A new report released today from Aqua Security Software Ltd.’s Nautilus research team details a massive distributed denial-of-service campaign by a threat actor called Matrix.

The threat actor uses publicly available scripts and targets vulnerable internet of things and enterprise systems, with more than 35 million devices targeted globally. Matrix targets the devices using botnets ranging in size between 350,000 and 1.7 million compromised systems.

Matrix’s DDoS campaign uses various accessible and widely available tools, demonstrating how easily even unsophisticated threat actors can mount large-scale attacks. Central to the operation is the Mirai botnet, which compromises IoT devices through weak or default credentials, integrating them into a network capable of global disruption. The threat actor also employs additional tools, including Python-based scripts and brute-force mechanisms, to target devices such as routers, IP cameras and servers.

The campaign leverages advanced exploitation techniques against known vulnerabilities, including one designated CVE-2024-27348 in Apache HugeGraph and another CVE-2021-20090 in Arcadyan firmware. Beyond IoT, Matrix also targets enterprise software like Hadoop and exploits administrative protocols such as SSH and Telnet.

A particularly unique feature of the campaign is Matrix’s use of Discord bots and a Telegram store for operational and financial purposes. The DiscordGo framework is repurposed to launch encrypted DDoS commands, while the Telegram store facilitates the sale of attack services to customers.

Matrix monetizes its DDoS campaign through a Telegram-based store that offers various attack plans tailored to customer needs. The plans are categorized into tiers, including “Basic” and “Enterprise,” allowing buyers to launch Layer 4 and Layer 7 attacks, with payments processed in cryptocurrency for anonymity.

In terms of geography, the campaign heavily targets IoT-heavy regions in the Asia-Pacific area, with China and Japan accounting for the majority of attacks. The two countries are targeted not for political purposes but because of the widespread adoption of connected devices in these countries, making them prime targets for exploitation and botnet expansion.

The Aqua Nautilus researchers make several recommendations on how to mitigate against the risk of Matrix and similar attackers. Organizations are advised to update device firmware, disable default credentials and limit access to administrative interfaces on all IoT and enterprise systems. Deploying network monitoring tools and intrusion detection systems can also help identify anomalous activity indicative of an ongoing attack.

“Matrix’s campaign highlights how basic security lapses can lead to widespread vulnerabilities,” the researchers write. “Addressing these gaps, such as misconfigured devices and unpatched systems, is essential to reducing exposure to such large-scale threats.”

Image: SiliconANGLE/Ideogram