A new botnet named “Dark_nexus” that compromises Internet-of-Things (IoT) devices appeared about three months ago and has taken control of at least 1,300 bots so far, according to researchers from Bitdefender. The malware code contains some references to the well-known botnet malware Mirai and Qbot, but most of Dark_nexus is new work, with features that could position it as a major threat in the future. The botnet can be used to launch Distributed Denial of Service (DDoS) attacks against websites and is capable of disguising the attack traffic to appear as if it comes from web browsers, which makes the DDoS traffic more difficult to detect and block. Spam email messages or phishing messages containing malware can be sent from the bots; this is a common technique used by many threat groups to spread malware. The Dark_nexus botnet also contains a SOCKS5 proxy feature, which could allow the threat actors controlling the botnet to lease access to others, who could then relay their attacks through the bots and disguise the attackers’ actual IP address. The researchers have suggested that the creator of the Dark_nexus botnet may be a well-known botnet author going by the name “greek.Helios,” who sells DDoS services in criminal forums. The bot uses a variety of techniques to find and infect other devices, including exploits against known vulnerabilities and attempts to log in to devices via Telnet using known default passwords.