Over the past two months, a new IoT botnet has emerged. Spotted by the Netlab team at Qihoo 360, the botnet exploits a vulnerability that has been known for five years. The infection mechanism is quite complex: the flaw allows an attacker to build an IoT botnet by remotely executing malicious code on an unsecured router. No authentication is required. Infected devices are then used as a pivot to infect others.

This snowball effect is not the malware's only distinguishing feature. According to Netlab, another feature allows the IoT botnet to use compromised routers as proxy nodes, relaying connections from servers controlled by the hacker(s) to remote IPs. The botnet reportedly connected to IP addresses belonging to email services, including Yahoo, Hotmail and Outlook. These connections, all made over TCP port 25, would indicate that the IoT botnet is used to bombard users of these mailboxes with spam.

Netlab has nicknamed the botnet BCMUPnP_Hunter. The name comes from the botnet's constant scans for routers with exposed UPnP interfaces (port 5431).

100,000 routers to send spam to Hotmail, Outlook and Yahoo email addresses.
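
The two network behaviours described above (scans for UPnP on port 5431 and router-originated connections on TCP port 25) can be checked for in flow logs. The following is an added example, not code from Netlab or from the original article; the flow-record format, the router inventory and all addresses are constructed for illustration.

```python
from collections import defaultdict

UPNP_PORT = 5431  # UPnP port the article says the botnet scans for
SMTP_PORT = 25    # port used by the proxied mail-service connections

# Constructed flow records: time, src, src_port, dst, dst_port, proto
SAMPLE_FLOWS = """\
2018-11-07T10:00:01 203.0.113.50 40112 192.0.2.10 5431 tcp
2018-11-07T10:00:01 203.0.113.50 40113 192.0.2.11 5431 tcp
2018-11-07T10:00:02 203.0.113.50 40114 192.0.2.12 5431 tcp
2018-11-07T10:00:09 198.51.100.7 51000 192.0.2.10 443 tcp
2018-11-07T10:05:30 192.0.2.11 33001 198.51.100.25 25 tcp
2018-11-07T10:05:31 192.0.2.11 33002 198.51.100.26 25 tcp
2018-11-07T10:05:40 192.0.2.20 44000 198.51.100.25 25 tcp
malformed line
"""

# Constructed inventory of customer routers; 192.0.2.20 is a mail host.
ROUTERS = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}

def parse_flows(text):
    """Yield (src, dst, dst_port) for well-formed TCP records; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[5] != "tcp" or not parts[4].isdigit():
            continue
        yield parts[1], parts[3], int(parts[4])

def analyze(text, routers, scan_threshold=3):
    """Flag 5431 scanners, probed routers, and routers opening SMTP sessions."""
    probes = defaultdict(set)  # source -> routers it probed on port 5431
    smtp = defaultdict(set)    # router -> mail servers it contacted on port 25
    for src, dst, dport in parse_flows(text):
        if dport == UPNP_PORT and dst in routers:
            probes[src].add(dst)
        elif dport == SMTP_PORT and src in routers:
            smtp[src].add(dst)  # a router has no reason to deliver mail
    return {
        "scanners": {s: sorted(d) for s, d in probes.items()
                     if len(d) >= scan_threshold},
        "probed_routers": sorted({r for d in probes.values() for r in d}),
        "smtp_from_routers": {r: sorted(d) for r, d in smtp.items()},
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_FLOWS, ROUTERS).items():
        print(key, value)
```

A router that appears in both `probed_routers` and `smtp_from_routers` is the first candidate for inspection; blocking WAN access to port 5431 removes the exposure the scans look for.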