GPON Home Routers Are Over TheMoon Botnet

Dasan's gigabit-capable passive optical network (GPON) home routers are again the target of zero-day exploits using a new botnet called TheMoon, according to researchers at Qihoo 360 Netlab.

While activity of TheMoon botnet emerged in 2014, it's only been seen adding internet of things (IoT) device exploits into its code since 2017, Qihoo 360 Netlab researchers wrote in a 21 May post. TheMoon is the latest to "join the party" of botnets attacking GPON home routers. 

Earlier this year, Qihoo 360 Netlab researchers analyzed TheMoon, identifying it as a code name for a family of malicious code. Since April 2017, researchers have been monitoring TheMoon family and its evolution.

In the most recent attacks, the researchers noted that the attacking payload looks different on TheMoon, which is why they have classified it as a zero-day. "We tested this payload on two different versions of GPON home routers, all work. All these make TheMoon totally different," the researchers wrote.

In an effort to prevent future attacks, the researchers chose not to disclose the details of the attack payload; however, they did identify features of this new dark side of TheMoon, which include the scanner IP ( Brazil/BR São Paulo "AS28573 CLARO S.A."), the scanning ports (80, 8080, 81, 82, 8888, with the GPON scan only on port 80) and the download server  (

This latest report confirms what has frequently been observed about the cycle of zero-day and botnet attacks on connected devices in the IoT world: they are vulnerable targets. "They are no match for ingenious hackers with automated discovery tools and a well-stocked experimental laboratory of potential victims, namely the internet," said Ashley Stephenson, CEO, Corero Network Security.

"The larger the population of any particular device or software stack, the greater the motivation and reward for hacking it," he said. "In this case, a reported population of one million Internet accessible GPON devices makes for a huge potential payback if you can develop an exploit to pwn them into bots. We should expect additional exploit vectors to be discovered in the future."