300,000 obeying devices: Hajime is conquering the Internet of Things world

300,000 obeying devices: Hajime is conquering the Internet of Things world

Kaspersky Lab has published the results of its investigation into the activity of Hajime – a mysterious evolving Internet of Things (IoT) malware that builds a huge peer-to-peer botnet. The botnet has recently been propagating extensively, infecting multiple devices worldwide. To date, the network includes almost 300,000 malware-compromised devices, ready to work together, to perform the malware author’s instructions without their victims’ knowledge. Still, Hajime’s real purpose remains unknown.


Hajime, meaning ‘beginning’ in Japanese, showed its first signs of activity in October 2016. Since then, it has been evolving, developing new propagation techniques. The malware is building a huge peer-to-peer botnet – a decentralized group of compromised machines discreetly performing spam or DDoS attacks.

However, there is no attacking code or capability in Hajime – only a propagation module. Hajime, an advanced and stealthy family, uses different techniques – mainly brute-force attacks on device passwords – to infect devices, and then takes a number of steps to conceal itself from the compromised victim. Thus, the device becomes part of the botnet.

Hajime does not exclusively attack a specific type of device, but rather any device on the Internet. Nevertheless, malware authors are focusing their activities on some devices. Most of the targets have turned out to be Digital Video Recorders, followed by web-cameras and routers.

According to Kaspersky Lab researchers however, Hajime avoids several networks, including those of General Electric, Hewlett-Packard, the US Postal Service, the United States Department of Defense, and a number of private networks.

Infections had primarily come from Vietnam (over 20%), Taiwan (almost 13%) and Brazil (around 9%) at the time of research.

Distribution of Hajime infectors by country

Distribution of Hajime infectors by country

Most of the compromised devices are located in Iran, Vietnam and Brazil.


Distribution of infected devices by country

Overall, throughout the research period, Kaspersky Lab revealed at least 297,499 unique devices sharing the Hajime configuration.

“The most intriguing thing about Hajime is its purpose. While the botnet is getting bigger and bigger, its objective remains unknown. We have not seen its traces in any type of attack or additional malicious activity. Nevertheless, we advise owners of IoT devices to change the password of their devices to one that’s difficult to brute force, and to update their firmware if possible,” said Konstantin Zykov, Senior Security Researcher, Kaspersky Lab.