source tools, scripts, and frameworks to scan for targets, exploit known vulnerabilities, brute-force weak or default credentials, deploy malware, and monetize DDoS activity. Aqua assessed that there is evidence the operation may be run by a lone actor and described it as likely a Russian-origin, script-kiddie-style operation; the campaign itself is characterized as low in sophistication rather than advanced.

Matrix primarily targets internet-connected IoT devices and enterprise-exposed systems, including routers, DVRs, IP cameras, telecom equipment, and servers. Reported targets and access vectors include exploitation of router vulnerabilities such as CVE-2017-18368 and CVE-2021-20090, flaws affecting Hi3520-based devices, and attacks against misconfigured or exposed Telnet, SSH, Apache Hadoop YARN, and HugeGraph services. The campaign relies heavily on weak or default credentials, including common admin and root accounts, and has focused on IP ranges associated with cloud service providers such as AWS, Microsoft Azure, and Google Cloud. Compromised systems are incorporated into a botnet used for DDoS attacks.

Tooling associated with Matrix includes Mirai variants, SSH scanners, Python-, Shell-, and Golang-based scripts, and DDoS-related programs such as PYbot, pynet, DiscordGo, Homo Network, and a JavaScript HTTP/HTTPS flood tool. Reporting also noted use of a tool capable of disabling Microsoft Defender Antivirus on Windows systems. Some artifacts were staged from a GitHub account opened in November 2023. Victimology is concentrated in China and Japan, with additional targeting reported in Argentina, Australia, Brazil, Egypt, India, and the United States.
Reporting states the campaign avoids Russian and Ukrainian assets, and the absence of Ukraine in the victimology footprint was assessed as consistent with financial rather than political motivation. Matrix is also reported to advertise or monetize DDoS-for-hire services through a Telegram bot named Kraken Autobuy, with customers able to purchase attack tiers using cryptocurrency. The campaign has been described as potentially affecting a very large pool of vulnerable devices, with estimates citing up to 35 million potential targets and a possible botnet size of roughly 350,000 to 1.7 million devices. No additional aliases or sub-groups for Matrix were directly identified in the provided content.
