Researchers have identified an active malware campaign involving a Mirai botnet variant, dubbed Murdoc, which has been targeting AVTECH cameras and Huawei HG532 routers since at least July 2024.
The campaign exploits two known vulnerabilities:
These vulnerabilities enable attackers to co-opt vulnerable devices into a Mirai-based botnet infrastructure.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
Using scans from Censys, researchers have noted 221 Murdoc-infected hosts, predominantly located in Indonesia, the United States, and Taiwan, as of January 22, 2025.
While some sources report over 1,300 infections, this count likely includes false positives such as misconfigured devices or pseudoservices behaving abnormally across open ports.
Among the infected hosts, 93 appear to function as Mirai command-and-control (C2) servers, actively targeting other vulnerable devices to propagate the malware further.
For detection, researchers have provided Censys search queries:
services.http.response.body:"murdoc_botnet"
services.http.response.body:"murdoc_botnet" and services.http.response.body:"$(echo -ne"
GreyNoise sensors have also documented aggressive exploit activity for both vulnerabilities.
Specifically, they have observed 17 distinct malicious IPs exploiting CVE-2024-7029 (targeting AVTECH cameras) and a staggering 37,796 IPs attempting to exploit CVE-2017-17215 (targeting Huawei HG532 routers).
Malicious activity for the Huawei flaw peaked on January 16, 2025, according to GreyNoise data.
Despite being end-of-life and discontinued, over 36,182 AVTECH cameras remain exposed on the internet, many potentially vulnerable to CVE-2024-7029.
These devices no longer receive security updates and should not be publicly accessible.
Organizations and individuals are urged to take immediate action to mitigate this threat.
Recommended steps include isolating such devices from external networks or replacing them with hardware that is actively supported and updated.
Failure to secure these devices leaves networks highly susceptible to exploitation in these increasingly sophisticated botnet campaigns.
Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar
The Interlock ransomware intrusion set has escalated its operations across North America and Europe with…
Researchers have successfully infiltrated the digital fortress of one of the most prolific ransomware groups,…
CISA announced an eleventh-hour contract extension with MITRE Corporation to maintain the Common Vulnerabilities and…
Hackers have launched sophisticated schemes designed to defraud investors and steal their financial data. Utilizing…
Cybercriminals are exploiting an AI-powered presentation tool called Gamma to launch a multi-stage attack aimed…
Automated traffic generated by bad bots has for the first time surpassed human activity, accounting…