The threat actors behind the FreakOut (aka Necro) botnet have added new exploit tools to their arsenal. This update to the Python-based botnet is believed to cause more havoc on Windows and Linux systems.

A preview of the previous version 

  • The botnet first appeared on the threat landscape in November 2020, with attacks aimed at compromising target systems to launch DDoS and crypto-mining attacks.
  • In June, this multi-platform Python-based botnet was upgraded with worm-like capabilities, along with new exploits for vulnerabilities affecting VMware vSphere, SCO OpenServer, and Vesta Control Panel.
  • Although the core functionality of the botnet included mining of Monero cryptocurrency, the inclusion of new exploits allowed attackers to ensnare more devices to form an army of bots.

What’s the latest update?

  • Towards the end of September 2021, researchers at Juniper Threat Labs observed new activity from FreakOut aka 3Cr0m0rPh that resulted in the takeover of Visual Tools DVR.
  • One of the several new features is an exploit for a vulnerability targeting Visual Tools DVR VX16 from 
  • Successful exploitation of the flaw can enable threat actors to download and install a Monero miner on the DVR device.
  • Additionally, the device could be incorporated into the botnet’s DDoS swarm.

Additional new tricks

  • Another interesting aspect of the new botnet is its use of a Domain Generation Algorithm (DGA) to communicate with its C2 servers.
  • The botnet also appears to generate 253 unique pseudo-random domains to evade the domain flagging and take-downs that would reduce its effectiveness.
  • Some other new features include the new DDoS-supporting TOR Socks proxies and the exclusion of SMB scanners.


The new developments in the FreakOut botnet increase the chances for threat actors to spread across more systems and devices. Therefore, users need to regularly apply the latest security updates to all applications and operating systems to reduce the scope of attacks. Furthermore, they must monitor logs for signs of infection.
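
One way to act on the log-monitoring advice for the DGA behaviour described above, as an added example that is not from Juniper's analysis or the botnet's code: a host cycling through a list of generated C2 names tends to produce a burst of failed lookups for distinct random-looking domains, so the sketch counts those per client in a sliding window. The log format, the sample lines, the `example.net` names and the thresholds are all assumptions; it does not reproduce the botnet's actual algorithm.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, format "<epoch> <client> <qname> <rcode>" (assumed format).
SAMPLE_LOG = """\
1632990000 10.0.0.5 www.example.com NOERROR
1632990004 10.0.0.5 intranet-portal.example.com NXDOMAIN
1632990100 10.0.0.23 kq7xw2mzpvhd.example.net NXDOMAIN
1632990110 10.0.0.23 zt4bnr9ycfjl.example.net NXDOMAIN
1632990120 10.0.0.23 wv8gxk3qmdps.example.net NXDOMAIN
1632990130 10.0.0.23 pj5hzr1ntbqy.example.net NXDOMAIN
1632990140 10.0.0.23 mx6cdw0lkvfg.example.net NXDOMAIN
1632990150 10.0.0.23 yb2sqn7hxrtz.example.net NXDOMAIN
"""

def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_generated(qname, min_len=10, min_entropy=3.0):
    """Heuristic: long, high-entropy leftmost label (thresholds are assumptions)."""
    label = qname.rstrip(".").split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def find_dga_suspects(lines, window=600, threshold=5):
    """Map client -> max distinct random-looking NXDOMAIN names seen in any window."""
    hits = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip blank or malformed lines
        ts, client, qname, rcode = parts
        if rcode == "NXDOMAIN" and looks_generated(qname.lower()):
            hits[client].append((int(ts), qname.lower()))
    suspects = {}
    for client, events in hits.items():
        events.sort()
        best = start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window's left edge forward
            best = max(best, len({q for _, q in events[start:end + 1]}))
        if best >= threshold:
            suspects[client] = best
    return suspects

if __name__ == "__main__":
    for client, n in find_dga_suspects(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {n} distinct generated-looking failed lookups")
```

A single failed lookup of a long name (the `10.0.0.5` line) passes the entropy check but stays below the volume threshold, which is why the count of distinct names per client is the signal rather than entropy alone.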

Cyware Publisher