{
	"id": "faf782ed-e8de-462e-b156-cf4f92600552",
	"created_at": "2026-04-06T00:19:34.330129Z",
	"updated_at": "2026-04-10T13:13:08.079002Z",
	"deleted_at": null,
	"sha1_hash": "904725eda3be4dc79f4d1863959f1b000208a2c4",
	"title": "Miori IoT Botnet Delivered via ThinkPHP Exploit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 88811,
	"plain_text": "Miori IoT Botnet Delivered via ThinkPHP Exploit\r\nBy: Augusto Remillano II, Mark Vicente Dec 20, 2018 Read time: 4 min (1011 words)\r\nPublished: 2018-12-20 · Archived: 2026-04-05 18:46:36 UTC\r\nThe exploitation of vulnerabilities in smart devices has been a persistent problem for many internet of things (IoT) users. Perhaps the most infamous IoT threat is the constantly evolving Mirai malware, which has been used in many past campaigns that compromised devices with default or weak credentials. Different Mirai variants and derivatives have cropped up since its source code was leaked in 2016.\r\nWe analyzed another Mirai variant called “Miori,” which is being spread through a Remote Code Execution (RCE) vulnerability in the PHP framework ThinkPHP. The exploit related to the vulnerability is relatively new — details about it only surfaced on December 11. For its arrival method, the IoT botnet uses this exploit, which affects ThinkPHP versions prior to 5.0.23 and 5.1.31. Interestingly, our Smart Protection Network also showed a recent increase in events related to the ThinkPHP RCE. We expect malicious actors to abuse the ThinkPHP exploit for their respective gains.\r\nAside from Miori, several known Mirai variants like IZ1H9 and APEP were also spotted using the same RCE exploit as their arrival method. All of these variants also use factory default credentials via Telnet to log in to and spread to other devices. Once any of these Mirai variants infects a Linux machine, it becomes part of a botnet that facilitates distributed denial-of-service (DDoS) attacks.\r\nLooking into the Mirai Variant, Miori\r\nMiori is just one of the many Mirai offshoots. Fortinet once described its striking resemblance to another variant called Shinoa. Our own analysis revealed that the cybercriminals behind Miori used the ThinkPHP RCE to make vulnerable machines download and execute their malware from hxxp://144[.]202[.]49[.]126/php:\r\nFigure 1. RCE downloads and executes Miori malware\r\nUpon execution, Miori malware generates this output in the console:\r\nFigure 2. Miori infects device\r\nIt will start Telnet to contact other IP addresses. It also listens on port 42352 (TCP/UDP) for commands from its C\u0026C server. It then sends the command “/bin/busybox MIORI” to verify infection of the targeted system.\r\nFigure 3. Miori sends command\r\nWe were able to decrypt Miori malware’s configuration table embedded in its binary and found the following notable strings. We also listed the usernames and passwords used by the malware, some of which are default and easy to guess.\r\nMirai variant: Miori\r\nXOR key: 0x62\r\nUsername/Password:\r\n1001chin\r\nadm\r\nadmin123\r\nadmintelecom\r\naquario\r\ndefault\r\ne8ehome\r\ne8telnet\r\nGM8182\r\ngpon\r\noh\r\nroot\r\nsupport\r\ntaZz@23495859\r\ntelecomadmin\r\ntelnetadmin\r\ntsgoingon\r\nttnet\r\nvizxv\r\nzte\r\nNotable strings:\r\n/bin/busybox kill -9\r\n/bin/busybox MIORI (infection verification)\r\n/bin/busybox ps (kills parameters)\r\n/dev/FTWDT101\\ watchdog\r\n/dev/FTWDT101_watchdog\r\n/dev/misc/watchdog\r\n/dev/watchdog\r\n/dev/watchdog0\r\n/etc/default/watchdog\r\n/exe\r\n/maps\r\n/proc/\r\n/proc/net/route\r\n/proc/net/tcp\r\n/sbin/watchdog\r\n/status\r\naccount\r\nenable\r\nenter\r\nincorrect\r\nlogin\r\nlolistresser[.]com (C\u0026C server)\r\nMIORI: applet not found (infection verification)\r\npassword\r\nshell\r\nsystem\r\nTSource Engine Query\r\nusername\r\nyour device just got infected to a bootnoot\r\nTable 1. Related Miori credentials and strings\r\nA closer look also uncovered two URLs used by two other variants of Mirai: IZ1H9 and APEP. We then looked into the binaries (x86 versions) located at the two URLs. Both variants use the same string deobfuscation technique as Mirai and Miori, and we were likewise able to decrypt their configuration tables.\r\nhxxp://94[.]177[.]226[.]227/bins/\r\nMirai variant: IZ1H9\r\nXOR key: 0xE0\r\nUsername/Password:\r\n00000000\r\n12345\r\n54321\r\n123456\r\n1111111\r\n20080826\r\n20150602\r\n88888888\r\n1234567890\r\n/ADMIN/\r\nadmin1\r\nadmin123\r\nadmin1234\r\nantslq\r\nchangeme\r\nD13hh[\r\ndefault\r\nezdvr\r\nGM8182\r\nguest\r\nhi3518\r\nipc71a\r\nIPCam@sw\r\nipcam_rt5350\r\njuantech\r\njvbzd\r\nklv123\r\nklv1234\r\nnimda\r\npassword\r\nqwerty\r\nQwestM0dem\r\nroot123\r\nservice\r\nsmcadmin\r\nsupport\r\nsvgodie\r\nsystem\r\ntelnet\r\ntl789\r\nvizxv\r\nvstarcam2015\r\nxc3511\r\nxmhdpic\r\nzlxx.\r\nzsun1188\r\nZte521\r\nNotable strings:\r\n/bin/busybox IZ1H9 (infection verification)\r\n/bin/watchdog /dev/FTWDT101\\ watchdog (watchdog disabling)\r\n/dev/FTWDT101_watchdog\r\n/dev/misc/watchdog\r\n/dev/watchdog\r\n/dev/watchdog0\r\n/dev/watchdog1\r\n/etc/default/watchdog\r\n/etc/resolv.conf\r\n/proc/\r\n/proc/net/tcp\r\n/sbin/watchdog\r\nassword\r\nenable\r\nenter\r\nIZ1H9: applet not found\r\nj.#0388 (printed out in console after execution)\r\nlinuxsh\r\nlinuxshell\r\nnameserver\r\nncorrect\r\nsystem\r\nTSource Engine Query\r\nTable 2. Related IZ1H9 credentials and strings\r\nhxxp://cnc[.]arm7plz[.]xyz/bins/\r\nMirai variant: APEP\r\nXOR key: 0x04\r\nUsername/Password:\r\n123456\r\n888888\r\n20150602\r\n1q2w3e4r5\r\n2011vsta\r\n3ep5w2u\r\nadmintelecom\r\nbcpb+serial#\r\ndefault\r\ne8ehome\r\ne8telnet\r\nfliruser\r\nguest\r\nhuigu309\r\njuniper123\r\nklv1234\r\nlinux\r\nmaintainer\r\nMaxitaxi01\r\nsuper\r\nsupport\r\ntaZz@01\r\ntaZz@23495859\r\ntelecomadmin\r\ntelnetadmin\r\ntsgoingon\r\nvstarcam2015\r\nZte521\r\nZXDSL\r\nC\u0026C servers:\r\ncnc[.]arm7plz[.]xyz\r\nscan[.]arm7plz[.]xyz\r\nNotable strings:\r\n%4'%-\\F\r\n/bin/busybox APEP (infection verification)\r\n/bin/watchdog (watchdog disabling)\r\n/dev/FTWDT101/watchdog\r\n/dev/FTWDT101_watchdog\r\n/dev/misc/watchdog\r\n/dev/watchdog\r\n/dev/watchdog0\r\n/etc/default/watchdog\r\n/etc/watchdog\r\n/maps/\r\n/proc/\r\n/proc/net/tcp\r\n/sbin/watchdog\r\n/status\r\nCIA NIGGER\r\nenable\r\nenter\r\nincorrect\r\nlinuxshell\r\npassword\r\nshell\r\nstart\r\nsystem\r\nterryadavis\r\nTable 3. Related APEP credentials, C\u0026C servers, and strings\r\nIt should be noted that aside from dictionary attacks via Telnet, APEP also spreads by taking advantage of CVE-2017-17215, another RCE vulnerability, which affects Huawei HG532 routers. The vulnerability was also reported to be involved in Satori and Brickerbot variants. Huawei has since released a security notice and outlined measures to prevent possible exploitation.\r\nFigure 4. Exploit related to CVE-2017-17215\r\nConclusion and Recommendations\r\nTelnet default password login attempts against connected devices aren’t new. Factory default passwords, which many users may ignore or forget to change, are commonly used to access vulnerable devices. Mirai has since spawned other botnets that use default credentials and vulnerabilities in their attacks. Users are advised to change the default settings and credentials of their devices to deter hackers from hijacking them. As a general rule, smart device users should regularly update their devices to the latest versions. This will address vulnerabilities that serve as potential entry points for threats and will also improve the functionality of the devices. Finally, enable the auto-update feature if the device allows it.\r\nUsers can also adopt IoT security solutions that are designed to combat these kinds of threats. Trend Micro Smart Home Network™ protects users from this threat via this intrusion prevention rule:\r\n1135215 WEB ThinkPHP Remote Code Execution\r\nIndicators of Compromise (IoCs)\r\nSHA-256\r\nRelated malicious URLs:\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/"
	],
	"report_names": [
		"with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434774,
	"ts_updated_at": 1775826788,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/904725eda3be4dc79f4d1863959f1b000208a2c4.pdf",
		"text": "https://archive.orkl.eu/904725eda3be4dc79f4d1863959f1b000208a2c4.txt",
		"img": "https://archive.orkl.eu/904725eda3be4dc79f4d1863959f1b000208a2c4.jpg"
	}
}