{
	"id": "83fdb642-0c45-4230-a98f-30c84a7ba1bc",
	"created_at": "2026-04-06T00:15:04.31186Z",
	"updated_at": "2026-04-10T13:11:27.614317Z",
	"deleted_at": null,
	"sha1_hash": "639e42888d2b23d66ee05feccd03ea11ee74544e",
	"title": "New Mirai Variant Targeting Network Security Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 469651,
	"plain_text": "New Mirai Variant Targeting Network Security Devices\r\nBy Vaibhav Singhal, Ruchna Nigam, Zhibin Zhang, Asher Davila\r\nPublished: 2021-03-16 · Archived: 2026-04-02 10:48:24 UTC\r\nExecutive Summary\r\nOn Feb. 16, 2021, Unit 42 researchers discovered attacks leveraging a number of vulnerabilities, including:\r\nVisualDoor (a SonicWall SSL-VPN exploit).\r\nCVE-2020-25506 (a D-Link DNS-320 firewall exploit).\r\nCVE-2020-26919 (a Netgear ProSAFE Plus exploit).\r\nPossibly CVE-2019-19356 (a Netis WF2419 wireless router exploit).\r\nThree other IoT vulnerabilities yet to be identified.\r\nOn Feb. 23, 2021, one of the IPs involved in the attack was updated to serve a Mirai variant leveraging CVE-2021-27561\r\nand CVE-2021-27562, mere hours after vulnerability details were published. On March 3, 2021, the same samples were\r\nserved from a third IP address, with the addition of an exploit leveraging CVE-2021-22502. Furthermore, on March 13, an\r\nexploit targeting CVE-2020-26919 was also incorporated into the samples.\r\nThe attacks are still ongoing at the time of this writing. Upon successful exploitation, the attackers try to download a\r\nmalicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and\r\nbrute-forcers.\r\nPalo Alto Networks Next-Generation Firewall customers with Threat Prevention, WildFire and URL Filtering security\r\nsubscriptions, as well as AutoFocus can detect and block all the exploit attempts from this kind of malware family.\r\nVulnerabilities Being Exploited\r\nFive known vulnerabilities and three unknown vulnerabilities were exploited in this attack. Upon successful exploitation, the\r\nwget utility is invoked to download a shell script from the malware infrastructure. The shell script then downloads several\r\nMirai binaries compiled for different architectures and executes these downloaded binaries one by one. 
Vulnerability\r\ninformation is shown in Table 1, below.\r\nID | Vulnerability | Description | Severity\r\n1 | VisualDoor | SonicWall SSL-VPN Remote Command Injection Vulnerability | Critical\r\n2 | CVE-2020-25506 | D-Link DNS-320 Firewall Remote Command Execution Vulnerability | Critical\r\n3 | CVE-2021-27561 and CVE-2021-27562 | Yealink Device Management Pre-Auth ‘root’ Level Remote Code Execution Vulnerability | Critical\r\n4 | CVE-2021-22502 | Remote Code Execution Vulnerability in Micro Focus Operation Bridge Reporter (OBR), affecting version 10.40 | Critical\r\n5 | CVE-2019-19356 | Resembles the Netis WF2419 Wireless Router Remote Code Execution Vulnerability | High\r\n6 | CVE-2020-26919 | Netgear ProSAFE Plus Unauthenticated Remote Code Execution Vulnerability | Critical\r\n7 | Unidentified | Remote Command Execution Vulnerability Against an Unknown Target | Unknown\r\n8 | Unidentified | Remote Command Execution Vulnerability Against an Unknown Target | Unknown\r\n9 | Unknown Vulnerability | Vulnerability Used by Moobot in the Past, Although the Exact Target is Still Unknown | Unknown\r\nTable 1. List of vulnerabilities.\r\nhttps://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/\r\nPage 1 of 16\n\nExploit Payloads\r\n1. VisualDoor: SonicWall SSL-VPN Remote Command Injection Vulnerability\r\nFigure 1. VisualDoor SonicWall SSL-VPN exploit payload.\r\nThe exploit of SonicWall SSL-VPN targets an old version of Bash, which is vulnerable to ShellShock. An attacker can send\r\na crafted Common Gateway Interface (CGI) request to a particular shell script leading to an unauthenticated remote code\r\nexecution (RCE) vulnerability.\r\n2. CVE-2020-25506: D-Link DNS-320 Firewall Remote Command Execution Vulnerability\r\nFigure 2. D-Link DNS-320 exploit payload.\r\nThe exploit targets a command injection vulnerability in a system_mgr.cgi component. 
The component does not successfully\r\nsanitize the value of the HTTP parameter f_ntp_server, which in turn leads to arbitrary command execution.\r\n3. CVE-2021-27561 and CVE-2021-27562: Yealink Device Management Pre-Auth ‘root’ Level Remote Code Execution\r\nVulnerability\r\nFigure 3. Yealink Device exploit payload.\r\nThe exploit works by chaining a pre-auth Server-Side Request Forgery (SSRF) vulnerability and a command injection\r\nvulnerability, making it possible to execute commands as root without authentication, simply by sending an HTTPS request\r\nto the remote target.\r\n4. CVE-2021-22502: Micro Focus Operation Bridge Reporter (OBR) Remote Code Execution\r\nFigure 4. Micro Focus Operation Bridge Reporter exploit payload.\r\nThe exploit works due to the unsanitized use of the “username” and “password” parameters in requests made to the\r\nLogonResource API. The vulnerability can be exploited to allow unauthenticated RCE as root on the OBR server.\r\n5. CVE-2019-19356: Netis WF2419 Wireless Router Remote Code Execution Vulnerability\r\nFigure 5. Netis WF2419 exploit payload.\r\nThe exploit targets an RCE vulnerability in a diagnostic tool utility. An authenticated attacker can perform command\r\nexecution via multiple vulnerable parameters such as IP address or domain name.\r\n6. CVE-2020-26919: Netgear ProSAFE Plus Unauthenticated Remote Code Execution Vulnerability\r\nFigure 6. Netgear ProSAFE exploit payload.\r\nThe exploit targets debug web sections, through which an attacker can execute system commands. This is due to a lack of\r\nproper checks on access controls, leading to RCE with administrator privileges.\r\n7. Unidentified vulnerability (lang parameter command injection)\r\nFigure 7. Unidentified vulnerability exploit payload.\r\nThe exploit of an unidentified vulnerability targets a command injection vulnerability in certain components. 
The\r\ncomponent does not successfully sanitize the value of the HTTP parameter lang, which in turn leads to arbitrary command\r\nexecution.\r\n8. Unidentified vulnerability (key parameter command injection)\r\nFigure 8. Unidentified vulnerability exploit payload.\r\nThe unknown exploit targets the login CGI script, where a key parameter is not properly sanitized, leading to a command\r\ninjection.\r\n9. Unknown vulnerability (op_type parameter command injection)\r\nFigure 9. Unidentified vulnerability exploit payload.\r\nThis exploit targets the op_type parameter, which is not properly sanitized, leading to a command injection. It has been\r\nobserved in the past being used by Moobot; however, the exact target is unknown.\r\nMalware Behaviors\r\nBinary Functionality\r\nlolol.sh\r\nAfter deleting some key folders from the target machine (such as ones containing the existing scheduled\r\njobs, as well as startup scripts), this script downloads the “dark” binaries explained below, saves them to a\r\nmisleadingly named file “nginx” and tries to run each one. Since the “dark” binaries downloaded are each\r\ncompiled for a different architecture, only the one compatible with the target machine would actually\r\nexecute.\r\nFollowing that, it schedules a job that would (supposedly) run every hour to rerun the lolol.sh script.\r\nHowever, the cron configuration is incorrect. This would have been an attempt to ensure the process is re-launched in case it crashes or is killed for some other reason.\r\nFinally, several packet filter rules are created to block incoming traffic directed at commonly used ports\r\nlike the standard SSH, HTTP and telnet ports, among others. 
This is probably to make maintenance of and\r\nremote access to the affected system more challenging for an administrator.\r\nIn one of the two observed versions of the script, it also downloads and runs the “install.sh” script\r\ndescribed below.\r\ninstall.sh\r\nThis script downloads GoLang v1.9.4 onto the target system and adds it to the system path. In addition, it\r\nalso installs the GoLang standard SSH package and zmap (a common network-scanning package).\r\nIt also downloads the “nbrute” binaries and the “combo.txt” file described below. As was the case for the\r\nprevious script, the “nbrute” binaries downloaded are each compiled for a different architecture,\r\nincreasing the probability of compatibility with the target machine.\r\nFinally, zmap is run to scan port 22, and IPs found with port 22 open are sent as input to the nbrute binary.\r\nnbrute.[arch]\r\nThese binaries are written in GoLang and mainly serve the purpose of brute-forcing the various\r\ncredentials found in “combo.txt” while initiating an SSH connection with a certain IP.\r\ncombo.txt\r\nPlain text file containing numerous combinations of credentials (often default credentials on devices).\r\ndark.[arch]\r\nThese binaries are based on the Mirai codebase, and mainly serve the purpose of propagation – either\r\nusing the exploits described in the section above, or by brute-forcing SSH connections using some hard-coded credentials in the binary.\r\nThe key used for the standard Mirai byte-wise XOR encryption routine is 0xbaadf00d.\r\nTable 2. Malware behaviors.\r\nConclusion\r\nThe IoT realm remains an easily accessible target for attackers. Many vulnerabilities are very easy to exploit and could, in\r\nsome cases, have catastrophic consequences. 
We strongly advise customers to apply patches whenever possible.\r\nPalo Alto Networks customers are protected from the aforementioned vulnerabilities by the following products and services:\r\nNext-Generation Firewalls with the Threat Prevention security subscription can block the attacks with best practices\r\nvia threat prevention signatures 90776, 90553, 55228, 57842, 59191, 90302, 90808, 90824 and 90555.\r\nWildFire can stop the malware with static signature detections.\r\nURL Filtering blocks malicious malware domains.\r\nAutoFocus users can track exploit activity using the tags VisualDoor, CVE-2020-25506, CVE-2021-27562, CVE-2021-25502 and CVE-2020-26919.\r\nIndicators of Compromise\r\nSamples\r\nSource: https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/"
	],
	"report_names": [
		"mirai-variant-iot-vulnerabilities"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434504,
	"ts_updated_at": 1775826687,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/639e42888d2b23d66ee05feccd03ea11ee74544e.pdf",
		"text": "https://archive.orkl.eu/639e42888d2b23d66ee05feccd03ea11ee74544e.txt",
		"img": "https://archive.orkl.eu/639e42888d2b23d66ee05feccd03ea11ee74544e.jpg"
	}
}