{
	"id": "a63ffb0a-5fac-43a0-9930-cdac553f6447",
	"created_at": "2026-04-06T00:19:23.549174Z",
	"updated_at": "2026-04-10T13:11:55.762252Z",
	"deleted_at": null,
	"sha1_hash": "6932fc96d45fcb6716effa26f0245138f44ea5af",
	"title": "Satori Author Linked to New Mirai Variant Masuta",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62527,
	"plain_text": "Satori Author Linked to New Mirai Variant Masuta\r\nBy Tom Spring\r\nPublished: 2018-01-23 · Archived: 2026-04-02 10:53:41 UTC\r\nTwo related Mirai variants called Masuta and PureMasuta have links to a hacker identified as Nexus Zeta.\r\nResearchers at NewSky Security say the hacker behind a Mirai malware variant called Satori, also known as Mirai\r\nOkiru, is the same hacker behind two new Mirai variants called Masuta and PureMasuta.\r\nBased on source code for Masuta malware recently found on the dark web, researchers at NewSky Security said\r\nthey were able to connect the dots between Satori and Masuta. The hacker is identified as Nexus Zeta.\r\nLast month researchers first identified Nexus Zeta as the principal behind a series of attacks against Huawei\r\nrouters, hijacked to spread the Mirai variant Satori. Originally, Nexus Zeta was considered a novice hacker\r\nbecause of clues the hacker left behind that allowed researchers to identify him as a forum poster to the site\r\nHackForums.\r\n“With this code leak, now we know that Nexus Zeta is not just a one-shot wonder or a copy-and-paste script\r\nkiddie,” said Ankit Anubhav, principal researcher at NewSky Security. “He has been honing his skills in the form\r\nof Masuta.”\r\nIn a research report released Tuesday, NewSky Security researchers also identified a second Masuta variant called\r\nPureMasuta. That variant is unique because the malware leverages a “weaponized” D-Link HNAP bug used by\r\nattackers to grow its botnet.\r\nThe D-Link HNAP flaw takes advantage of a Home Network Administration Protocol (HNAP) injection bug\r\noriginally identified in D-Link products in 2015. HNAP is a network protocol developed by Pure Networks, later\r\nacquired by Cisco Systems. 
HNAP is based on Simple Object Access Protocol (SOAP) and is used by device\r\nadmins to manage network devices.\r\n“It is possible to craft a SOAP query which can bypass authentication by\r\nusing hxxp://purenetworks.com/HNAP1/GetDeviceSettings. Also, it is feasible to run system commands (leading\r\nto arbitrary code execution) because of improper string handling. When both issues are combined, one can form a\r\nSOAP request which first bypasses authentication, and then causes arbitrary code execution,” wrote Anubhav.\r\nAnubhav said an examination of the PureMasuta botnet shell script downloaded from a command-and-control\r\nserver revealed that both Masuta and PureMasuta shared the same server.\r\n“We noticed that the command and control server is same as used in the original Masuta variants, hence indicating\r\nthat PureMasuta is an evolved creation of the same Masuta threat actors,” Anubhav said.\r\nSince September, PureMasuta-infected IPs have shot up\r\ntwelve-fold according to honeypot activities observed by NewSky Security.\r\nOkiru/Satori was first identified by Check Point researchers on November 23. In December, researchers at Qihoo\r\n360 Netlab said Satori infected more than 280,000 IP addresses in a 12-hour period and gained control over\r\n500,000 to 700,000 IoT devices.\r\n“Nexus Zeta is no stranger when it comes to implementing SOAP related exploits. The threat actor has already\r\nbeen observed in implementing two other known SOAP related exploits, CVE-2014-8361 and CVE-2017-17215\r\nin his Satori botnet project. 
A third SOAP exploit, TR-069 bug has also been observed previously in IoT botnets.\r\nThis makes EDB 38722 the fourth SOAP related exploit which is discovered in the wild by IoT botnets,” Anubhav\r\nsaid.\r\nSource: https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/"
	],
	"report_names": [
		"129640"
	],
	"threat_actors": [
		{
			"id": "c90b1108-7555-4e64-9bfe-1ef6bf2caf18",
			"created_at": "2023-01-06T13:46:38.739456Z",
			"updated_at": "2026-04-10T02:00:03.084254Z",
			"deleted_at": null,
			"main_name": "Nexus Zeta",
			"aliases": [],
			"source_name": "MISPGALAXY:Nexus Zeta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434763,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6932fc96d45fcb6716effa26f0245138f44ea5af.pdf",
		"text": "https://archive.orkl.eu/6932fc96d45fcb6716effa26f0245138f44ea5af.txt",
		"img": "https://archive.orkl.eu/6932fc96d45fcb6716effa26f0245138f44ea5af.jpg"
	}
}