Thursday, April 24, 2025
HomeBotnetHackers Spreading Hoaxcalls DDoS Botnet by Exploiting an Unpatched ZyXel RCE 0-Day...

Hackers Spreading Hoaxcalls DDoS Botnet by Exploiting an Unpatched ZyXel RCE 0-Day Bug Remotely

Published on

SIEM as a Service

Follow Us on Google News

Researchers uncovered a new variant of Hoaxcalls Botnet that spreading through exploiting the unpatched remote code vulnerability that resides in ZyXEL Cloud CNM SecuManager.

Zyxel Cloud CNM secuManagr is a network management software designed to provide an integrated console to monitor and manage security gateways.

Hoaxcalls Botnet was initially uncovered by the Palo Alto research team on April 3 when the botnet was propagating via 2 patched vulnerabilities, while the Hoaxcalls carrying nearly 16 DDoS attack vectors.

- Advertisement - Google News

The previous version of the botnet utilized three DDoS attack vectors: UDP, DNS, and HEX flood to attack the victim’s network by exploiting the RCE and SQL injection vulnerabilities.

The newly upgraded variant has contained new attack capabilities compared to the previous sample and, it was uncovered while monitoring the XTC Mirai campaign.

Exploiting ZyXEL Cloud CNM SecuManager

April 20, Researchers from Radware uncovered the new campaign utilizing the unpatched vulnerability in ZyXEL Cloud CNM SecuManager through new malware sever (IP 78.33.64.107).

Also, the current method of propagating contains major changes with 19 DDoS attack vectors, and the threat group behind XTC and Hoaxcalls includes a number of variants using different combinations of propagation exploits and DDoS attack vectors.

Zyxel Cloud CNM contains an unauthorized remote code execution vulnerability that can be exploited remotely through API calls that abuse the path / live / CPEManager / AXCampaignManager / delete_cpes_by_ids? Cpe_ids =

According to Radware report “A Remote Code Execution (RCE) attack is possible by abusing an insecure API due to unsafe calls to eval():”

Botnet loader script is hosted on the malware sever to leverage the exploit from the C2 servers using the following C2 server command.

HTTPOPTION – http option flood
HTTPDELETE – http delete flood
HTTPTRACE – http trace flood
HTTPPOST – http post flood
HTTPHEAD – http head flood
HTTPGET – http get flood
HTTPPUT – http put flood
VSE 32 0 0 10 – vse flood
SYN 32 0 10 – syn flood
RST 32 0 10 – rst flood
PSH 32 0 10 – psh flood
TCP 32 0 10 – tcp flood
URG 32 0 10 – urg flood
ACK 32 0 10 – ack flood
FIN 32 0 10 – fin flood
UDP 32 10 – udp flood
HEX – hex flood
DNS – dns resolver flood
BLACKNURSE – blacknurse flood

Researchers believe that the attackers behind this campaign is working hard to find the new vulnerabilities leveraging new exploits to building a botnet that can be leveraged for large scale DDoS attacks.

You can read the complete report of Hoaxcalls DDoS Botnet operation here.

Also Read: Moobot Botnet Hacks Various Fiber Routers Using 0-day Vulnerability

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Verizon DBIR Report: Small Businesses Identified as Key Targets in Ransomware Attacks

Verizon Business's 2025 Data Breach Investigations Report (DBIR), released on April 24, 2025, paints...

Lazarus APT Targets Organizations by Exploiting One-Day Vulnerabilities

A recent cyber espionage campaign by the notorious Lazarus Advanced Persistent Threat (APT) group,...

ToyMaker Hackers Compromise Numerous Hosts via SSH and File Transfer Tools

In a alarming cybersecurity breach uncovered by Cisco Talos in 2023, a critical infrastructure...

Threat Actors Exploiting Unsecured Kubernetes Clusters for Crypto Mining

In a startling revelation from Microsoft Threat Intelligence, threat actors are increasingly targeting unsecured...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

New Malware Hijacks Docker Images Using Unique Obfuscation Technique

A recently uncovered malware campaign targeting Docker, one of the most frequently attacked services...

Hackers Deploy New Malware Disguised as Networking Software Updates

A sophisticated backdoor has been uncovered targeting major organizations across Russia, including government bodies,...

New Rust-Based Botnet Hijacks Routers to Inject Remote Commands

A new malware named "RustoBot" has been discovered exploiting vulnerabilities in various router models...