
OSINT - Gorilla DDoS

Severity: Low
Published: Thu Nov 07 2024 (11/07/2024, 00:00:00 UTC)
Source: CIRCL OSINT Feed
Vendor/Project: type
Product: osint

Description

OSINT - Gorilla DDoS

AI-Powered Analysis

Last updated: 07/01/2025, 13:55:18 UTC

Technical Analysis

The record labelled "OSINT - Gorilla DDoS" is an OSINT (Open Source Intelligence) observation of denial of service (DoS) attack patterns. It is tagged with the MITRE ATT&CK techniques network denial of service (T1464) and endpoint denial of service (T1499 and T1642), which describe attacks that overwhelm network resources or endpoint systems to disrupt availability. The data itself gives no specific technical detail on the Gorilla DDoS attack vector, such as the attack methodology, exploited vulnerabilities or targeted platforms. The severity is marked as low with a certainty of 50%, indicating moderate confidence but limited concrete evidence. No affected versions or products are specified, and there are no known exploits in the wild and no available patches. The entry appears to be an OSINT observation rather than a confirmed active threat campaign. The combination of network and endpoint denial of service suggests that Gorilla DDoS could be a distributed denial of service attack using multiple vectors to degrade or deny service to targeted systems or networks. Without detailed indicators or technical specifics, the attack and its mechanisms cannot be fully characterized. Overall, this represents a potential low-severity denial of service threat with limited current impact or exploitation evidence.

Potential Impact

For European organizations, the primary impact of a denial of service threat like Gorilla DDoS would be disruption of network or endpoint availability. This could lead to temporary service outages, degraded performance, and potential operational interruptions. Critical infrastructure, financial institutions, healthcare providers, and public sector entities could be affected if targeted, resulting in service unavailability that impacts end users and business continuity. However, given the low severity and lack of known active exploitation, the immediate risk is limited. The threat could serve as an early warning to monitor for emerging DDoS campaigns or related network disruptions. If the threat evolves or is weaponized, it could increase in severity and impact, particularly for organizations with internet-facing services or insufficient DDoS mitigation capabilities. European organizations should consider the potential for increased network traffic anomalies and prepare incident response plans accordingly.

Mitigation Recommendations

1. Implement and regularly update network-level DDoS protection solutions such as traffic filtering, rate limiting, and anomaly detection to identify and mitigate unusual traffic patterns indicative of DDoS attacks.
2. Deploy endpoint protection and monitoring tools capable of detecting abnormal resource consumption or denial of service conditions at the host level.
3. Establish robust incident response procedures specifically for denial of service scenarios, including communication plans and escalation paths.
4. Collaborate with Internet Service Providers (ISPs) and utilize upstream filtering or scrubbing services to absorb or block malicious traffic before it reaches critical infrastructure.
5. Conduct regular network and endpoint resilience testing to ensure systems can handle traffic spikes and recover quickly from disruptions.
6. Monitor OSINT feeds and threat intelligence sources for updates on Gorilla DDoS or related campaigns to adapt defenses proactively.
7. Harden network infrastructure by disabling unnecessary services and closing unused ports to reduce attack surface.
8. Consider implementing redundancy and failover mechanisms to maintain service availability during attack conditions.


Technical Details

Uuid
581c63d3-9c2b-4af0-994c-c73cf9d2e895
Original Timestamp
1748877175

Indicators of Compromise


Text

Since September 2024, the National Cyber Security Centre of Switzerland (NCSC) is witnessing an increase in DDoS attacks against national critical infrastructure in Switzerland. According to our intelligence, these DDoS attacks are originating from a DDoS-as-a-service called "Gorilla". The attacks were mostly UDP based amplification attacks, apparently using open DNS resolvers. While the recent attacks have temporarily impacted the availability of certain services operated by the victim's organization, the security and confidentiality of data or services have not been impacted nor ever been at risk. Under the name "Gorilla Services", an unknown threat actor is selling various services on Telegram, including DDoS-as-a-service where the cheapest plan starts at only a couple of dollars per day. While the service is already in business for quite some time, the amount of DDoS attacks conducted by Gorilla has increased recently. Gorilla offers a Mirai-like DDoS botnet for hire ("GorillaBot") which consists of compromised Linux/Unix devices. However, they also offer 10Gbit/s hosting with spoofed uplink, which commonly get used for DDoS attacks as well. As documented by NSFOCUS, the number of attacks conducted by GorillaBot has increased rapidly to over 300’000 attacks in September 2024. With this, NSFOCUS considers the threat as "The New King of DDoS Attacks". The NCSC has mapped, together with the affected organizations in Switzerland, the attack infrastructure used by Gorilla and shared the corresponding cyber threat intelligence (CTI) not only with operators of national critical infrastructure in Switzerland but also with international partners. In addition, the NCSC has contacted Telegram, a company operating out of Dubai, and asked them to take actions against the offensive Telegram channel. This apparently resulted in the shut down of the reported Telegram channel.
However, we observed that the threat actor has already set up a new Telegram channel and Signal as backup. With this technical report, we shed some light on the malware used by Gorilla and their DDoS operations.
Technical Analysis of GorillaBot (Report)
Bash: Script to download the GorillaBot binaries (Mirai variant). Malicious.

Link

https://github.com/govcert-ch/CTI/blob/main/20241010_GorillaBot/20241010_NCSC-CH-GorillaBot.pdf


Malware sample

Value (SHA-256 | MD5):
a9a56ecee25fb22a19757e98133aeb858312377f6fd9c2bbb747edf687ed8547 | 3c21544cfb3979b9d823eac46998f86a
14fb8b3b89c5f626519950882f242dd53889b1067578a9321e721dbf4311a91f | 6cfca1b6f1302235cf09a9942ba1d3c6
d50acb9b20222c4e4a616a2ccc095eec2780141da7d4264a5ba2f82cae9c4670 | 4dc38c34e95ee063a4328a07871689ff

Mime type

Value:
text/plain
application/x-executable
application/x-executable

Threat ID: 68493dbccacb3d99bea6dd66

Added to database: 6/11/2025, 8:26:36 AM

Last enriched: 7/1/2025, 1:55:18 PM

Last updated: 8/17/2025, 11:08:48 PM

Views: 40
