{
	"id": "fb76671a-e3be-40d5-b8a5-c66827dd3ad7",
	"created_at": "2026-04-06T01:30:33.059758Z",
	"updated_at": "2026-04-10T03:20:23.717517Z",
	"deleted_at": null,
	"sha1_hash": "2a738ae0cc7ee266cca1aec244dfcc8a4f7a4a3c",
	"title": "Mirai_ptea Botnet is Exploiting Undisclosed KGUARD DVR Vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1177238,
	"plain_text": "Mirai_ptea Botnet is Exploiting Undisclosed KGUARD DVR\r\nVulnerability\r\nBy Hui Wang\r\nPublished: 2021-07-01 · Archived: 2026-04-06 00:18:33 UTC\r\nOverview\r\nOn 2021-06-22 we detected a sample of a mirai variant that we named mirai_ptea propagating through a new\r\nvulnerability targeting KGUARD DVR. Coincidentally, a day later, on June 23, we received an inquiry from the\r\nsecurity community asking if we had seen a new DDoS botnet. After cross-referencing some data, we found it was\r\nexactly the botnet that we had just discovered.\r\nTimeline\r\n2021-03-22 Our historical data indicates the first probe against this vulnerability\r\n2021-06-22 We observed the mirai_ptea sample exploiting this vulnerability to spread\r\n2021-06-23 We got a tip from the security community that this botnet was being used for ongoing DDoS\r\nattacks.\r\n2021-06-25 mirai_aurora, another mirai variant, starts to use this vulnerability to propagate\r\nVulnerability analysis\r\nGiven that we have not found public information on this vulnerability, we will hide some of the key information\r\nhere to prevent the vulnerability from being further abused.\r\nOne program in the KGUARD DVR firmware listens on port ***** at 0.0.0.0 and executes system commands\r\nreceived remotely without authentication. Firmware released after 2017 seems to have fixed this by changing the\r\nlistening address to 127.0.0.1. Some of the exploited payloads are as follows.\r\nAnalysis of affected devices\r\nWe have found that at least 3,000 or so online devices still have the vulnerability. 
The affected devices are as\r\nfollows:\r\nhttps://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/\r\nPage 1 of 17\n\nDeviceType ProductType HardVersion DefDeviceName\r\nD1004NR DVR4-1600 DM-268A DVR4-1600\r\nD1004NR HY-DVR DM-268 720P-HY04N\r\nD1004NR HY-DVR DM-268A 720P-HY04N\r\nD1004NR HY-DVR DM-274 720P-HY04N\r\nD1004NR HY-DVR DM-274B 720P-HY04N\r\nD1004NR NHDR DM-274 NHDR-3204AHD\r\nD1004NR RL-AHD4n DM-268 720P-HY04N\r\nD1008NR 1093/508N-DVRBM08H DM-292 720P-HY08N\r\nD1008NR DVR8-1600 DM-298 DVR8-1600\r\nD1008NR DVR8-HDA10L DM-292 DVR8-HDA10L\r\nD1008NR HD881 DM-292 HD881\r\nD1008NR HY-DVR DM-292 720P-HY08N\r\nD1008NR HY-DVR DM-298 720P-HY08N\r\nD1008NR NHDR DM-298 NHDR-3208AHD\r\nD1008NR RL-AHD8n DM-292 720P-HY08N\r\nD1016NR DVR16-HDA10L DM-303 DVR16-HDA10L\r\nD1016NR HD1681 DM-303 HD1681\r\nD1016NR HY-DVR DM-303A 720P-HY16N\r\nD1016NR HY-DVR DM-310 720P-HY16N\r\nD1016NR HY-DVR DM-310A 720P-HY16N\r\nD1016NR NHDR DM-310 NHDR-3216AHD\r\nD1016NR RL-MHD16n(21A) DM-310A 720P-HY16N\r\nD1104 HY-DVR DM-290A 1080P-HY04\r\nD1104 NHDR DM-307 NHDR-5304AHD\r\nD1104NR HD1T4 DM-291A 1080P-04\r\nD1104NR HD481 DM-291 HD481\r\nD1104NR HRD-E430L DM-291A HRD-E430L\r\nD1104NR HY-DVR DM-284 1080P-HY04N\r\nD1104NR HY-DVR DM-291 \"Panda\r\nD1104NR HY-DVR DM-291 1080P-HY04N\r\nD1104NR HY-DVR DM-291A 1080P-HY04N\r\nD1104NR HY-DVR DM-291C LRA3040N\r\nD1104NR NHDR DM-307 NHDR-5104AHD\r\nD1104NR SDR-B73303 DM-291A SDR-B73303\r\nD1104NR SVR9204H DM-291A 1080P-HY04N\r\nD1108NR 1093/538P DM-290 1080P-HY08N\r\nD1108NR DVR8-4575 DM-290 DVR8-4575\r\nD1108NR DVR8-HDA10P DM-290 DVR8-HDA10P\r\nD1108NR HRD-E830L DM-290A HRD-E830L\r\nD1108NR HY-DVR DM-290 1080P-HY08N\r\nD1108NR HY-DVR DM-290A 1080P-HY08N\r\nD1108NR HY-DVR DM-290A LRA3080N\r\nD1108NR NHDR DM-307 NHDR-5108AHD\r\nD1108NR 
RL-AHD8p DM-290 1080P-HY08N\r\nD1108NR SDR-B74301 DM-290A SDR-B74301\r\nD1108NR SDR-B74303 DM-290A SDR-B74303\r\nD1116 HY-DVR DM-300 EHR-5164\r\nD1116NR HRD-E1630L DM-295 HRD-E1630L\r\nD1116NR HY-DVR DM-295 1080P-HY16N\r\nD1116NR HY-DVR DM-295 LRA3160N\r\nD1116NR HY-DVR DM-299 1080P-HY16N\r\nD1116NR SDR-B75303 DM-295 SDR-B75303\r\nD1132NR HY-DVR DM-300 1080P-HY32\r\nD2116NR SDR-B85300 DM-300 SDR-B85300\r\nD973215U F9-DVR32 DM-195 F9-DVR32\r\nD9804AHD DVR DM-210 391115\r\nD9804NAHD AHD7-DVR4 DM-239 AHD7-DVR4\r\nD9804NAHD DVR DM-239 720P-DVR04ND\r\nD9804NAHD NHDR DM-239 NHDR-3104AHD-II\r\nD9808NRAHD AHD7-DVR8 DM-228 AHD7-DVR8\r\nD9808NRAHD DVR DM-228\r\nD9808NRAHD DVR DM-228 391116\r\nD9808NRAHD NHDR DM-228 NHDR-3108AHD-II\r\nD9808NRAHD NHDR DM-228 NHDR3108AHDII\r\nD9816NAHD DVR DM-233 720P-DVR016N\r\nD9816NAHD NHDR DM-233 NHDR3116AHDII\r\nD9816NRAHD AHD7-DVR16 DM-229 AHD7-DVR16\r\nD9816NRAHD DVR DM-229 720P-DVR016NB\r\nD9904 D9904 DM-237 1080P-DVR04\r\nD9904 DVR DM-237 1080P-DVR04\r\nD9904 NHDR DM-237 NHDR-5204AHD\r\nD9904NR DVR DM-244 1080P-DVR04N\r\nD9904NR DVR DM-244 BCS-VAVR0401M\r\nD9904NR HY-DVR DM-244 CVD-AF04S\r\nD9904NR N420 DM-244 1080P-DVR04N\r\nD9904NR NHDR DM-244 NHDR-5004AHD-II\r\nD9904NR NHDR DM-244 NHDR5004AHDII\r\nD9908 DVR DM-245 BCS-VAVR0802Q\r\nD9908 NHDR DM-245 NHDR-5208AHD\r\nD9908AHD DVR DM-246 1080P-DVR08A\r\nD9908NR AHD10-DVR8 DM-237 AHD10-DVR8\r\nD9908NR DVR DM-237 1080P-DVR08N\r\nD9908NR DVR DM-237 SVR9008ATHD/C\r\nD9908NR HY-DVR DM-237 CVD-AF08S\r\nD9908NR N820 DM-237 1080P-DVR08N\r\nD9908NR NHDR DM-237 NHDR-5008AHD-II\r\nD9916NR DVR DM-245 1080P-DVR016NAT;UI\r\nD9916NR DVR DM-245 
HR-31-211620;UI\r\nD9916NR HY-DVR DM-245 CVD-AF16S\r\nD9916NR NHDR DM-245 NHDR-5016AHD-II\r\nD9916NRAHD DVR DM-246 1080P-DVR016NA\r\nD9916NRAHD N1620 DM-246 1080P-DVR016NA\r\nH1104W SNR-73200W DM-339 SNR-73200W\r\nH1106W LHB806 DM-291B LHB806\r\nH1106W LHB906 DM-291B LHB906\r\nBot scale analysis\r\nWe are able to see a portion of the infected bots; the following is the daily active trend:\r\nThe geographic distribution of Bot source IPs is as follows, mainly concentrated in the United States, Korea and\r\nBrazil:\r\nSample Analysis\r\nLet’s take a look at the following samples\r\nVerdict:mirai_ptea\r\nMD5:c6ef442bc804fc5290d3617056492d4b\r\nELF 32-bit LSB executable, ARM, version 1, statically linked, stripped\r\nPacker:No\r\nLib:uclibc\r\nc6ef442bc804fc5290d3617056492d4b is a variant of Mirai, which we call Mirai_ptea based on its use of Tor\r\nProxy to communicate with C2 and the TEA algorithm (Tiny Encryption Algorithm) to hide sensitive resource\r\ninformation. When ptea runs, it prints to the console: come at me krebs rimasuta go BRRT .\r\nThis sample is very similar to Mirai at the host behavior level, so we will not cover it here. At the network traffic\r\nlevel, a Tor proxy is used, with a large number of proxy nodes embedded in the sample, and the Tor C2 is encrypted. In\r\nthe following section we will focus on the encryption method and communication protocol.\r\nEncryption algorithm\r\nMirai_ptea encrypts all sensitive resource information and stores it in a certain order. 
The string information\r\nseen when the sample is opened in IDA is shown below, with almost no readable information.\r\nThe following code snippet is from the decryption-related functions in the sample, which can be determined to use\r\nthe TEA algorithm by the constants 0xC6EF3720 \u0026 0x61C88647.\r\nThe key is:\r\n0xC26F6A52 0x24AA0006 0x8E1BF2C5 0x4BA51F8C\r\nWe wrote a decryption script (see appendix), through which we can obtain all the decrypted sensitive resources\r\nand their table entry information; part of the resource information is shown below.\r\nMirai_ptea has two modes of operation when using encrypted resources:\r\nThe traditional Mirai way: decrypt an encrypted item, take the value, then re-encrypt the decrypted item, i.e.\r\nvar_unlock--\u003evar_get--\u003evar_lock. For example, the console message is obtained this way.\r\nThe value of table entry 0x11 is exactly: come at me krebs rimasuta go BRRT .\r\nMirai_ptea’s way: decrypt multiple encrypted items, take the values, and re-encrypt the decrypted items,\r\ni.e. rangeVar_unlock--\u003evar_get--\u003erangeVar_lock. 
For example, this method is used when getting the\r\ndisguised process name.\r\nThe values of the table entries 0x2c to 0x2c+10 shown below are the exact 11 pseudo-process names that can be\r\nchosen.\r\nindex 0x2c, value = /bin/sh\r\nindex 0x2d, value = telnetd\r\nindex 0x2e, value = upnpc-static\r\nindex 0x2f, value = wsdd\r\nindex 0x30, value = proftpd\r\nindex 0x31, value = mini_httpd\r\nindex 0x32, value = udevd\r\nindex 0x33, value = /sbin/udhcpc\r\nindex 0x34, value = boa\r\nindex 0x35, value = /usr/sbin/inetd\r\nindex 0x36, value = dnsmasq\r\nCommunication Protocol\r\nAn overview of the network traffic in Mirai_ptea is provided below.\r\nThe whole process can be divided into 3 steps as follows.\r\n1: Establishing a connection with the proxy node\r\n2: Establishing a connection with Tor C2\r\n3: Communicating with C2 via ptea's custom protocol to receive attack commands from C2.\r\n0x1. Establishing a connection with the proxy\r\nThe Mirai_ptea sample has two sets of proxies built into it, with table entries 0x2a and 0x2b in the encrypted\r\nresource. When the Bot sample runs, one of the two sets of proxies is selected at random, and then a connection is\r\nmade to one proxy node of the selected set by the following code snippet.\r\nThere are 38 proxy nodes in 0x2a in the format of ip:port\r\nAnd there are 334 proxy nodes in 0x2b, in the format of ip, and the port of this group of proxies is fixed at\r\n9050.\r\nSee the appendix for a detailed list of proxies.\r\n0x2. 
Connecting to C2 via the Tor-Proxy protocol\r\nThe C2 is stored at table entry 0xD in the encrypted resource; decrypting it gives the following\r\nstring.\r\nrkz2f5u57cvs3kdt6amdku2uhly2esj7m2336dttvcygloivcgsmxjjnuickasbuatxajrovi4lvd2zjuejivzrb3vobuoezbc6z3gtu6b3r5tc\r\nExcluding the .onion at the end of the above string and splitting it by length 16, then splicing it with the\r\n.onion string at the end, we get the following 7 C2s.\r\nrkz2f5u57cvs3kdt.onion\r\n6amdku2uhly2esj7.onion\r\nm2336dttvcygloiv.onion\r\ncgsmxjjnuickasbu.onion\r\natxajrovi4lvd2zj.onion\r\nuejivzrb3vobuoez.onion\r\nbc6z3gtu6b3r5tce.onion\r\n0x3. Communicating with the C2s via custom protocols for registration, heartbeat, and attack as\r\nfollows\r\nRegistration\r\nmsg parsing\r\n----------------------------------------------------------------\r\n3e c7 e3 1e 37 47 61 20 -----\u003ehardcoded msg from Bot\r\nb1 2f de ce cb 89 e1 a0 -----\u003ecmd from C2,ask Bot to upload info\r\n3a 31 34 b5 02 00 -----\u003ehardcoded 6 bytes msg from Bot\r\nb4 a3 e1 16 -----\u003eip of infected de\r\n04 -----\u003egroup st\r\n74 65 73 74 -----\u003egroup string\r\n79 -----\u003epadding\r\nHeartbeat\r\nmsg parsing\r\n----------------------------------------------------------------\r\n2a 23 -----\u003e random 2 bytes msg from Bot\r\n2a 23 -----\u003e random 2 bytes msg from C2\r\nAttack command\r\nThe first 4 bytes of the attack command, AD AF FE 7F, are fixed phantom numbers, and\r\nthe rest of the attack command is similar to mirai's attack command format\r\n00000000: AD AF FE 7F 1E 00 00 00 00 01 B9 98 42 65 20 00 ............Be .\r\n00000010: 42 65 20 00\r\nDDoS attack activity\r\nThis botnet has been busy launching DDoS attacks; the following figure shows 
some DDoS attack instructions of\r\nthe botnet that we observed.\r\nReaders are always welcome to reach us on Twitter or by email at netlabat[at]360.cn.\r\nIoC\r\nTor-C2\r\nbc6z3gtu6b3r5tce.onion:3742\r\ncgsmxjjnuickasbu.onion:992\r\nuejivzrb3vobuoez.onion:5353\r\nrkz2f5u57cvs3kdt.onion:280\r\natxajrovi4lvd2zj.onion:110\r\n6amdku2uhly2esj7.onion:513\r\nm2336dttvcygloiv.onion:666\r\nSample MD5\r\nc6ef442bc804fc5290d3617056492d4b\r\nf849fdd79d433e2828473f258ffddaab\r\nDownloader URL\r\nhttp://193[.177.182.221/boot\r\nScanner IP\r\n205.185.117.21 AS53667|FranTech_Solutions United_States|Nevada|Las_Vegas\r\n205.185.114.55 AS53667|FranTech_Solutions United_States|Nevada|Las_Vegas\r\n68.183.109.6 AS14061|DigitalOcean,_LLC United_States|New_York|New_York_City\r\n67.205.163.141 AS14061|DigitalOcean,_LLC United_States|New_York|New_York_City\r\n165.227.88.215 AS14061|DigitalOcean,_LLC United_States|New_York|New_York_City\r\nProxies\r\n---------proxys at index 0x2a, count=38---------\r\n---------proxys at index 0x2b, count=334, port=9050---------\r\nToo many to list here; you can get them via the IDA script\r\nAppendix (IDA Decrypt script)\r\n# IDAPYTHON SCRIPT for md5 c6ef442bc804fc5290d3617056492d4b only.\r\n# Tested at ida 7.0\r\nfrom ctypes import *\r\nimport struct\r\nimport idc\r\nprint \"-------------------decryption start------------------------\"\r\n# 128-bit TEA key recovered from the sample\r\nkey=[0xC26F6A52,0x24AA0006,0x8E1BF2C5,0x4BA51F8C]\r\ndef tea_dec(buf,key):\r\n    # decrypt buf as consecutive big-endian 64-bit TEA blocks\r\n    rbuf=\"\"\r\n    fmt = '\u003e' + str(len(buf)/4) + 'I'\r\n    tbuf= struct.unpack_from(fmt,buf)\r\n    j=0\r\n    for i in range(0,len(tbuf)/2):\r\n        v1=c_uint32(tbuf[i+j])\r\n        v2=c_uint32(tbuf[i+1+j])\r\n        sum=c_uint32(0xC6EF3720)\r\n        # sum wraps to zero after 32 rounds\r\n        while(sum.value):\r\n            v2.value -= ((v1.value\u003e\u003e5)+key[3]) ^(v1.value+sum.value)^ ((v1.value\u003c\u003c4)+key[2])\r\n            v1.value -= ((v2.value\u003e\u003e5)+key[1]) ^(v2.value+sum.value)^ ((v2.value\u003c\u003c4)+key[0])\r\n            sum.value+=0x61C88647\r\n        rbuf +=struct.pack(\"\u003eI\",v1.value)+struct.pack(\"\u003eI\",v2.value)\r\n        j+=1\r\n    return rbuf\r\ndef getbuff(addr):\r\n    # read bytes starting at addr until two consecutive NUL bytes\r\n    buf = \"\"\r\n    while idc.get_bytes(addr, 2) != \"\\x00\\x00\":\r\n        buf += idc.get_bytes(addr, 1)\r\n        addr += 1\r\n    return buf\r\n# pay attention to function at 0x0000D074\r\na=getbuff(idc.get_wide_dword(0x00019C9C))\r\n\r\nbuf=[]\r\n#0x19c9c-0x199f0 --\u003e 684\r\n# each 12-byte table entry holds the offset and length of one encrypted item\r\nfor i in range(0,684,12):\r\n    offset=idc.get_wide_word(0x000199F4+i)\r\n    length=idc.get_wide_word(0x000199F4+i+2)\r\n    buf.append(a[offset:offset+length])\r\n\r\nc2=[]\r\n#684/12 --\u003e 57\r\nfor i in range(57):\r\n    decbuf=tea_dec(buf[i],key)\r\n    if(\".onion\" in decbuf):\r\n        c2.append(decbuf)\r\n    print \"index %x, value = %s\" %(i,decbuf)\r\nprint \"-------------------decryption end---------------\"\r\n# proxy set 0x2a: 4-byte IP followed by a 2-byte port per node\r\nproxya=tea_dec(buf[0x2a],key)\r\npacnt=struct.unpack(\"\u003cH\",proxya[2:4])\r\nproxy=[]\r\nport=[]\r\ntmp=proxya[4:4+6*(pacnt[0])]\r\nprint \"------------proxys at index 0x2A, count= %d------------\" %(pacnt[0])\r\nfor i in range(0,len(tmp),6):\r\n    proxy.append(struct.unpack(\"\u003eI\",tmp[i:i+4])[0])\r\n    port.append(struct.unpack(\"\u003cH\",tmp[i+4:i+6])[0])\r\nfor i in range(pacnt[0]):\r\n    a=struct.pack(\"\u003eI\",proxy[i])\r\n    ip=\"\"\r\n    for j in range(4):\r\n        ip+=str(ord(a[j]))\r\n        if j!=3:\r\n            ip+=\".\"\r\n    print \"%s:%d\" %(ip,port[i])\r\n# proxy set 0x2b: 4-byte IPs only\r\nproxyb=tea_dec(buf[0x2b],key)\r\npbcnt=struct.unpack(\"\u003cH\",proxyb[2:4])\r\nfmt = '\u003e' + str(pbcnt[0]) + 'I'\r\ntmp=proxyb[4:4*(pbcnt[0]+1)]\r\nprint \"------------proxys at index 0x2B, count= %d------------\" %(pbcnt[0])\r\nxxxxx=struct.unpack(fmt,tmp)\r\nfor i in xxxxx:\r\n    a=struct.pack(\"\u003eI\",i)\r\n    ip=\"\"\r\n    for j in range(4):\r\n        ip+=str(ord(a[j]))\r\n        if j!=3:\r\n            ip+=\".\"\r\n    print ip\r\nprint \"-------------------------onion info--------------\"\r\nif len(c2)!=0:\r\n    for i in c2:\r\n        # split the string before .onion into 16-character C2 names\r\n        pos=i.find(\".onion\")\r\n        for j in range(0,pos,16):\r\n            print i[j:16+j]+\".onion\"\r\nelse:\r\n    print \"Don't find the onion c2\"\r\nSource: https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/"
	],
	"report_names": [
		"mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en"
	],
	"threat_actors": [],
	"ts_created_at": 1775439033,
	"ts_updated_at": 1775791223,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a738ae0cc7ee266cca1aec244dfcc8a4f7a4a3c.pdf",
		"text": "https://archive.orkl.eu/2a738ae0cc7ee266cca1aec244dfcc8a4f7a4a3c.txt",
		"img": "https://archive.orkl.eu/2a738ae0cc7ee266cca1aec244dfcc8a4f7a4a3c.jpg"
	}
}