
HKCERT Unveils Q3 Hong Kong Security Watch Report Spotlights on Emerging Malware “911 S5”


(Hong Kong, 1 November 2024) The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) has released the Hong Kong Security Watch Report for the third quarter of 2024. The data shows significant increases in phishing websites and botnet events in Hong Kong, with respective increases of 155.8% and 83.4%. Specifically, botnet events rose from 2,754 cases in the previous quarter to 5,051 cases in the current quarter. This surge is primarily attributed to the discovery of a botnet named "911 S5" which accounts for over half of the total botnet events, with more than 2,700 cases.

According to the threat intelligence cited in the report, the first "911 S5" event dates back to May 2024. This was triggered by a joint operation led by the United States Department of Justice, which successfully dismantled the "911 S5" infrastructure. Subsequently, details about infected devices were disclosed, revealing the true scale and impact of this botnet for the first time.

Although "911 S5" has been dismantled by overseas law enforcement agencies, many infected devices have yet to be cleaned. Since "911 S5" is a type of backdoor malware, the possibility of other cyber criminals exploiting these backdoors to regain control over the infected devices cannot be ruled out. Therefore, to prevent the backdoor malware from being maliciously used again, ongoing monitoring and removal are essential.

Over 2,700 Local Devices Infected with "911 S5" Botnet, Potentially Used for Cyber Criminal Activities
The "911 S5" botnet has been operational since 2014 and was renamed "CloudRouter" in 2023. It has infected over 19 million devices across more than 190 countries worldwide. This botnet embeds a malicious backdoor in certain VPN applications, allowing hackers to use the infected devices to connect to the internet while concealing their own network footprints. This facilitates various criminal activities such as financial crimes, cyber attacks and data theft.

The VPN applications connected to the "911 S5" infrastructure include MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN. These VPNs are often embedded in pirated games or software. Upon downloading these games or software, the VPN application and the backdoor are installed without victims’ consent, inadvertently making their devices part of the "911 S5" botnet. HKCERT has initiated immediate monitoring of the "911 S5" infection situation in Hong Kong and has notified the relevant IP owners of the infected devices for remediation.

HKCERT urges the public and organizations to remain vigilant against any malware attacks and to adopt the following defence recommendations:

  • Avoid downloading VPN applications from unknown or untrusted sources
  • Avoid downloading pirated or cracked software and games
  • Regularly check your system for unusual activity or unknown applications
  • Ensure your operating system and applications are updated with the latest security patches
  • Install antivirus software to detect and prevent malware infections
  • Regularly monitor network traffic for any unusual activity to promptly identify potential security breaches
  • Develop a clear event response plan for responding to cybersecurity events


HKCERT has also published methods for removing "911 S5" for public reference. For detailed information, please refer to the link below:
https://www.hkcert.org/blog/massive-911-s5-botnet-affecting-nearly-19-million-ip-addresses-worldwide-was-dismantled

Hong Kong Security Watch Report (Q3 2024):
https://www.hkcert.org/watch-report/hong-kong-security-watch-report-q3-2024

Businesses or members of the public who wish to report to HKCERT on cyber security related events can do so by completing the online form at: https://www.hkcert.org/event-reporting, or call the 24-hour hotline at 8105 6060. For further enquiries, please contact HKCERT at hkcert@hkcert.org.

- Ends -