Gayfemboy

From Wikipedia, the free encyclopedia
Malware strain

Gayfemboy
Type: Botnet
Family: Mirai
Cyberattack event
Date: February 2024 (first discovered) – present
Technical details
Platform: Linux[1]

Gayfemboy is a malware strain that infects corporate electronics, including devices from DrayTek, TP-Link, Raisecom, and Cisco, by exploiting known vulnerabilities (CVEs). It has affected companies in Brazil, France, Germany, Israel, Mexico, the United States, Switzerland, and Vietnam, and is impacting sectors such as construction, manufacturing, technology, and media/communications.[2]

History


The malware was first discovered in February 2024 by security researchers at Fortinet, after a large number of attacks in January in which the malware used infected machines as a botnet to launch a wave of DDoS attacks against target websites.[3] Known samples are packed with UPX, but the "UPX!" header has been replaced by the non-printable bytes 10 F0 00 00, making detection harder. Upon execution, the malware reads the path of each process from "/proc/[PID]/exe" to learn which processes are running and where their executables live in the file system. It loads 47 command strings into memory and compares them against every entry in "/proc/[PID]/cmdline"; if a match is found, it terminates the corresponding process. These commands include "ls -l", "reboot", and "wget", among others. The Monitor module is used for self-preservation and to detect sandboxes: if Gayfemboy finds that its malware process has been terminated, it restarts it. A delay of 50 nanoseconds is used to detect sandboxes, which are unable to handle such a finely tuned delay; the invoked function fails, the malware "misinterprets" the outcome, and it enters a 27-hour dormant state.[4]
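The altered packer header is something a defender can check for directly. The following is an added example, not code from the article or from Fortinet: a Python heuristic that reports whether an ELF file carries the standard "UPX!" tag or the 10 F0 00 00 replacement the article describes. Only those two byte patterns come from the article; the whole-file search, the verdict names and the sample inputs are constructed for illustration, and a match on the altered bytes is an indicator for further analysis rather than a definitive identification.

```python
"""Added example (not from the article or Fortinet): classify ELF files by the
UPX header tag they carry. The two tag byte patterns come from the article;
the samples below are constructed."""

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"                     # standard UPX header tag
ALTERED_MAGIC = b"\x10\xf0\x00\x00"     # replacement reported for Gayfemboy samples

# Constructed sample files (not real binaries): ELF magic, padding, then tags.
SAMPLE_STANDARD = ELF_MAGIC + b"\x00" * 60 + UPX_MAGIC + b"\x00" * 20 + UPX_MAGIC
SAMPLE_ALTERED = ELF_MAGIC + b"\x00" * 60 + ALTERED_MAGIC + b"\x00" * 20 + ALTERED_MAGIC
SAMPLE_CLEAN = ELF_MAGIC + b"\x00" * 100


def tag_offsets(data: bytes, tag: bytes) -> list:
    """Return every file offset at which `tag` occurs, for analyst reporting."""
    offsets, pos = [], data.find(tag)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(tag, pos + 1)
    return offsets


def classify_upx(data: bytes) -> str:
    """Return 'not-elf', 'clean', 'upx-standard' or 'upx-altered'.

    This is a byte-pattern heuristic over the whole file, not a UPX parser
    (assumption: the tag is searched anywhere in the file). The altered bytes
    can also occur by chance in benign data, so 'upx-altered' warrants a
    closer look rather than an automatic verdict.
    """
    if not data.startswith(ELF_MAGIC):
        return "not-elf"
    if tag_offsets(data, UPX_MAGIC):
        return "upx-standard"
    if tag_offsets(data, ALTERED_MAGIC):
        return "upx-altered"
    return "clean"


def scan_file(path: str) -> dict:
    """Classify one file on disk and report where the tags were found."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "path": path,
        "verdict": classify_upx(data),
        "standard_tag_offsets": tag_offsets(data, UPX_MAGIC),
        "altered_tag_offsets": tag_offsets(data, ALTERED_MAGIC),
    }


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or []:
        print(scan_file(target))
    # Without arguments, show the verdicts for the constructed samples.
    if len(sys.argv) == 1:
        for name, blob in [("standard", SAMPLE_STANDARD), ("altered", SAMPLE_ALTERED), ("clean", SAMPLE_CLEAN)]:
            print(name, classify_upx(blob), tag_offsets(blob, ALTERED_MAGIC))
```

Run it with one or more file paths to get a verdict and tag offsets per file; a standard UPX-packed ELF normally carries the tag more than once, so the offset list is a useful sanity check when the altered variant is suspected.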

Its infections and targeting mirror those of the Mirai malware strain, and it targets various system architectures, including ARM, AArch64, MIPS R3000, PowerPC, and Intel 80386. The malware tracks threads and processes while incorporating persistence and sandbox evasion techniques, binds to UDP port 47272, launches DDoS attacks using the UDP, TCP, and ICMP protocols, and enables backdoor access by connecting to a remote server to receive commands; it also terminates itself if it receives that command from the server or detects sandbox manipulation. The attack primarily consists of searching for unauthenticated Redis servers listening on port 6379, followed by the execution of the legitimate CONFIG, SET, and SAVE commands to create a malicious cron job that runs a shell script. This script disables SELinux, implements defense evasion measures, blocks external access to the Redis port so that rival actors cannot use the same initial access route, and terminates competing mining processes (such as Kinsing).[5]
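The UDP port 47272 bind gives a simple host-level check. The following is an added example, not from the article or Fortinet: it parses Linux's /proc/net/udp table (a real kernel interface) and reports sockets bound to that port, optionally resolving the owning PID through /proc/<pid>/fd. The port number comes from the article; the sample table is constructed, and legitimate software could also use that port, so a hit is a triage lead, not proof of infection.

```python
"""Added example (not from the article or Fortinet): find UDP sockets bound to
port 47272 by parsing /proc/net/udp. The sample table is constructed."""
from __future__ import annotations

import os
import socket

SUSPECT_UDP_PORT = 47272   # from the article; shown as B8A8 in /proc/net/udp

# Constructed /proc/net/udp excerpt: DNS on loopback, the suspect port on
# all interfaces, and a DHCP client socket.
SAMPLE_PROC_NET_UDP = """\
   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 18802 2 0000000000000000 0
  102: 00000000:B8A8 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 40911 2 0000000000000000 0
  103: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 19173 2 0000000000000000 0
"""


def _decode_addr(field: str, little_endian: bool = True) -> tuple[str, int]:
    """'0100007F:0035' -> ('127.0.0.1', 53).

    The kernel prints the IPv4 address in host byte order, so on little-endian
    hosts the bytes appear reversed; pass little_endian=False for a table
    captured from a big-endian device (e.g. some MIPS or PowerPC routers).
    """
    ip_hex, port_hex = field.split(":")
    raw = bytes.fromhex(ip_hex)
    if little_endian:
        raw = raw[::-1]
    return socket.inet_ntoa(raw), int(port_hex, 16)


def parse_proc_net_udp(text: str, little_endian: bool = True) -> list[dict]:
    """Turn the table into dicts with local address, port, uid and socket inode."""
    entries = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip, local_port = _decode_addr(fields[1], little_endian)
        entries.append({
            "local_ip": local_ip,
            "local_port": local_port,
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return entries


def find_udp_binds(text: str, port: int = SUSPECT_UDP_PORT) -> list[dict]:
    """Return the table entries whose local port matches `port`."""
    return [e for e in parse_proc_net_udp(text) if e["local_port"] == port]


def pid_for_socket_inode(inode: int) -> int | None:
    """Walk /proc/<pid>/fd to find the process owning a socket inode (live Linux only)."""
    target = f"socket:[{inode}]"
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        fd_dir = f"/proc/{pid}/fd"
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:                         # process exited or no permission
            continue
    return None


if __name__ == "__main__":
    try:
        with open("/proc/net/udp") as fh:       # real table when run on Linux
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_UDP             # fall back to the constructed sample
    for hit in find_udp_binds(table):
        owner = pid_for_socket_inode(hit["inode"])
        print(f"UDP {hit['local_ip']}:{hit['local_port']} uid={hit['uid']} "
              f"inode={hit['inode']} pid={owner}")
```

Run as root on the host so that every process's fd directory is readable; once the PID is known, /proc/[PID]/exe and /proc/[PID]/cmdline (the same paths the malware itself inspects) identify the binary and how it was launched.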

The Gayfemboy botnet, first detected in February 2024, has used sophisticated strategies such as exploiting zero-day vulnerabilities to infiltrate devices. By November 2024 the botnet had broadened its scope to industrial routers and smart home devices, with more than 15,000 active nodes.[6] The operators of Gayfemboy have also launched DDoS attacks against researchers monitoring their operations. The malware uses unique file naming and obfuscation methods to evade detection, and features four primary modules designed for various malicious purposes.[7]

In July 2025, FortiGuard Labs discovered a Gayfemboy payload that exploited various vulnerabilities in devices. The attacks were traced back to the IP addresses 87.121.84.34 and 220.158.234.135. Researchers identified downloader scripts aimed at several devices targeted by the bot, including Asus, Vivo, Zyxel, and Realtek products. The malicious code retrieved malware and Monero miners, with product names passed as parameters to Gayfemboy for execution.[8]

By August 2025, Fortinet had implemented multi-layered protection against the Gayfemboy campaign: FortiGuard web filtering services actively block the identified C2 domains, and IPS signatures protect against all of the exploited vulnerabilities. The C2 domains include cross-compiling.org, i-kiss-boys.com, furry-femboys.top, twinkfinder.nl, and 3gipcam.com.[9]
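Blocking the C2 domains is what Fortinet's web filtering does; the same indicators can also be searched for in existing DNS or proxy logs. The following is an added example, not from the article or Fortinet: it matches log lines against the five C2 domains listed above and the two IP addresses named in the July 2025 section, treating subdomains of a listed domain as matches while ignoring look-alike names that merely end in the same string. The indicators are from the article; the log format and sample lines are constructed.

```python
"""Added example (not from the article or Fortinet): match DNS/proxy log lines
against the C2 indicators the article names. Log format and lines are constructed."""
from __future__ import annotations

# Indicators named in the article (domains from the August 2025 section,
# IP addresses from the July 2025 section).
C2_DOMAINS = {
    "cross-compiling.org",
    "i-kiss-boys.com",
    "furry-femboys.top",
    "twinkfinder.nl",
    "3gipcam.com",
}
C2_IPS = {"87.121.84.34", "220.158.234.135"}

# Constructed sample log: "<timestamp> <client> <action> <target>" (assumed format).
SAMPLE_LOG = """\
2025-08-26T10:14:02Z 10.0.0.15 query A www.example.com
2025-08-26T10:14:05Z 10.0.0.23 query A cdn.furry-femboys.top.
2025-08-26T10:14:09Z 10.0.0.23 connect 87.121.84.34:80
2025-08-26T10:14:11Z 10.0.0.31 query A notfurry-femboys.top
2025-08-26T10:14:15Z 10.0.0.42 query A TWINKFINDER.NL
"""


def _normalize(token: str) -> str:
    """Lower-case, drop a trailing dot (FQDN form) and a trailing :port."""
    token = token.lower().rstrip(".")
    host, sep, port = token.rpartition(":")
    if sep and port.isdigit():
        token = host
    return token


def matched_indicator(token: str) -> str | None:
    """Return the indicator a single token matches, or None.

    A domain matches when the token equals it or is one of its subdomains;
    a name that merely ends with the same characters (e.g. notfurry-femboys.top)
    is not a match.
    """
    t = _normalize(token)
    if t in C2_IPS:
        return t
    for domain in C2_DOMAINS:
        if t == domain or t.endswith("." + domain):
            return domain
    return None


def scan_log(text: str) -> list[dict]:
    """Return one hit per matching line: line number, indicator and raw line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for token in line.split():
            indicator = matched_indicator(token)
            if indicator:
                hits.append({"line": lineno, "indicator": indicator, "raw": line})
                break                            # one hit per line is enough
    return hits


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for hit in scan_log(text):
        print(f"line {hit['line']}: {hit['indicator']}  <- {hit['raw']}")
```

Pass a log file path to scan real data; the token-based matching is format-agnostic, so it works on any whitespace-separated log where the queried name or connected address appears as its own field.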

References
  1. Raatni, Meghana (2025-08-26). "Gayfemboy Malware Emerges: Next-Gen Mirai Variant Targets Cisco and TP-Link Routers". SecPod Blog. Retrieved 2025-08-30.
  2. "Gayfemboy malware campaign". Broadcom. 2025-08-26. Retrieved 2025-08-29.
  3. Riedel, Samantha (2025-08-25). "Sophisticated "Gayfemboy" Malware Is Attacking Multiple Industries Around the Globe". Them. Retrieved 2025-08-29.
  4. Knop, Dirk (2025-08-25). "Mirai-based botnet campaign "Gayfemboy" also active in Germany". Heise Group. Retrieved 2025-08-30.
  5. Lakshmanan, Ravie. "GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets". The Hacker News. Retrieved 2025-08-30.
  6. Winder, Davey. "Gayfemboy 0-Day Router Attacks Ongoing—What You Need To Know". Forbes. ISSN 0015-6914. OCLC 6465733. Retrieved 2025-08-30.
  7. "Gayfemboy botnet evolution: Fortinet researchers unveil advanced cyber threat". SC Media. 2025-08-25. Retrieved 2025-08-30.
  8. Paganini, Pierluigi (2025-08-24). "IoT under siege: The return of the Mirai-based Gayfemboy Botnet". Security Affairs. Retrieved 2025-08-30.
  9. "New Stealthy Malware Hijacking Cisco, TP-Link, and Other Routers for Remote Control". gbhackers. 2025-08-25. Retrieved 2025-08-29.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Gayfemboy&oldid=1324279231"