Over 1.6 million Devices Infected by Pink Botnet

With the rise of remote and hybrid working, companies are finding it harder to secure the weak points in their infrastructures properly. Recently, there has been a rise in botnet attacks, the most famous of which is called Pink.

Short for robot network, a botnet is an extensive network of infected devices, also called zombies. These devices usually have an exploitable gateway that allows the hacker to take control of them. Once infected, the zombie network is used to spread the malicious code to other devices, expanding the infected network.

The Pink botnet has been used to launch over 100 DDoS attacks to date, making it the largest in the past six years, according to Qihoo 360’s Netlab security team.

Researchers who have been tracking the network for some time found that it has infected over 1.6 million devices around the world, with the vast majority (96%) of them being in China. With that said, this number only shows the number of devices that are now botnet nodes, and not the actual number of devices affected by the malicious behavior of Pink.

Researchers found over 103,000 devices still active towards the end of October 2021.




The main focus of the Pink Botnet has been on orchestrating DDoS attacks. DDoS, short for Distributed Denial of Service, is a malicious attempt to disrupt a targeted server, network, or organization by overwhelming it with an unusual amount of traffic. This causes it to crash or become unusable for genuine visitors.

Pink has mainly been breaking into computers in China, where it adds more devices to the network and exploits their zero-day vulnerabilities.

According to Netlab, “Pink targets mainly MIPS based fiber router, and has very strong and robust architecture, it uses a combination of third-party services, P2P and central C2s for its bots to controller communications”.

This makes Pink fairly difficult to take down. Whenever device vendors have tried to fix the issue, the botnet controller (hacker) has published firmware updates to retain control. Pink also has commands for downloading files and scanning devices.