Sunday, June 15, 2025
HomeMalwareHackers Using Mirai Variant MooBot to Exploit D-Link Devices Bugs

Hackers Using Mirai Variant MooBot to Exploit D-Link Devices Bugs

Published on

SIEM as a Service

Follow Us on Google News

In a new attack wave, MooBot, a variant of Mirai botnet malware, has been detected recently by the cybersecurity experts at Palo Alto Network’s Unit 42. 

At the beginning of last month, a new wave of attacks began to appear. This new wave of attacks targeted mostly vulnerable D-Link routers as part of this malicious campaign.

As a result of an analysis carried out by Fortinet analysts in December 2021, the Mirai variant, MooBot was discovered. It has been reported that the malware has updated the scope of its targeting now. 

- Advertisement - Google News

In fact, botnets are likely to seek out untapped puddles of vulnerable devices that they can use as bait in order to entrap their victims.

There are several vulnerabilities in D-Link devices but among them, MooBot targeted the four critical ones, and here they are mentioned below:-

  • CVE-2015-2051: D-Link HNAP SOAPAction Header Command Execution Vulnerability (CVSS Version 2.0: 10.0 High)
  • CVE-2018-6530: D-Link SOAP Interface Remote Code Execution Vulnerability (CVSS Version 3.0: 9.8 Critical)
  • CVE-2022-26258: D-Link Remote Command Execution Vulnerability (CVSS Version 3.0: 9.8 Critical)
  • CVE-2022-28958: D-Link Remote Command Execution Vulnerability (CVSS Version 3.0: 9.8 Critical)

The vulnerabilities could be exploited remotely by attackers to execute code on the host 159.203.15[.]179 and download MooBot downloader from the host.

There have been security updates released by the vendor to mitigate the impact of the flaws. However, not all of the updates have been applied by all users.

Technical Analysis

There is a low attack complexity associated with the flaws which are exploited by the operators of MooBot. A malicious binary is retrieved by using arbitrary commands when RCE is gained on the targets.

On the C2 that is under the control of the threat actors, all the newly captured routers are recorded. Once the malware has decoded the configuration file’s hardcoded address, this calculation is carried out.

The addresses for C2 in Unit 42’s report are different from those in Fortinet’s report, which is a significant difference to pay attention to. An indication that the infrastructure of the threat actor has been refreshed.

A compromised D-Link device may cause users to notice a number of symptoms like:-

  • Internet speed drop issues
  • Unresponsiveness
  • Router overheating
  • Uncertain DNS configuration changes

Recommendations

In order to avoid this problem, cybersecurity researchers have urged users to update patches and software whenever possible. It is recommended that you follow the following recommendations if you believe that you may have already been compromised:-

  • It is recommended that you reset your router.
  • The password for your admin account needs to be changed.
  • Make sure you have the latest security updates installed.

Download Free SWG – Secure Web Filtering – E-book

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

Arsen Launches AI-Powered Vishing Simulation to Help Organizations Combat Voice Phishing at Scale

Arsen, the cybersecurity startup known for defending organizations against social engineering threats, has announced...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...

Credential Abuse: 15-Min Attack Simulation

Credential Abuse Unmasked

Credential abuse is #1 attack vector in web and API breaches today (Verizon DBIR 2025). Join our live, 15-min attack simulation with Karthik Krishnamoorthy (CTO - Indusface) and Phani Deepak Akella (VP of Marketing - Indusface) to see hackers move from first probe to full account takeover.

Discussion points


Username & email enumeration – how a stray status-code reveals valid accounts.
Password spraying – low-and-slow guesses that evade basic lockouts.
Credential stuffing – lightning-fast reuse of breach combos at scale.
MFA / session-token bypass – sliding past second factors with stolen cookies.

More like this

Cybercriminals Exploiting Expired Discord Invite Links to Deploy Multi-Stage Malware

Recent investigations by Check Point Research have uncovered a sophisticated malware campaign that leverages...

Interpol Dismantles 20,000 Malicious IPs and Domains Tied to 69 Malware Variants

In a landmark global cybercrime crackdown, INTERPOL’s Operation Secure has seen the takedown of...

New Secure Boot Vulnerability Allows Attackers to Install Malware in PC and Server Boot Processes

Security researchers from Binarly have uncovered a major software vulnerability in the Unified Extensible...