Saturday, May 31, 2025
HomeBotnetMurdoc Botnet Exploiting AVTECH Cameras & Huawei Routers to Gain Complete Control

Murdoc Botnet Exploiting AVTECH Cameras & Huawei Routers to Gain Complete Control

Published on

SIEM as a Service

Follow Us on Google News

Researchers have identified an active malware campaign involving a Mirai botnet variant, dubbed Murdoc, which has been targeting AVTECH cameras and Huawei HG532 routers since at least July 2024.

Mass Campaign Leveraging Two Key Vulnerabilities

The campaign exploits two known vulnerabilities:

  • CVE-2024-7029: An unpatchable command injection vulnerability affecting end-of-life AVTECH IP cameras and also exploited by the Corona Mirai variant last year allows remote code execution (RCE) and malware deployment on compromised devices.
  • CVE-2017-17215: An arbitrary command execution flaw in Huawei HG532 routers that has been frequently targeted in prior campaigns.

These vulnerabilities enable attackers to co-opt vulnerable devices into a Mirai-based botnet infrastructure.

- Advertisement - Google News

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Current Observations and Infection Data

Using scans from Censys, researchers have noted 221 Murdoc-infected hosts, predominantly located in Indonesia, the United States, and Taiwan, as of January 22, 2025.

While some sources report over 1,300 infections, this count likely includes false positives such as misconfigured devices or pseudoservices behaving abnormally across open ports.

Among the infected hosts, 93 appear to function as Mirai command-and-control (C2) servers, actively targeting other vulnerable devices to propagate the malware further.

Murdoc Botnet
A compromised AVTECH camera acting as a Mirai C2

For detection, researchers have provided Censys search queries:

  • Murdoc-infected hosts: services.http.response.body:"murdoc_botnet"
  • Mirai C2s: services.http.response.body:"murdoc_botnet" and services.http.response.body:"$(echo -ne"

GreyNoise sensors have also documented aggressive exploit activity for both vulnerabilities.

Specifically, they have observed 17 distinct malicious IPs exploiting CVE-2024-7029 (targeting AVTECH cameras) and a staggering 37,796 IPs attempting to exploit CVE-2017-17215 (targeting Huawei HG532 routers).

Malicious activity for the Huawei flaw peaked on January 16, 2025, according to GreyNoise data.

Despite being end-of-life and discontinued, over 36,182 AVTECH cameras remain exposed on the internet, many potentially vulnerable to CVE-2024-7029.

These devices no longer receive security updates and should not be publicly accessible.

Organizations and individuals are urged to take immediate action to mitigate this threat.

Recommended steps include isolating such devices from external networks or replacing them with hardware that is actively supported and updated.

Failure to secure these devices leaves networks highly susceptible to exploitation in these increasingly sophisticated botnet campaigns.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra...

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages...

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated...

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Microsoft Reveals Techniques for Defending Against Evolving AiTM Attacks

Microsoft has exposed the escalating sophistication of phishing attacks, particularly focusing on Adversary-in-the-Middle (AiTM)...

Hackers Use AI-Generated Videos on TikTok to Spread Info-Stealing Malware

TrendMicro has uncovered a sophisticated campaign where threat actors are exploiting TikTok to distribute...

Weaponized PyPI Package Executes Supply Chain Attack to Steal Solana Private Keys

A chilling discovery by Socket’s Threat Research Team has exposed a meticulously crafted supply...