LILIN DVR devices targeted by a new BotenaGo malware strain

LILIN DVR Devices CCTV BotenaGo Malware Strain

BotenaGo’s new malware strain has been discovered by researchers targeting the LILIN security camera DVR devices. The researchers called the newly discovered malware variant “LILIN Scanner” since it is used by the threat actors in the source code during the latest attacks.

Based on reports, the new variant is coded in the Go language (Golang) and has not been identified or spotted by any threat detection engine. The strain developers have detached more than 30 exploits in BotenaGo’s first source code. Experts believe that removing the exploits is why BotenaGo’s elusive activity.

The payload used by the Emotet prioritises a single task, and the size is only 2.8 megabytes, which is small for an actual malicious code. In addition, the creators of this malware utilised again some parts to abuse a particular two-year-old critical flaw.

October last year, the source code of BotenaGo was leaked and exposed by researchers, which resulted in the development of newer variants based on the original code. After that, researchers spotted numerous variants of BotenaGo.


The LILIN scanner malware strain shares similarities and differences with its root malware, BotenaGo.


The researchers indicated that the LILIN scanner does not check the banner for the given IP addresses compared to BotenaGo. They also claimed that it uses other programs to manifest a list of LILIN devices by utilising services such as mass scanning tools.

Subsequently, the new malware strain recapitulated over the IP address it received from the standard input. Moreover, researchers in the pioneer BotenaGo source code can effortlessly spot parts of the code.

The instructions create one Goroutine, a thread used in Go per IP address operating the infectFunctionLILINDvr function following the same coding convention utilised by the operators of BotenaGo.

Updating and fortifying existing malware code and attempting to create new projects to enhance attack capabilities have become an expected behaviour among malicious threat groups, especially malware developers.

Experts suggest that the regular monitoring of the changes in these threats can aid researchers in creating more powerful detection tactics and defence mechanisms.

About the author

Leave a Reply