{
	"id": "37849217-6ca0-418c-806a-5d6ca42ff4db",
	"created_at": "2026-04-06T00:08:39.324957Z",
	"updated_at": "2026-04-10T03:20:42.221052Z",
	"deleted_at": null,
	"sha1_hash": "258f147f85b45098976bc74b741b5be5e8adde9a",
	"title": "Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 538780,
	"plain_text": "Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability\r\nBy Cara Lin\r\nPublished: 2022-10-21 · Archived: 2026-04-05 23:13:18 UTC\r\nIn April, VMware patched CVE-2022-22954, a server-side template injection vulnerability caused by the lack of sanitization on the “deviceUdid” and “devicetype” parameters. It allows attackers to inject a payload and achieve remote code execution on VMware Workspace ONE Access and Identity Manager. FortiGuard Labs published a Threat Signal Report about it and also developed an IPS signature in April.\r\nWe have observed attacks in the wild since then. Most of the payloads focus on probing a victim’s sensitive data, for example passwords, the hosts file, etc. But in August, a few particular payloads caught our interest. They were intended to deploy Mirai, which targets exposed networking devices running Linux; RAR1Ransom, which leverages legitimate WinRAR to perform the encryption; and GuardMiner, a variant of XMRig used to “mine” Monero.\r\nIn this blog, we elaborate on how these malware families leveraged the VMware vulnerability and on their behavior after exploitation.\r\nAffected platforms: VMware Workspace ONE Access and Identity Manager\r\nImpacted parties: VMware users\r\nImpact: Attackers can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands\r\nSeverity level: Critical\r\nFigure 1 CVE-2022-22954 Activity\r\nMirai Variant\r\nThe complete payload from Mirai is shown in Figure 2: it enters the temp directory, downloads the Mirai variant from http[:]//107[.]189[.]8[.]21/pedalcheta/cutie[.]x86_64, then executes it with the parameter “VMware”.\r\nhttps://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability\r\nPage 1 of 13\n\nFigure 2 Attacking traffic capture\r\nFigure 3 Decoded command\r\nLike most Mirai botnets, this variant’s main jobs include 
deploying DoS and launching a brute force attack. We can decode part of the configuration after we XOR the data with 0x54, which reveals the C2 server “cnc[.]goodpackets[.]cc”. The decoded strings follow:\r\nFigure 4 Decoded configuration string\r\nWe also identified the brute force function with its encoded account and password strings:\r\nFigure 5 Functions for brute force attack\r\nThe decoded passwords are listed below; they are commonly used passwords and also some default credentials for well-known IoT devices:\r\nhikvision 1234 win1dows S2fGqNFs\r\nroot tsgoingon newsheen 12345\r\ndefault solokey neworange88888888 guest\r\nbin user neworang system\r\n059AnkJ telnetadmin tlJwpbo6 iwkb\r\n141388 123456 20150602 00000000\r\nadaptec 20080826 vstarcam2015 v2mprt\r\nAdministrator 1001chin vhd1206 support\r\nNULL xc3511 QwestM0dem 7ujMko0admin\r\nbbsd-client vizxv fidel123 dvr2580222\r\npar0t hg2x0 samsung t0talc0ntr0l4!\r\ncablecom hunt5759 epicrouter zlxx\r\npointofsale nflection admin@mimifi xmhdipc\r\nicatch99 password daemon netopia\r\n3com DOCSIS_APP hagpolm1 klv123\r\nOxhlwSG8\r\nAfter being executed, the variant shows the hardcoded string “InfectedNight did its job”, sends a heartbeat along with the parameter “VMware”, then waits for further commands from the C2 server. Below are the traffic sessions from the heartbeat and the brute force attack.\r\nFigure 6 Heartbeat traffic capture\r\nFigure 7 Brute force attack session\r\nInitialization Script for RAR1Ransom and GuardMiner\r\nAnother noticeable payload is from 67[.]205[.]145[.]142. 
It contains two sessions, each with different commands depending on the victim’s operating system. One leverages PowerShell to download “init.ps1”; the other uses curl, wget, and urlopen from the Python library to download “init.sh”.\r\nFigure 8 Attack traffic capture for Windows\r\nFigure 9 Attack traffic capture for Linux\r\nThe PowerShell script file “init.ps1” includes a few links to cloudflare-ipfs[.]com for further attack stages, and each file has its own backup link to crustwebsites[.]net.\r\nFigure 10 Download links in init.ps1\r\nThere are 7 files for initialization:\r\nphpupdate.exe: XMRig Monero mining software\r\nconfig.json: Configuration file for mining pools\r\nnetworkmanager.exe: Executable used to scan and spread infection\r\nphpguard.exe: Executable used as a guardian to keep the XMRig miner running\r\ninit.ps1: The script file itself, which sustains persistence by creating a scheduled task\r\nclean.bat: Script file to remove other cryptominers on the compromised host\r\nencrypt.exe: RAR1 ransomware\r\nFigure 11 \"start encrypt\" section in init.ps1\r\nIn the “start encrypt” section shown in Figure 11, it first checks for “flag_encrypt.flag” before launching RAR1Ransom. If the flag file exists and “encrypt.exe” was already downloaded before, it deletes “encrypt.exe” and goes to the next stage. Otherwise, it checks the file size to determine whether the file path should be updated. Finally, it executes the ransomware after the checking process. The details of RAR1 ransomware are elaborated in the next section.\r\nThen, the script starts the GuardMiner attack. GuardMiner is a cross-platform mining Trojan, which has been active since 2020, and FortiGuard Labs has a detailed report covering it. 
In this version, it also drops the script file “init.sh” for Linux systems.\r\nFigure 12 “init.sh” for Linux\r\nWe also noticed that GuardMiner updates “networkmanager.exe” with more recent vulnerabilities. From the name of each exploit module, it might collect the exploit list from the Chaitin Tech GitHub, which is intended for security testing purposes.\r\nFigure 13 rdata section contains vulnerability list in networkmanager.exe\r\nWe extracted the complete vulnerability list below:\r\neyou-email-system-rce maccms-rce\r\nthinkphp5-controller-rce seacms-rce\r\nterramaster-tos-rce-cve-2020-28188 spon-ip-intercom-ping-rce\r\nthinkphp5023-method-rce yonyou-grp-u8-sqli-to-rce\r\nyccms-rce gitlist-rce-cve-2018-1000533\r\nphpunit-cve-2017-9841-rce pandorafms-cve-2019-20224-rce\r\nyonyou-nc-bsh-servlet-bshservlet-rce CVE-2022-22947-spring-clond-Gateway-RCE\r\nCVE-2022-22954-VMware-RCE amtt-hiboss-server-ping-rce\r\ninspur-tscev4-cve-2020-21224-rce dlink-dsl-2888a-rce\r\nphpstudy-backdoor-rce Confluence-CVE-2022-26134\r\nseacms-before-v992-rce apache-flink-upload-rce\r\ndedecms-cve-2018-7700-rce solr-velocity-template-rce\r\nwebmin-cve-2019-15107-rce jumpserver-unauth-rce\r\nHotel-Internet-Manage-RCE drupal-cve-2018-7600-rce\r\nseacms-v654-rce S2-045-rce\r\ntamronos-iptv-rce ecshop-rce\r\nsatellian-cve-2020-7980-rce opentsdb-cve-2020-35476-rce\r\nzeroshell-cve-2019-12725-rce struts2-062-cve-2021-31805-rce\r\ndlink-cve-2019-16920-rce h3c-imc-rce\r\nRAR1Ransom\r\nRAR1Ransom drops “rar.exe”, the legitimate WinRAR software, in the C:/Windows/Temp folder to compress a victim’s files with a password. 
It uses several default options in WinRAR to complete the encryption efficiently; we can locate these processes in Process Explorer in Figure 14.\r\nFigure 14 Processes while RAR1Ransom encrypted files\r\nThe whole command is below. The options “df” and “m0” mean delete files after adding them to the archive, without compression; “mt10” means it will use ten threads; and “ep” means exclude the path from the name. The “hp” option encrypts both file data and headers with the password.\r\nC:/Windows/Temp/rar.exe a -df -m0 -mt10 -ep -hpVbDsLHSfbomQiQ6YuP7m1ZaNP0LQqYpzrkjwvuNSjsnQlicOxNPi0iKzKeQO1Besbpbx1iKWNeOfFQDEw8qaoAGmN1Nx9i0vbU \"C:/Python27/Lib/json/MVXGG33EMVZC44DZ.rar1\" \"C:/Python27/Lib/json/MVXGG33EMVZC44DZ\"\r\nRAR1Ransom targets a compromised victim’s files with the particular extensions shown in Figure 15.\r\nFigure 15 Target file extension\r\nAll the encrypted files have a unique filename and the “.rar1” extension, and it drops a text file “READ_TO_DECRYPT.txt” in the same folder with the message in Figure 17.\r\nFigure 16 Encrypted files\r\nFigure 17 Ransom note\r\nThe wallet string in the ransom note is identical to the one in the miner’s configuration shown in Figure 17. We can tell the attacker intends to utilize a victim’s resources as much as possible, not only installing RAR1Ransom for extortion but also spreading GuardMiner to collect cryptocurrency.\r\nFigure 18 Configuration “config.json” for GuardMiner\r\nConclusion\r\nAlthough the critical vulnerability CVE-2022-22954 was already patched in April, there are still multiple malware campaigns trying to exploit it. Users should always keep systems updated and patched and be aware of any suspicious process in their environment. 
These Mirai variants, RAR1Ransom, and GuardMiner are not extremely complicated samples, but their methods are always changing and evolving. FortiGuard Labs will continue to monitor and provide the latest updates.\r\nFortinet Protections\r\nFortinet released the IPS signature VMware.Workspace.ONE.Access.Catalog.Remote.Code.Execution for CVE-2022-22954 to proactively protect our customers. The signature was officially released in IPS definition version 20.297.\r\nThe scripts and malware are detected and blocked by FortiGuard Antivirus and FortiEDR services:\r\nAdware/Miner\r\nW32/PossibleThreat\r\nRiskware/Agent\r\nBASH/CoinMiner.RZ!tr\r\nPowerShell/CoinMiner.BW!tr\r\nELF/GuardMiner.A!tr\r\nW64/GuardMiner.A!tr\r\nBAT/Cleaner.CC41!tr\r\nIOCs\r\nSHA256:\r\nLearn more about Fortinet’s FortiGuard Labs threat research and global intelligence organization and Fortinet’s FortiGuard AI-powered Security Services portfolio. 
Sign up to receive our threat research blogs.\r\nSource: https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability"
	],
	"report_names": [
		"multiple-malware-campaigns-target-vmware-vulnerability"
	],
	"threat_actors": [],
	"ts_created_at": 1775434119,
	"ts_updated_at": 1775791242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/258f147f85b45098976bc74b741b5be5e8adde9a.pdf",
		"text": "https://archive.orkl.eu/258f147f85b45098976bc74b741b5be5e8adde9a.txt",
		"img": "https://archive.orkl.eu/258f147f85b45098976bc74b741b5be5e8adde9a.jpg"
	}
}