{
	"id": "de167a31-dc4e-4e3c-a18c-69a54978dfa8",
	"created_at": "2026-04-06T00:08:16.588241Z",
	"updated_at": "2026-04-10T13:12:28.670457Z",
	"deleted_at": null,
	"sha1_hash": "80662856fab9f4dcbe1786d8fae9b04f2ca6c586",
	"title": "Botnet of Thousands of MikroTik Routers Abused in Glupteba, TrickBot Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 201359,
	"plain_text": "Botnet of Thousands of MikroTik Routers Abused in Glupteba, TrickBot Campaigns\r\nBy The Hacker News\r\nPublished: 2022-03-23 · Archived: 2026-04-05 19:25:36 UTC\r\nVulnerable routers from MikroTik have been misused to form what cybersecurity researchers have called one of the largest botnet-as-a-service cybercrime operations seen in recent years.\r\nAccording to a new piece of research published by Avast, a cryptocurrency mining campaign leveraging the now-disrupted Glupteba botnet as well as the infamous TrickBot malware were all distributed using the same command-and-control (C2) server.\r\n\"The C2 server serves as a botnet-as-a-service controlling nearly 230,000 vulnerable MikroTik routers,\" Avast's senior malware researcher, Martin Hron, said in a write-up, potentially linking it to what's now called the Mēris botnet.\r\nThe botnet is known to exploit a known vulnerability in the Winbox component of MikroTik routers (CVE-2018-14847), enabling the attackers to gain unauthenticated, remote administrative access to any affected device. Parts of the Mēris botnet were sinkholed in late September 2021.\r\n\"The CVE-2018-14847 vulnerability, which was publicized in 2018, and for which MikroTik issued a fix, allowed the cybercriminals behind this botnet to enslave all of these routers, and to presumably rent them out as a service,\" Hron said.\r\nIn an attack chain observed by Avast in July 2021, vulnerable MikroTik routers were targeted to retrieve the first-stage payload from a domain named bestony[.]club, which was then used to fetch additional scripts from a second domain, \"globalmoby[.]xyz.\"\r\nInterestingly enough, both domains were linked to the same IP address, 116.202.93[.]14, leading to the discovery of seven more domains that were actively used in attacks, one of which (tik.anyget[.]ru) was used to serve Glupteba malware samples to targeted hosts.\r\n\"When requesting the URL https://tik.anyget[.]ru I was redirected to the https://routers.rip/site/login domain (which is again hidden by the Cloudflare proxy),\" Hron said. \"This is a control panel for the orchestration of enslaved MikroTik routers,\" with the page displaying a live counter of devices connected to the botnet.\r\nBut after details of the Mēris botnet entered the public domain in early September 2021, the C2 server is said to have abruptly stopped serving scripts before disappearing completely.\r\nThe disclosure also coincides with a new report from Microsoft, which revealed how the TrickBot malware has weaponized MikroTik routers as proxies for command-and-control communications with remote servers, raising the possibility that the operators may have used the same botnet-as-a-service.\r\nIn light of these attacks, it's recommended that users update their routers with the latest security patches, set a strong router password, and disable the router's administration interface on the public side.\r\n\"It also shows what has been quite obvious for some time already, that IoT devices are being heavily targeted not just to run malware on them, which is hard to write and spread massively considering all the different architectures and OS versions, but to simply use their legal and built-in capabilities to set them up as proxies,\" Hron said. \"This is done to either anonymize the attacker's traces or to serve as a DDoS amplification tool.\"\r\nUpdate: Latvian company MikroTik told The Hacker News that the number \"was only true before we released the patch in [the] year 2018. After the patch was released, the actual affected number of devices is closer to 20,000 units that still run the older software. Also, not all of them are actually controlled by the botnet; many of them have a strict firewall in place, even though running older software.\"\r\nWhen The Hacker News reached out to Avast for comment, the cybersecurity company confirmed that the number of affected devices (~230,000) reflected the status of the botnet prior to its disruption. \"However, there are still isolated routers with compromised credentials or staying unpatched on the internet,\" the company said in a statement.\r\n(The headline of the article has been corrected to take into account the fact that the number of affected MikroTik routers is no longer more than 200,000 as previously stated.)\r\nSource: https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html"
	],
	"report_names": [
		"over-200000-microtik-routers-worldwide.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434096,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80662856fab9f4dcbe1786d8fae9b04f2ca6c586.pdf",
		"text": "https://archive.orkl.eu/80662856fab9f4dcbe1786d8fae9b04f2ca6c586.txt",
		"img": "https://archive.orkl.eu/80662856fab9f4dcbe1786d8fae9b04f2ca6c586.jpg"
	}
}