Attack Chain

1. The attacker sends a POST request to the /goform/set_prohibiting endpoint on the D-Link DIR-823X router.
2. The POST request exploits CVE-2025-29635 to inject and execute arbitrary commands.
3. The injected commands change directories across writable paths on the router.
4. A shell script named dlink.sh is downloaded from an external IP address.
5. The dlink.sh script is executed on the compromised router.
6. The script installs a Mirai-based malware variant named “tuxnokill”.
7. “tuxnokill” establishes persistence and begins scanning for new targets.
8. The compromised device is then used to launch DDoS attacks, leveraging Mirai’s standard capabilities, including TCP SYN/ACK/STOMP, UDP floods, and HTTP null attacks.

Impact

Successful exploitation of CVE-2025-29635 allows attackers to remotely execute arbitrary commands on vulnerable D-Link DIR-823X routers. The compromised routers are then incorporated into the Mirai botnet, increasing its size and DDoS capabilities. Given that these routers are end-of-life, many remain unpatched, potentially leading to a large number of compromised devices. This can result in network disruptions and service outages for targeted entities, as well as potential data exfiltration.

Recommendation

• Monitor network traffic for POST requests to the /goform/set_prohibiting endpoint on D-Link routers, as described in the Attack Chain, to detect potential exploitation attempts.
• Deploy the Sigma rule Detect Mirai dlink.sh Download to identify attempts to download the malicious shell script.
• If using affected D-Link DIR-823X routers, TP-Link, or ZTE ZXV10 H108L routers, upgrade to a supported device or implement network segmentation to limit potential damage.
• Block the external IP address hosting the dlink.sh script if it can be reliably determined and is observed on your network.