Botnets, Credential Stuffing and mitigation

Dark_Nexus Botnet

BitDefender researchers have recently identified a new botnet, dubbed “dark_nexus”. This botnet is similar to the Mirai botnet from back in 2016, but instead targets IoT devices to perform distributed denial of service (DDoS) attacks. This botnet grows primarily by using credentials stuffing attacks against different types of devices such as routers, video recorders, cameras and enlists them onto the botnet upon successful exploitation.

Credential stuffing involves injecting breached username and password pairs to gain access to a user or administrator account. Attackers collect credentials through leaks and insert these in mass quantities, similar to a brute force attack. Credential Stuffing attacks are possible primarily due to user error, exploiting the reused username and password combination across multiple services. The attacker locates username and password pairs, uses these to ‘credential stuff’ into different services to gain access.


With Dark Nexus, the attacker compromises devices using credential stuffing, and adds each to the pool of botnet devices. Once compromised, the attacker then rents devices to conduct malicious and often illegal activity.

You can mitigate credential stuffing is to ensure that each device, service, and account you access all have unique passwords. This will reduce the overall effectiveness of this attack by restricting the applicability of breached credentials to a single account.

Further Guidance

Our guidance is to continue practicing best security practice both within your organisation and personally and pay close attention to your procedures surround password reuse, especially for these attacks. For more help with how to protect your own organisation, take a look at our IT Health Check service, which provides you with valuable information to begin improving your business resiliency.