{
	"id": "9ff1c1ad-7617-4332-9fa2-afeaa4561647",
	"created_at": "2026-04-06T00:22:24.515157Z",
	"updated_at": "2026-04-10T13:12:24.720771Z",
	"deleted_at": null,
	"sha1_hash": "7bcb890bd45775cc88e9badb128778cef9d20625",
	"title": "Mirai Activity Picks up Once More After Publication of PoC Exploit Code",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 574920,
	"plain_text": "Mirai Activity Picks up Once More After Publication of PoC Exploit Code\r\nBy Catalin Cimpanu\r\nPublished: 2017-11-24 · Archived: 2026-04-05 20:31:31 UTC\r\nThe publication of proof-of-concept (PoC) exploit code in a public vulnerabilities database has led to increased activity from Mirai-based IoT botnets, Li Fengpei, a security researcher with Qihoo 360 Netlab, told Bleeping Computer today.\r\nThe exploit code was published online on October 31, but scans using this PoC started on Wednesday, November 22, according to a report Li shared with Bleeping Computer.\r\nPoC exploit targets ZyXEL PK5001Z routers\r\nThe PoC is for a vulnerability in the old ZyXEL PK5001Z routers that came to light in January 2016 on the OpenWrt forums.\r\nThe vulnerability (CVE-2016-10401) is a hidden su (super-user) password on the affected ZyXEL devices that elevates a user's access to root level. This su password (zyad5001) is useless, as it cannot be used to log into the device.\r\nhttps://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/\r\nPage 1 of 4\r\nNonetheless, miscreants have discovered that a large number of ZyXEL devices have shipped to users with admin/CentryL1nk and admin/QwestM0dem as default Telnet credentials.\r\nThe PoC published last month automates the process of logging into a remote ZyXEL device using one of the two Telnet passwords, and then uses the hardcoded su password to gain root privileges.\r\nMirai botnet incorporates recent ZyXEL PoC\r\nThe PoC exploit code had Mirai written all over it the moment it was published online. This is because Mirai botnets are built by scanning the Internet for devices with exposed Telnet ports and using a list of default credentials to attempt to log into devices and install the Mirai DDoS malware.\r\nStarting on Wednesday, this is exactly what happened. Li says that for the past 60 hours Netlab has detected a spike of scans on ports 23 and 2323, both used for Telnet authentication. Attackers are using the above PoC to break into exposed devices and infect them with Mirai.\r\nSuch a massive scan campaign did not go unnoticed. Independent security researcher Troy Mursch also reported a similar uptick in Mirai activity yesterday.\r\n879 new unique IP addresses were found in the #Mirai-like #botnet on 2017-11-22\r\nThis is an all-time record for the most new unique IP addresses that I've seen added to the botnet in one day.\r\nA massive increase of volume from Argentina (@Telefonica) is largely the cause. pic.twitter.com/c8GBUpKNgW\r\n— Bad Packets Report (@bad_packets) November 23, 2017\r\nMost new Mirai bots are located in Argentina\r\nAs both Netlab and Mursch have pointed out, most of the infected devices are from Argentina, and more precisely from the network of local ISP Telefonica de Argentina.\r\nNetlab says it detected around 100,000 IPs performing these scans in the past 60 hours. Since Mirai-infected devices perform the IP scanning and exploitation attempts, this is an approximate estimate of the number of bots in this Mirai botnet that is looking for vulnerable ZyXEL devices.\r\nNetlab says that around 65,700 of these bots were located in Argentina, a clear sign that the ISP has shipped devices with the default credentials included in the public PoC.\r\nThe good news is that Mirai bots do not have a persistence mechanism in place, meaning they are removed when the router reboots. This is why Mirai botnets vary wildly in size from day to day, and why botnet herders need to be constantly scanning the Internet to keep their bot numbers up.\r\nThis is also not the first time a Mirai botnet has exploited flaws in one particular ISP's network to grow to a mammoth size. Similar incidents happened in Germany and the UK in November and December 2016.\r\nThe hacker behind those incidents deployed faulty Mirai malware versions that eventually brought down Internet services for ISP customers. Law enforcement tracked down, arrested, charged, and sentenced the hacker, named BestBuy (also known as Popopret).\r\nThere are no reports that Telefonica users are suffering from Internet connectivity outages, meaning users are not aware their devices are infected with the Mirai malware.\r\nSource: https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/"
	],
	"report_names": [
		"mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434944,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7bcb890bd45775cc88e9badb128778cef9d20625.pdf",
		"text": "https://archive.orkl.eu/7bcb890bd45775cc88e9badb128778cef9d20625.txt",
		"img": "https://archive.orkl.eu/7bcb890bd45775cc88e9badb128778cef9d20625.jpg"
	}
}