
Microsoft Defender for IoT Research Finds New Form of Zerobot Threat

Microsoft Defender for IoT researchers say that Zerobot 1.1 is an evolution of the botnet with new attack capabilities.


[UPDATE 17.07.2023 – 09:02 CET] We have been contacted by John Alvarez, founder of ZeroBot.ai, with the following clarification that his product is completely unrelated to the Zerobot malware: “Our product, ZeroBot.ai, is the industry’s first internet-accessible verbal chatbot and is in no way associated with the ‘ZeroBot’ malware. We are steadfast in our commitment to delivering a secure and innovative experience for all users.”

[22.12.2022 – 14:33 CET] 

In a new blog post, a Microsoft Defender for IoT security research team says it has found new Zerobot capabilities and describes how the malware continues to evolve. The company says the latest version of the botnet malware (Zerobot 1.1) has new “features” and attack methods.

If you’re unfamiliar with Zerobot, it is a type of botnet that spreads across web applications and IoT devices by exploiting vulnerabilities. It is malware as a service, which means it evolves over time. In fact, the Microsoft Defender for IoT security team says the botnet has been updated multiple times since the team began tracking the malware.

Malware as a service is a relatively new concept in the cybercrime world. It allows threat actors to easily access malware packages that are already established and use ready-made tools for their attacks. In other words, it opens up cyberattack activity to people who may not have the skill to build attacks themselves.

Microsoft points out Zerobot is a defining example of malware as a service and is constantly evolving and improving. This includes version 1.1 of the botnet:

“Zerobot 1.1, including newly identified capabilities and further context to Fortinet’s recent analysis on the threat. Zerobot 1.1 increases its capabilities with the inclusion of new attack methods and new exploits for supported architectures, expanding the malware’s reach to different types of devices.”


This means the botnet is better than ever at infiltrating IoT devices such as cameras, routers, and others. It places compromised hardware onto a distributed denial of service (DDoS) botnet. Because it has access to multiple modules, Zerobot can tailor its attacks to target different types of architecture and operating systems.

“Upon gaining device access, Zerobot injects a malicious payload, which may be a generic script called zero.sh that downloads and attempts to execute Zerobot, or a script that downloads the Zerobot binary of a specific architecture.

The bash script that attempts to download different Zerobot binaries tries to identify the architecture by brute-force, attempting to download and execute binaries of various architectures until it succeeds, as IoT devices are based on many computer processing units (CPUs). Microsoft has observed scripts targeting various architectures including ARM64, MIPS, and x86_64.”
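As an added example (not from Microsoft's post or the original article), here is a defender-side heuristic for the architecture brute-forcing described in the quote above: it flags a client that requests binaries for three or more architectures from one server within a short window. The log format, file names, IP addresses and the architecture tokens beyond ARM64, MIPS and x86_64 are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# ARM64, MIPS and x86_64 are named in the article; the other tokens are assumptions.
ARCH_RE = re.compile(r"(?<![a-z0-9])(arm64|aarch64|armv7|arm|mipsel|mips|x86_64|amd64|i386|i686)"
                     r"(?![a-z0-9])", re.I)
ALIASES = {"aarch64": "arm64", "amd64": "x86_64"}  # count synonyms once

# Constructed proxy log (hypothetical format): timestamp client method url
SAMPLE_LOG = """\
2022-12-20T10:00:01 10.0.0.23 GET http://198.51.100.7/bins/sample.arm64
2022-12-20T10:00:03 10.0.0.23 GET http://198.51.100.7/bins/sample.mips
2022-12-20T10:00:05 10.0.0.23 GET http://198.51.100.7/bins/sample.x86_64
2022-12-20T10:00:09 10.0.0.40 GET http://203.0.113.9/fw/update-arm64.bin
2022-12-20T11:30:00 10.0.0.40 GET http://203.0.113.9/fw/update-mips.bin
2022-12-20T13:00:00 10.0.0.40 GET http://203.0.113.9/fw/update-x86_64.bin
malformed line
""".splitlines()

def find_arch_sweeps(lines, window=timedelta(seconds=60), min_archs=3):
    """Map (client, server) to the architectures fetched within `window`, if >= min_archs."""
    events = defaultdict(list)  # (client, server) -> [(time, arch)]
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "GET":
            continue  # skip malformed or non-download records
        ts, client, _, url = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        u = urlsplit(url)
        m = ARCH_RE.search(u.path.rsplit("/", 1)[-1])  # inspect the file name only
        if m and u.hostname:
            arch = m.group(1).lower()
            events[(client, u.hostname)].append((when, ALIASES.get(arch, arch)))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over time-ordered requests
            while evs[end][0] - evs[start][0] > window:
                start += 1
            archs = {a for _, a in evs[start:end + 1]}
            if len(archs) >= min_archs:
                hits[key] = sorted(archs)
                break
    return hits
```

On the constructed log only 10.0.0.23 is flagged; 10.0.0.40 fetches the same three architectures hours apart, which the 60-second window treats as unrelated downloads.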

In its blog post, Microsoft details new capabilities it has observed from Zerobot 1.1:

The following are the previously known Zerobot capabilities:

Attack method

- Sends UDP packets without data.
- Meant for DDoS on Minecraft servers. Sends a handshake and status request.
- Floods with TCP handshakes.
- Continuously sends random payloads on an open TCP socket. Payload length is customizable.
- Continuously sends random payloads on an open TLS socket. Payload length is customizable.
- Sends HTTP GET requests using a Golang standard library.
- Formats and sends HTTP GET requests.
- Sends HTTP GET requests with spoofed headers.
- HTTP headers are each one random byte (not necessarily ASCII).

Previously undisclosed and new capabilities are the following:

Attack method

- Sends UDP packets where the payload is customizable.
- Supposed to be an ICMP flood, but the packet is built incorrectly.
- Sends TCP packets where the payload and flags are fully customizable.
- Sends SYN packets.
- Sends ACK packets.
- Sends SYN-ACK packets.
- Christmas tree attack (all TCP flags are set). The reset cause field is “xmas”.

Last Updated on July 17, 2023 9:07 am CEST

Luke Jones