tuxnokill

The actor also exploits CVE-2025-29635, CVE-2023-1389 (TP-Link AX21), and a ZTE ZXV10 H108L RCE.

CVE-2025-29635 (CVSS score: 7.5) - A command injection vulnerability in end-of-life D-Link DIR-823X series routers that allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function.

The vulnerability exists because attacker-controlled input is copied into a command string using snprintf() and later executed using the system() function without proper sanitization or validation.

Attackers send a specially crafted POST request to the /goform/set_prohibiting endpoint of the router... This allows attackers to inject shell metacharacters and execute arbitrary operating system commands directly on the device.

Once executed, the malware decodes its embedded configuration using XOR Key: 0x30.

Multiple fallback methods such as busybox wget, curl, wget, tftp, and ftpget are used to ensure payload delivery even if some utilities are unavailable on the target device.

This indicates that attackers are broadly scanning and compromising various unsupported devices.

[Router Connects to C2 at 64.89.161[.]130:44300]-> [Mirai Botnet Receives DDoS Commands]

After successful command injection, the attacker downloads a shell script named dlink.sh. The downloader infrastructure was observed hosted at 88.214.20[.]14. Multiple fallback methods such as busybox wget, curl, wget, tftp, and ftpget are used to ensure payload delivery.

Researchers have uncovered an active Mirai botnet campaign... to recruit internet-exposed devices into a distributed denial-of-service (DDoS) botnet... [Compromised Router Participates in Large-Scale DDoS Attacks]

This variant supports multiple system architectures and retains the common DDoS attack capabilities of Mirai. Infected devices may later be used to launch DDoS attacks or perform other malicious activities.