A sophisticated botnet operation employing a Loader-as-a-Service model was uncovered through exposed command and control logs spanning six months. The campaign systematically targets SOHO routers, IoT devices, and enterprise applications through command injection vulnerabilities in their web interfaces. Key attack vectors include exploiting unsanitized POST parameters, leveraging default credentials, and targeting known CVEs in various systems. The operation showed a 230% spike in attacks from July to August 2025, deploying multi-architecture malware including Morte binaries and cryptomining payloads. With rapid infrastructure rotation and a diverse malware set, the threat is evolving quickly, necessitating early detection and robust defense measures.
Author: AlienVault
Related Tags:
cve-2019-16759
cve-2019-17574
soho routers
cve-2012-1823
Morte
RondoDoX
command injection
T1609
Mirai
Associated Indicators: