Murdoc
Murdoc is a Mirai-family botnet described as a Corona derivative. Reported activity from November 2025 shows it exploiting Four-Faith routers via CVE-2024-12856, with a bot population peaking at roughly 15,000 infected devices, primarily in China and the United States. The malware is associated with attacks against industrial environments, with reporting also citing impacts on manufacturing and telecommunications, including disruption of Malaysian manufacturing and Iranian telcos. Observed capabilities include brute-forcing Telnet, use of custom UPX packing, and Mirai-style commands for scanning and DDoS operations. High-confidence infection vectors mentioned are exploitation of vulnerable Four-Faith routers and weak/default Telnet exposure. No Murdoc-specific hashes, domains, or IP indicators are provided in the supplied content.
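The Telnet brute-forcing named above is the family's low-tech infection vector, so one practical detection is a burst check on failed Telnet logins per source, with a second alert when that source then logs in. The example below is added here and is not code from the original page or from any vendor; the syslog-like line shape, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical syslog-like shape, not a real vendor's format).
SAMPLE_LOG = """\
2025-11-03T10:00:01 rtr1 telnetd: login failed for 'admin' from 198.51.100.7
2025-11-03T10:00:02 rtr1 telnetd: login failed for 'root' from 198.51.100.7
2025-11-03T10:00:02 rtr1 telnetd: login failed for 'admin' from 198.51.100.7
2025-11-03T10:00:03 rtr1 telnetd: login failed for 'user' from 198.51.100.7
2025-11-03T10:00:04 rtr1 telnetd: login failed for 'root' from 198.51.100.7
2025-11-03T10:00:05 rtr1 telnetd: login succeeded for 'root' from 198.51.100.7
2025-11-03T10:30:00 rtr1 telnetd: login succeeded for 'admin' from 192.0.2.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd: login (?P<result>failed|succeeded) "
    r"for '(?P<user>[^']*)' from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_line(line):
    """Return a dict for one telnetd login line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    return d

def detect(log_text, threshold=5, window_s=60):
    """Emit ("brute_force", src, ts) when a source reaches `threshold` failed logins within
    `window_s` seconds, and ("probable_compromise", src, ts) if it then logs in while in a burst."""
    fails = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = fails[ev["src"]]
        cutoff = ev["ts"] - timedelta(seconds=window_s)
        while q and q[0] < cutoff:  # drop failures that aged out of the sliding window
            q.popleft()
        if ev["result"] == "failed":
            q.append(ev["ts"])
            if len(q) == threshold:  # alert once, when the threshold is first crossed
                alerts.append(("brute_force", ev["src"], ev["ts"]))
        elif len(q) >= threshold:  # success right after a burst: likely guessed credential
            alerts.append(("probable_compromise", ev["src"], ev["ts"]))
    return alerts
```

Run `detect(SAMPLE_LOG)` to see one brute-force alert followed by one probable-compromise alert for the constructed attacker address; the later benign login produces nothing.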
Murdoc is a Mirai variant (Corona derivative) that targets IoT devices, especially Four-Faith routers, using brute-force and exploit-based propagation. It is used for DDoS attacks and features custom packing and persistence mechanisms.