
Morte

Morte is an IoT malware family observed as a payload delivered by a large loader-as-a-service botnet operation disclosed by CloudSEK in September 2025. The operation distributed Morte alongside RondoDox and Mirai by exploiting weak passwords and outdated vulnerabilities in routers, IoT devices, and enterprise applications and software. Reporting also states that RondoDox later doubled as a loader for the Mirai and Morte IoT malware families. High-confidence context associates Morte with botnet activity affecting Internet-facing routers, IoT systems, and related network appliances; observed outcomes in these campaigns include botnet enrollment, DDoS participation, and cryptomining. The available content provides no Morte-specific technical details: no infection-chain internals, persistence mechanisms, command-and-control details, or unique indicators of compromise.


Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2025-55182 (React2Shell): exploited in the wild

Researchers from CloudSEK noticed the ramp up in botnet activity to exploit the highly targeted React open source software flaw — tracked as CVE-2025-55182 and that also affects the Next.js platform — which began via attacks in December... "Enterprises running Next.js Server Actions... face critical RCE exposure with active exploitation observed recently,"

via Dark Reading (darkreading.com)
MITRE ATT&CK techniques and procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques
T1059 Command and Scripting Interpreter (evidence: 1)

The attack targeting TBK DVR devices has been found to exploit CVE-2024-3721, a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 digital video recording devices, to deliver a Mirai variant called Nexcorium.

T1203 Exploitation for Client Execution (evidence: 1)

The attack activity outlined by Fortinet involves the exploitation of CVE-2024-3721 to obtain and drop a downloader script, which then launches the botnet payload based on the Linux system's architecture.

Impact

1 technique
T1498 Network Denial of Service (evidence: 1)

The malware supports various DDoS attacks, including UDP and TCP floods, and connects to a C2 server to receive commands.

What this page doesn't show

The version that knows your environment.

This page is what's public. Mallory adds the parts that aren't: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

IOC matching: match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution: named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (1): CVEs this family uses for access and lateral movement.

Detection signatures: YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (3): every documented technique, ranked by evidence weight.

Researcher chatter: Reddit, Mastodon, and CTI community discussion around this family.
