Earlier this year, a Miraistyle botnet—dubbed Eleven11bot—has surged to over 86,000 hijacked VStarcam cameras and NVRs worldwide, unleashing up to 6.5 Tbps of DDoS traffic. This newly uncovered global cyber threat is rapidly spreading, compromising tens of thousands of internet-connected devices to carry out large-scale cyberattacks. Nokia Deepfield’s Emergency Response Team (ERT) has detected a new botnet—dubbed Eleven11bot—which is believed to have infected over 30,000 devices, with a primary focus on security cameras and network video recorders (NVRs).

Which Countries Are Most Impacted

• United States (24,700),
• United Kingdom (10,800),
• Japan (5,100),
• India (4,800) with infections spanning 40+ countries.

What is The Modus Operandi

Botnet exploits default Telnet/SSH credentials and unpatched firmware flaws in HiSilicon-based devices, the botnet’s modular architecture deploys encrypted C2 channels and diversified floodtype plugins, making traditional defences nearly obsolete.

Key Takeaways

• Country of Origin: China VStarcam devices—including their popular C7837WIP IP cameras and companion NVRs—are designed and manufactured by Shenzhen Vstarcam Technology Co., Ltd., based in Shenzhen, Guangdong Province, China
• Rapid Spread: From zero to 86K devices in days.
• Global Reach: 40+ countries; India alone hosts ~4,800 compromised cameras.
• High Impact: 6.5 Tbps attack capacity threatens telecom, gaming, and infrastructure.
• Primary Vector: VStarcam IP cameras (e.g., C7837WIP) via default credentials.
• Mitigation Steps: Change defaults, patch firmware, disable unused Telnet/SSH, and block C2 IPs.

Mitigation & Patch Status

Despite multiple CVEs (notably CVE201912289 in upgrade_firmware.cgi), VStarcam has not publicly released corresponding firmware updates or official security bulletins on their support portal. In the absence of vendor patches, best practices include:

• Immediate Password Hardening: Replace all default credentials with strong, unique passwords.
• Firmware Audit: Where possible, manually obtain and apply any unofficial or communitycurated patches.
• Network Segmentation: Isolate IoT subnets and disable unnecessary Telnet/SSH ports.
• Traffic Filtering: Block known malicious C2 IPs and monitor for anomalous TLS or HTTP traffic to the camera.
• Device Replacement Plan: For missioncritical deployments, consider phased replacement with actively supported models.

How Redinent Can Help ?

Redinent’s automated IoT Security Platform gives you realtime access to to find vulnerabilities and exposures in your IP CCTV Cameras and NVRs before they get discovered and exploited by botnets such as Eleven11.

You can use Redinent to discover vulnerable devices affected by this botnet. Below are the breakdown of vulnerabilities and and exposures we can help detect it with our platform:

Confirmed/Highly Suspected VStarcam Models Impacted by Eleven11Bot

• VStarcam C7837WIP
  • Vulnerabilities:
    • Exposed /upgrade_firmware.cgi endpoint
    • Weak default credentials (admin:123456)
    • Uses HiSilicon SoC with outdated SDK
  • Exploited in: CVE-2019-12289 (Command injection)
• VStarcam C7815WIP
  • Same firmware lineage as C7837WIP
  • Reports of infection via Telnet brute-forcing
  • Contains multiple outdated CGI modules
• VStarcam C7838WIP
  • Slight hardware variation with similar web interface
  • Known to have unauthenticated snapshot access
• VStarcam T6835WIP & T7837WIP
  • Commercial and consumer use models
  • Older firmware doesn’t disable default Telnet/FTP by default
  • Susceptible to Mirai-style propagation vectors
• VStarcam C34S-X4 (PTZ Model)
  • Used in small business environments
  • Web interface exposed to WAN by default
  • No brute-force mitigation

Infection Vectors Observed in Eleven11Bot Targeting VStarcam

• Default Credential Logins (Telnet/FTP/HTTP)
• Command Injection in unsecured web interfaces (/set_ftp.cgi, /upgrade_firmware.cgi)
• Open RTSP/ONVIF Ports with no ACLs
• Hardcoded passwords in firmware
• Outdated BusyBox binaries with buffer overflow potential

Recommendation for Users

• Immediately disconnect vulnerable devices from the internet
• Upgrade to the latest firmware (if available)
• Block ports 23, 80, 554, and 8000 from WAN access
• Use strong, unique passwords for each camera

Monitor for unusual outbound traffic (C2 callbacks)

Here’s a structured SBOM (Software Bill of Materials) and vulnerability overview for key VStarcam models impacted by Eleven11Bot:

🔧 VStarcam SBOM Summary (Software/Hardware)

Model	Chipset	Firmware Version	Known Vulnerabilities
C7837WIP	HiSilicon Hi3518E	V5.3.1.190528	CVE-2019-12288, CVE-2019-12289, Default Telnet creds, CGI RCE, BusyBox 1.19.3 exposed
C7815WIP	HiSilicon Hi3518C	V5.3.0.190214	Telnet brute-force, FTP misconfig, CGI command injection
T6835WIP	HiSilicon Hi3518E	V5.2.1.180901	Default web login, Unauthenticated ONVIF access

Vulnerability Highlights

• CVE-2019-12288 & CVE-2019-12289: Command Injection in /upgrade_firmware.cgi
• Default Telnet Credentials: admin:123456 often enabled by default
• Outdated Components: BusyBox 1.19.3 and open RTSP/ONVIF ports
• No brute-force protection for HTTP, Telnet, FTP interfaces