Eleven11bot Unleashes State-Backed DDoS Attacks on Global Telecoms

Tern plc

A stealthy yet highly disruptive botnet named Eleven11bot is rapidly becoming one of the most sophisticated cyber threats of 2025. With origins suspected in Iran and an escalating focus on disrupting global telecommunications, this Mirai-variant malware has already infected tens of thousands of devices. Investors in tech and cybersecurity should take serious note—this botnet is more than just another name on the threat landscape.

Discovered in late February 2025 by Nokia’s Deepfield Emergency Response Team, Eleven11bot has swiftly become a high-priority threat across the cybersecurity sector. Though new, its impact has been immediate and alarming. With over 86,000 infected Internet of Things (IoT) devices, it has scaled up Distributed Denial-of-Service (DDoS) attacks targeting sensitive digital infrastructure.

Eleven11bot is a variant of the Mirai botnet, but it brings new sophistication. It exploits vulnerabilities in HiSilicon-based IoT devices—common in security cameras and network video recorders—allowing it to spread quickly and strike hard. The scope and precision of its attacks indicate the work of a highly capable operator, and cyber intelligence circles are increasingly convinced it is the product of a state-backed initiative.

The botnet has focused its energy on telecommunications targets, disrupting latency-sensitive services such as VoIP and cloud gaming. This behaviour is not random. The careful selection of targets, coupled with the use of encrypted command-and-control infrastructure to deploy attack payloads, is characteristic of advanced persistent threat (APT) actors. Furthermore, nearly two-thirds of the IP addresses tied to the botnet have been traced to Iran, supporting the suspicion that this is a state-aligned operation.

The broader context cannot be ignored. Since Russia’s 2022 invasion of Ukraine, there has been a significant uptick in geopolitical cybercrime. The World Economic Forum’s Global Risks Report 2025 highlighted state-sponsored cyberattacks as a top short-term global risk. Confirming these concerns, the UK’s National Cyber Security Centre (NCSC) has identified Iran, China, Russia and North Korea as leading threats to national cybersecurity.

Eleven11bot’s methods are not groundbreaking, but its scale and strategic targeting make it unusually dangerous. It leverages common security failings—specifically, default or weak passwords on IoT devices. The majority of infected systems are found in countries with high IoT penetration, including the United States, United Kingdom, Canada, Mexico, and Australia.

For investors, this threat reinforces the urgency of increased security spending and the importance of companies that offer robust mitigation tools. There is a clear and growing market for services that can detect, prevent, and respond to botnet activity—particularly for enterprise networks and telecom infrastructure.

From a practical standpoint, the mitigation steps are clear. Device owners and network operators must ensure all IoT endpoints are updated with the latest firmware, especially those using HiSilicon chipsets. They should disable unnecessary remote access features like Telnet and SSH and change default login credentials immediately. Implementing network-level security such as firewalls and intrusion prevention systems (IPS) to block traffic from known malicious IPs is also essential.

Segregating IoT networks from critical infrastructure limits the scope of any potential breach, while deploying SIEM tools enables early detection of anomalous behaviour—such as brute force login attempts or unexpected data transmissions. Finally, strengthening DDoS mitigation frameworks will be key in withstanding future attacks from this and other evolving threats.
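The brute-force detection described above, sketched as a log-correlation rule of the kind a SIEM would run over IoT login events. This is an added example, not from the original article or any vendor product; the log format, thresholds, device names and addresses are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption, not a real device's syslog layout):
# "<ISO time> <device> <service>: login <failed|ok> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<svc>telnetd|sshd): "
    r"login (?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$")
WINDOW = timedelta(seconds=60)
MAX_FAILURES = 5    # failed logins per source inside the window
MAX_USERNAMES = 3   # distinct usernames per source: default-credential list behaviour

# Constructed sample events using documentation-only address ranges.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z cam-01 telnetd: login failed user=root src=203.0.113.7
2025-03-01T10:00:03Z cam-01 telnetd: login failed user=admin src=203.0.113.7
2025-03-01T10:00:05Z cam-01 telnetd: login failed user=default src=203.0.113.7
2025-03-01T10:00:07Z nvr-02 telnetd: login ok user=admin src=203.0.113.7
2025-03-01T10:01:00Z cam-01 sshd: login failed user=operator src=198.51.100.20
2025-03-01T10:01:09Z cam-01 sshd: login ok user=operator src=198.51.100.20
2025-03-01T10:02:00Z nvr-02 sshd: login failed user=root src=192.0.2.50
2025-03-01T10:04:00Z nvr-02 sshd: login failed user=root src=192.0.2.50
2025-03-01T10:06:00Z nvr-02 sshd: login failed user=root src=192.0.2.50
"""

def detect_bruteforce(lines):
    """Return (alerts, at_risk): flagged sources and devices they later logged in to."""
    recent = defaultdict(deque)   # src -> (timestamp, user) of recent failed logins
    alerts, at_risk = {}, set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src = m["src"]
        if m["result"] == "ok":
            if src in alerts:     # success after flagged guessing: isolate this device
                at_risk.add(m["device"])
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        q = recent[src]
        q.append((ts, m["user"]))
        while ts - q[0][0] > WINDOW:   # drop failures older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= MAX_FAILURES:
            alerts.setdefault(src, f"{len(q)} failed logins in 60s")
        elif len(users) >= MAX_USERNAMES:
            alerts.setdefault(src, f"{len(users)} usernames tried in 60s")
    return alerts, at_risk
```

A device returned in `at_risk` accepted a login from a source that had just been guessing credentials, so it is the first candidate for isolation and a credential reset.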

Eleven11bot may still be in its early stages, but it represents a broader trend in cybersecurity: the weaponisation of everyday internet-connected devices for geopolitical ends. This is not just a technical issue but a business-critical risk, particularly for industries reliant on low-latency digital services.

Tern plc (LON:TERN) backs exciting, high growth IoT innovators in Europe. They provide support and create a genuinely collaborative environment for talented, well-motivated teams.
