Botnet Loader-as-a-Service Infrastructure Distributing RondoDoX and Mirai Payloads

A sophisticated botnet operation employing a Loader-as-a-Service model was uncovered through exposed command-and-control (C2) logs spanning six months. The campaign systematically targets SOHO routers, IoT devices, and enterprise applications through command injection vulnerabilities in their web interfaces. Key attack vectors include exploiting unsanitized POST parameters, leveraging default credentials, and targeting known CVEs in various systems. The operation showed a 230% spike in attacks from July to August 2025, deploying multi-architecture malware including Morte binaries and cryptomining payloads. With rapid infrastructure rotation and a diverse malware set, the threat is evolving quickly, making early detection and robust defensive measures essential.

Author: AlienVault

Related Tags: cve-2019-16759, cve-2019-17574, soho routers, cve-2012-1823, Morte, RondoDoX, command injection, T1609, Mirai

Associated Indicators: