LuaBot, similar to Mirai, is a trojan that targets Linux systems, loT devices, and web servers, turning infected systems into bots within a larger botnet controlled by the attacker. This malware appears as an ELF binary targeting ARM platforms, found typically in embedded loT devices. Initially, no malicious functions were found in LuaBot, besides adding devices to a botnet. Then, researchers discovered that a LuaBot module on one device allowed this trojan to perform Layer 7 DDoS attacks. Reverse-engineering the code of this malware reveals that the bot communicates with a C2 server hosted in the Netherlands on the infrastructure of WorldStream.NL. Code was also discovered in LuaBot stating "penetrate_sucuri," which hints at features capable of penetrating Sucuri's Web Application Firewall. Analysis revealed this malware allows the coder to use routers as proxies in order to relay malicious traffic.


  • September 2016: LuaBot discovered as the first DDoS-capable trojan coded in the Lua scripting language. (Softpedia)
  • September 2016: An interview with the LuaBot malware author is conducted and released. (Medium)
Trojan VariantsNJCCICLuaBot