Over the past year, FortiGuard Labs has been tracking a stealthy malware strain exploiting a range of vulnerabilities to infiltrate systems. Initially disclosed by a Chinese cybersecurity firm under the name “Gayfemboy,” the malware resurfaced in July with new activity, targeting vulnerabilities in products from vendors such as DrayTek, TP-Link, Raisecom, and Cisco, and exhibiting signs of evolution in both form and behavior. This Fortinet research presents an in-depth analysis of Gayfemboy, revealing its technical details and exploring the implications of its evolving behavior.[1]
Incidents - In July 2025, FortiGuard Labs observed a related payload exploiting multiple vulnerabilities. All instances traced back to a common attack source at 87[.]121[.]84[.]34 and a consistent download host at 220[.]158[.]234[.]135.
Figure 1: TP-Link Archer AX21 exploit traffic
Figure 2: Raisecom exploit traffic
Figure 3: DrayTek exploit traffic
Once analysts obtained the downloader scripts, they found a pattern for this download source, shown in the following table.
Figure 4: Raisecom downloader script
URL Route | Description
x | Downloader scripts
j | Gayfemboy malware
xm | XMRig coin miners
Fortinet infers that the downloader scripts are named after specific products—such as “asus,” “vivo,” “zyxel,” and “realtek”—because each script executes Gayfemboy using the corresponding product name as a parameter.
Figure 5: Asus downloader script
Figure 6: Vivo downloader script
Figure 7: Zyxel downloader script
Figure 8: Realtek downloader script
The Gayfemboy campaign spans multiple countries, including Brazil, Mexico, the United States, Germany, France, Switzerland, Israel, and Vietnam. Its targets also cover a broad range of sectors, such as Manufacturing, Technology, Construction, and Media or Communications.
Figure 9: Gayfemboy affected countries
Malware Analysis - Gayfemboy employs its first layer of obfuscation during the file download stage. Unlike Mirai and Gafgyt variants, which typically use Linux architecture names as file extensions, Gayfemboy assigns distinct names to each architecture, avoiding predictable naming conventions.
File Name | Linux Architecture
a4le | ARM
a5le | ARM
a6le | ARM
a7le | ARM
aale | AArch64
mbe | MIPS R3000
mle | MIPS R3000
ppc | PowerPC
xle | Intel 80386
xale | Advanced Micro Devices X86-64
The following analysis focuses on the “xale1” variant, which targets the x86-64 Linux architecture.
Using the DiE (Detect It Easy) tool, analysts determined that Gayfemboy is packed using UPX. However, the malware modifies the standard UPX header “UPX!,” replacing it with a non-printable string represented by the hexadecimal value “10 F0 00 00” to evade detection.
Figure 10: Anti-unpacking via a modified UPX magic header
Upon execution, the malware displays the string “twinks :3.”
Figure 11: Pop-up string after execution
Gayfemboy then scans each subdirectory under /proc/[PID]/, inspecting the path of every corresponding /proc/[PID]/exe to gather information on running processes and their executable locations.
Figure 12: Scan process subdirectories
Next, it inspects each /proc/[PID]/exe path for telltale keywords—e.g., (deleted), /tmp/., /bot., dvrlocker, /.ai, and /.*—that are commonly associated with other malware. If any match is found, Gayfemboy immediately terminates the corresponding process to remove competing infections.
Figure 13: Keywords commonly associated with other malware
Gayfemboy includes four primary functions: Monitor, Watchdog, Attacker, and Killer. The Monitor function tracks threads and processes while incorporating basic anti-analysis techniques. It loads 47 command strings into memory and scans all /proc/[PID]/cmdline entries. If a match is found, the malware immediately terminates the associated process.
Command strings loaded by the Monitor function: ls -l, reboot, wget, tftp, tftpget, ftp, scp, sftp, echo, ping, curl, ELF, mount, umount, cat, sed, tail, halt, netstat, shutdown, mv, rm -, traceroute, fetch, pgrep, strings, poweroff, gcc, g++, mknod, pkill, mkfifo, ptrace, strace, chmod, lsof, base64, tcpdump, ls, id, whoami, uname, df, dd, uptime, nc
Figure 14: A monitor function that kills specific processes
Within the Monitor function, Gayfemboy includes two dedicated sub-functions: Self-Persistence and Sandbox Evasion.
Self-persistence ensures the malware remains active. If Gayfemboy detects that its process has been terminated, it automatically re-executes itself.
Figure 15: Self-persistence in the monitor function
As part of its Sandbox Evasion technique, Gayfemboy introduces a deliberate 50-nanosecond delay.
If executed in a sandbox environment that cannot accurately handle such a fine-grained delay, the timing function fails, causing the malware to misinterpret the result and initiate a fallback sleep of approximately 27 hours.
Figure 16: Sandbox evasion in the monitor function
The Watchdog function begins by attempting to bind to a specific UDP port—47272. If the bind fails, it assumes another instance of the Watchdog is already running. In that case, Gayfemboy connects to 127.0.0.1:47272 and sends a packet containing the formatted string <[timestamp]|[PID]>. If this message is sent more than nine times without receiving a response, the malware concludes it is unresponsive or compromised and terminates itself.
Figure 17: Watchdog function
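A host triage script built around two of the behaviours described above: the /proc/[PID]/exe keyword scan and the Watchdog's UDP socket on port 47272. This is an added defender-side example, not code from the Fortinet or Red Sky Alliance write-ups. The keyword list, the port and the socket's loopback address come from the article; reading the article's "/.*" entry as "any hidden path component", the helper names (classify_exe_path, udp_sockets_on_port, triage_proc, demo) and the sample /proc data are my assumptions.

```python
import os
import re

# Indicators the article says Gayfemboy searches for in /proc/[PID]/exe paths
# (it kills the matching processes to remove rival infections). A responder
# can reuse the same list to spot processes running from deleted or hidden
# temporary binaries, which on a suspect box is worth a closer look.
EXE_INDICATORS = ["(deleted)", "/tmp/.", "/bot.", "dvrlocker", "/.ai"]
# The article also lists "/.*". Assumption: read it as "any hidden path
# component", i.e. a directory or file name that starts with a dot.
HIDDEN_COMPONENT = re.compile(r"/\.[^/.]")
WATCHDOG_PORT = 47272  # UDP port the Watchdog function binds, per the article


def classify_exe_path(exe_target: str) -> list[str]:
    """Return every indicator that matches a resolved /proc/[PID]/exe target."""
    hits = [ind for ind in EXE_INDICATORS if ind in exe_target]
    if HIDDEN_COMPONENT.search(exe_target):
        hits.append("hidden-path-component")
    return hits


def udp_sockets_on_port(proc_net_udp: str, port: int) -> list[tuple[str, int]]:
    """Parse /proc/net/udp text; return (local_ip, inode) for sockets bound to port.

    The local_address column is "AABBCCDD:PPPP" in hex, with the IPv4 bytes in
    host (little-endian) order, so 0100007F:B8A8 means 127.0.0.1:47272.
    """
    found = []
    for line in proc_net_udp.splitlines():
        fields = line.split()
        # data rows look like "0: 00000000:0044 ..."; skip the header line
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue
        addr_hex, port_hex = fields[1].split(":")
        if int(port_hex, 16) != port:
            continue
        ip = ".".join(str(b) for b in reversed(bytes.fromhex(addr_hex)))
        found.append((ip, int(fields[9])))  # column 10 is the socket inode
    return found


def triage_proc(proc_root: str = "/proc") -> dict:
    """Run both checks against a live proc tree (or a copy of one)."""
    report = {"suspicious_processes": {}, "watchdog_sockets": []}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or no permission
        hits = classify_exe_path(target)
        if hits:
            report["suspicious_processes"][int(entry)] = (target, hits)
    try:
        with open(os.path.join(proc_root, "net", "udp")) as fh:
            report["watchdog_sockets"] = udp_sockets_on_port(fh.read(), WATCHDOG_PORT)
    except OSError:
        pass
    return report


# Constructed sample data (not from a real host) so the checks run offline.
SAMPLE_EXE_TARGETS = {
    1234: "/usr/sbin/sshd",
    2345: "/tmp/.x/xale (deleted)",
    3456: "/var/run/.ai/bot.arm",
    4567: "/usr/bin/python3",
}
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
   1: 0100007F:B8A8 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 67890 2 0000000000000000 0
"""


def demo() -> dict:
    """Apply both checks to the constructed sample data."""
    suspicious = {}
    for pid, target in SAMPLE_EXE_TARGETS.items():
        hits = classify_exe_path(target)
        if hits:
            suspicious[pid] = (target, hits)
    return {
        "suspicious_processes": suspicious,
        "watchdog_sockets": udp_sockets_on_port(SAMPLE_PROC_NET_UDP, WATCHDOG_PORT),
    }


if __name__ == "__main__":
    result = demo()
    for pid, (target, hits) in result["suspicious_processes"].items():
        print(f"PID {pid}: {target} -> {hits}")
    print("UDP sockets bound to 47272:", result["watchdog_sockets"])
```

Run `triage_proc()` as root on a suspect host to apply the same checks to the live /proc tree; a hit on the hidden-path or deleted-binary indicators is a lead, not a verdict, since legitimate software updated in place also shows "(deleted)" until restarted.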
The Attacker function is responsible for launching DDoS attacks and enabling backdoor access. It preloads several attack methods into memory for on-demand use, including: UDP flood, UDP bypass, TCP flood, TCP SYN flood, ICMP flood, Heartbeat, and a Backdoor module.
Gayfemboy uses the string “meowmeow” as a trigger to activate its backdoor functionality.
If Gayfemboy has not yet established a connection with its command-and-control (C2) server, it initiates communication by randomly selecting a predefined C2 domain from a list. To resolve these domains, the malware uses public DNS servers—such as 1.1.1.1, 8.8.8.8, or 8.8.4.4—instead of relying on the system’s configured resolver.
This technique helps bypass local DNS filtering or sinkholing, making it more difficult for defenders to block C2 communication through static IP blacklists. By dynamically resolving domain names through public resolvers, Gayfemboy can rotate its C2 infrastructure more flexibly and maintain persistence even if one or more domains are taken down.
The known C2 domains include:
- cross-compiling[.]org
- i-kiss-boys[.]com
- furry-femboys[.]top
- twinkfinder[.]nl
- 3gipcam[.]com
Figure 20: Resolved C2 server domain
Figure 21: Resolved C2 server domain traffic
Once a C2 domain is successfully resolved, Gayfemboy attempts to establish communication by scanning a predefined list of 15 ports. It systematically checks whether each port is open and can be used for C2 traffic, increasing its chances of successful connection even in environments with restrictive outbound filtering.
1900, 80, 443, 23, 53, 69, 21, 123, 1111, 2222, 3333, 99, 8080, 2659, 25
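Two of the network behaviours described above, direct resolution through public DNS servers and the sweep of 15 candidate C2 ports, show up clearly in flow and DNS query logs. The detection below is an added example for defenders, not code from the Fortinet or Red Sky Alliance write-ups. The resolver addresses, the 15 ports and the C2 domains (shown defanged in the article) are taken from the page; the log line format, the sweep threshold of 5 ports, the helper names and the sample records (which use documentation IP ranges) are my assumptions.

```python
from collections import defaultdict

# Values taken from the article (domains appear defanged there).
PUBLIC_RESOLVERS = {"1.1.1.1", "8.8.8.8", "8.8.4.4"}
C2_PORTS = {1900, 80, 443, 23, 53, 69, 21, 123, 1111, 2222, 3333, 99, 8080, 2659, 25}
C2_DOMAINS = {"cross-compiling.org", "i-kiss-boys.com", "furry-femboys.top",
              "twinkfinder.nl", "3gipcam.com"}
# Assumption: one source touching this many of the 15 ports on a single
# destination is reported as a C2 port sweep. Tune for your environment.
SWEEP_THRESHOLD = 5


def parse_flows(text: str) -> list[dict]:
    """Parse constructed flow records of the form 'ts src dst proto dport'."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, dport = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "proto": proto.lower(), "dport": int(dport)})
    return flows


def direct_public_dns(flows: list[dict]) -> list[tuple[str, str]]:
    """Hosts sending DNS straight to a public resolver instead of the local one."""
    pairs = {(f["src"], f["dst"]) for f in flows
             if f["dport"] == 53 and f["dst"] in PUBLIC_RESOLVERS}
    return sorted(pairs)


def c2_port_sweeps(flows: list[dict], threshold: int = SWEEP_THRESHOLD) -> dict:
    """(src, dst) pairs where src touched at least `threshold` of the 15 C2 ports."""
    seen = defaultdict(set)
    for f in flows:
        if f["dport"] in C2_PORTS:
            seen[(f["src"], f["dst"])].add(f["dport"])
    return {pair: sorted(ports) for pair, ports in seen.items() if len(ports) >= threshold}


def known_c2_lookups(dns_text: str) -> list[tuple[str, str]]:
    """DNS query log lines ('ts client qname') whose qname is a known C2 domain."""
    hits = []
    for line in dns_text.strip().splitlines():
        _, client, qname = line.split()
        qname = qname.rstrip(".").lower()
        if any(qname == d or qname.endswith("." + d) for d in C2_DOMAINS):
            hits.append((client, qname))
    return hits


def analyze(flow_text: str, dns_text: str) -> dict:
    """Run all three detections and return their findings."""
    flows = parse_flows(flow_text)
    return {"direct_public_dns": direct_public_dns(flows),
            "c2_port_sweeps": c2_port_sweeps(flows),
            "known_c2_lookups": known_c2_lookups(dns_text)}


# Constructed sample logs (documentation IP ranges, not real observations).
# 10.0.0.2 plays the role of the site's own resolver.
SAMPLE_FLOWS = """
1721000001 10.0.0.5 8.8.8.8 udp 53
1721000002 10.0.0.5 203.0.113.10 tcp 1900
1721000002 10.0.0.5 203.0.113.10 tcp 80
1721000002 10.0.0.5 203.0.113.10 tcp 443
1721000003 10.0.0.5 203.0.113.10 tcp 23
1721000003 10.0.0.5 203.0.113.10 tcp 53
1721000003 10.0.0.5 203.0.113.10 tcp 69
1721000010 10.0.0.7 10.0.0.2 udp 53
1721000011 10.0.0.7 198.51.100.20 tcp 443
"""
SAMPLE_DNS = """
1721000001 10.0.0.5 twinkfinder.nl.
1721000010 10.0.0.7 example.com.
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_FLOWS, SAMPLE_DNS).items():
        print(f"{key}: {value}")
```

The direct-resolver check is the most durable of the three: the domain list and the port list can change between samples, but a host that bypasses the site resolver is visible regardless of what it looks up, and blocking outbound port 53 to anything but the internal resolver removes the bypass entirely.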
Once connected, the C2 server can issue various commands to the infected host. If the received packet is exactly four bytes long, it corresponds to one of four predefined commands, each identified by a specific hexadecimal sequence:
C2 Command (Hex) | Behavior
6C 6C 6F 66 | Reset the socket connection
55 55 55 55 | Put the malware in a sleep state
44 44 44 44 | Set the internal connection flag to 1
11 11 11 11 | Send the encoded system information back to the C2 server
These commands enable basic control, persistence, and reconnaissance functionality with minimal overhead—likely designed to keep communication lightweight and harder to detect.
Figure 22: Four-byte-length command from the C2 server
If a command packet from the C2 server exceeds five bytes, Gayfemboy parses the message differently. It first extracts the two-byte length field, then interprets the remaining data according to a command format in which:
- the first byte is the main command ID, and
- the second byte is the sub-command.
The malware then executes the appropriate behavior depending on the command type:
C2 Command (Hex) | Behavior
0E | Download and execute a remote payload
17 | Terminate the botnet process
18 | Send an “ACK” response to the C2 server
1C | Open a reverse shell by executing /bin/sh
1D | Cease communication with the C2 server
1F | Initiate a DDoS attack with parameters from the C2 (target IP, port, config)
20 | Reset connection and heartbeat status
21 | Clear the existing C2 domain list and reset the server address
22 | Modify firewall rules (via iptables) to allow C2 traffic
23 | Abort ongoing attacks if the string whattheflip is detected
Others | Trigger specific DDoS attacks as defined by the attacker
This structure enables the attacker to issue more complex commands, remotely manage the bot, evade defenses, and dynamically control the attack behavior.
Figure 23: Loading an attack method
Figure 24: Triggering a UDP flood attack
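An analyst-side decoder for the two C2 packet shapes described above, useful for labelling packets pulled from a sandbox capture. This is an added example and not the bot's own parser or any code from the Fortinet or Red Sky Alliance write-ups; it only labels packets and never acts on them. The four-byte opcodes and the command IDs come from the article's tables. Not stated in the article, and therefore my assumptions: the two-byte length field is big-endian and counts the bytes that follow it, bytes after the sub-command are opaque parameters, and the helper names and sample session are constructed.

```python
# Four-byte commands, from the article's first C2 table.
FOUR_BYTE_COMMANDS = {
    bytes.fromhex("6c6c6f66"): "reset the socket connection",
    bytes.fromhex("55555555"): "put the malware to sleep",
    bytes.fromhex("44444444"): "set the internal connection flag to 1",
    bytes.fromhex("11111111"): "send encoded system information to the C2",
}
# Main command IDs for framed packets, from the article's second table.
COMMAND_IDS = {
    0x0E: "download and execute a remote payload",
    0x17: "terminate the botnet process",
    0x18: "send an ACK to the C2",
    0x1C: "open a reverse shell via /bin/sh",
    0x1D: "cease communication with the C2",
    0x1F: "start a DDoS attack with C2-supplied target/port/config",
    0x20: "reset connection and heartbeat status",
    0x21: "clear the C2 domain list and reset the server address",
    0x22: "modify iptables rules to allow C2 traffic",
    0x23: "abort ongoing attacks (whattheflip)",
}
UNKNOWN_ID = "attacker-defined DDoS attack method"


def decode_c2_packet(pkt: bytes) -> dict:
    """Label one C2 packet according to the framing the article describes.

    Assumptions not in the article: the two-byte length field is big-endian
    and counts the bytes after it; anything past the sub-command byte is
    reported as opaque parameters. A five-byte packet has no described
    handling, so it is returned unclassified.
    """
    if len(pkt) == 4:
        return {"kind": "four-byte", "hex": pkt.hex(),
                "behavior": FOUR_BYTE_COMMANDS.get(pkt, "unknown four-byte command")}
    if len(pkt) > 5:
        declared = int.from_bytes(pkt[:2], "big")
        cmd_id, sub = pkt[2], pkt[3]
        return {"kind": "framed", "declared_length": declared,
                "length_matches": declared == len(pkt) - 2,
                "command_id": cmd_id, "sub_command": sub,
                "params": pkt[4:].hex(),
                "behavior": COMMAND_IDS.get(cmd_id, UNKNOWN_ID)}
    return {"kind": "unclassified", "hex": pkt.hex(),
            "behavior": "no behavior described for this length"}


def decode_session(packets: list[bytes]) -> list[str]:
    """Summarise a captured C2 session as one readable line per packet."""
    lines = []
    for pkt in packets:
        d = decode_c2_packet(pkt)
        if d["kind"] == "framed":
            lines.append(f"framed id=0x{d['command_id']:02x} sub=0x{d['sub_command']:02x}"
                         f" len_ok={d['length_matches']}: {d['behavior']}")
        else:
            lines.append(f"{d['kind']} {d['hex']}: {d['behavior']}")
    return lines


# Constructed sample session (not captured traffic).
SAMPLE_SESSION = [
    bytes.fromhex("11111111"),                # C2 asks for system information
    bytes.fromhex("44444444"),                # connection flag set
    bytes.fromhex("0004" "1f01" "c0a8"),      # framed: id 0x1F, sub 0x01, 2 param bytes
    bytes.fromhex("0006" "9c00" "00000000"),  # framed: unlisted id, attack method
    bytes.fromhex("0003" "170000"),           # 5 bytes: no handling described
    bytes.fromhex("6c6c6f66"),                # reset socket
]

if __name__ == "__main__":
    for line in decode_session(SAMPLE_SESSION):
        print(line)
```

The `length_matches` flag is there to test the framing assumption against real captures: if it is consistently false on genuine traffic, the length field counts something else (or is little-endian), and the decoder should be adjusted before any of its labels are trusted.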
The Killer function enforces self-protection through two mechanisms:
Time Check – It monitors the system clock and triggers self-termination if it detects a near 24-hour discrepancy, which may indicate sandbox manipulation or attempted system rollback.
Remote Kill Command – It listens for a C2-issued command containing the string ^kill^. Upon receiving it, the malware terminates itself immediately.
Conclusion - While Gayfemboy inherits structural elements from Mirai, it introduces notable modifications that enhance both its complexity and ability to evade detection. This evolution reflects the increasing sophistication of modern malware, reinforcing the need for proactive, intelligence-driven defense strategies. Staying ahead requires not only regular patching but also in-depth analysis and exposure of emerging threats to develop effective countermeasures and mitigate risk.
IOCs
Hosts
141[.]11[.]62[.]222
149[.]50[.]96[.]114
220[.]158[.]234[.]135
78[.]31[.]250[.]15
5[.]182[.]206[.]7
5[.]182[.]204[.]251
cross-compiling[.]org
i-kiss-boys[.]com
furry-femboys[.]top
twinkfinder[.]nl
3gipcam[.]com
Files
Downloader
e85291d70a144ebe2842aeba2c77029762ca8ebfd36008b7bb83cda3e5d5d99d
This article is shared with permission at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://www.fortinet.com/blog/threat-research/iot-malware-gayfemboy-mirai-based-botnet-campaign/