{
	"id": "0dcff5d5-25b9-49e9-af0e-d14e23c2e835",
	"created_at": "2026-04-06T00:16:16.662769Z",
	"updated_at": "2026-04-10T13:11:28.157883Z",
	"deleted_at": null,
	"sha1_hash": "1c4a240f7c2633d2a63ddfa6f8a749aa7e901f04",
	"title": "Mirai-based Botnet - Moobot Targets Hikvision Vulnerability | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4131709,
	"plain_text": "Mirai-based Botnet - Moobot Targets Hikvision Vulnerability | FortiGuard Labs\r\nBy Cara Lin\r\nPublished: 2021-12-06 · Archived: 2026-04-05 14:24:16 UTC\r\nLast September 18th, a threat researcher released a write-up about a remote code execution vulnerability that affects various products from Hikvision, one of the largest video surveillance brands in the world. Hikvision is a CVE CNA and quickly assigned the CVE number CVE-2021-36260, and it released a patch for the vulnerability on the same day as the threat researcher’s disclosure. Shortly after, FortiGuard Labs developed an IPS signature to address it.\r\nDuring our analysis, we observed numerous payloads attempting to leverage this vulnerability to probe the status of devices or extract sensitive data from victims. One payload in particular caught our attention. It tries to drop a downloader that exhibits infection behavior and that also executes Moobot, a DDoS botnet based on Mirai. In this blog we explain how an attacker delivers this payload through the Hikvision vulnerability, along with details of the botnet.\r\nAffected platforms: Hikvision products\r\nImpacted parties: IP Cam/NVR\r\nImpact: An attacker can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands to the web server\r\nSeverity: Critical\r\nStage 0 – Exploitation and Propagation\r\nCVE-2021-36260 results from insufficient input validation, allowing unauthenticated users to inject malicious content into a \u003clanguage\u003e tag to trigger a command injection attack on a Hikvision product. Below is an example of a request leveraging this exploit:\r\nhttps://www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability\r\nPage 1 of 10\n\nFigure 1. Exploit traffic of CVE-2021-36260\r\nWe collected a number of payloads leveraging this vulnerability, and eventually found a downloader. 
After tracing the traffic capture, the complete payload is shown in the following figure:\r\nFigure 2. Payload from CVE-2021-36260\r\nBecause the final Moobot will be saved as “macHelper,” the payload first tries to remove any file already named “macHelper.” It then echoes code into “downloader,” which is a small ELF 32-bit LSB ARM file. After downloader completes downloading, it executes Moobot with the parameter “hikivision”. Finally, it changes commonly used commands, such as “reboot,” to prevent an administrator from invoking reboot on the affected device.\r\nStage 1 – Downloader\r\nThe attacker leverages this vulnerability to drop a downloader (SHA256: 1DCE6F3BA4A8D355DF21A17584C514697EE0C37B51AB5657BC5B3A297B65955F). It has only one job: download the main botnet. It downloads the malware with the “/arm5” URI from server 199.195.250[.]233:80 and prints “RAY” if the downloading process was successful. The following image shows the disassembled code:\r\nFigure 3. Downloader\r\nFrom the IP address we not only get the Moobot variants for different architectures, we also get the historic malware from directory “/h/”.\r\nFigure 4. Sample list from downloader’s IP\r\nStage 2 – Moobot\r\nBased on our analysis, the malware (SHA256: 38414BB5850A7076F4B33BF81BAC9DB0376A4DF188355FAC39D80193D7C7F557) downloaded in the previous stage is Moobot, which is Mirai-based. Its most obvious feature is that it contains the data string “w5q6he3dbrsgmclkiu4to18npavj702f”, which is used in the “rand_alphastr” function. 
It is used to create random alphanumeric strings for different purposes, such as a process name during setup or data generated for attacks.\r\nFigure 5. Alphanumeric string function from Moobot\r\nIt also has some elements from Satori, which is another Mirai variant botnet. It contains a “downloader” that targets a victim’s IoT devices, and it prints a “9xsspnvgc8aj5pi7m28p” string after execution. This variant also forks itself with the process name “/usr/sbin*” to try to look like a normal process while wiping out the original file, “macHelper”.\r\nFigure 6. Code snippet from Moobot\r\nSince it is based on Mirai, the botnet also contains a data section to store its configuration. The plaintext configuration can be decoded after XOR with 0x22:\r\nFigure 7. Decoded data containing configuration\r\nAfter getting the C2 server (life.zerobytes[.]cc) from its configuration, it starts sending heartbeat (\\x00\\x00) packets and then waits for the next control command from the C2 server. Once the victim system receives the command, it starts a DDoS attack against a specific IP address and port number. One example of the DDoS attack traffic is shown below:\r\nFigure 8. SYN flood\r\nThe DDoS attack command is 24 bytes and can be seen in the Data section in Figure 8. This detail is illustrated in the following figure, which includes the flood method and the target IP/Port. Besides SYN flood, the C2 server has other attack commands, such as 0x06 for UDP flood, 0x04 for ACK flood, and 0x05 for ACK+PUSH flood.\r\nFigure 9. 
Command\r\nThe complete attack scenario, from trying to infect a Hikvision product to deploying Moobot, is shown in Figure 10:\r\nFigure 10. Attack scenario\r\nBased on the packet capture from our machine in Figure 11, we also noticed a DDoS service provider. We tracked down a Telegram channel named “tianrian,” which provides a DDoS service. They use a specific string, “openmeokbye”, in their login interface, shown in Figure 12. This channel was created on June 11, 2021, and started its service in August. From the chat channel we can see that the service is still updating. Users should always look out for DDoS attacks and apply patches to vulnerable devices.\r\nFigure 11. Traffic capture from infected machine\r\nFigure 12. Telegram channel\r\nConclusion\r\nHikvision is one of the biggest providers of IP cam/NVR products in the global market. CVE-2021-36260 is a critical vulnerability that makes Hikvision products a target for Moobot. In this blog we showed how an attacker can leverage CVE-2021-36260 and elaborated in detail on each stage of the process.\r\nAlthough a patch has been released to address this vulnerability, this IoT botnet will never stop looking for a vulnerable endpoint. Because of this, users should upgrade affected devices immediately as well as apply FortiGuard protection.\r\nFortinet Protections\r\nFortinet released IPS signature Hikvision.Product.SDK.WebLanguage.Tag.Command.Injection for CVE-2021-36260 to proactively protect our customers. 
The signature is officially released in IPS definition version 18.192.\r\nThe downloader and all related malware from that site are detected and blocked by FortiGuard AntiVirus:\r\nELF/Mirai.AE!tr\r\nELF/Mirai.BO!tr\r\nELF/Mirai.D!tr\r\nELF/Mirai.AYU!tr\r\nELF/Mirai.WJ!tr\r\nLinux/Mirai.WJ!tr\r\nBoth the downloading URL and C2 server have been rated as \"Malicious Websites\" by the FortiGuard Web Filtering service.\r\nIOCs\r\nSHA256:\r\n1DCE6F3BA4A8D355DF21A17584C514697EE0C37B51AB5657BC5B3A297B65955F\r\n38414BB5850A7076F4B33BF81BAC9DB0376A4DF188355FAC39D80193D7C7F557\r\nSource: https://www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability"
	],
	"report_names": [
		"mirai-based-botnet-moobot-targets-hikvision-vulnerability"
	],
	"threat_actors": [],
	"ts_created_at": 1775434576,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1c4a240f7c2633d2a63ddfa6f8a749aa7e901f04.pdf",
		"text": "https://archive.orkl.eu/1c4a240f7c2633d2a63ddfa6f8a749aa7e901f04.txt",
		"img": "https://archive.orkl.eu/1c4a240f7c2633d2a63ddfa6f8a749aa7e901f04.jpg"
	}
}