HEH Botnet Wipes Routers, Servers, and IoT Devices

  • HEH is an IoT P2P botnet written in the Go language that wipes data from infected systems.
  • Learn more about Modus Operandi, Mitigation, Impact and Indicators of Compromise (IOCs)


HEH is an IoT P2P botnet written in the Go language that wipes data from infected systems. It has been active since October 2020 and has been spotted targeting routers, servers, and IoT devices. It can also infect weakly secured infrastructure such as exposed Telnet ports, Windows systems, etc.; however, it only works on *NIX platforms.

Modus operandi

  • The botnet is disseminated by launching brute-force attacks on exposed SSH ports (23 and 2323).
  • The device then downloads one of seven binaries that install the HEH malware, which can be executed on the x86 (32/64), ARM (32/64), MIPS (MIPS32/MIPS-III), and PPC CPU architectures.
  • Its main function allows attackers to run shell commands on the compromised device. This keeps devices infected and directs them to perform SSH brute-force attacks across the internet, amplifying the botnet's attack intensity.
  • Another feature allows it to wipe data, but it has no ability to launch DDoS attacks, install crypto-miners, or run proxies that relay traffic for threat actors.


Technical Impact

  • Unauthorized access to the filesystem and operating-system functionality.
  • Confidentiality of data is lost, as the script issues commands to delete the data.

Business Impact

  • Compromise of user information leads to loss of trust and reputation.
  • If data recovery is not possible, it could result in financial loss.

Mitigation

  • Regular monitoring of logs.
  • Checking privileges and permissions allotted to users.
  • Using firewalls for filtering traffic.
  • Securing exposed services (SSH, Telnet) with strong, unique passwords.
  • Using antivirus software.
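Two of the checks above, log monitoring and hunting for the listed samples, as an added example that is not part of this advisory: it counts failed SSH logins per source address in sshd log lines and compares file SHA256 digests against the two SHA256 IOCs listed on this page. The log lines are constructed, and the five-attempt threshold is an assumption, not a value from the advisory.

```python
import hashlib
import re
from collections import Counter

# SHA256 hashes of HEH samples, taken from the IOC list on this page.
HEH_SHA256 = {
    "d302749a080dd73e25673560857495ba14fa382857f64d26138acb044e2d9242",
    "4f9b895a2785f9788fcae8743ab04a24b62e0962b1f8a28dc1206c52327b7916",
}

# Matches sshd "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)

def bruteforce_sources(log_lines, threshold=5):
    """Return {ip: failed_attempts} for sources at or above the threshold (assumed value)."""
    counts = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def sha256_of(path):
    """Stream a file through SHA256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def match_iocs(paths, iocs=HEH_SHA256):
    """Return the subset of paths whose SHA256 digest appears in the IOC set."""
    return [p for p in paths if sha256_of(p) in iocs]

# Constructed sample log lines (not real traffic): one source hammering
# root/admin logins, one legitimate user with a single typo.
SAMPLE_LOG = [
    "Oct  6 03:12:01 gw sshd[812]: Failed password for root from 198.51.100.23 port 51234 ssh2",
    "Oct  6 03:12:02 gw sshd[813]: Failed password for root from 198.51.100.23 port 51240 ssh2",
    "Oct  6 03:12:02 gw sshd[814]: Failed password for invalid user admin from 198.51.100.23 port 51244 ssh2",
    "Oct  6 03:12:03 gw sshd[815]: Failed password for invalid user admin from 198.51.100.23 port 51250 ssh2",
    "Oct  6 03:12:04 gw sshd[816]: Failed password for root from 198.51.100.23 port 51255 ssh2",
    "Oct  6 03:15:10 gw sshd[820]: Failed password for alice from 192.0.2.7 port 40111 ssh2",
    "Oct  6 03:15:14 gw sshd[820]: Accepted password for alice from 192.0.2.7 port 40111 ssh2",
]

if __name__ == "__main__":
    print(bruteforce_sources(SAMPLE_LOG))  # {'198.51.100.23': 5}
```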


Indicators of Compromise (IOCs)

SHA1:

  • eff1ce72eddc9de694901f410a873a9d1ed21339
  • 6fa68865f1a2ddd1cf22f1eba583517c05b6f6c3


SHA256:

  • d302749a080dd73e25673560857495ba14fa382857f64d26138acb044e2d9242
  • 4f9b895a2785f9788fcae8743ab04a24b62e0962b1f8a28dc1206c52327b7916

File name:

  • wpqnbw[.]txt

Domain:

  • pomf[.]cat
