Skip to main content
close search
site logo
Dive Brief

Eleven11bot estimates revised downward as researchers point to Mirai variant

The botnet has been involved in DDoS activity targeting telecom companies and gaming platforms.

Published March 7, 2025
David Jones's headshot
Reporter
Close-up Portrait of Software Engineer Working on Computer, Line of Code Reflecting in Glasses.
gorodenkoff via Getty Images

Dive Brief:

  • Security researchers have revised their estimates of the size of Eleven11bot, which has exploited IoT devices for DDoS attacks against telecom, gaming platforms and other industries. 
  • GreyNoise on Wednesday said the number of compromised devices was less than 5,000 around the globe. However, Nokia Deepfield said Friday that upward of 30,000 devices are actively involved in DDoS activity and has shared its findings with other firms tracking the botnet.
  • GreyNoise now says the botnet is a Mirai variant that utilizes a single new exploit targeting HiSilicon-based devices, most of which are running TVT-NVMS-9000 software. 

Dive Insight:

Researchers from Nokia Deepfield said they communicated their findings to other researchers and noted the firms have slight variations in how they calculate their Eleven11bot estimates. 

“The 30K count is directly derived from attack data, enriched with our active crawling (for which we see the specific device characteristics for every IP on the internet),” Jerome Meyer, a security researcher at Nokia Deepfield, said via email. 

The previous estimates of tens of thousands of devices was based on normal HiSilicon device signature traffic being misidentified as botnet activity, according to GreyNoise. 

GreyNoise analyzed a list of about 1,400 IPs provided by researchers at Censys, according to the blog post. GreyNoise said 1,042 were engaged in exploitation and scanning. Researchers said these were primarily connected to embedded systems that are usually not involved in outbound internet communications. 

GreyNoise based its revised estimates in part on a May 2024 security advisory about a critical vulnerability in NVMS9000. The company said its revised estimates are based on figures for deployed hardware but conceded the actual totals could be higher.

Filed Under: Vulnerability, Threats

Editors' picks

Company Announcements

View all | Post a press release
BeyondTrust Pathfinder Delivers a One-Platform Approach to Identity-Centric Security
From BeyondTrust
February 26, 2025
Whalebone Secures €13.35M in Funding to Accelerate Global Growth and Innovation
From Whalebone
February 18, 2025
DISA Data Breach Investigation
From Migliaccio & Rathod LLP
February 25, 2025
Editors' picks
Latest in Vulnerability
Industry Dive is an Informa TechTarget business.
© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.