BIMP-BotNet
It all started back in December 2021, when I discovered password attacks on mail systems. What I saw was 1 login attempt from 1 IP, but with 3-5 different IPs and 1-2 minutes in between. So this was, and still is, a "low and slow" password attack. And they continue to this day against anything with an open service with a login prompt exposed to the Internet, but with a "big love" for anything mail related.
We know for a fact that many Danish companies have already been "hacked" by this network.
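The "low and slow" pattern described above (one failed login per source IP, a few minutes apart, so per-IP lockouts never fire) is easier to catch by correlating on the target account instead of the source. The detector below is an added example written for this page, not the author's tooling; the log format and the thresholds (3 IPs within 10 minutes, at most 1 attempt per IP) are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a Dovecot-like auth-failure style (assumed format, not real captures).
# "alice" is hit once each from four IPs a minute or two apart; "bob" is a plain
# single-IP brute force that a per-IP threshold would already catch.
SAMPLE_LOG = """\
2026-03-01T10:00:05 imap-login: Failed password for user=alice rip=203.0.113.10
2026-03-01T10:01:40 imap-login: Failed password for user=alice rip=198.51.100.22
2026-03-01T10:03:12 imap-login: Failed password for user=alice rip=192.0.2.77
2026-03-01T10:04:50 imap-login: Failed password for user=alice rip=203.0.113.44
2026-03-01T10:02:00 imap-login: Failed password for user=bob rip=198.51.100.9
2026-03-01T10:02:30 imap-login: Failed password for user=bob rip=198.51.100.9
2026-03-01T10:03:00 imap-login: Failed password for user=bob rip=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) imap-login: Failed password for user=(\S+) rip=(\S+)$")


def parse_failures(text):
    """Yield (timestamp, user, source_ip) for each failed-login line that matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def low_and_slow(text, window=timedelta(minutes=10), min_ips=3, max_per_ip=1):
    """Return {user: sorted list of source IPs} for accounts hit from at least
    min_ips distinct IPs inside one sliding window, where no single IP made
    more than max_per_ip attempts (the distributed pattern per-IP lockouts miss)."""
    by_user = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        by_user[user].append((ts, ip))
    hits = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            per_ip = defaultdict(int)
            for ts, ip in events[i:]:
                if ts - start <= window:
                    per_ip[ip] += 1
            if len(per_ip) >= min_ips and max(per_ip.values()) <= max_per_ip:
                hits[user] = sorted(per_ip)
                break
    return hits
```

Feeding a day of mail-server auth failures through this and alerting on the returned accounts flags the rotation itself, while the single-IP case is left to the usual per-IP rules.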

The name
BIMP-BotNet is an abbreviation for Bruteforce, IOT, Malware, Phishing botnet.
The hunt
I have been writing a lot about the BIMP-BotNet over the years. I can recommend the publications from SektorCERT.
What is new
I believe that BIMP-BotNet is just a part of a large proxy network made up of OT/IOT devices that have been hacked, often with an indication of an SSH key overwrite, which gives full access to a device quite easily. And quite often we see BusyBox systems with the Dropbear SSH server implementation being part of the proxy network.
A lot of different kinds of systems seem to have been infected by this botnet, so it is not just the GR241AG I see. The list is long..
BIMP-BotNet is just using that big botnet to do the attacking. We have monitored a hacked IOT network device, a "GR241AG Gateway Router", for some time now, and the infected device gave us 130GB of traffic per week to look at. That is a lot of traffic... And a lot of the traffic is proxied SSH traffic from Vietnam, the US and so on..
Picture: GR241AG Gateway Router (manual)

From this giant proxy network we see a lot of attacks on many systems. We even found infected devices from some "NATO special forces military units" being part of this network. We see Russian C2 backend infrastructure IPs for unknown malware. And funnily enough, the identified C2 IPs in the proxy network do not show up as listed for any known bad stuff.
So the BIMP-BotNet is, we believe, part of a giant APT proxy network running globally. We can say that 7,000+ IPs from the proxy network are running the BIMP-BotNet, so how big this proxy network actually is is hard to say. But when I first discovered the BotNet I found more than 12,000+ infected IPs, and right now I can say that I see around 100+ new IPs I haven't seen before.
And it is all based on OT/IOT devices on the Internet, and someone is running this network....
Shift in attacks
On March 1, 2026 I saw a shift in how the TLS traffic is handled by the BIMP-BotNet when it does brute force network attacks. This meant that about half of it was no longer blocked by the SNORT DROP IDS rules. I have since created new SNORT IDS drop and alert rules to capture that shift.
Prevention
- Do NOT leave any system with BusyBox/Dropbear exposed to the Internet
- Use 2FA on everything
- Do not expose login pages of any kind to the Internet at all, if you don't need to.
- Use GEO protection for exposed services
- Use "point to point" firewall rules
- Use inline IDS (IPS systems) to drop attack traffic. Don't use it as IDS but as IPS
- Only allow SSH traffic on your network to trusted sources / destinations. DO NOT LEAVE IT OPEN TO ANY.
- Always patch
- Remove EOL (End-of-life) devices from your network. (Clean up firewall rules and NAT rules to those devices)
IOC
With the IOCs here you will locate the BIMP-BotNet that is part of the proxy network. And this is a good way to start looking at the network itself, if you want to dig deeper into this proxy network.
JA3
f17ca639ecdcaa65b4521c49e3515ef9
JA4
t12i860600_e18388e7f3a3_4446390ac224
IP block list with more than 7,019+ IP addresses for BIMP-BotNet attacks
Download
Suricata IDS Drop Rule
Download my IDS rule set for Suricata
SNORT IDS Drop Rule
Download my IDS rule set for SNORT. New IDS detection has been released (05-03-2026). I have seen this in relation to infected hardware where BIMP is used in the malware.
Happy Hunting...
IP Blocklist
Latest Update
01-03-2026
Download