HEH Botnet Wipes Routers, Servers, and IoT Devices

Updated on April 19, 2023
Published on December 4, 2020
HEH is an IoT P2P botnet written in Go that wipes data from infected systems. This botnet has been active since October 2020 and has been spotted targeting routers, servers, and IoT devices. It can also infect weakly secured infrastructure such as Telnet ports, Windows systems, etc. However, it only works on *NIX platforms.

Modus operandi

  • The botnet is disseminated by launching brute-force attacks on exposed SSH ports (23 and 2323). 
  • The device then downloads one of seven binaries that install the HEH malware, which can run on the CPU architectures x86 (32/64), ARM (32/64), MIPS (MIPS32/MIPS-III), and PPC.
  • Its main function allows attackers to run shell commands on the compromised device. This keeps devices infected and lets the attackers direct them to perform SSH brute-force attacks across the internet, amplifying the botnet's attack intensity.
  • Another feature allows it to wipe data, but it cannot launch DDoS attacks or install crypto-miners, and it has no code to run proxies and relay traffic for threat actors.


Technical Impact

  • Unauthorized access to filesystem and operating system functionalities.
  • Confidentiality of data is lost, as the malware runs script commands to delete the data.

Business Impact

  • Compromise of users' information leads to loss of trust and reputation.
  • If data recovery is not possible, it could result in financial loss.


Mitigation

  • Regular monitoring of logs.
  • Checking privileges and permissions allotted to users.
  • Using firewalls for filtering traffic.
  • Securing ports with complex passwords.
  • Using antivirus software.
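
The log-monitoring and traffic-filtering steps above can be turned into a concrete check. The following is an added example, not part of the original advisory: it scans firewall log lines for bursts of connections to ports 23 and 2323 and separates external sources from internal hosts that are scanning outward. The iptables-style log format, the threshold, the window, the `10.` internal prefix and every sample line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_PORTS = {23, 2323}          # the ports the advisory names
THRESHOLD = 5                       # assumed: attempts that count as a burst
WINDOW = timedelta(seconds=60)      # assumed: sliding window for the burst
INTERNAL_PREFIX = "10."             # assumed: this network's address space

# Assumed input: iptables-style LOG lines for new TCP connections, ISO timestamps.
LINE_RE = re.compile(r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")


def find_bruteforce(lines):
    """Map each source IP that makes THRESHOLD or more connections to a watched
    port within WINDOW to "inbound" (external source) or "outbound"
    (internal host scanning others, i.e. a likely infected device)."""
    attempts = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and int(m["dpt"]) in WATCHED_PORTS:
            attempts[m["src"]].append(datetime.fromisoformat(m["ts"]))
    flagged = {}
    for src, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:   # drop attempts older than WINDOW
                start += 1
            if end - start + 1 >= THRESHOLD:
                flagged[src] = "outbound" if src.startswith(INTERNAL_PREFIX) else "inbound"
                break
    return flagged


def _line(sec, src, dst, dpt):
    """Build one constructed log line (sample data, not from a real device)."""
    return (f"2020-10-06T12:00:{sec:02d} gw kernel: IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=60 PROTO=TCP SPT=40000 DPT={dpt} WINDOW=29200 SYN URGP=0")


SAMPLE = (
    [_line(s, "203.0.113.7", "10.0.0.5", 23) for s in range(0, 12, 2)]       # external burst
    + [_line(s, "10.0.0.9", f"198.51.100.{s}", 2323) for s in range(1, 8)]   # internal host scanning
    + [_line(30, "192.0.2.4", "10.0.0.5", 23)]                               # single attempt
    + [_line(s, "192.0.2.8", "10.0.0.5", 443) for s in range(10)]            # unwatched port
)

if __name__ == "__main__":
    for ip, direction in find_bruteforce(SAMPLE).items():
        print(f"{direction:8} {ip}")
```

An "outbound" hit is the higher-priority finding: it means a device inside the network is already generating the scanning traffic the advisory describes and should be isolated and reimaged.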

Indicators of Compromise (IOCs)



  • wpqnbw[.]txt


  • pomf[.]cat
