October 3, 2023

A huge botnet, tracked as Pink, that already infected over 1.6 million devices. The botnet was created to launch DDoS attacks and to insert advertisements in the legitimate HTTP traffic of the victims, most of which are in China (96%).

Pink is the largest botnet they have observed in the last six years. The number of infected devices is impressive, researchers have observed 1,962,308 unique daily active IPs from the Pink botnet targeting its systems.


The botnet leverages a robust architecture based on a combination of third-party services, P2P, and Command & Control servers. This architecture was implemented to make the botnet resilient to takedowns by law enforcement and security firms with the support of the vendors of the infected devices.

Every time a vendor made some attempts to address the problem, the botmaster pushed out multiple firmware updates on the fiber routers to maintain their control.

Pink also adopts the DNS-Over-HTTPS (DoH) for the distribution of configuration information that’s done either via a project hidden on GITHUB or Baidu Tieba, or via a built-in domain name hard-coded into some of the samples.

Threat actors leverage a zero day attack aimed at broadband devices of specific brands. The impacted devices were mainly provided to North China and Northeast China, with most of the installs in Beijing.

Unlike other botnets, the Pink malware is only able to target the MIPS architecture used by the above devices.


The Pink botnet supports the following set of commands:

  1. File download
  2. System command execution
  3. DDoS attacks
  4. Scan
  5. Report device information
  6. Self-update
  7. P2P node list synchronisation
  8. Http message injection
  9. Sock5 proxy service
  10. Download the file and execute
  11. Stop the attack
  12. Reset watchdog

Indicators of Compromise

Leave a Reply

%d bloggers like this: