It is suspected that the botnet originated in Australia, as the first activity from the botnet was detected here. Australian IT consultant Terry Baume first observed it infecting a Netcomm NB5 modem/router. You can read his full analysis here.
The botnet binary was further analysed by members of the website DroneBL (a real-time IP tracker that scans for and botnets and vulnerable machines) which came to the conclusion that the “psyb0t” or "Network Bluepill" botnet was mostly a test run to prove the technology. After the botnet's discovery and public outing, the botnet operator swiftly shut it down.
The first generation targeted very few models of router, though the current, most recently discovered generation (dubbed 'version 18' in the code) targets a wide range of devices.
Full Article Here.