The rise of the Internet of Things (IoT) has introduced levels of convenience never seen before, but it also presents a significant cybersecurity challenge. In particular, the insecure nature of many IoT devices fuels the emergence of advanced IoT botnets. The Gorilla botnet is a potent example of such a botnet and took the internet by surprise in September 2024. In that month alone, Gorilla was responsible for over 300,000 Distributed Denial-of-Service (DDoS) attacks across 100 countries. Although inspired by earlier botnets such as Mirai and Gafgyt, Gorilla exhibits unique characteristics and attack strategies that remain largely unexplored.
This thesis conducts a detailed analysis of the Gorilla botnet, focusing on its communication patterns, infection strategies, and attack behaviors. By executing Gorilla malware samples in a controlled environment, the study captures its command-and-control (C2) communication and the attacks it launches. Key findings include the identification of a flaw in Gorilla's implementation, which could aid future detection efforts, and the discovery of its preference for UDP-based attacks targeting gaming-related services.
Through this work, we contribute a dataset and an analysis framework that shed light on Gorilla's operations, highlighting where it follows and where it deviates from the original Mirai botnet. These observations provide a basis for improving defenses against IoT botnet threats.