Pierluigi Paganini@Security Affairs
//
A critical command injection vulnerability, identified as CVE-2025-1316, in the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices. The flaw allows attackers to achieve remote command execution and can also lead to denial of service. Mirai-based botnets are actively exploiting this zero-day vulnerability.
Unpatched Edimax IP cameras are now prime targets in ongoing botnet attacks. Security researchers at Akamai discovered the flaw and reported it to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which attempted to contact the Taiwanese vendor. Users are strongly advised to apply any available patches to prevent their devices from being compromised and enlisted into these botnets.
Recommended read:
References :
- securityaffairs.com: US CISA warns that multiple botnets are exploiting a recently disclosed vulnerability, tracked as CVE-2025-1316 (CVSS score of 9.8), in Edimax IC-7100 IP cameras.
- www.bleepingcomputer.com: A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices.
- bsky.app: A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices.
- securityonline.info: CISA Warns of Critical Edimax IP Camera Flaw (CVE-2025-1316) with Public Exploits and No Vendor Fix
- The DefendOps Diaries: Understanding and Mitigating the Edimax IP Camera Vulnerability
- www.techradar.com: Edimax IC-7100 camera was found vulnerable to a command injection flaw currently being used in remote code execution attacks.
- www.scworld.com: Edimax IP camera zero-day
- gbhackers.com: Edimax Camera RCE Vulnerability Exploited to Spread Mirai Malware
- MSSP feed for Latest: Botnet Attacks Exploiting Edimax IP Camera Zero-Day Ongoing For Nearly One Year
- www.scworld.com: Attacks exploiting Edimax IP camera zero-day ongoing for nearly a year
- bsky.app: Two botnets have exploited a zero-day vulnerability in Edimax security cameras for months.
CISO2CISO Editor 2@ciso2ciso.com
//
Cloudflare successfully mitigated a record-breaking 5.6 Tbps Distributed Denial of Service (DDoS) attack on October 29, 2024. The attack, launched by a Mirai-variant botnet, targeted an internet service provider (ISP) in East Asia. The botnet comprised 13,000 compromised IoT devices that flooded the target with malicious traffic aimed at crippling the ISP's operations.
The attack lasted only 80 seconds, but Cloudflare's autonomous defense systems promptly identified and mitigated the anomalous traffic without human intervention, intercepting and neutralizing the malicious data at Cloudflare's edge nodes. Each IP address within the botnet generated an average of approximately 4 Gbps of traffic. The successful defense highlights the escalating sophistication and scale of DDoS threats, with hyper-volumetric attacks exceeding 1 Tbps increasing dramatically. This incident underscores the importance of robust DDoS mitigation strategies and the need for continuous evolution in network security.
Recommended read:
References :
- ciso2ciso.com: New Mirai Malware Variant Targets AVTECH Cameras, Huawei Routers – Source: www.infosecurity-magazine.com
- securityaffairs.com: New Mirai botnet variant Murdoc Botnet targets AVTECH IP cameras and Huawei HG532 routers
- The Hacker News: Mirai Variant Murdoc Botnet Exploits AVTECH IP Cameras and Huawei Routers
- Techzine Global: Mirai variant Murdoc_Botnet targets cameras and routers
- discuss.privacyguides.net: New botnet network targets Avtech cameras and Huawei HG532 routers
- hackread.com: New Mirai Variant Murdoc_Botnet Launches DDoS Attacks via IoT Exploits
- bsky.app: Interesting research from Qualys here where they found a botnet that’s infected vulnerable AVTECH cameras and Huawei routers.
- cyberpress.org: New IoT Botnet Launching large-scale DDoS attacks Hijacking IoT Devices
- gbhackers.com: New IoT Botnet Launching Large-Scale DDoS attacks Hijacking IoT Devices
- securityonline.info: IoT Botnet Fuels Large-Scale DDoS Attacks Targeting Global Organizations
- ciso2ciso.com: Mirai Variant Murdoc Botnet Exploits AVTECH IP Cameras and Huawei Routers – Source:thehackernews.com
- ciso2ciso.com: New Mirai Variant Murdoc_Botnet Launches DDoS Attacks via IoT Exploits
- Pyrzout :vm:: Mirai Variant Murdoc Botnet Exploits AVTECH IP Cameras and Huawei Routers
- ciso2ciso.com: Mirai Botnet Launches Record 5.6 Tbps DDoS Attack with 13,000+ IoT Devices.
- ciso2ciso.com: Details about the mitigation of the DDoS attack.
- gbhackers.com: Record Breaking 5.6 Tbps DDoS attack Launched by Mirai Botnet
- ciso2ciso.com: Cloudflare Mitigates Massive 5.6 Tbps Mirai-Variant DDoS Attack – Source:hackread.com
- securityonline.info: Mirai Botnet Unleashes Record-Breaking DDoS Attack, Cloudflare Thwarts Threat
- hackread.com: Cloudflare mitigated a record-breaking 5.6 Tbps DDoS attack
- gbhackers.com: Researchers have identified an active malware campaign involving a Mirai botnet variant, dubbed Murdoc, which has been targeting AVTECH cameras and Huawei HG532 routers since at least July 2024.
- BleepingComputer: The largest distributed denial-of-service (DDoS) attack to date peaked at 5.6 terabits per second and came from a Mirai-based botnet with 13,000 compromised devices.
- securityonline.info: On October 29, 2024, Cloudflare revealed details of a DDoS attack orchestrated using a Mirai botnet comprising 13,000
- Pyrzout :vm:: Cloudflare Mitigates Massive 5.6 Tbps Mirai-Variant DDoS Attack – Source:hackread.com
- blog.cloudflare.com: In 2024, Cloudflare's autonomous DDoS defense systems blocked 21.3M DDoS attacks, up 53% YoY, and 420 DDoS attacks in Q4 2024 exceeded 1 Tbps, up 1,885% QoQ (The Cloudflare Blog)
- Pyrzout :vm:: Cloudflare thwarts a massive 5.6 Tbps Mirai-variant DDoS attack targeting one of its customers
Matan Mittelman@Cato Networks
//
The Ballista botnet is actively exploiting CVE-2023-1389, a remote code execution vulnerability in TP-Link Archer routers, to spread across the internet. Cato Networks' Cato CTRL researchers have uncovered this new IoT threat, linking it to an Italian threat actor due to IP addresses and Italian language strings found in the malware binaries. Since its detection in January 2025, Ballista has targeted organizations in the U.S., Australia, China, and Mexico, impacting sectors like manufacturing, healthcare, technology, and services.
This botnet leverages a vulnerability in TP-Link Archer AX-21 routers that allows unauthorized command execution through manipulated country parameters in router APIs. Despite patches being available, over 6,000 internet-exposed devices remain vulnerable, according to Censys. Once installed, the malware establishes a TLS-encrypted command-and-control (C2) channel on port 82, enabling full device control, DDoS attack execution, and shell command execution. The threat actor is also transitioning to Tor-based C2 domains to complicate tracking and takedowns.
Recommended read:
References :
- bsky.app: New Ballista botnet found -Author seems to be from Italy -Targets TP-Link Archer routers -Used for DDoS accounts -Unique code, not based on Mirai or Mozi
- Secure Bulletin: The Ballista Botnet: a new IoT threat with italian roots
- securityaffairs.com: New Ballista Botnet spreads using TP-Link flaw. Is it an Italian job?
- Cato Networks: Cato CTRL™ Threat Research: Ballista – New IoT Botnet Targeting Thousands of TP-Link Archer Routers
- The Hacker News: Ballista Botnet Exploits Unpatched TP-Link Vulnerability, Infects Over 6,000 Devices
- CyberInsider: TP-Link Archer Routers Under Attack by New IoT Botnet ‘Ballista’
- Blog: New Ballista botnet targets vulnerabilities in popular TP-Link routers
- www.cybersecuritydive.com: Emerging botnet exploits TP-Link router flaw posing risk to US organizations
- www.cybersecurity-insiders.com: Cato CTRL researchers observed a new botnet, called Ballista botnet, which is exploiting a remote code execution (RCE) vulnerability, tracked as CVE-2023-1389 (CVSS score 8.8), in TP-Link Archer routers. The CVE-2023-1389 flaw is an unauthenticated command injection […]
- community.emergingthreats.net: The Ballista Botnet: a new IoT threat with italian roots
- www.techradar.com: This worrying botnet targets unsecure TP-Link routers - thousands of devices already hacked
- Schneier on Security: TP-Link Router Botnet
Bill Mann@CyberInsider
//
A newly discovered botnet, Eleven11bot, has infected over 30,000 internet-connected devices. These compromised devices, primarily security cameras and Network Video Recorders (NVRs), are being actively used to launch Distributed Denial of Service (DDoS) attacks. The botnet's malicious activity has been directed towards critical telecom infrastructure and gaming websites, causing significant disruptions.
The activity of Eleven11bot has been traced back to Iran, with the infected devices distributed globally. Security researchers have discovered the botnet is being used to carry out brute force attacks on login pages. Weak or reused passwords are being exploited to take control of vulnerable devices. Regular updates to device firmware, frequent password changes, and disabling remote access can significantly reduce the risk of these breaches.
Recommended read:
References :
- CyberInsider: Massive DDoS Botnet Eleven11bot Infects 30,000+ IoT Devices
- www.cybersecurity-insiders.com: DDoS attacks by 30k botnets and IBM n Vodafone safe internet from quantum computing attacks
- securityaffairs.com: New Eleven11bot botnet infected +86K IoT devices
- www.scworld.com: Over 86K devices impacted by novel global Eleven11bot botnet
- www.techradar.com: Another huge new botnet is infecting thousands of webcams and video recorders for DDoS attacks
- aboutdfir.com: Massive botnet that appeared overnight is delivering record-size DDoSes A newly discovered network botnet comprising an estimated 30,000 webcams and video recorders—with the largest concentration in the US—has been delivering what is likely to be the biggest denial-of-service attack ever seen, a security researcher inside Nokia said.
- The GreyNoise Blog: A newly discovered global cyber threat is rapidly expanding, infecting tens of thousands of internet-connected devices to launch powerful cyberattacks.
- WIRED: Eleven11bot infects webcams and video recorders, with a large concentration in the US.
@Talkback Resources
//
A new variant of the Vo1d botnet has resurfaced, infecting 1.6 million Android TV devices worldwide. Security researchers at XLab have identified the malware, noting enhanced capabilities that sustain its rapid growth. The infected devices are recruited into a botnet controlled by a command-and-control server, enabling cybercriminals to perform malicious activities.
The recruited Android TV bots are then directed by the command-and-control server to carry out illegal activities, including DDoS attacks and ad click fraud. Protection against Vo1d begins at the purchase of an Android TV device: make sure you buy from a reputable brand and retailer. Malware can be pre-installed on Android TV devices, either by the device manufacturer or introduced by a middleman along the production chain.
Recommended read:
References :
- CyberInsider: Vo1d Botnet Resurfaces, Infects 1.6 Million Android TVs Worldwide
- securityaffairs.com: Enhanced capabilities sustain the rapid growth of Vo1d botnet
- PCWorld: New botnet malware infects 1.6 million Android TV devices worldwide
- The420.in: Vo1d Botnet Expands to 1.59 Million Infected Android TVs, Fueling Massive Cybercrime Operations
- Cyber Security News: Vo1d Botnet Hacks 1.6 Million Android TVs Worldwide
- Talkback Resources: Vo1d Botnet Evolves as It Ensnares 1.6 Million Android TV Boxes [net] [mal]
- Techzine Global: Android TV botnet Vo1d grows explosively and bypasses security
- Talkback Resources: Recent cybersecurity incidents highlight the importance of network security, government regulations, and vulnerability management, including the PolarEdge botnet targeting network edge devices and Xerox VersaLink printer flaws potentially leading to credential compromise.
- Talkback Resources: Vo1d Botnet Evolves as It Ensnares 1.6 Million Android TV Boxes
- Talkback Resources: Vo1d Botnet's Peak Surpasses 1.59M Infected Android TVs, Spanning 226 Countries [net] [mal]
- The Hacker News: Vo1d Botnet's Peak Surpasses 1.59M Infected Android TVs, Spanning 226 Countries
- heise online English: New version of Vo1d botnet on hundreds of thousands of devices with Android TV
- www.cysecurity.news: Android TV Users Watch Out: Dangerous Vo1d Botnet Hits 1.6 Million Devices
Pierluigi Paganini@Security Affairs
//
A critical command injection vulnerability, CVE-2025-1316, affecting Edimax Internet of Things (IoT) devices is being exploited to spread Mirai malware. According to reports, multiple botnets are actively targeting Edimax IP cameras, exploiting the flaw to compromise devices and incorporate them into their networks. The attacks also leverage default credentials to facilitate the deployment of Mirai, which is known for orchestrating distributed denial-of-service (DDoS) attacks.
Initial exploitation attempts were observed as early as May 2024, with increased activity in September and again from January to February 2025. Although a proof-of-concept exploit has been available since June 2023, the intrusions highlight the ongoing risk posed by unpatched vulnerabilities in IoT devices. Edimax has stated that the affected IP cameras have been end-of-life for over 10 years and that it is unable to provide patches. Organizations are urged to update software and firmware.
Recommended read:
References :
- gbhackers.com: Edimax Camera RCE Vulnerability Exploited to Spread Mirai Malware
- MSSP feed for Latest: Botnet Attacks Exploiting Edimax IP Camera Zero-Day Ongoing For Nearly One Year
- www.scworld.com: Attacks exploiting Edimax IP camera zero-day ongoing for nearly a year
- cyble.com: One of the most concerning vulnerabilities in the new CISA catalog is , which affects the Edimax IC-7100 IP Camera. This vulnerability, identified on March 4, 2025, is an OS Command Injection Vulnerability that allows attackers to execute arbitrary commands on the device remotely.
- chemical-facility-security-news.blogspot.com: CISA Adds Edimax Vulnerability to KEV Catalog
- securityaffairs.com: U.S. CISA adds Edimax IC-7100 IP Camera, NAKIVO, and SAP NetWeaver AS Java flaws to its Known Exploited Vulnerabilities catalog
@www.bleepingcomputer.com
//
A new Mirai botnet variant, named Aquabot, has emerged, actively exploiting a command injection vulnerability, identified as CVE-2024-41710, in Mitel SIP phones. This malware targets Mitel 6800, 6900, and 6900w series phones, including the 6970 Conference Unit, and is being used to construct a botnet for launching distributed denial-of-service (DDoS) attacks. The Aquabot malware uses previously published proof-of-concept code to spread to vulnerable devices.
The Aquabot botnet stands out due to its novel ability to report to its command-and-control server when it detects a kill signal attempting to terminate the malware on an infected device. This behaviour is new for a Mirai variant and could be a method for the botnet author to monitor the botnet's health. The exploit, discovered in January 2025, roughly six months after the vulnerability was publicly disclosed by Mitel, injects a shell script that downloads and executes the Mirai malware on targeted systems.
Recommended read:
References :
- ciso2ciso.com: Aquabot Botnet Targeting Vulnerable Mitel Phones – Source: www.securityweek.com
- ciso2ciso.com: A Mirai-based malware family, Aquabot, started targeting vulnerable Mitel SIP phones to build a botnet for DDoS attacks.
- The Register: A new variant of the Mirai-based malware Aquabot is actively exploiting a vulnerability in Mitel phones to build a remote-controlled botnet, according to Akamai's Security Intelligence and Response Team.
- go.theregister.com: Why is my Mitel phone DDoSing strangers?
- Pyrzout :vm:: Why is my Mitel phone DDoSing strangers? Oh, it was roped into a new Mirai botnet – Source: go.theregister.com
- ciso2ciso.com: Why is my Mitel phone DDoSing strangers? Oh, it was roped into a new Mirai botnet
- The Hacker News: New Aquabot Botnet Exploits CVE-2024-41710 in Mitel Phones for DDoS Attacks
- www.theregister.com: Why is my Mitel phone DDoSing strangers? Oh, it was roped into a new Mirai botnet
- www.bleepingcomputer.com: New Aquabotv3 Botnet Malware Targets Mitel Command Injection Flaw
- AAKL: The Register: Why is my Mitel phone DDoSing strangers? Oh, it was roped into a new Mirai botnet
- gbhackers.com: New Aquabot Malware Actively Exploiting Mitel SIP phones injection vulnerability
- securityaffairs.com: Aquabot, a new variant of Mirai-based malware, actively targeting Mitel SIP phones.
- BleepingComputer: New Aquabotv3 botnet malware targets Mitel command injection flaw
Pierluigi Paganini@securityaffairs.com
//
A sophisticated botnet has been discovered exploiting misconfigured DNS records on approximately 13,000 MikroTik routers to distribute malware through spam campaigns. The botnet leverages a simple DNS misconfiguration, specifically in Sender Policy Framework (SPF) records, that allows malicious emails to appear as if they are coming from legitimate domains. This bypasses email protection techniques, enabling the distribution of trojan malware and other malicious content. The botnet masks its traffic by using the compromised routers as SOCKS proxies.
The misconfigured SPF records use "+all" instead of "-all", which effectively permits any server to send email on behalf of the domain and nullifies SPF protection. Attackers are using this weakness to spoof sender domains and send out emails that often mimic shipping companies like DHL, using subject lines referencing invoices or tracking information. These emails contain zip file attachments holding obfuscated JavaScript files that execute PowerShell scripts, connecting victims to a command-and-control server associated with Russian cybercriminal activity.
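The following is an added example, not code from the original article or from any of the cited researchers: a small SPF record auditor that flags the permissive "+all" (and equivalent bare "all") catch-all described above and shows the "-all" form it should be replaced with. The domains and records are constructed samples; the only SPF behaviour assumed is RFC 7208's default "+" qualifier and the rule that terms after "all" are never evaluated.

```python
"""Audit SPF TXT records for a permissive catch-all and show the hardened form."""

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample records for illustration; these are not real domains' data.
SAMPLE_RECORDS = {
    "permissive.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net +all",
    "bare-all.example": "v=spf1 mx all",
    "softfail.example": "v=spf1 ip4:198.51.100.10 ~all",
    "strict.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
    "no-all.example": "v=spf1 ip4:203.0.113.5",
}


def parse_spf(record):
    """Return [(qualifier_name, mechanism)] for a v=spf1 record; modifiers are kept as-is."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect=... or exp=...; it carries no qualifier
            parsed.append(("modifier", term.lower()))
            continue
        if term[0] in QUALIFIERS:
            qualifier, mechanism = term[0], term[1:]
        else:
            qualifier, mechanism = "+", term  # RFC 7208 4.6.2: the default qualifier is '+'
        parsed.append((QUALIFIERS[qualifier], mechanism.lower()))
    return parsed


def assess_all(record):
    """Classify the catch-all: 'permissive' means any host may send as the domain."""
    for qualifier, mechanism in parse_spf(record):
        if mechanism == "all":
            return {"pass": "permissive", "neutral": "neutral",
                    "softfail": "softfail", "fail": "strict"}[qualifier]
    # No 'all' mechanism: unmatched senders fall through to a redirect= modifier
    # if one is present, otherwise they get a neutral result, which is not a rejection.
    return "missing"


def harden(record):
    """Return the record with its catch-all changed to '-all' (appended if absent)."""
    terms = record.split()
    for i, term in enumerate(terms):
        if term.lstrip("+-~?").lower() == "all":
            terms[i] = "-all"
            return " ".join(terms[: i + 1])  # terms after 'all' are never evaluated
    return " ".join(terms + ["-all"])


def audit(records):
    """Map domain -> (verdict, hardened record) for each record that needs attention."""
    findings = {}
    for domain, record in records.items():
        verdict = assess_all(record)
        if verdict in ("permissive", "neutral", "missing"):
            findings[domain] = (verdict, harden(record))
    return findings


if __name__ == "__main__":
    for domain, (verdict, fixed) in audit(SAMPLE_RECORDS).items():
        print(f"{domain}: {verdict} -> suggested record: {fixed}")
```

Run it against your own domains' TXT records (fetched with `dig TXT example.com`, not shown here) to find any record that resolves to "permissive".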
Recommended read:
References :
- : A Russian botnet takes advantage of misconfigured DNS records to pass email protection techniques. This botnet uses a global network of Mikrotik routers to send malicious emails that are designed to appear to come from legitimate domains.
- securityaffairs.com: MikroTik botnet relies on DNS misconfiguration to spread malware
- securityonline.info: 13,000 MikroTik Routers Hijacked for Global Malspam Operation
- cyberpress.org: New Botnet Exploits DNS Flaw to Deliver Malware
- blogs.infoblox.com: Infoblox : A Russian botnet takes advantage of misconfigured DNS records to pass email protection techniques.
- Cyber Security News: New Botnet Exploits DNS Flaw to Deliver Malware
- securityboulevard.com: MikroTik Botnet Exploits SPF Misconfigurations to Spread Malware
- Security Boulevard: MikroTik Botnet Exploits SPF Misconfigurations to Spread Malware
- www.bleepingcomputer.com: BleepingComputer news on MikroTik botnet uses misconfigured SPF DNS records to spread malware
@securityonline.info
//
The BADBOX botnet has infected over 190,000 Android devices, including high-end products like Yandex 4K QLED TVs. This botnet's widespread infection is attributed to supply chain vulnerabilities, potentially involving pre-installed malware embedded during the manufacturing or distribution phases. This discovery highlights the significant security risks associated with compromises in the supply chain of Android devices.
A recent investigation revealed over 160,000 unique IP addresses communicating with BADBOX command-and-control servers daily. These infections are concentrated in countries like Russia, China, India, Brazil, Belarus, and Ukraine. The BADBOX malware is believed to originate from the Triada family of Android malware, known for its stealth. Once activated, infected devices are transformed into residential proxies, enabling cybercriminals to route internet traffic through them for illegal activities and ad fraud.
Recommended read:
References :
- Cyber Security News: CyberPress article about the BADBOX botnet infection of Android devices, including LED TVs.
- gbhackers.com: GBHackers article reporting on the BADBOX botnet.
- securityonline.info: Security Online article on the BADBOX botnet infecting Android devices with pre-installed malware.
- cyberpress.org: Cyberpress.org article on BADBOX botnet and the affected devices.
- securityonline.info: SecurityOnline article about BADBOX botnet and pre-installed malware targeting Android devices.
- gbhackers.com: The BADBOX botnet, a sophisticated malware operation targeting Android-based devices, has now infected over 192,000 systems globally.
Cybereason Security Services Team@Blog
//
The Phorpiex botnet, previously known for spam and cryptocurrency mining, has been observed distributing LockBit Black ransomware, also known as LockBit 3.0. This new attack vector signifies a significant shift in the botnet's operations, now focusing on automated ransomware deployment through compromised websites and phishing emails. The malicious activity begins with phishing emails that contain malicious SCR files. When these files are executed, they establish a connection with a command-and-control server, download the LockBit binary, and execute the ransomware payload to begin file encryption.
Unlike traditional ransomware tactics that involve human operators and attempts at lateral movement within a network, this variant focuses on immediate execution of LockBit, reducing the attack's footprint and making it harder to detect. Phorpiex and LockBit employ various anti-detection strategies, such as deleting URL caches, obfuscating function calls, removing Zone.Identifier metadata, and modifying the Windows registry, all to ensure the ransomware runs automatically. This shift highlights the increasing trend of botnets being used as a tool for ransomware attacks.
Recommended read:
References :
- cyberpress.org: Phorpiex botnet Host on Hacked Website to Launch LockBit Ransomware on Windows
- securityonline.info: Phorpiex Botnet Now Deploying LockBit Ransomware in Automated Attacks
- Virus Bulletin: Cybereason's Mahadev Joshi & Masakazu Oku investigate the Phorpiex botnet, which has been used to deliver and execute LockBit Black Ransomware (a.k.a. LockBit 3.0).
- Blog: Cybereason's Mahadev Joshi & Masakazu Oku investigate the Phorpiex botnet, which has been used to deliver and execute LockBit Black Ransomware (a.k.a. LockBit 3.0).