Gayfemboy: the next-gen Mirai variant disrupting routers, miners and supply-edge devices

TL;DR: Gayfemboy is a resurfaced, Mirai-family botnet (first seen in 2024) that re-emerged in mid-2025 with expanded exploitation of router and network gear vulnerabilities, multi-architecture payloads, stealthy anti-analysis tricks, and dual motives (DDoS botnet + opportunistic cryptomining). The campaign has impacted organisations across multiple industries and countries and uses flamboyantly named C2 domains and artefacts that make it easy to talk about — but hard to remove.

1) Executive summary

FortiGuard Labs and other intel teams observed a July–August 2025 resurgence of Gayfemboy. The operators exploit a range of known vendor flaws (DrayTek, TP-Link, Raisecom, Cisco and others) to drop downloader scripts that fetch architecture-specific payloads and XMRig miners, then enrol devices into DDoS and backdoor fleets. The malware compiles for ARM, MIPS, PowerPC and x86 families, uses sandbox evasions and file-renaming tricks, and maintains C2 reachability via public resolvers and rapidly rotating domains. Targeting has included manufacturing, telco/tech, construction and media across Brazil, Germany, France, Israel, Mexico, Switzerland, the U.S., and Vietnam.

2) Anatomy of the malware (technical breakdown)

Multi-stage infection

1. Initial access: attackers exploit internet-exposed devices,s CVE,s or use weak credentials to run small downloader scripts on devices. These scripts are often named after vendor/product strings (e.g., asus, realtek, vivo) and request architecture-specific binaries.
2. Payload fetch & unpack: downloader retrieves an obfuscated Gayfemboy binary (or an XMRig miner). Gayfemboy uses unusual file-naming for each architecture (breaking Mirai’s predictable patterns), making simple YARA rules less effective.
3. Persistence & lateral steps: the binary installs persistence hooks, may rename system tools (e.g., ps, top, curl, wget) to hide itself, and spawns watchdogs to kill competing malware. Analysts observed wrappers replacing binaries, so standard admin checks miss the miner/process.

Capabilities

• DDoS: supports UDP/TCP/ICMP floods and Mirai-style scanning to both recruit and attack.
• Cryptomining: drops XMRig in opportunistic cases where CPU/GPU resources are available, monetising compromised hosts.
• Backdoor & command strings: a backdoor trigger string, such as meowmeow has been observed; other runtime strings like twinks :3 appear in samples. While theatrical, these strings are reliable detection clues.
• Multi-arch builds: compiled for ARM/AArch64, MIPS variants, PowerPC and x86 to maximise recruitable device pool.
• Anti-analysis: modified UPX-style packing/headers, auto-hibernation (long sleeps), timing checks to detect sandboxes, and renaming of utilities to evade simple scanner checks.

3) TTPs (Tactics, Techniques & Procedures)

• Exploitation of internet-facing network gear — attackers chain multiple N-day/known CVE exploits in routers, gateways and management appliances to run downloaders.
• Downloader-driven deployment — the initial script is the workhorse: small, stealthy, vendor-named, and used to fetch the appropriate binary for the target device.
• Use of public DNS resolvers (1.1.1.1, 8.8.8.8, 8.8.4.4) and ambiguous C2 domain names → evasion of local DNS filters and blending with legitimate traffic.
• Rapid domain churn & disposable infrastructure — C2 uses a parade of short-lived typosquatted/novel domains that are easy to register and rotate.

4) Observed impact and victims

Actors have hit a mix of small and medium enterprise perimeter devices and some larger organisations where edge devices were unpatched. Impact modes include:

• Service disruption via amplified DDoS.
• Resource theft through Monero mining.
• Persistent foothold at the network edge—giving attackers a launching pad for future attacks or reconnaissance. Geographies reported include Brazil, Germany, France, Israel, Mexico, Switzerland, the U.S., and Vietnam; sectors include manufacturing, tech, construction and media.

5) IOCs (selection for detection/blocklists)

Note: infrastructure changes fast. Treat domain/IP lists as immediate but short-lived indicators and combine with behavioral detections.

Domains (examples observed in intel reporting): i-kiss-boys[.]com, furry-femboys[.]top, twinkfinder[.]nl, cross-compiling[.]org, 3gipcam[.]com.

IPs / observed sources (examples from active scans): 87.121.84.34, 220.158.234.135.

Behavioural indicators:

• Sudden outbound DNS to 1.1.1.1/8.8.8.8 from IoT/edge device.
• New scheduled processes that sleep for long periods (~hours) before activity.
• Renamed system binaries (e.g., ps.original, wrappers for curl/wget).
• Unexpected listening on uncommon UDP/TCP ports; Mirai-style scanning outbound.
• Presence of strings like twinks :3 or meowmeow in memory or on disk.

6) Vulnerabilities & CVEs (what to patch first)

FortiGuard and other vendors list multiple exploited product flaws across DrayTek, TP-Link, Raisecom, Cisco and more. Vendor and vendor-specific CVEs change as researchers find new issues; as an immediate step, apply available vendor firmware updates and consult Fortinet/Broadcom advisories for a precise CVE list and IPS signatures.

(If you want, I can extract the exact CVE numbers from Fortinet’s advisory and format a prioritised patch matrix for your device inventory.)

7) Practical detections & SIEM rules (quick starters)

Here are high-value rules you can drop into your logging stack immediately:

1. DNS anomaly rule: Alert when IoT/edge device queries public DNS resolvers (1.1.1.1/8.8.8.8/8.8.4.4) AND the source is a device normally pinned to corporate DNS.
2. Process string match: Scan memory/disk for twinks :3 or meowmeow. Flag occurrences from non-workstation hosts.
3. Binary rename spotting: Detect /bin/ps.original, /bin/top.original, or unexpected wrappers for curl/wget.
4. Network scanning behaviour: Identify spikes in outbound scanning to multiple remote IPs/ports originating from edge devices.
5. Unexpected persistence: New crontab entries or startup scripts in routers/embedded devices that call unknown vendor-named binaries.

I can convert these into Sigma rules or Snort/Suricata signatures if you want ready-to-deploy files.

8) Recommended containment & remediation playbook

1. Immediate isolation: If a router/gateway shows suspicious DNS/scan/miner behaviour, logically isolate it (VLAN or ACL) while preserving forensic data.
2. Collect volatile evidence: Capture running process list, network connections and memory dump where possible (note: many IoT devices make memory capture hard).
3. Factory-reset & firmware reinstall: Reflash vendor firmware from a trusted source (not backup configs that may contain the compromise). Replace if hardware EOL.
4. Rotate credentials & management access: Replace device credentials, ensure management interfaces are VPN-only, and disable remote web admin.
5. Block & monitor: Blacklist known C2 domains, block malicious IPs at the perimeter while monitoring for fallback infrastructure.
6. Upstream DDoS mitigation: Coordinate with ISP/hosting provider for rate limiting or scrubbing if an active DDoS occurs.
7. Post-incident hardening: Harden device inventory—replace old devices, enforce central management, and restrict internet exposure for management planes.

9) Attribution & operator profile (what we can infer)

• Not loudly nation-state: tactics (cryptomining, Mirai-style floods, disposable domains) fit financially motivated criminal actors or cybercrime groups monetising IoT fleets.
• Professional tooling: multi-arch builds, sandbox evasion and vendor-targeted downloaders indicate skilled operator(s) with access to cross-platform build systems.
• Disruptive behaviour: attacks against researchers monitoring networks (reported historically for Mirai families) suggest operators are aware of and actively suppressing analysis.

10) Why Gayfemboy matters — strategic outlook

Gayfemboy is a reminder that:

• The edge (cheap routers, unmanaged gateways, industrial comms devices) is the low-cost, high-impact attack surface.
• Old assumptions — “only home devices get Mirai” — are false; supply-chain and industrial gear are now targets.
• Defenders must shift from purely perimeter firewalling to lifecycle device management: replace EOL hardware, enforce firmware management, and centralise telemetry from the edge.

Appendix A — Key public advisories & analysis (read next)

• FortiGuard Labs technical write-up (Fortinet) — primary technical teardown and IPS/CVE mapping.
• Broadcom / Symantec protection bulletin summarising indicators and recommendations.
• SecurityAffairs in-depth timeline and observed IPs/payload details.
• Heise (Germany) summary of downloads/miner behaviour and affected countries.
• The Hacker News roundup linking Gayfemboy activity to broader botnet trends.