A recent joint threat advisory from the FBI, CNMF and NSA (18 September 2024) highlights the extent of Chinese-affiliated threat actors’ ongoing botnet campaigns, which seek to compromise thousands of internet-connected edge devices over a sustained period. This campaign, known as Oriole, is just one of several such active campaigns observed since 2020.
JUMPSEC observations indicate that law enforcement has not yet disrupted the botnet, and the indicators of compromise (IoCs) are likely still changing. Organisations should therefore exercise caution regarding any subdomain of ‘w8510[.]com’. The root domain itself should also be treated as suspicious, as the threat actor likely controls subdomain provisioning and has continued to create subdomains beyond the already disclosed IoCs [see Updated IoC Analysis below].
Why edge devices are a risk
If, understandably, another account of likely Chinese-affiliated espionage makes you think ‘that’s pretty terrifying, but ultimately not my problem’, here are five reasons to reconsider:
- This isn’t exclusively state-sponsored activity. If you’re vulnerable, the edge device mitigations provided below should be implemented as standard practice, regardless of which threat actors are most likely to exploit your systems.
- The wide scope of motivations and impact scenarios. While the most likely motive for the ongoing Chinese-backed botnet compromise may be intelligence gathering or positioning for future malicious activity (including, but not limited to, DDoS attacks), botnet compromise can equally be driven by financially motivated ransomware, crypto mining, malware distribution, phishing campaigns or geopolitical disruption.
- Manufacturers of internet-connected edge devices (e.g. SOHO routers, VPNs, IoT devices) typically aren’t doing enough to protect you out-of-the-box. They should be—but as long as they fail to, you need to take action to protect yourself or your organisation.
- Botnets as a broader national and personal security issue. The botnet in question compromised 260,000 known devices, and this is not the largest botnet observed to date. As the number of internet-connected edge devices continues to grow rapidly, secure-by-design processes are needed, along with an improved ability for users to limit their exposure.
- Monitoring challenges. As edge devices are typically technically diverse, enterprises struggle to monitor them and to ingest their logs into their detection stacks. Additionally, IoT devices are often left out of organisations’ threat models because they are treated as external entities, separate from the corporate infrastructure. This leaves a gap in which a compromised device can be used as a persistence and pivot point inside the network to target further corporate resources.
While personal IoT devices like Amazon Alexa have integrated into everyday life, at the enterprise level, routers, switches, NAS, DVRs, and IoT devices—including industrial sensors, smart meters, and building automation systems—have become commonly vulnerable components that can expose an organisation’s internal network.
Many organisations are struggling to apply security updates to these devices, leaving them exposed to attackers who can exploit known vulnerabilities (CVEs). Furthermore, edge devices frequently have weak security measures, such as default credentials, outdated firmware or minimal monitoring, making them more vulnerable to attack. JUMPSEC have experienced these challenges with clients first hand; however, there are proactive steps that can be taken to reduce the risk.
Below: Potentially observable IoT devices in the UK.

Not all of the 15,000+ results necessarily represent vulnerable or exploitable IoT devices, as some may be secured with proper configuration, firewalls and access control mechanisms. However, publicly accessible IoT devices (especially those listening on unsecured ports or speaking weak protocols) increase the risk of exposure and exploitation.
Key Mitigations & IoC Analysis
Organisations that may not consider themselves a likely target of APTs should be aware that many of the mitigations below are already best security practice to reduce malicious abuse of exposed edge devices, which have seen increased exploitation in recent years.
- Disable any services or ports on the edge device that are not required.
- Implement network segmentation to limit the spread of malware within the internal network.
- Apply the principle of least privilege when segmenting subnets, especially around IoT devices, so that they pose a known, limited and tolerable risk in large networks.
- Monitor for unusually high network traffic volumes to detect and mitigate DDoS activity, whether your devices are the target or, as botnet members, the source.
- Apply updates to all internet-facing edge devices as soon as they are released.
- Use automatic updates from trusted providers where possible.
- Replace default passwords with strong, unique passwords.
- Reboot devices periodically. The implants used in campaigns of this kind typically reside only in volatile memory, and edge devices tend to run for long periods without a restart, so a reboot can remove malware that has already been installed. It does not remove the underlying vulnerability, so an unpatched device is likely to be re-infected.
- Replace end-of-life equipment with supported devices.
The above provides an overview of high-priority mitigations which should be further investigated and acted upon by skilled network engineers or system administrators with consideration for organisation-specific requirements and context.
Updated IoC Analysis
The key takeaway: block *.w8510[.]com (the root domain and every subdomain).
While a full list of IoCs was provided in the joint advisory, JUMPSEC would like to stress that IoCs of this kind are unlikely to remain static, and we have made several additional observations since publication.
As of 19/09/2024 (the day after the initial advisory) the attackers were using new IP addresses not listed in the initial document. The five IPs are hosted at The Constant Company / Vultr:
- 108.61.156.6
- 155.138.223.173
- 216.128.128.245
- 45.32.67.198
- 45.77.93.198
Searching historical DNS records confirms that, around the time of the advisory, the attackers moved at least one of the confirmed malicious domain names to point to 155[.]138[.]223[.]173, and six days later (after the advisory) moved it again to point to five different A records.
In addition, new domain names are in use:
- lkkliscjaisdjhi[.]w8510[.]com
- aqwfasf[.]w8510[.]com
- zdacoi[.]w8510[.]com
- ca[.]w8510[.]com
- zdacwa[.]ca[.]w8510[.]com
- zdacwa[.]rf[.]w8510[.]com
- rf[.]w8510[.]com
- zdacw[.]rf[.]w8510[.]com
- www[.]w8510[.]com
- comaewreiuicajo[.]w8510[.]com
- w8510[.]comaewreiuicajo[.]w8510[.]com
- awbpxtpi[.]w8510[.]comaewreiuicajo[.]w8510[.]com
- pppppoiiua[.]w8510[.]com
- tuisascxz[.]w8510[.]com
- mjiuwajhkf[.]w8510[.]com
- kliscjaisjhi[.]w8510[.]com
- ocmnusjik[.]w8510[.]com
- ftiscaswe[.]w8510[.]com
- apfhhjcxcb[.]w8510[.]com
- qacassfawemp[.]w8510[.]com
- zasfgas[.]w8510[.]com
- zacxz[.]w8510[.]com
- zacasc[.]w8510[.]com
- a4g4[.]w8510[.]com
- ppppoiia[.]w8510[.]com
- cccccasdasdq[.]w8510[.]com
- cccasdasdq[.]w8510[.]com
- edwxardjones[.]w8510[.]com
- adftiscasdwe[.]w8510[.]com
The attackers are reusing a number of TLS certificates, observed as recently as the date of publication (08/10/2024). SHA-1 fingerprints:
- Fingerprint: 3e9ec13515b80cf82baeaf074a6f9ff70da18497
- Fingerprint: 5f0e3c3fae76285ab3865f5bd669fba3aa099832
- Fingerprint: df5c7e5e58f2d36d1068a0a471a9a4ce7c0de143
- Fingerprint: 397c40d8b5f21bb9407c1260c72f6d73cc846b9e
Following the initial investigations, it is apparent that the attackers are still using the w8510[.]com root domain as part of the campaign, so it is important that it is continuously monitored.
This demonstrates that the threat actor has not yet abandoned the initial infrastructure and is standing up new subdomains from which to coordinate the attacks. The IoCs above have evolved since the initial advisory and may evolve again as the threat actor seeks to evade detection.
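Because the actor controls subdomain provisioning under w8510[.]com, matching on the registered domain rather than on the individual subdomains listed above is what keeps a detection current. The following is an added example (not JUMPSEC’s tooling) that refangs the IoCs from this post, matches DNS query names and TLS SNI against the root domain at any depth, and checks resolved addresses, connection destinations and certificate fingerprints against the IPs and SHA-1 values above. The log lines are constructed for illustration in a simple ‘type timestamp src key=value …’ format, not the export of any particular product.

```python
"""IoC matcher for the w8510[.]com campaign infrastructure described above.

Added example (not JUMPSEC's tooling). Domains, IPs and certificate
fingerprints are taken from the post; the log lines are constructed for
illustration and follow a simple 'type timestamp src key=value ...' format
rather than any particular product's export.
"""
import re

ROOT_DOMAIN = "w8510.com"

# A few of the subdomains listed in the post, still defanged, including the
# oddly nested ones; suffix matching on the root covers all of them.
POSTED_SUBDOMAINS = [
    "ftiscaswe[.]w8510[.]com",
    "zdacwa[.]rf[.]w8510[.]com",
    "www[.]w8510[.]com",
    "w8510[.]comaewreiuicajo[.]w8510[.]com",
    "awbpxtpi[.]w8510[.]comaewreiuicajo[.]w8510[.]com",
]

# IPs observed after the advisory (The Constant Company / Vultr).
IOC_IPS = {"108.61.156.6", "155.138.223.173", "216.128.128.245",
           "45.32.67.198", "45.77.93.198"}

# SHA-1 certificate fingerprints from the post.
IOC_CERT_SHA1 = {
    "3e9ec13515b80cf82baeaf074a6f9ff70da18497",
    "5f0e3c3fae76285ab3865f5bd669fba3aa099832",
    "df5c7e5e58f2d36d1068a0a471a9a4ce7c0de143",
    "397c40d8b5f21bb9407c1260c72f6d73cc846b9e",
}


def refang(ioc):
    """Reverse common defanging ('[.]', 'hxxp') so IoCs can be compared to live data."""
    return ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http").rstrip(".")


def is_under_root(hostname, root=ROOT_DOMAIN):
    """True for the root domain or any subdomain of it, at any depth.

    Matching on the registered domain rather than on individual subdomains is
    deliberate: the actor controls subdomain provisioning, so a list of known
    subdomains always lags behind. Label-aware matching avoids false positives
    such as 'notw8510.com'.
    """
    host = refang(hostname)
    return host == root or host.endswith("." + root)


LOG_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse 'type timestamp src key=value ...' into a dict."""
    kind, ts, src = line.split()[:3]
    rec = {"type": kind, "ts": ts, "src": src}
    rec.update(LOG_FIELD.findall(line))
    return rec


def check_record(rec):
    """Return the reasons one log record matches the campaign IoCs (empty if none)."""
    hits = []
    for field in ("query", "sni"):          # DNS query names and TLS SNI
        if field in rec and is_under_root(rec[field]):
            hits.append(f"{field} under {ROOT_DOMAIN}: {rec[field]}")
    for field in ("answer", "dst"):         # resolved IPs and connection destinations
        if field in rec:
            # strip a trailing ':port' from 'ip:port' (IPv4 only in this example)
            ip = rec[field].rsplit(":", 1)[0] if rec[field].count(":") == 1 else rec[field]
            if ip in IOC_IPS:
                hits.append(f"{field} is a known campaign IP: {ip}")
    if "cert_sha1" in rec and rec["cert_sha1"].lower() in IOC_CERT_SHA1:
        hits.append(f"server certificate fingerprint matches: {rec['cert_sha1'].lower()}")
    return hits


def scan_logs(lines):
    """Return (src, log type, reason) for every IoC hit across the given lines."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        findings.extend((rec["src"], rec["type"], why) for why in check_record(rec))
    return findings


def suspect_hosts(findings):
    """Internal sources to triage, deduplicated."""
    return {src for src, _, _ in findings}


# Constructed sample logs: 10.0.40.17 is the only host that should be flagged.
SAMPLE_LOGS = [
    "dns  2024-09-20T10:01:02Z 10.0.40.17 query=ftiscaswe.w8510.com answer=155.138.223.173",
    "dns  2024-09-20T10:03:11Z 10.0.40.22 query=updates.example.com answer=93.184.216.34",
    "dns  2024-09-20T10:03:40Z 10.0.40.22 query=notw8510.com answer=203.0.113.5",
    "conn 2024-09-20T10:05:45Z 10.0.40.17 dst=45.32.67.198:443",
    "conn 2024-09-20T10:06:00Z 10.0.40.22 dst=198.51.100.9:443",
    "tls  2024-09-20T10:05:46Z 10.0.40.17 sni=rf.w8510.com cert_sha1=3E9EC13515B80CF82BAEAF074A6F9FF70DA18497",
    "tls  2024-09-20T10:07:10Z 10.0.40.31 sni=mail.example.org cert_sha1=0000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for src, kind, why in scan_logs(SAMPLE_LOGS):
        print(f"{src} [{kind}] {why}")
    print("hosts to triage:", sorted(suspect_hosts(scan_logs(SAMPLE_LOGS))))
```

Run against the constructed lines, only 10.0.40.17 is flagged (five separate hits across DNS, connection and TLS records), while the look-alike query for notw8510.com and the benign hosts produce nothing. The certificate check is the one that survives a change of domain or hosting: if the actor moves again, re-run with the fingerprints updated before touching the domain logic.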
Case Study: IoT Penetration Testing
On a recent engagement testing a new suite of enterprise-grade IoT devices, JUMPSEC experienced first hand the key technical challenges associated with reducing edge device risk. Most companies lack the awareness or resources to manually check for embedded malware, apply updates or harden the certificates and encryption the devices rely on.
For example, we gained access to a misconfigured AWS IoT device policy, which would have allowed our team to control hundreds of devices across the network. The exposure stemmed from misconfigured policies, over-privileged accounts, weak encryption and unverified software updates. The techniques we used mirrored those of a botnet controller attempting to gain control by sending arbitrary commands. The key insight: a motivated attacker could easily exploit these weaknesses.
While the IoT devices in question were manufactured in China (which we considered to increase the security risk), the firmware was open source and the additional software layer was provided by a UK-based supplier. This demonstrates how global supply chain complexity adds further layers of risk, given that scrutinising each layer would require a level of checking beyond what the average organisation performs.
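The device policy misconfiguration described in the case study is a class rather than a one-off: an AWS IoT Core policy that grants every device the same fleet-wide permissions lets any single device (or anyone holding one leaked device certificate) publish commands to every other device. The following is an added example, not the client’s actual policy or JUMPSEC’s tooling. It places a wildcard policy and a subtler fleet-wide policy beside a version scoped to the connecting thing with the AWS IoT policy variable `${iot:Connection.Thing.ThingName}`, adds a small linter for the over-broad patterns, and models the question a tester asks: can sensor-001 push a command to sensor-999? The region and account ID are placeholders, and the allow check is a deliberately simplified model of policy evaluation (Allow statements and `*` wildcards only, no Deny statements or conditions).

```python
"""Over-permissive vs. per-device AWS IoT Core policies, with a small linter.

Added example; these policies are constructed to illustrate the class of
misconfiguration described in the case study and are not the client's actual
policy. Region and account ID are placeholders. is_allowed() is a simplified
model of AWS IoT policy evaluation (Allow statements and '*' wildcards only;
no Deny statements or conditions), which is enough to compare the policies.
"""
import fnmatch
import json

ARN_PREFIX = "arn:aws:iot:eu-west-2:123456789012"   # placeholder region/account
THING_VAR = "${iot:Connection.Thing.ThingName}"      # AWS IoT policy variable

# Weak: any device (or anyone holding a leaked device certificate) may connect
# with any client ID and publish to every topic, so one compromised device can
# send commands to the whole fleet.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
}

# Subtler: scoped to the fleet's topic namespace, but not to the individual device.
FLEET_WIDE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": f"{ARN_PREFIX}:client/*"},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Subscribe", "iot:Receive"],
         "Resource": [f"{ARN_PREFIX}:topic/devices/*", f"{ARN_PREFIX}:topicfilter/devices/*"]},
    ],
}

# Scoped: the policy variable binds every permission to the thing the
# certificate is attached to, so a device can only act as itself.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": f"{ARN_PREFIX}:client/{THING_VAR}"},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": f"{ARN_PREFIX}:topic/devices/{THING_VAR}/telemetry"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": f"{ARN_PREFIX}:topicfilter/devices/{THING_VAR}/commands"},
        {"Effect": "Allow", "Action": "iot:Receive",
         "Resource": f"{ARN_PREFIX}:topic/devices/{THING_VAR}/commands"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_iot_policy(policy):
    """Flag Allow statements whose scope is wider than one device."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action in ("*", "iot:*"):
                findings.append(f"statement {i}: wildcard action {action}")
        for res in _as_list(st.get("Resource", [])):
            if res == "*":
                findings.append(f"statement {i}: wildcard resource")
            elif ("*" in res or "#" in res) and THING_VAR not in res:
                findings.append(f"statement {i}: fleet-wide resource not bound to the connecting thing: {res}")
    return findings


def is_allowed(policy, action, thing_name, resource_suffix):
    """Simplified check: may device `thing_name` perform `action` on
    '<ARN_PREFIX>:<resource_suffix>' once the thing-name variable is bound?"""
    target = f"{ARN_PREFIX}:{resource_suffix}"
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st.get("Action", []))):
            continue
        for res in _as_list(st.get("Resource", [])):
            if fnmatch.fnmatchcase(target, res.replace(THING_VAR, thing_name)):
                return True
    return False


if __name__ == "__main__":
    # Can sensor-001 push a command to sensor-999? That is the botnet-controller
    # behaviour the case study describes.
    for name, pol in (("weak", WEAK_POLICY), ("fleet-wide", FLEET_WIDE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_iot_policy(pol),
              is_allowed(pol, "iot:Publish", "sensor-001", "topic/devices/sensor-999/commands"))
    print(json.dumps(SCOPED_POLICY, indent=2))
```

Both the wildcard and the fleet-wide policy let sensor-001 publish to sensor-999’s command topic; only the scoped policy refuses, while still allowing the device its own telemetry and command topics. The fleet-wide shape is the one most often found in practice because it looks restrictive at a glance, which is why the linter flags any `*` in a resource that is not bound to the connecting thing.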
Continued vigilance
Organisations with threat-hunting capabilities should continue monitoring, as threat actors are likely to further exploit exposed devices in the coming years. For example, JUMPSEC’s Detection and Response Team (DART) has investigated a select number of client environments and identified several exploitable devices across various sectors. While DART’s investigations have not uncovered any active botnet infections thus far, the identification of numerous exploitable devices indicates that continued proactive actions are necessary.
From the origins of the infamous Mirai botnet in a financially motivated effort to disrupt rival Minecraft servers, through to nation-state actors and more maliciously motivated cybercriminals, botnets have been increasingly developed and leveraged. As geopolitical tensions persist globally, particularly between the US and its allies and China, we are witnessing the continued evolution of botnets into assets for nation-states seeking to exert influence, gather intelligence and disrupt adversaries’ critical infrastructure. The lines between financial gain, espionage, economic competition and cyber warfare are becoming increasingly blurred.
Below: A timeline of the largest (known) edge device botnets of the past decade demonstrates a range of motives.

The risks associated with edge device botnets, highlighted by campaigns like Oriole, expose a significant weakness in global cybersecurity—our ongoing reliance on internet-connected edge devices that are neither secure by design nor governed by stringent regulatory standards.
Many manufacturers prioritise functionality and speed-to-market over robust security. Moreover, as long as the globalised supply chain of edge devices persists, recent regulatory efforts are arguably unenforceable (e.g. the necessary but limited UK Product Security and Telecommunications Infrastructure Act 2022). The result is an ecosystem of edge devices (routers, IoT gateways and consumer electronics) deployed with weak encryption, hardcoded passwords and outdated protocols, making them prime targets for botnet recruitment.
Beyond the mitigations mentioned above, the NIST IoT Cybersecurity Program provides a framework for more robust edge device security, which should be adopted by organisations, particularly those in government, manufacturing, telecommunications (ISPs), research & development, and critical infrastructure sectors. Equally, the privacy concerns surrounding personal IoT devices extend far beyond state-backed cyber espionage campaigns, and are certainly not limited to Chinese state-sponsored threat actors. With billions of connected devices embedded in our daily lives, these technologies pose an increasing risk to individual privacy.
References & more resources
NSA Press release: https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3909590/
Full Advisory: https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF
Microsoft blog: https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/
The UK Product Security And Telecommunications Infrastructure Act 2022: https://www.legislation.gov.uk/ukpga/2022/46/notes/division/2/index.htm
NIST IoT Cybersecurity Program: https://csrc.nist.gov/CSRC/media/Presentations/nist-cybersecurity-for-iot-update/images-media/NIST%20%20Cybersecurity%20for%20IOT%20Update%20Megas.pdf