PYbot

PyBot is a Python-based framework used for botnet management and coordination in a broad DDoS campaign attributed to the threat actor Matrix. In the reported activity, Matrix compromises IoT devices, routers, telecom equipment, IP cameras, DVRs, and some enterprise systems by exploiting known vulnerabilities, abusing misconfigured Telnet, SSH, and Hadoop services, and brute-forcing weak or default credentials such as admin:admin. PyBot was used alongside other DDoS-related tooling including Mirai variants, pynet, DiscordGo, Homo Network, and an HTTP/HTTPS flood script. The campaign was observed primarily targeting IP space in China and Japan, with additional activity affecting Argentina, Australia, Brazil, Egypt, India, and the United States, and also focusing on cloud-provider-associated ranges including AWS, Microsoft Azure, and Google Cloud. Aqua Nautilus researchers assessed the operation as financially motivated and linked it to a Telegram-based DDoS-for-hire service called Kraken Autobuy that accepts cryptocurrency payments and offers Layer 4 and Layer 7 attack options. High-confidence indicators in the content are limited to the malware/tool name and its use as part of the Matrix DDoS ecosystem; no standalone file hashes, domains, or other PyBot-specific IOCs were provided.