Pink Botnet infects millions of devices from China via DDoS attacks

Pink Botnet China DDoS attacks Traffic Overload Network Disruption Threat Actors

Millions of devices have recently been reported to have been infected by a botnet dubbed Pink being involved in a wide DDoS campaign. For the last six years, Pink has been known to be the largest observed botnet.

Based on a sample acquired by security experts last 2019, the Pink botnet is found to have contained several function names that begin with ‘pink’.

With about 96% of devices in China, the Pink botnet has a record of infecting over 1.6 million Chinese devices during its peak. To date, the botnet has been used to execute more than 100 DDoS attacks, and aside from it, threat actors also enclose advertisements into HTTP websites of unknowing victims. Pink botnets mainly target MIPS-based fibre routers with their robust design.

Despite the DDoS-infected devices being fixed and restored, it is observed that the Pink botnet remains to be active with about 100,000 nodes.

A combination of third-party services, including GitHub, P2P, and central C2s, are utilised by threat actors for the bots to controller communications. Furthermore, the threat actors have made numerous real-time updates on the fibre routers to preserve control over the infected devices, even with the vendors repeatedly fixing the issues. The Pink botnet is also known to have adopted the DNS-Over-HTTPS (DoH).

Lately, security researchers have found that the threat actors’ way of leveraging DDoS threats is continually transformed. The botnet has also been used as a backup tool in threatening victims.


Authorities from the UK and the US have alerted their respective territories regarding related DDoS campaigns.


The past two weeks have been critical for the UK and the US as the nations raised alerts to warn organisations about related DDoS campaigns emerging lately.

The FBI released a flash warning last week against the HelloKitty ransomware gang that threatens to launch DDoS attacks on victims that refuse on paying ransom demands. Meanwhile, the Comms Council UK have also notified and warned VoIP businesses about the rising DDoS extortion campaigns performed by international threat groups.

Attacks are recorded worldwide, with threat actors swamping on popular services and companies to distribute DDoS campaigns.

The KT telecom carrier from South Korea is included in the list, which had a short downtime recently due to a DDoS attack against its networks. Germany-based Posteo, Norway-based Runbox, and Australia-based Fastmail, all email providers, have suffered from a wide DDoS attack as well. Bandwith, an IP communications firm, has also experienced outages on their VoIP facility due to attacks.

The Pink botnet is a thriving flaw that security experts must team up to patch and disrupt its operations to being spread. DDoS attacks have been observed to be breaking records; hence all prone companies must implement an incident response plan to mitigate any chance of a DDoS attack.

About the author

Leave a Reply