
Should we be worried about Eleven11bot?

Eleven11bot is quite a recent development – but one which has caused significant concern in the cybersecurity world. That’s because of its rapid expansion and the scale of its attacks. But should we be worried about the Eleven11bot?

The Eleven11bot was first discovered in late February 2025 by Nokia’s Deepfield Emergency Response Team. Since then, it has rapidly grown in size and impact, infecting thousands of IoT devices and launching large-scale DDoS attacks.

What is the scope of Eleven11bot?

It is estimated that Eleven11bot has infected over 86,000 Internet of Things (IoT) devices.

The botnet is primarily used for Distributed Denial-of-Service (DDoS) attacks, which can overwhelm target servers and cause disruptions. It is a Mirai variant leveraging a novel exploit against HiSilicon-based IoT devices, including security cameras and network video recorders.

Who is behind Eleven11bot?

The botnet is believed to be operated by an Iranian threat actor. State-sponsored cybercrime activity increased sharply after Russia’s invasion of Ukraine, and the World Economic Forum’s Global Risks Report 2025 cited geopolitical cybercrime as a top short-term risk. In its 2025 cybersecurity review, the UK’s National Cyber Security Centre (NCSC) warns that state-sponsored cybercrime is likely to increase and cites China, Russia, North Korea and Iran as the key threats to the UK.

Eleven11bot is thought to originate with a state actor because it has prioritised targets in the telecommunications sector, with attacks disrupting latency-sensitive services such as VoIP and cloud gaming. This targeting pattern aligns with the interests of state-sponsored actors. In addition, the botnet’s command-and-control infrastructure uses encrypted channels to distribute attack payloads, which is a common tactic of sophisticated threat actors.

Analysis reported by Cyber Security News revealed that 61% of the IP addresses associated with the botnet originate from Iran, although it cautioned against direct attribution.

Should we be worried about the Eleven11bot?

Given its size and capabilities, Eleven11bot is indeed a significant concern.

The majority of compromised endpoints are located in the United States, United Kingdom, Mexico, Canada and Australia, so anyone in these regions should pay extra attention to hardening their endpoints against attack.

How can we protect ourselves against Eleven11bot?

Eleven11bot has been targeting devices with weak or default credentials. It is essential to take precautions to protect your devices, such as changing default passwords, updating firmware and disabling unnecessary remote access.

In detail, this includes:

  • Network-level blocking by deploying firewalls or intrusion prevention systems (IPS) to block traffic from the 1,042 malicious IPs identified as sources for attack.
  • Ensuring devices run the latest firmware versions, prioritising applying firmware updates for HiSilicon-based devices.
  • IoT hardening by disabling remote administration and changing default credentials of IoT devices.
  • Disabling all unnecessary remote access. For example, if remote access features like Telnet and SSH are not needed, you should disable them to reduce the potential attack surface.
  • Isolating IoT devices from critical IT infrastructure through network segregation, which limits the impact of a potential breach.
  • Monitoring suspicious behaviour on your network using SIEM tools to flag repeated login attempts on Telnet/SSH ports and unexpected outbound traffic from IoT devices.
  • Beefing up your DDoS mitigation strategies.
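As an added example (not from the article or any vendor tool), here is a small Python script in the spirit of the monitoring item above: it reads constructed firewall connection logs and flags repeated Telnet/SSH attempts against an IoT subnet as well as unexpected outbound flows from that subnet. The subnet, the allow-listed host, the thresholds and the log format are all assumptions made for this example.

```python
"""Flag Telnet/SSH brute-force attempts on IoT devices and unexpected outbound flows from the IoT segment."""
import ipaddress
from collections import Counter

# Assumed network layout (constructed for this example, not from the article).
IOT_NET = ipaddress.ip_network("192.168.50.0/24")   # segregated camera/NVR subnet
LOGIN_PORTS = {22, 23}                              # SSH and Telnet
ALLOWED_OUTBOUND = {"203.0.113.10"}                 # placeholder: vendor update server
LOGIN_THRESHOLD = 5                                 # inbound login attempts before alerting
OUTBOUND_THRESHOLD = 3                              # flows to one unlisted host before alerting

# Constructed firewall connection log: "<src_ip> <dst_ip> <dst_port> <verdict>"
SAMPLE_LOG = """\
198.51.100.7 192.168.50.21 23 allow
198.51.100.7 192.168.50.21 23 allow
198.51.100.7 192.168.50.21 23 allow
198.51.100.7 192.168.50.21 23 allow
198.51.100.7 192.168.50.21 23 allow
198.51.100.9 192.168.50.22 22 allow
192.168.50.22 203.0.113.10 443 allow
192.168.50.21 192.0.2.50 80 allow
192.168.50.21 192.0.2.50 80 allow
192.168.50.21 192.0.2.50 80 allow
"""

def analyse(log_text):
    login_attempts = Counter()  # (src, iot_device) -> Telnet/SSH connections from outside the segment
    outbound = Counter()        # (iot_device, dst) -> flows leaving the segment to unlisted hosts
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, _verdict = line.split()
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst_ip in IOT_NET and int(dport) in LOGIN_PORTS and src_ip not in IOT_NET:
            login_attempts[(src, dst)] += 1
        elif src_ip in IOT_NET and dst_ip not in IOT_NET and dst not in ALLOWED_OUTBOUND:
            outbound[(src, dst)] += 1
    alerts = []
    for (src, dst), n in login_attempts.items():
        if n >= LOGIN_THRESHOLD:
            alerts.append(f"brute-force: {src} made {n} Telnet/SSH attempts on {dst}")
    for (src, dst), n in outbound.items():
        if n >= OUTBOUND_THRESHOLD:
            alerts.append(f"unexpected outbound: IoT device {src} sent {n} flows to {dst}")
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

In a real deployment the same two rules would be expressed in your SIEM's query language over a sliding time window rather than over a whole file.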

By securing your IoT devices, you can help mitigate the risk posed by this botnet.