HEH Botnet Wipes Routers, Servers, and IoT Devices

HEH is an IoT P2P botnet written in Go that wipes data from infected systems. Learn about the mitigation, impact and IOCs of the HEH botnet.
Updated on
February 27, 2023
Published on
December 4, 2020
HEH is an IoT P2P botnet written in Go that wipes data from infected systems. It has been active since October 2020 and has been spotted targeting routers, servers, and IoT devices. It can also infect weakly secured infrastructure such as exposed Telnet ports, Windows systems, etc. However, it only works on *nix platforms.

Modus operandi

  • The botnet spreads by launching brute-force attacks against exposed SSH ports (23 and 2323).
  • The compromised device then downloads one of seven binaries that install the HEH malware; builds exist for the x86 (32/64), ARM (32/64), MIPS (MIPS32/MIPS-III), and PPC CPU architectures.
  • Its main function lets attackers run shell commands on the compromised device. This keeps devices infected and directs them to perform SSH brute-force attacks across the internet, amplifying the botnet's attack intensity.
  • Another feature lets it wipe data, but it has no ability to launch DDoS attacks, install crypto-miners, or run proxies that relay traffic for threat actors.


Technical Impact

  • Unauthorized access to the filesystem and operating system functionality.
  • Confidentiality of data is lost, as the script issues commands to delete the data.

Business Impact

  • Compromise of user information leads to loss of trust and reputation.
  • If data recovery is not possible, it could result in financial loss.

Mitigation

  • Regular monitoring of logs.
  • Checking privileges and permissions allotted to users.
  • Using firewalls for filtering traffic.
  • Securing exposed ports and services with complex passwords.
  • Using antivirus software.
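The "regular monitoring of logs" and "using firewalls" items above become concrete once the brute-force pattern described under Modus operandi is turned into a detection rule. The script below is an added example, not code from the original post or from any vendor: it parses constructed netfilter/iptables-style LOG lines (the assumption is that the perimeter firewall logs inbound SYNs in this format), keeps only connection attempts to ports 23 and 2323, and flags any source IP that makes a configurable number of attempts inside a sliding time window. The sample log, the threshold of 5 attempts per 60 seconds, and the RFC 5737 test addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the write-up above reports HEH brute-forcing.
TELNET_PORTS = {23, 2323}

# Constructed sample lines in netfilter/iptables LOG style (not real traffic).
# Assumption: the firewall logs each inbound SYN with SRC= and DPT= fields.
SAMPLE_LOG = """\
Oct  5 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=23 SYN
Oct  5 10:00:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=23 SYN
Oct  5 10:00:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=2323 SYN
Oct  5 10:00:06 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51003 DPT=80 SYN
Oct  5 10:00:08 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51004 DPT=23 SYN
Oct  5 10:00:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51005 DPT=23 SYN
Oct  5 10:00:14 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51006 DPT=23 SYN
Oct  5 10:02:30 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=2323 SYN
Oct  5 11:45:12 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=2323 SYN
Oct  5 11:45:13 gw sshd[1201]: Accepted publickey for admin from 192.0.2.50 port 55000 ssh2
"""

# syslog timestamp, hostname, "kernel:", then the SRC= and DPT= fields we need.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r".*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)


def parse_events(log_text, ports=TELNET_PORTS, year=2020):
    """Return (source_ip, timestamp) for every logged SYN to one of `ports`.

    Syslog lines carry no year, so the caller supplies one (default matches
    the period in which HEH was first observed).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group("dpt")) not in ports:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((m.group("src"), ts))
    return events


def find_bruteforce_sources(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: peak_attempts} for sources exceeding the threshold.

    For each source the attempts are sorted and a sliding window finds the
    largest number of attempts that fall within `window_seconds`.
    """
    by_src = defaultdict(list)
    for src, ts in parse_events(log_text):
        by_src[src].append(ts)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        left, peak = 0, 0
        for right, t in enumerate(times):
            while t - times[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, count in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} Telnet-port connection attempts within 60s")
```

Run against a real firewall log by passing its contents to `find_bruteforce_sources`; the flagged addresses are candidates for a firewall block rule, and the same per-source window logic can be applied to the failed-login lines of a Telnet or SSH daemon if the regular expression is adapted to that format.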

Indicators of Compromise (IOCs)

SHA1

  • eff1ce72eddc9de694901f410a873a9d1ed21339
  • 6fa68865f1a2ddd1cf22f1eba583517c05b6f6c3

MD5

  • 43de9c5fbab4cd59b3eab07a81ea8715
  • 6c815da9af17bfa552beb8e25749f313
  • 984fd7ffb7d9f20246e580e15fd93ec7
  • 4c345fdea97a71ac235f2fa9ddb19f05
  • 6be1590ac9e87dd7fe19257213a2db32
  • bd07315639da232e6bb4f796231def8a
  • c1b2a59f1f1592d9713aa9840c34cade
  • c2c26a7b2a5412c9545a46e1b9b37b0e
  • 66786509c16e3285c5e9632ab9019bc7

SHA256

  • d302749a080dd73e25673560857495ba14fa382857f64d26138acb044e2d9242
  • 4f9b895a2785f9788fcae8743ab04a24b62e0962b1f8a28dc1206c52327b7916

File names

  • wpqnbw[.]txt

Domains

  • pomf[.]cat
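A list of hashes is only useful once it is matched against something. The script below is an added example, not code from the original post or from any vendor: it embeds the indicators above exactly as listed (the hash types are inferred from digest length: 40 hex characters for SHA1, 32 for MD5, 64 for SHA256), computes all three digests of each file under a directory in one pass, and reports files whose digest or name matches, plus a small helper for checking hostnames from DNS or proxy logs against the listed domain. Directory layout, chunk size and the test data are assumptions of the example.

```python
import hashlib
import sys
from pathlib import Path

# Indicators exactly as listed on this page, grouped by digest algorithm.
HEH_HASHES = {
    "sha1": {
        "eff1ce72eddc9de694901f410a873a9d1ed21339",
        "6fa68865f1a2ddd1cf22f1eba583517c05b6f6c3",
    },
    "md5": {
        "43de9c5fbab4cd59b3eab07a81ea8715",
        "6c815da9af17bfa552beb8e25749f313",
        "984fd7ffb7d9f20246e580e15fd93ec7",
        "4c345fdea97a71ac235f2fa9ddb19f05",
        "6be1590ac9e87dd7fe19257213a2db32",
        "bd07315639da232e6bb4f796231def8a",
        "c1b2a59f1f1592d9713aa9840c34cade",
        "c2c26a7b2a5412c9545a46e1b9b37b0e",
        "66786509c16e3285c5e9632ab9019bc7",
    },
    "sha256": {
        "d302749a080dd73e25673560857495ba14fa382857f64d26138acb044e2d9242",
        "4f9b895a2785f9788fcae8743ab04a24b62e0962b1f8a28dc1206c52327b7916",
    },
}
HEH_FILENAMES = {"wpqnbw.txt"}   # defanged on the page as wpqnbw[.]txt
HEH_DOMAINS = {"pomf.cat"}       # defanged on the page as pomf[.]cat


def file_digests(path, chunk_size=1 << 16):
    """Compute MD5, SHA1 and SHA256 of one file in a single read pass."""
    hashers = {name: hashlib.new(name) for name in HEH_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_indicators(digests, filename):
    """Return (indicator_type, value) pairs that hit the lists above."""
    hits = []
    for algo, known in HEH_HASHES.items():
        value = digests.get(algo, "").lower()   # tolerate upper-case input
        if value in known:
            hits.append((algo, value))
    if filename in HEH_FILENAMES:
        hits.append(("filename", filename))
    return hits


def scan_tree(root):
    """Walk `root` and return {path: hits} for every file that matches."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            hits = match_indicators(file_digests(path), path.name)
        except OSError:
            continue   # unreadable file: skip it rather than abort the scan
        if hits:
            findings[str(path)] = hits
    return findings


def matches_domain(hostname):
    """True if `hostname` is a listed domain or a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in HEH_DOMAINS)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_tree(root).items():
        print(path, "->", ", ".join(f"{kind}={value}" for kind, value in hits))
```

Point the script at a directory such as a mounted firmware image or a suspect device's temporary and home directories; a hit on a filename alone is weaker evidence than a hash hit, so treat it as a prompt to pull the file for analysis rather than as confirmation. Hash matching only catches the exact samples listed, so it complements, and does not replace, the brute-force monitoring described under Mitigation.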
