{
	"id": "ff770c59-662a-4115-a147-4b8d77a3ace5",
	"created_at": "2026-04-06T00:15:21.643353Z",
	"updated_at": "2026-04-10T03:21:36.298517Z",
	"deleted_at": null,
	"sha1_hash": "38e02121b5ee8e7b5b8069bc88275b13fc8b968e",
	"title": "New Echobot Botnet Variant Uses Over 50 Exploits to Propagate",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 821917,
	"plain_text": "New Echobot Botnet Variant Uses Over 50 Exploits to Propagate\r\nBy Ionut Ilascu\r\nPublished: 2019-08-06 · Archived: 2026-04-05 22:31:45 UTC\r\nA new variant of the Echobot botnet has been spotted that includes over 50 exploits for remote code execution (RCE)\r\nvulnerabilities in various Internet-of-Things devices.\r\nEchobot was discovered in May and analyzed by security researchers at Palo Alto Networks, who found that it incorporated\r\n18 exploits at the time.\r\nA week later, Larry Cashdollar from Akamai published his analysis, where he revealed that the number of exploits in\r\nEchobot had increased to 26, most of them being RCEs in several networked devices.\r\nhttps://www.bleepingcomputer.com/news/security/new-echobot-botnet-variant-uses-over-50-exploits-to-propagate/\r\nPage 1 of 5\n\nThe latest Echobot variant was found by security researcher Carlos Brendel Alcañiz, and uses 59 different RCE exploits to\r\npropagate, according to a tweet he published today.\r\nBrendel says that he made the discovery after receiving weaponized code that targeted security flaws in Asus devices. The\r\nlist of payloads compiled by the researcher shows that the operator relies on known exploits, some as old as 2010.\r\nThe malware dropper is hosted on an open server, in a file called Richard.\r\nThe interesting part is that the author seems to have thrown in exploits without targeting a specific category of products. 
The\r\ncode incorporated is available from multiple public exploit repositories.\r\nBrendel provided BleepingComputer with the exploits he found in this Echobot variant and the products they target include\r\nan odd mix of hardware and software solutions: routers, cameras, smart home hubs, network-attached storage systems,\r\nservers, database management software, and the Zeroshell distribution.\r\nIt should come as no surprise that this botnet includes such a high number of payloads. The malware is one of the hundreds\r\nof spin-offs from the Mirai botnet, which was built for distributed denial-of-service attacks and whose code is publicly available. This enables\r\nanyone to modify it to their own liking.\r\nIt is unclear what the author of this variant is trying to achieve, but their endeavor definitely shows how easily one can pick\r\nup malicious code and adapt it to their own needs.\r\nList of exploits used by this Echobot variant. All of them are available from public repositories:\r\nAsustor ADM 3.1.2RHG1 Remote Code Execution\r\nUbiquity Nanostation5 (Air OS) 0day Remote Command Execution\r\nAlcatel-Lucent OmniPCX Enterprise 7.1 Remote Command Execution\r\nASMAX AR 804 gu Web Management Console Arbitrary Command Execution\r\nASUS DSL-N12E_C1 1.1.2.3_345 Remote Command Execution\r\nAsus RT56U 3.0.0.4.360 Remote Command Injection\r\nAWStats Totals 1.14 multisort - Remote Command Execution\r\nAWStats 6.0 'configdir' Remote Command Execution\r\nAWStats 6.0 'migrate' Remote Command Execution\r\nBarracuda IMG.pl Remote Command Execution\r\nBeckhoff CX9020 CPU Module Remote Code Execution\r\nBelkin Wemo UPnP Remote Code Execution\r\nBEWARD N100 H.264 VGA IP Camera M2.1.6 Remote Code Execution\r\nCrestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus Remote Command Injection\r\nCitrix SD-WAN Appliance 10.2.2 Authentication Bypass / Remote Command Execution\r\nEnGenius EnShare IoT Gigabit Cloud Service 1.4.11 
Remote Code Execution\r\nDogfood CRM 'spell.php' Remote Command Execution\r\nCTEK SkyRouter 4200/4300 Command Execution\r\nNETGEAR R7000 / R6400 'cgi-bin' Command Injection\r\nDell KACE Systems Management Appliance (K1000) 6.4.120756 Unauthenticated Remote Code Execution\r\nD-Link OS-Command Injection via UPnP Interface\r\nOpenDreamBox 2.0.0 Plugin WebAdmin Remote Code Execution\r\nFreePBX 2.10.0 / Elastix 2.2.0 Remote Code Execution\r\nFritz!Box Webcm Command Injection\r\nGeutebruck 5.02024 G-Cam/EFD-2250 'testaction.cgi' Remote Command Execution\r\nGitorious Remote Command Execution\r\nHomeMatic Zentrale CCU2 Remote Code Execution\r\nHootoo HT-05 Remote Code Execution\r\nIris ID IrisAccess ICU 7000-2 Remote Root Command Execution\r\nLinksys WAG54G2 Web Management Console Arbitrary Command Execution\r\nMitel AWC Command Execution\r\nNagios 3.0.6 'statuswml.cgi' Arbitrary Shell Command Injection\r\nNUUO NVRmini 'upgrade_handle.php' Remote Command Execution\r\nNETGEAR ReadyNAS Surveillance 1.4.3-16 Remote Command Execution\r\nEyeLock nano NXT 3.5 Remote Code Execution\r\nOP5 5.3.5/5.4.0/5.4.2/5.5.0/5.5.1 'welcome' Remote Command Execution\r\nop5 7.1.9 Remote Command Execution\r\nHP OpenView Network Node Manager 7.50 Remote Command Execution\r\nOracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 Remote Code Execution\r\nPHPMoAdmin Unauthorized Remote Code Execution\r\nPlone and Zope Remote Command Execution\r\nQuickTime Streaming Server 'parse_xml.cgi' Remote Execution\r\nRealtek SDK Miniigd UPnP SOAP Command Execution\r\nRedmine SCM Repository 0.9.x/1.0.x Arbitrary Command Execution\r\nRocket Servergraph Admin Center fileRequestor Remote Code Execution\r\nSAPIDO RB-1732 Remote Command Execution\r\nSeowonintech Devices Remote Command Execution\r\nSpreecommerce 0.60.1 Arbitrary Command 
Execution\r\nLG SuperSign EZ CMS 2.5 Remote Code Execution\r\nFLIR Thermal Camera FC-S/PT Command Injection\r\nSchneider Electric U.Motion Builder 1.3.4 'track_import_export.php object_id' Unauthenticated Command Injection\r\nMiCasaVerde VeraLite Remote Code Execution\r\nVMware NSX SD-WAN Edge Command Injection\r\nWePresent WiPG-1000 Command Injection\r\nWireless IP Camera (P2P) WIFICAM Remote Code Execution\r\nXfinity Gateway Remote Code Execution\r\nYealink VoIP Phone SIP-T38G Remote Command Execution\r\nZeroShell 1.0beta11 Remote Code Execution\r\nSource: https://www.bleepingcomputer.com/news/security/new-echobot-botnet-variant-uses-over-50-exploits-to-propagate/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-echobot-botnet-variant-uses-over-50-exploits-to-propagate/"
	],
	"report_names": [
		"new-echobot-botnet-variant-uses-over-50-exploits-to-propagate"
	],
	"threat_actors": [],
	"ts_created_at": 1775434521,
	"ts_updated_at": 1775791296,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38e02121b5ee8e7b5b8069bc88275b13fc8b968e.pdf",
		"text": "https://archive.orkl.eu/38e02121b5ee8e7b5b8069bc88275b13fc8b968e.txt",
		"img": "https://archive.orkl.eu/38e02121b5ee8e7b5b8069bc88275b13fc8b968e.jpg"
	}
}