{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mirai/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2025-29635"},{"cvss":8.8,"id":"CVE-2023-1389"}],"_cs_exploited":false,"_cs_products":["DIR-823X","ZXV10 H108L"],"_cs_severities":["critical"],"_cs_tags":["mirai","ddos","rce","iot"],"_cs_type":"advisory","_cs_vendors":["D-Link","TP-Link","ZTE"],"content_html":"\u003cp\u003eA new Mirai-based malware campaign has been observed exploiting CVE-2025-29635, a high-severity command injection vulnerability affecting D-Link DIR-823X routers. Discovered by Akamai\u0026rsquo;s SIRT in March 2026, the campaign involves attackers sending malicious POST requests to vulnerable D-Link routers to execute arbitrary commands. This vulnerability allows attackers to download and execute a shell script, ultimately leading to the deployment of Mirai-based malware. The affected D-Link routers reached end-of-life in November 2024, meaning a patch is unlikely. The same actor is also exploiting CVE-2023-1389 impacting TP-Link routers, and an RCE flaw in ZTE ZXV10 H108L routers, deploying the same Mirai payload.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a POST request to the \u003ccode\u003e/goform/set_prohibiting\u003c/code\u003e endpoint on the D-Link DIR-823X router.\u003c/li\u003e\n\u003cli\u003eThe POST request exploits CVE-2025-29635 to inject and execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe injected commands change directories across writable paths on the router.\u003c/li\u003e\n\u003cli\u003eA shell script named \u003ccode\u003edlink.sh\u003c/code\u003e is downloaded from an external IP address.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edlink.sh\u003c/code\u003e script is executed on the compromised router.\u003c/li\u003e\n\u003cli\u003eThe script installs a Mirai-based malware variant named \u0026ldquo;tuxnokill\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003e\u0026ldquo;tuxnokill\u0026rdquo; establishes persistence and begins scanning for new targets.\u003c/li\u003e\n\u003cli\u003eThe compromised device is then used to launch DDoS attacks, leveraging Mirai\u0026rsquo;s standard capabilities, including TCP SYN/ACK/STOMP, UDP floods, and HTTP null attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-29635 allows attackers to remotely execute arbitrary commands on vulnerable D-Link DIR-823X routers. The compromised routers are then incorporated into the Mirai botnet, increasing its size and DDoS capabilities. Given that these routers are end-of-life, many remain unpatched, potentially leading to a large number of compromised devices. This can result in network disruptions and service outages for targeted entities, as well as potential data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for POST requests to the \u003ccode\u003e/goform/set_prohibiting\u003c/code\u003e endpoint on D-Link routers, as described in the Attack Chain, to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Mirai dlink.sh Download\u003c/code\u003e to identify attempts to download the malicious shell script.\u003c/li\u003e\n\u003cli\u003eIf using affected D-Link DIR-823X routers, TP-Link, or ZTE ZXV10 H108L routers, upgrade to a supported device or implement network segmentation to limit potential damage.\u003c/li\u003e\n\u003cli\u003eBlock the external IP address hosting the \u003ccode\u003edlink.sh\u003c/code\u003e script if it can be reliably determined and is observed on your network.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T12:00:00Z","date_published":"2026-04-23T12:00:00Z","id":"/briefs/2026-04-mirai-dlink-rce/","summary":"A new Mirai-based malware campaign is exploiting CVE-2025-29635, a command-injection vulnerability affecting D-Link DIR-823X routers, to enlist devices into the botnet.","title":"Mirai Campaign Exploiting CVE-2025-29635 in D-Link Routers","url":"https://feed.craftedsignal.io/briefs/2026-04-mirai-dlink-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2024-45163","mirai","dos","iot"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2024-45163 describes a remote denial-of-service vulnerability present within Mirai C2 infrastructure. While specific details regarding the vulnerability itself are not provided in this brief, the existence of a publicly known vulnerability in Mirai C2 servers is significant. Mirai is a well-known IoT botnet that has been used in numerous large-scale DDoS attacks. Exploitation of this vulnerability could allow attackers to disrupt Mirai botnet operations, potentially mitigating ongoing…\u003c/p\u003e\n","date_modified":"2026-03-16T12:00:00Z","date_published":"2026-03-16T12:00:00Z","id":"/briefs/2026-03-mirai-c2-dos/","summary":"CVE-2024-45163 is a remote denial-of-service vulnerability affecting Mirai command and control (C2) infrastructure, potentially disrupting botnet operations and related malicious activities.","title":"Mirai C2 Remote Denial-of-Service Vulnerability (CVE-2024-45163)","url":"https://feed.craftedsignal.io/briefs/2026-03-mirai-c2-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Mirai","version":"https://jsonfeed.org/version/1.1"}