{
	"id": "d8522a77-7431-47bf-9238-cc4c5d3cef81",
	"created_at": "2026-04-06T00:06:52.548026Z",
	"updated_at": "2026-04-10T13:11:36.32673Z",
	"deleted_at": null,
	"sha1_hash": "1de83a6952186a412e72e768b3f617f105e1d8e8",
	"title": "Muhstik Botnet Exploits Highly Critical Drupal Bug",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 216056,
	"plain_text": "Muhstik Botnet Exploits Highly Critical Drupal Bug\r\nBy Lindsey O'Donnell\r\nPublished: 2018-04-23 · Archived: 2026-04-02 11:45:05 UTC\r\nA botnet has exploited a highly critical Drupal CMS vulnerability, which was previously disclosed by Drupal in March.\r\nResearchers are warning that a recently discovered, highly critical vulnerability in Drupal’s CMS platform is now being actively exploited by attackers, who are using it to install cryptocurrency miners and to launch DDoS attacks from compromised systems. At the time of the disclosure last month, researchers said they were not aware of any public exploits.\r\nNow Netlab 360 researchers say they have identified a botnet, dubbed Muhstik, that is taking advantage of the Drupal bug. They said multiple scans of infected Drupal instances reveal attackers are exploiting the vulnerability by accessing a URL and then injecting exploit code. The technique allows adversaries to execute commands on targeted servers running Drupal.\r\nThe Muhstik botnet exploits the Drupal vulnerability CVE-2018-7600, which affects versions 6, 7 and 8 of Drupal’s CMS platform. “This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,” warned MITRE’s Common Vulnerabilities and Exposures bulletin on March 28.\r\nDrupal, which also released a patch for the vulnerability in March, warned that over one million sites running Drupal are impacted. Unprivileged and untrusted attackers could also modify or delete data hosted on affected CMS platforms, Drupal said.\r\nAfter further investigation, Netlab researchers said they believe at least three groups of malware are exploiting the vulnerability.\r\n“We noticed one of them has worm-propagation behavior. After investigation, we believe this botnet has been active for quite a time. We name it Muhstik, for this keyword keeps popping up in its binary file name and the communication IRC channel,” wrote Netlab 360 researchers.\r\nAccording to Netlab, Muhstik is a variant of Tsunami, a malware strain that creates botnets from infected Linux servers and Linux-based IoT devices.\r\nMuhstik has the capability to install two coinminers: XMRig, which mines Monero (XMR), and CGMiner, which it uses to mine the open-source, peer-to-peer Dash cryptocurrency, according to Netlab.\r\nResearchers say the botnet uses the open-source XMRig utility to mine cryptocurrency with a self-built mining pool (47.135.208.145:4871). Meanwhile, it uses the popular mining software CGMiner to mine coins with multiple mining tools (under the username reborn.D3), they said.\r\nIn addition, Netlab researchers said they intercepted multiple DDoS attack instructions targeting the IP address 46[.]243[.]189[.]102.\r\nMuhstik relies on 11 command-and-control domains and IP addresses, and the attackers also use the IRC protocol to issue commands to the botnet. “We observed multiple IRC Channels, all starting with ‘muhstik,’” said Netlab researchers in a report. “At present, we can not confirm which specific channels are open on which C2 server. This is due to the characteristics of the IRC protocol itself. Only when we receive a communication instruction from the corresponding channel can we confirm it’s present.”\r\nMuhstik also has the capability to scan for vulnerable server applications using the aiox86 scanning module. This module “scans TCP port 80, 8080, 7001, 2004, and tries varieties of different payloads on each port,” according to Netlab.\r\nGreyNoise Intelligence said in a tweet that it detected the botnet exploiting a vulnerability (CVE-2017-10271) in Oracle WebLogic Server as well, indicating that Muhstik is exploiting vulnerabilities in other server applications.\r\nTroy Mursch, founder of Bad Packets Report, told Threatpost that given the criticality of the exploit and the repercussions once it is used, “the race is on to find vulnerable Drupal installations.”\r\n“I recommend affected users update to Drupal 7.58 or 8.5.1 as soon as possible. To note as well, updating to the patched version doesn’t retroactively ‘unhack’ your site. I recommend website operators check their installation (server) for any of the IoCs mentioned in the 360 Netlab report after completing the update,” he said.\r\nSource: https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/"
	],
	"report_names": [
		"131360"
	],
	"threat_actors": [],
	"ts_created_at": 1775434012,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1de83a6952186a412e72e768b3f617f105e1d8e8.pdf",
		"text": "https://archive.orkl.eu/1de83a6952186a412e72e768b3f617f105e1d8e8.txt",
		"img": "https://archive.orkl.eu/1de83a6952186a412e72e768b3f617f105e1d8e8.jpg"
	}
}
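The two checks Troy Mursch recommends in the article above (update to Drupal 7.58 / 8.5.1, then look for signs that the site was hit before the update) can be scripted. The following is an added example, not code from the Threatpost article, from Netlab or from the Drupal project. It assumes combined-format web server access logs, and the request indicators it looks for are the publicly documented CVE-2018-7600 Form API injection pattern (a render-array key such as `#post_render` smuggled in through `element_parents` or a query-string array), which the article only describes as "accessing a URL and then injecting exploit code". The sample log lines are constructed.

```python
"""Added example, not code from the Threatpost article or from Netlab.

Two checks that follow the advice quoted in the article: confirm the Drupal
core version is at or above the fixed releases named there (7.58 / 8.5.1), and
search web-server access logs for requests shaped like CVE-2018-7600
exploitation attempts. The request indicators are the publicly documented
Drupalgeddon2 Form API injection pattern; treating them as the thing to look
for is an assumption of this example, not something the article states.
"""
import re
from urllib.parse import unquote

# Fixed releases named in the article for CVE-2018-7600. Drupal 6 is
# end-of-life and never reaches a fixed release, so it is never "patched".
FIXED_RELEASES = {7: (7, 58), 8: (8, 5, 1)}

# Render-array keys an attacker injects to reach code execution (public pattern).
RENDER_KEYS = ("#post_render", "#lazy_builder", "#pre_render",
               "#access_callback", "#markup")

# Combined log format, just enough of it to pull out client IP and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_patched(version):
    """True if a Drupal core version string is at or after the fixed release."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if not parts or parts[0] not in FIXED_RELEASES:
        return False
    fixed = FIXED_RELEASES[parts[0]]
    padded = parts + (0,) * (len(fixed) - len(parts))  # "8.5" -> (8, 5, 0)
    return padded[:len(fixed)] >= fixed


def classify_request(target):
    """Return the indicator names found in a (possibly URL-encoded) request target."""
    decoded = unquote(target)  # %23 -> '#', %5B -> '['
    hits = []
    # Drupal 8 shape: element_parents=account/mail/#value&ajax_form=1
    if "element_parents=" in decoded:
        value = decoded.split("element_parents=", 1)[1].split("&", 1)[0]
        if "#" in value:
            hits.append("element_parents-render-key")
    # Drupal 7 shape: ?q=user/password&name[#post_render][]=passthru&...
    for key in RENDER_KEYS:
        if "[" + key + "]" in decoded:
            hits.append(key)
    return hits


def scan_log(lines):
    """Return (ip, target, indicators) for each line that looks like an attempt."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m["target"])
        if hits:
            findings.append((m["ip"], m["target"], hits))
    return findings


# Constructed sample log lines (not real traffic): two benign requests, one
# Drupal 8 style attempt, one Drupal 7 style attempt, one benign AJAX request
# that uses element_parents legitimately and must not be flagged.
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Apr/2018:09:58:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Apr/2018:09:58:12 +0000] "POST /user/login HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/Apr/2018:10:01:02 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 1234 "-" "python-requests/2.18"',
    '203.0.113.9 - - [23/Apr/2018:10:03:40 +0000] "POST /?q=user/password&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23type%5D=markup&name%5B%23markup%5D=id HTTP/1.1" 200 833 "-" "curl/7.58.0"',
    '198.51.100.8 - - [23/Apr/2018:10:05:00 +0000] "GET /node/1?element_parents=field_tags&ajax_form=1 HTTP/1.1" 200 910 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for v in ("7.57", "7.58", "8.5.0", "8.5.1", "6.38"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(ip, hits, target)
```

Only the query string is visible in an access log, so a request that carries the injected render array purely in the POST body will not match; for those, the post-update IoC check Mursch recommends (binaries, mining-pool connections and IRC traffic from the Netlab report) is the remaining evidence, and a version check alone says nothing about whether the site was compromised before it was patched.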