article featured image


A rapidly expanding malware is entrapping routers, DVRs, and servers all over the web in order to launch Distributed Denial-of-Service (DDoS) attacks on over 100 victims every day.

CNCERT and Qihoo 360’s Network Security Research Lab (360 Netlab) worked together and found this botnet they dubbed Fodcha.

According to a report by 360 Netlab, between March 29 and April 10, Fodcha malware has infected 62,000 devices, and daily numbers fluctuate around 10,000.



As per 360 Netlab security researchers, the top regions from which the bots come from are Shandong (12.9 %), Liaoning (11.8 %), and Zhejiang (9.9%). China Unicom (59.9%), China Telecom (39.4%), and China Mobile (0.5%) are the service providers from which these bots originate.

Based on direct data from the security community that we worked with, the number of daily live bots are more than 56000.

The global infection looks fairly big as just in China there are more than 10,000 daily active bots (IPs) and also more than 100 DDoS victims being targeted on a daily basis.


Fodcha Spread Method

The specialists discovered that the Fodcha botnet compromises new devices with exploits created to abuse NDay vulnerabilities in multiple machines, as well as a brute-force cracking tool they named Crazyfia.

Below you can see a list of the main vulnerabilities provided by 360 Netlab and the devices and services targeted by the Fodcha malware:


After they managed to obtain access to vulnerable Internet-exposed devices samples, the developers of the Fodcha botnet use Crazyfia scan evaluation to distribute malware payloads.

An analysis shows that the botnet includes samples targeting mips, mpsl, arm, x86, and other CPU architectures.

The botnet used the folded[.]in command-and-control (C2) domain from January 2022 until March 19, when it changed to fridgexperts[.]cc after the cloud vendor removed the original one.

The shift from v1 to v2 is due to the fact that the C2 servers corresponding to the v1 version were shutdown by a their cloud vendor, so Fodcha’s operators had no choice but to re-launch v2 and update C2.”

The new C2 is mapped to more than a dozen IPs and is distributed across multiple countries including the US, Korea, Japan, and India, it involves more cloud providers such as Amazon, DediPath, DigitalOcean, Linode, and many others.


Did you enjoy this article? Follow us on LinkedInTwitterFacebookYoutube, or Instagram to keep up to date with everything we post!

Author Profile

Antonia Din

PR & Video Content Manager

linkedin icon

As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.

Leave a Reply

Your email address will not be published. Required fields are marked *