Menu
Browse

Cyber Threat Actor: Meris

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Criminal
Russia
2 incidents
Profile

The threat actor known as Meris, also referred to as the Meris Botnet, is believed to operate from Russia. It emerged in mid‑2021 as a newly identified Internet of Things botnet that compromises network equipment to launch distributed denial‑of‑service attacks. The actor is described as a new botnet distinct from earlier families such as Mirai. Its primary infrastructure consists of hijacked MikroTik routers running various versions of RouterOS.

Meris has been observed targeting organizations that provide critical internet services, including content delivery networks, DNS providers, and major online platforms. The attacks have affected entities in the United States, Europe, and Russia, reflecting a global reach of the compromised device pool. The observed attacks are volumetric DDoS incidents. No public reporting links the botnet to espionage, extortion, or profit‑motivated crime.

The botnet gains initial access by exploiting unspecified vulnerabilities in MikroTik RouterOS firmware, allowing the installation of the Meris malware on the devices. Once compromised, the routers are used to generate high‑volume HTTP request floods, a tactic that distinguishes the tooling style from classic TCP‑based amplification methods. The malware family itself is named Meris and has been observed across a wide spectrum of RouterOS versions, from older releases to those preceding the current stable build. This reliance on compromised routing hardware constitutes the core of the actor’s technical approach.

Representative operations include a September 9 2021 attack on KrebsOnSecurity that exceeded two million requests per second, a September 5 2021 assault on Yandex estimated at 21.8 million requests per second, and a mid‑summer 2021 incident against Cloudflare measured at 17.2 million requests per second. These events demonstrate the botnet’s capacity to scale traffic far beyond earlier IoT threats such as Mirai. The attacks were notable for their use of HTTP‑based request floods rather than traditional bandwidth‑amplification techniques. Each campaign was mitigated by the targets’ DDoS protection services, resulting in no reported service outage or data compromise.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
2 sources