HailBot analysis: the other Mirai variant used in the DDoS attack on Chinese AI startup DeepSeek
Summary
HailBot is a variant of the Mirai botnet. This botnet was very popular in 2023 and later became faster, delivering payloads and infecting hosts at large scale. Recently, another variant of this botnet was noted by a Chinese cybersecurity team on 2025/1/28, carrying out a large-scale malicious attack on Chinese AI startup DeepSeek.
Technical analysis
This HailBot sample is an ELF executable for ARM.
MD5 hash: 74AE300E854410ABB8C71A9E5C6182FF
HailBot kills other botnets to ensure that it is the only one running on the victim host.
Figure 1 - Kill other botnet
The botnet also kills other processes.
Figure 2 - Kill other processes
HailBot disguises itself, hiding its process with a mount.
Figure 3 - Hide process
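A defender-side check for this process-hiding trick, added here as an example and not code from the author or from the sample: on Linux, a mount placed over a /proc/<pid> directory removes that process from tools that enumerate /proc, and such mounts are visible in /proc/self/mountinfo. The sample mountinfo lines below are constructed; the /proc/self/mountinfo path used for the live check is an assumption about a standard Linux host.

```python
import re
from typing import Dict, List

# Constructed sample of /proc/self/mountinfo lines (not from the page).
# A mount placed over /proc/<pid> makes that process vanish from tools
# that enumerate /proc (ps, top). The third line is the suspicious one.
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
23 22 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
57 23 0:45 / /proc/1337 rw,relatime - tmpfs tmpfs rw
58 23 0:46 / /proc/sys/fs/binfmt_misc rw,relatime - binfmt_misc binfmt_misc rw
"""

# A mount point that is exactly /proc/<pid> or something beneath it.
PROC_PID_MOUNT = re.compile(r"^/proc/(\d+)(?:/|$)")


def parse_mountinfo(text: str) -> List[Dict[str, str]]:
    """Parse mountinfo records into {mount_point, fstype} dicts.
    Layout per proc(5): id parent major:minor root mount_point options
    [optional fields] - fstype source super_options. The mount point is
    field 4 and the fstype is the first field after the '-' separator.
    """
    records = []
    for line in text.splitlines():
        fields = line.split()
        sep = fields.index("-") if "-" in fields else -1
        if sep < 6 or sep + 1 >= len(fields):
            continue  # blank or malformed line
        records.append({
            "mount_point": fields[4].replace("\\040", " "),  # unescape spaces
            "fstype": fields[sep + 1],
        })
    return records


def find_hidden_pid_mounts(text: str) -> List[str]:
    """Return the PIDs whose /proc/<pid> directory is covered by a mount."""
    hidden = []
    for rec in parse_mountinfo(text):
        m = PROC_PID_MOUNT.match(rec["mount_point"])
        if m:
            hidden.append(m.group(1))
    return hidden


def check_live_system(path: str = "/proc/self/mountinfo") -> List[str]:
    # Same check against the running host (Linux only); path is an assumption.
    with open(path, encoding="utf-8") as fh:
        return find_hidden_pid_mounts(fh.read())
```

On the constructed sample the check reports PID 1337; on a live host, any PID it reports should be compared against what ps shows, and an unexplained mount over /proc/<pid> is worth investigating.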
TCP and UDP DDoS attack capabilities are embedded inside the botnet, which supports more than 10 different DDoS attack methods.
Figure 4 - DDoS attack modes
HailBot is a variant of the Mirai botnet that is focused on running DDoS attacks, without other functions such as telnet brute force and without any vulnerability exploitation.
IOCs
74AE300E854410ABB8C71A9E5C6182FF
Conclusion
HailBot is a variant of the Mirai botnet that is focused on running DDoS attacks, and the attacker is professional.
Support My Work:
**If you found this report helpful, consider supporting my work by buying me a coffee!** Your contribution helps me dedicate more time to malware analysis and creating free resources for the cybersecurity community.
*I am deeply grateful from the bottom of my heart!*