The botnet utilized by APT28, a cyberespionage group linked to Russia’s GRU, consisted not only of Ubiquiti Edge OS routers but also included Raspberry Pi and other Linux devices. The cleanup operation following the US dismantling of the botnet in January 2024 failed to completely sever the hackers’ access, as additional undetected malware remained on the infected devices. Trend Micro’s investigation revealed that hundreds of Ubiquiti routers were repurposed for various malicious activities, such as SSH brute forcing, spam, and cryptocurrency mining, with some routers likely remaining infected post-takedown due to legal constraints. Moreover, the botnet’s operators shifted some bots to new command-and-control infrastructure, including over 350 datacenter VPS IP addresses. Besides APT28, other threat actors, including the Canadian Pharmacy gang and adversaries using Ngioweb malware, also exploited the infected devices for nefarious purposes, highlighting the extensive and multifaceted nature of the botnet’s operations.

read more: https://www.securityweek.com/botnet-disrupted-by-fbi-still-used-by-russian-spies-cybercriminals/