CYBERSECURITY THREAT REPORT: Hajime Botnet Infrastructure Cluster
Analysts have identified a cluster of 76 IP addresses linked to an active malware distribution campaign associated with the Hajime botnet. Hajime is a peer-to-peer botnet known for compromising Internet of Things (IoT) devices, including home routers, IP cameras, and digital video recorders, by exploiting default or weak credentials. All 76 addresses in this cluster have been flagged for malware activity, and a significant subset (including 113.196.206.245, 117.5.38.14, 185.118.128.34, 79.117.6.227, and 211.194.20.7) carries multiple corroborating tags, namely "censys," "elf," and "hajime," indicating that these hosts have been actively scanned by Censys infrastructure monitoring tools and confirmed to host ELF binary payloads consistent with the Hajime malware family.
The infrastructure cluster spans a geographically diverse range of IP address blocks, reflecting the decentralized nature of the Hajime botnet. Addresses such as 5.167.40.122 and 31.28.107.131 fall within European address space, while 113.196.206.245, 117.5.38.14, 203.251.133.225, 121.231.201.180, 118.38.58.242, 211.51.58.126, 175.249.148.186, 59.3.45.42, and 121.149.93.105 are associated with Asia-Pacific address ranges spanning countries including South Korea, Taiwan, and Thailand. Additional nodes such as 66.229.228.126 fall within North American address space, and 217.128.128.60 and 94.183.49.100 are linked to European and Middle Eastern blocks. This global distribution is consistent with Hajime's known tactic of propagating directly from compromised devices to new victims worldwide without relying on a centralized command-and-control server, which makes it particularly difficult to disrupt through conventional takedown methods.
The shared tagging across these 76 nodes, in particular the consistent co-occurrence of the "hajime" tag alongside the "elf" and "censys" identifiers, indicates that these addresses function as interconnected nodes within the same botnet mesh. The "elf" tag confirms that Linux-based executable payloads have been detected on these hosts; an ELF binary dropped onto the device is the standard mechanism by which Hajime recruits IoT devices into its peer-to-peer network. Addresses flagged with only the "hajime" tag, such as 213.155.195.65, 203.251.133.225, and 219.85.82.211, represent nodes identified through botnet traffic pattern analysis rather than direct binary detection. They are likely participating in botnet communications at the network level even though payload artifacts on those hosts have not yet been confirmed, so they warrant a lower confidence rating than the "elf"-tagged nodes.
Consumer and small business impact from Hajime infections is significant even when not immediately visible. Compromised devices can be used to conduct distributed denial-of-service attacks, serve as proxy nodes for other criminal activity, intercept local network traffic, or be retooled for future campaigns. Residential users whose routers or cameras are recruited into the botnet typically experience no obvious symptoms, meaning infections often persist for extended periods. The decentralized architecture of Hajime means that removing one node does not disrupt the broader network, and reinfection of improperly secured devices is common after remediation.
Consumers and small businesses can take several steps to protect themselves. Immediately change default usernames and passwords on all internet-connected devices including routers, cameras, and smart home devices, using strong and unique credentials. Ensure that firmware on all devices is kept up to date, as manufacturers frequently release patches addressing the vulnerabilities Hajime exploits. Disable remote management features on routers unless specifically required. If you believe a device on your network may be compromised, disconnect it, perform a factory reset, update its firmware, and change all credentials before reconnecting. You can check whether an IP address has been flagged for malicious activity using free tools such as VirusTotal at virustotal.com or AbuseIPDB at abuseipdb.com. Report suspicious activity or scam contacts to the FTC at reportfraud.ftc.gov and to the FCC at fcc.gov/consumers/guides/filing-informal-complaint.
This cluster represents a high-severity threat due to the confirmed presence of active malware payloads across 76 geographically distributed nodes and the self-propagating nature of the Hajime botnet. Recommended next steps include blocking all 76 identified IP addresses at the network perimeter level where feasible, reporting these addresses to the relevant regional internet registries and abuse contacts, and conducting internal audits of any IoT devices that may have had exposure to the identified address ranges. Network administrators should implement ingress and egress filtering consistent with BCP38 standards to limit botnet traffic propagation. Ongoing monitoring of these and associated address ranges is strongly advised as Hajime infrastructure is known to shift and expand over time.
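The following script is an added example, not part of the original report or any Hajime tooling. It turns the tag semantics described above ("elf" meaning a payload was observed on the host, a bare "hajime" tag meaning traffic-pattern attribution only) into a confidence rating, renders the named indicators as a perimeter deny list, and scans firewall log records for contact with listed nodes so that internal devices which reached out to a botnet node can be prioritised for the audit the report recommends. The indicator addresses and tags are the ones quoted in the report (the report lists 76 in total; only the ones it names are included); the log lines, the internal and perimeter addresses, and the nftables table and set names are constructed for the example.

```python
"""Added example: turn the report's indicator tags into a perimeter blocklist and a
firewall-log check. Indicator IPs and tags are taken from the report; the log lines,
internal/perimeter addresses and nft table/set names are constructed."""
import ipaddress
import re

# Indicators named in the report, with the tags the report attributes to them.
INDICATORS = {
    "113.196.206.245": {"censys", "elf", "hajime"},
    "117.5.38.14": {"censys", "elf", "hajime"},
    "185.118.128.34": {"censys", "elf", "hajime"},
    "79.117.6.227": {"censys", "elf", "hajime"},
    "211.194.20.7": {"censys", "elf", "hajime"},
    "213.155.195.65": {"hajime"},   # traffic-pattern attribution only
    "203.251.133.225": {"hajime"},
    "219.85.82.211": {"hajime"},
}


def confidence(tags):
    """'elf' means a Linux payload was observed on the host (high confidence);
    a bare 'hajime' tag rests on traffic analysis only (medium confidence)."""
    return "high" if "elf" in tags else "medium"


def build_blocklist(indicators):
    """Host routes (/32) in address order, ready for a perimeter deny list."""
    return [f"{ip}/32" for ip in sorted(indicators, key=ipaddress.ip_address)]


def render_nft_elements(indicators, table="inet filter", set_name="hajime_nodes"):
    """nftables 'add element' line for the deny set (table/set names are assumed)."""
    members = ", ".join(sorted(indicators, key=ipaddress.ip_address))
    return f"add element {table} {set_name} {{ {members} }}"


# netfilter LOG-style records: SRC=... DST=... PROTO=... [SPT=...] DPT=...
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+))? DPT=(?P<dpt>\d+)"
)


def match_log(lines, indicators):
    """One hit per (record, direction) in which a listed address appears.
    inbound  = a listed node is the source (it is probing the perimeter);
    outbound = an internal host reached out to a listed node, which for a
               peer-to-peer botnet is the stronger sign the host is infected."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:            # records without a DPT (e.g. ICMP) are skipped
            continue
        for direction, ip in (("inbound", m["src"]), ("outbound", m["dst"])):
            if ip in indicators:
                hits.append({
                    "direction": direction,
                    "indicator": ip,
                    "src": m["src"],
                    "dst": m["dst"],
                    "proto": m["proto"],
                    "dport": int(m["dpt"]),
                    "confidence": confidence(indicators[ip]),
                })
    return hits


def internal_hosts_to_audit(hits, internal_cidr):
    """Internal devices that initiated traffic to a listed node: audit these first
    (disconnect, factory reset, firmware update, credential change per the report)."""
    net = ipaddress.ip_network(internal_cidr)
    return {h["src"] for h in hits
            if h["direction"] == "outbound" and ipaddress.ip_address(h["src"]) in net}


# Constructed sample log, not real traffic. 203.0.113.10 stands in for the
# perimeter address and 192.168.0.0/16 for the LAN.
SAMPLE_LOG = [
    "kernel: [fw-in] IN=eth0 OUT= SRC=113.196.206.245 DST=203.0.113.10 PROTO=TCP SPT=54123 DPT=23",
    "kernel: [fw-in] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=44000 DPT=443",
    "kernel: [fw-out] IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=213.155.195.65 PROTO=UDP SPT=40001 DPT=6881",
    "kernel: [fw-in] IN=eth0 OUT= SRC=10.0.0.9 DST=203.0.113.10 PROTO=ICMP",
]

if __name__ == "__main__":
    hits = match_log(SAMPLE_LOG, INDICATORS)
    for h in hits:
        print(f"{h['confidence']:6} {h['direction']:8} {h['src']} -> {h['dst']} "
              f"{h['proto']}/{h['dport']}")
    print("audit first:", sorted(internal_hosts_to_audit(hits, "192.168.0.0/16")))
    print(render_nft_elements(INDICATORS))
```

Run as-is, the script reports one high-confidence inbound probe from an "elf"-tagged node, one medium-confidence outbound contact from 192.168.1.50 to a "hajime"-only node, lists that internal host for audit, and prints the nft element line. Extending `INDICATORS` with the remaining addresses from the report is the only change needed to cover the full cluster; the "hajime"-only nodes are deliberately kept in the deny list but rated lower so analysts can weight alerts accordingly.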