In 2016, the Mirai botnet swept the Internet, ushering in a new era of DDoS attacks. Over the following decade, spinoffs of the Mirai botnet transitioned from simple attack tools into commercial platforms offering Distributed Denial of Service (DDoS) attacks for hire. Such platforms enable users to launch large-scale DDoS attacks with minimal technical expertise. One notable example is the Gorilla Botnet, which was operational between Fall 2024 and Summer 2025, an unusually long lifetime compared to similar Mirai-based botnets.
In this paper, we reverse-engineer the Mirai-based Gorilla Botnet and aim to understand the design, engineering decisions, and marketing strategies that enhanced its resilience and success. We investigate its operational characteristics, including the types of attacks it supports, its underlying infrastructure, and the behavior of its bots. We find that Gorilla's longevity stems from targeted improvements, including two software development phases and learning from previous releases, which set it apart from typical Mirai-based botnets. In the process, we analyze the firepower and attack vectors of the Gorilla botnet and characterize the business types of its targets.