<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ddos — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/ddos/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 23 Apr 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/ddos/feed.xml" rel="self" type="application/rss+xml"/><item><title>Mirai Campaign Exploiting CVE-2025-29635 in D-Link Routers</title><link>https://feed.craftedsignal.io/briefs/2026-04-mirai-dlink-rce/</link><pubDate>Thu, 23 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-mirai-dlink-rce/</guid><description>A new Mirai-based malware campaign is exploiting CVE-2025-29635, a command-injection vulnerability affecting D-Link DIR-823X routers, to enlist devices into the botnet.</description><content:encoded><![CDATA[<p>A new Mirai-based malware campaign has been observed exploiting CVE-2025-29635, a high-severity command injection vulnerability affecting D-Link DIR-823X routers. Discovered by Akamai&rsquo;s SIRT in March 2026, the campaign involves attackers sending malicious POST requests to vulnerable D-Link routers to execute arbitrary commands. This vulnerability allows attackers to download and execute a shell script, ultimately leading to the deployment of Mirai-based malware. The affected D-Link routers reached end-of-life in November 2024, meaning a patch is unlikely. 
The same actor is also exploiting CVE-2023-1389 impacting TP-Link routers, and an RCE flaw in ZTE ZXV10 H108L routers, deploying the same Mirai payload.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker sends a POST request to the <code>/goform/set_prohibiting</code> endpoint on the D-Link DIR-823X router.</li>
<li>The POST request exploits CVE-2025-29635 to inject and execute arbitrary commands.</li>
<li>The injected commands change directories across writable paths on the router.</li>
<li>A shell script named <code>dlink.sh</code> is downloaded from an external IP address.</li>
<li>The <code>dlink.sh</code> script is executed on the compromised router.</li>
<li>The script installs a Mirai-based malware variant named &ldquo;tuxnokill&rdquo;.</li>
<li>&ldquo;tuxnokill&rdquo; establishes persistence and begins scanning for new targets.</li>
<li>The compromised device is then used to launch DDoS attacks, leveraging Mirai&rsquo;s standard capabilities, including TCP SYN/ACK/STOMP, UDP floods, and HTTP null attacks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-29635 allows attackers to remotely execute arbitrary commands on vulnerable D-Link DIR-823X routers. The compromised routers are then incorporated into the Mirai botnet, increasing its size and DDoS capabilities. Given that these routers are end-of-life, many remain unpatched, potentially leading to a large number of compromised devices. This can result in network disruptions and service outages for targeted entities, as well as potential data exfiltration.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network traffic for POST requests to the <code>/goform/set_prohibiting</code> endpoint on D-Link routers, as described in the Attack Chain, to detect potential exploitation attempts.</li>
<li>Deploy the Sigma rule <code>Detect Mirai dlink.sh Download</code> to identify attempts to download the malicious shell script.</li>
<li>If you operate affected D-Link DIR-823X, TP-Link, or ZTE ZXV10 H108L routers, upgrade to a supported device or implement network segmentation to limit the potential damage.</li>
<li>Block the external IP address hosting the <code>dlink.sh</code> script if it can be reliably determined and is observed on your network.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>mirai</category><category>ddos</category><category>rce</category><category>iot</category></item><item><title>Disruption of Large IoT DDoS Botnets</title><link>https://feed.craftedsignal.io/briefs/2024-01-iot-ddos-disruption/</link><pubDate>Fri, 20 Mar 2026 05:50:09 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-iot-ddos-disruption/</guid><description>Law enforcement has disrupted significant IoT botnets responsible for launching record-breaking distributed denial-of-service (DDoS) attacks, impacting the availability of targeted systems.</description><content:encoded><![CDATA[<p>Authorities have dismantled a globally distributed network of compromised Internet of Things (IoT) devices that were being leveraged to conduct large-scale DDoS attacks. The botnets consisted of a large number of IoT devices. These attacks overwhelmed target systems, rendering them inaccessible. While the specific devices, malware, and attribution remain undisclosed in the provided source, the disruption of these botnets is a significant event for defenders, as it reduces the overall capacity for attackers to launch extremely large DDoS attacks. The botnets were responsible for record-breaking attacks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Compromise IoT Devices: Attackers exploit vulnerabilities (e.g., default credentials, unpatched firmware) on IoT devices such as routers, cameras, and DVRs.</li>
<li>Install Malware: Malicious software specifically designed for the IoT architecture is installed on the compromised devices.</li>
<li>Botnet Formation: The malware turns the IoT devices into bots, which are controlled remotely by a command-and-control (C2) server.</li>
<li>C2 Communication: The bots maintain persistent communication with the C2 server, awaiting instructions for launching attacks.</li>
<li>DDoS Attack Initiation: The C2 server issues commands to the bots, instructing them to flood a target system with malicious traffic.</li>
<li>Traffic Amplification: The bots, now acting in unison, send high volumes of traffic to the target, overwhelming its resources.</li>
<li>Service Disruption: The target system becomes unavailable to legitimate users due to the sheer volume of malicious traffic.</li>
<li>Impact: Disruption of services for targeted organizations, potentially leading to financial losses and reputational damage.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The DDoS attacks launched by these IoT botnets caused significant service disruptions for targeted organizations. The scope of the attacks was described as &ldquo;record-breaking&rdquo;, suggesting a large number of victims and potential financial losses. Sectors affected are not detailed in the source, but DDoS attacks can impact any organization with an online presence. Successful attacks lead to website and application unavailability, impacting business operations and customer access.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network traffic for unusual spikes in volume and traffic patterns indicative of DDoS attacks.</li>
<li>Implement rate limiting and traffic filtering on network infrastructure to mitigate the impact of DDoS attacks.</li>
<li>Although no specific IOCs are available, investigate any alerts related to high-volume network traffic originating from internal devices.</li>
<li>Enable logging on network devices to capture potential indicators of compromise and attack activity.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>iot</category><category>ddos</category><category>botnet</category><category>disruption</category></item></channel></rss>