SAINT has added a critical vulnerability check to identify VStarcam cameras that are at risk for the latest set of DDoS attacks from Iran. Coverage for this latest vulnerability is supported with all SAINT scanning products, as of March 4th, 2025.  

The Attack: Eleven11bot Botnet 

Threat intelligence teams from various sources have identified a sophisticated attack campaign targeting VStarcam camera devices as part of a larger threat. According to research from Nokia Deepfield’s Emergency Response Team (ERT), this new botnet, tracked as “Eleven11bot,” has already compromised over 86,000 devices globally, primarily security cameras and network video recorders (NVRs), including VStarcam devices (Nokia Deepfield, November 26, 2024). As of March 2, 2025, most compromised devices are in the US (almost 25,000), and the UK is second with nearly 11,000 infected devices. 

The botnet exploits default and weak device credentials to gain unauthorized access to these internet-connected cameras. Attackers scan for exposed Telnet and SSH ports, which are often left unprotected on IoT hardware. Once compromised, these devices are being weaponized in distributed denial of service (DDoS) attacks against telecom providers and gaming platforms, with some attacks persisting for multiple days and causing widespread service disruptions. There is a high probability that this latest attack is from an Iranian group and is seen as one of the largest known DDoS botnet campaigns observed since the invasion of Ukraine in February 2022″.  

How SAINT Can Help Defense Against this Attack 

The latest SAINT update includes dedicated vulnerability checks, specifically designed to identify VStarcam devices with default credentials still in place, and weak or commonly used passwords. 

Immediate Recommended Actions 

1. Update SAINT: Ensure your SAINT vulnerability management solution is updated to version 10.4, Content Version 100436 or higher. 
2. Run Targeted Scans: Immediately conduct scans focused on identifying VStarcam devices across your network infrastructure. 
3. Remediate Findings: For any vulnerable devices identified, follow the detailed remediation steps provided in the SAINT Tutorial guidance. 
4. Review Network Segmentation: Consider isolating IoT devices like security cameras on separate network segments with restricted access. 
5. Update firmware. Perform firmware updates to the latest version to reduce your risk exposure to this and other potential vulnerabilities. 

Don’t wait. Update your SAINT solution today and defend your organization from this rapidly expanding global threat. As always, our security team is available to assist with any questions or concerns. 

References: 

• CyberNews.com. Eleven11bot botnet is nearly three times bigger than initial estimates 

• Nokia Deepfield Emergency Response Team (ERT). (2025). Eleven11bot Botnet Technical Analysis. 

• Meyer, J. (2025). Nokia Deepfield security research.