Remaiten is a Linux malware family and IoT DDoS bot identified in 2016 that targets embedded Linux systems, including Linux-based routers and potentially other IoT devices. It compromises devices by brute-forcing access over weak credentials, using lists of frequently used default username and password combinations. Reporting also described it as a new Telnet worm affecting Linux-based home routers. Remaiten combines characteristics of the Tsunami and LizardStresser (Torlus) malware families and uses IRC for command-and-control, including actual IRC channels. It attempts to determine the victim device’s platform before downloading an architecture-appropriate payload from its command-and-control server, which improves infection success and can help evade detection. Once installed, it can launch distributed denial-of-service attacks, download additional malware, and scan for and remove competing bots from infected systems. It is associated with botnet activity on compromised Linux-based devices and is categorized among notable IoT malware.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Remaiten is able to scan and remove competing bots on a system compromised by it.
The infected devices constantly scan the Web for other IoT things to compromise... CJ: I scanned the internet with a few sets of defualt logins for telnet
Continuously scans /proc/ for new processes... For each process: Checks if the binary's realpath contains .anime... Performs memory scanning of /proc/$pid/exe against signatures for known competing botnets...
issues kill(pid, 9)... unlink() the binary and kill -9 the process... This targets malware that deletes itself after execution...
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Remaiten is referenced as a competing Linux ELF botnet malware family that this Mirai variant attempts to detect and kill on infected devices.
Notable IoT malware BASHLITE BrickerBot Carna Hajime Linux.Darlloz Linux.Wifatch Mirai Remaiten
Linux malware targeting embedded systems and IoT devices, especially routers, by brute-forcing default credentials. It uses IRC-based command and control, can launch distributed denial-of-service attacks, download additional malware, determine device architecture to fetch appropriate components, and remove competing bots from infected systems.
Referenced as another IoT DDoS bot.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.