{
	"id": "579cf56e-b3b0-4ceb-91fa-aa33ffad792d",
	"created_at": "2026-04-06T00:10:02.947683Z",
	"updated_at": "2026-04-10T03:30:57.360348Z",
	"deleted_at": null,
	"sha1_hash": "2f4c5a7f4f5f9128f4a8221e6ea2c392755d14bf",
	"title": "Condi DDoS Botnet Spreads via TP-Link's CVE-2023-1389 | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73176,
	"plain_text": "Condi DDoS Botnet Spreads via TP-Link's CVE-2023-1389 |\r\nFortiGuard Labs\r\nBy Joie Salvio and Roy Tay\r\nPublished: 2023-06-20 · Archived: 2026-04-05 23:03:16 UTC\r\nAffected platforms: Linux\r\nImpacted parties: Any organization\r\nImpact: Remote attackers gain control of the vulnerable systems\r\nSeverity level: Critical\r\nFortiGuard Labs encountered recent samples of a DDoS-as-a-service botnet calling itself Condi. It attempted to\r\nspread by exploiting TP-Link Archer AX21 (AX1800) routers vulnerable to CVE-2023-1389, which was disclosed\r\nin mid-March of this year. We have additionally observed an increasing number of Condi samples collected from\r\nour monitoring systems since the end of May 2023, indicating an active attempt to expand the botnet.\r\nThis blog details the capabilities of this botnet.\r\nCondi Botnet: Buy or Rent\r\nWhile pivoting from the Command and Control (C2) domain cdn2[.]duc3k[.]com in one of the malware samples,\r\nFortiGuard Labs researchers found a sibling domain admin[.]duc3k[.]com that previously displayed the message\r\n\"contact @zxcr9999 telegram\". A quick search revealed a Telegram channel, Condi Network, advertising a Condi\r\nbotnet with capabilities matching those observed in our sample (Figure 1).\r\nThe Telegram channel was started in May 2022, and the threat actor has been monetizing its botnet by providing\r\nDDoS-as-a-service and selling the malware source code (Figure 2).\r\nWe provide a technical analysis of the ARM malware sample\r\n509f5bb6bcc0f2da762847364f7c433d1179fb2b2f4828eefb30828c485a3084 in the following sections:\r\nKilling off the Competition\r\nThis malware employs several techniques to keep itself running in an infected system. At the same time, it also\r\nprevents infections from other botnets by attempting to terminate their processes.\r\nAs is typical of Mirai-based botnets, this malware cannot survive a system reboot. 
Because of this, it deletes the\r\nfollowing binaries used to shut down or reboot the system:\r\n/usr/sbin/reboot\r\n/usr/bin/reboot\r\n/usr/sbin/shutdown\r\n/usr/bin/shutdown\r\nhttps://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389\r\nPage 1 of 6\n\n/usr/sbin/poweroff\r\n/usr/bin/poweroff\r\n/usr/sbin/halt\r\n/usr/bin/halt\r\nIt also reads /proc/\u003cPID\u003e/status for each running process and compares the Name field to the following strings\r\nto kill any processes with matching names:\r\n/bin/busybox\r\n/bin/systemd\r\n/usr/bin\r\ntest\r\n/tmp/condi\r\n/tmp/zxcr9999\r\n/tmp/condinetwork\r\n/var/condibot\r\n/var/zxcr9999\r\n/var/CondiBot\r\n/var/condinet\r\n/bin/watchdog\r\nWe assess that the developer intended to kill off older versions of Condi currently running on an infected device\r\ntogether with selected system processes. However, the implementation is flawed, as the Name field only contains\r\nthe executable names of processes and not their full paths.\r\nAdditionally, it kills any processes with binary filenames containing the following extensions commonly used by\r\nother botnets:\r\nx86\r\nx86_64\r\narm\r\narm5\r\narm6\r\narm7\r\nmips\r\nmipsel\r\nsh4\r\nppc\r\nIt also generates a random string of at least ten characters from the custom alphanumeric character set\r\n\"lvrvup9w0zwi6nuqf0kilumln8ox5vgv@\" and attempts to kill any process with this string in its command line,\r\nalthough it is near certain that no such process will exist. Which process the malware developer intended to terminate\r\nwith this code is unclear.\r\nFinally, it generates two numbers (one between 12 and 32, the other between 12 and 20) and kills any processes\r\nwith a command line length matching either number. 
Killing off random processes based on their command line\r\nlength is likely to wreak havoc and prevent the infected device from functioning correctly if the malware happens\r\nto terminate system processes.\r\nBotnet Propagation\r\nUnlike most DDoS botnets, this sample does not propagate by trying different credentials. Instead, it embeds a\r\nsimple scanner modified from Mirai’s original Telnet scanner to scan for any public IPs with open ports 80 or\r\n8080 (commonly used for HTTP servers) and then sends a hardcoded exploitation request (Figure 3) to download\r\nand execute a remote shell script at hxxp://cdn2[.]duc3k[.]com/t, which will infect the device with Condi if it is a\r\nvulnerable TP-Link Archer AX21 device.\r\nThe remote shell script is typical of Mirai-based loaders that try to download and execute binaries of each\r\narchitecture in turn (Figure 4). The first command-line argument provided to the malware binary (“0days” in this\r\ncase) is referred to as “id” (“source” in the original Mirai code), which DDoS botnet operators commonly use to\r\nidentify the method used to replicate the malware.\r\nWhile the sample we analyzed only contained the scanner for CVE-2023-1389, other Condi botnet samples were\r\nalso seen exploiting other vulnerabilities to propagate. The publicly available source code for older versions also\r\nincludes scanners for known vulnerabilities exploited by other Mirai variants.\r\nWe also observed shell scripts hosted on the same IP with different sources in the execution commands. 
Figure 5\r\nshows a script with an “adb” source, which refers to Android Debug Bridge (ADB).\r\nWe found source code for an older version of Condi that scans for devices with an open Android Debug Bridge\r\nport (TCP/5555), so it is possible that the botnet is currently being propagated via this means.\r\nC2 Protocol and Command List\r\nThe binary protocol used by Condi to communicate with the C2 server is a modified version of that initially\r\nimplemented in Mirai.\r\nThe initial registration packet sent by the bot to the C2 contains the bytes \\x33\\x66\\x99, commonly associated with\r\nMoobot, another Mirai variant. These bytes are followed by a one-byte length of the “id”. In the case of Condi,\r\n“id” defaults to “c” if none was specified, or, in our case of an infection via CVE-2023-1389, “0days”. This\r\nsignals the C2 server that the malware is ready to receive commands.\r\nThe first three bytes of the C2 response indicate the command for the Condi bot:\r\n1. \\x99\\x66\\x33: Likely to check if the malware is still active, in which case the malware sends a packet to C2\r\nwith \\x66\\x99\\x66\\x04 followed by “ping”\r\n2. \\x99\\x66\\x66: Terminate the bot\r\n3. \\x33\\x66\\x66: Start the webserver for serving malware binaries\r\n4. \\x33\\x66\\x33: Update binaries served by the webserver\r\n5. \\x33\\x66\\x99: Send the webserver port. Malware responds with \\x66\\x99\\x66 followed by a length of the next\r\nstring and “CondiiNeett webserv:\u003cPORT\u003e”\r\n6. \\x66\\x66\\x99: Sets an unused lockdown flag, which might indicate a feature in development.\r\nOnce it receives the \\x33\\x66\\x66 command used to start the webserver, this malware downloads bot binaries from\r\na hardcoded IP and port. After that, it starts a basic HTTP server on a random port number above 1024 to host\r\nthese binaries. 
GET, POST, and HEAD requests to this server for the /arm, /arm7, /mips, /mipsel, /x86_64, /sh4,\r\n/ppc, and /m68k URLs will serve these binaries if they were downloaded previously. This HTTP server\r\nmasquerades as a legitimate Apache HTTP server by responding with the “Server: Apache” header when any\r\nURLs are requested.\r\nFrom then on, the threat actor can issue the \\x33\\x66\\x33 command to download the latest binaries from the same\r\nhardcoded IP and port so that the webserver serves the most updated version of the malware.\r\nIf the first byte of the C2 response is not \\x33, \\x66, or \\x99, the bot parses it as an attack command in the same\r\nway as Mirai.\r\nBelow is this sample's list of attack functions and a description of the implemented attack method.\r\nattack_tcp_syn: Similar to Mirai’s TCP SYN flood\r\nattack_tcp_ack: Similar to Mirai’s TCP ACK flood\r\nattack_tcp_socket: TCP flood using 5000 threads against a single targeted IP\r\nattack_tcp_thread: TCP flood using 100 threads shared among targeted IPs\r\nattack_tcp_bypass: Similar to Mirai’s TCP STOMP flood\r\nattack_udp_plain: Similar to Mirai’s UDP PLAIN flood\r\nattack_udp_thread: Similar to attack_udp_plain, but uses two threads per target IP\r\nattack_udp_smart: Similar to attack_udp_plain with extra error handling for connection failures\r\nAs the attack methods are consistent with the descriptions in the Telegram advertisement (Figure 1), this particular\r\nsample was likely built by the bot developer or someone with access to the malware source code.\r\nThis sample did not contain any HTTP attack methods observed in older Condi versions.\r\nConclusion\r\nMalware campaigns, especially botnets, are always looking for ways to expand. Exploiting recently discovered (or\r\npublished) vulnerabilities has always been one of their favored methods, as we highlighted above for the Condi\r\nbotnet. 
Thus, it is strongly recommended to always apply the latest security patches and updates as soon as\r\npossible.\r\nAs always, FortiGuard Labs will continue to monitor these campaigns.\r\nFortinet Protections\r\nFortinet customers are already protected from this malware through FortiGuard’s Web Filtering, AntiVirus,\r\nFortiClient, and FortiEDR services, as follows:\r\nThe following AntiVirus (AV) signatures detect the malware samples mentioned in this blog:\r\nLinux/Mirai.REAL!tr\r\nLinux/Mirai.CDB!tr\r\nThe FortiGuard AntiVirus service is supported by FortiGate, FortiClient, and FortiEDR. Fortinet EPP customers\r\nrunning current AntiVirus updates are also protected.\r\nThe FortiGuard Web Filtering Service blocks the C2 servers and download URLs.\r\nFortiGuard Labs provides IPS signatures against attacks exploiting the following vulnerability:\r\nCVE-2023-1389: TP-Link.Archer.AX21.Unauthenticated.Command.Injection\r\nFor a comprehensive list of protections from FortiGuard Labs for this vulnerability, please visit the Outbreak Alert\r\npage for further details.\r\nThe FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating\r\nmalicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative\r\ncompetitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile\r\nsources.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global\r\nFortiGuard Incident Response 
Team.\r\nIOCs\r\nFiles\r\nDownload URLs\r\nC2s\r\n85[.]217[.]144[.]35\r\ncdn2[.]duc3k[.]com\r\nSource: https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389"
	],
	"report_names": [
		"condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434202,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f4c5a7f4f5f9128f4a8221e6ea2c392755d14bf.pdf",
		"text": "https://archive.orkl.eu/2f4c5a7f4f5f9128f4a8221e6ea2c392755d14bf.txt",
		"img": "https://archive.orkl.eu/2f4c5a7f4f5f9128f4a8221e6ea2c392755d14bf.jpg"
	}
}