Mirai botnet variant included several exploits to its arsenal

Mirai Botnet Variant Vulnerability Exploit TOTOLINK Router DDoS BeastMode

BeastMode, a Mirai botnet variant, has upgraded its arsenal by adding new exploits. Researchers have found that the botnet has included five new vulnerabilities to exploit between late February and March 2022. In addition, three out of the five new exploits affect several models of TOTOLINK routers.

According to the researchers that found the newly upgraded botnet, it attempts to compromise TOTOLINK routers by exploiting the vulnerabilities tracked by them as CVE-2022-26210, CVE-2022-26210, and CVE-2022-25075/25076/25077/25078/25079/25080/25081/25082/25083/25084.

The analysis revealed that these three exploits could affect more than 15 versions of the TOTOLINK routers. Therefore, researchers advise TOTOLINK users to contact the operators of the routers to ask for more information regarding the issue.

The threat actors were also quick to react since they added these exploits just a week after researchers on GitHub published a proof-of-concept. This immediate reaction allowed the threat actors to infect numerous devices before TOTOLINK owners gained access to firmware updates.


The Mirai botnet variant uses brute-force tactics to exploit the flaws.


Like most DDoS botnets, Mirai’s BeastMode tries to compromise several devices by deploying brute-force campaigns or exploiting numerous vulnerabilities.

After the deployment, the botnet can run various DDoS campaigns, such as attack_tcp_syn, attack_udp_plain, attack_udp_vse, attack_udp_ovhhex, attack_app_http, attack_udp_stdhex, attack_udp_CLAMP, attack_app_http, and attack_tcp_ack.

Researchers indicated that they gathered the botnet samples in late February this year. It contained a typo in the URL, where the downloadFlile[.]cgi utilised by the threat actors on the device was substituted with downloadFile[.]cgi.

However, the adversaries had repaired the samples days after the discovery, which implies that the threat attack is in its in-development stage.

The campaign also targets outdated D-Link products aside from TOTOLINK products. Furthermore, there are also items from Huawei, TP-Link, NETGEAR, and NUUO NVRmimi2 targeted by this campaign. Researchers stated that the flaws affecting these products could enable malicious entities to inject malicious commands after the successful intrusion.

Numerous threat actors actively infect vulnerable devices and expand their botnets by quickly adopting newly published exploit codes.

All users should be more vigilant in employing firmware updates and constantly change the routers’ passwords to prevent infections from a threat that uses brute-force techniques.

About the author

Leave a Reply