Cybersecurity researchers have discovered a new botnet called Zergeca, capable of carrying out distributed denial-of-service (DDoS) attacks.
Developed in Golang, Zergeca gets its name from a string called “ootheca” found in the command-and-control (C2) servers (“ootheca[.]pw” and “ootheca[.]top”).
“Zergeca is not your typical DDoS botnet; it supports six attack methods and offers additional features like proxying, scanning, self-upgrading, file transfer, reverse shell, and collecting device data,” as reported by the QiAnXin XLab team stated.
Zergeca also uses DNS-over-HTTPS (DoH) for Domain Name System (DNS) resolution and a less-known library called Smux for C2 communications.
Evidence suggests that the botnet’s creators are actively updating the malware to add new commands. Interestingly, the C2 IP address 84.54.51[.]82 was previously associated with the Mirai botnet in September 2023 before being used for Zergeca in April 2025.
The botnet has primarily launched ACK flood DDoS attacks targeting Canada, Germany, and the U.S. between early and mid-June 2024.
Zergeca consists of four modules – persistence, proxy, silivaccine, and zombie – aimed at setting up persistence, implementing proxying, removing malware, and controlling x86-64 devices, among other functions.
The zombie module collects device information and awaits commands from the C2, supporting various DDoS attacks, scanning, and reverse shell functions.
XLab noted, “The use of techniques like modified packing and encryption demonstrates a strong understanding of evasion tactics.”
