{
	"id": "1e1ee3e5-fe3a-4a69-96d6-f339811291ec",
	"created_at": "2026-04-06T00:17:25.989827Z",
	"updated_at": "2026-04-10T03:22:04.099251Z",
	"deleted_at": null,
	"sha1_hash": "96716f664b828b2625e9f4d4312f479cb3031004",
	"title": "Router Crapfest: Malware Author Builds 18,000-Strong Botnet in a Day",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 695125,
	"plain_text": "Router Crapfest: Malware Author Builds 18,000-Strong Botnet in a Day\r\nBy Catalin Cimpanu\r\nPublished: 2018-07-19 · Archived: 2026-04-05 19:10:59 UTC\r\nA malware author has built a huge botnet comprised of over 18,000 routers in the span of only one day.\r\nThis new botnet has been spotted yesterday by security researchers from NewSky Security, and their findings have been\r\nconfirmed today by Qihoo 360 Netlab, Rapid7, and Greynoise.\r\nBotnet built with one exploit only\r\nThe botnet has been built by exploiting a vulnerability in Huawei HG532 routers, tracked as CVE-2017-17215.\r\nhttps://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nScans for this vulnerability, which can be exploited via port 37215, started yesterday morning, July 18, according to data\r\ncollected by Netlab's NetScan system.\r\nBy late in the evening, NewSky security researcher Ankit Anubhav says the botnet had already gathered 18,000 routers.\r\nAnubhav told Bleeping Computer the botnet author reached out to him to brag about his actions, even sharing a list with the\r\nIP addresses of all of the botnet's victims.\r\nBotnet author is a known threat actor\r\nThe botnet herder identified himself with the pseudonym \"Anarchy.\" Answering inquiries from both Anubhav and Bleeping\r\nComputer, Anarchy did not provide a reason why he created the botnet.\r\nBut Anubhav believes Anarchy may actually be a hacker who previously identified as Wicked, which Anubhav interviewed\r\non NewSky's blog and Fortinet featured in a report here.\r\nWicked/Anarchy is a well-known malware author who, in the past, has created variations of the Mirai IoT malware. 
These\r\nvariations and their respective botnets were known as Wicked, Omni, and Owari (Sora), and had been previously used for\r\nDDoS attacks.\r\nBotnet will also target Realtek routers\r\nBut the real problem here is not a malware author doing what he does best. The problem is the relative ease with which\r\nAnarchy built a gigantic botnet within one day.\r\nHe didn't do it with a zero-day or some vulnerability that had not been exploited before. He did so with a high-profile\r\nvulnerability that many botnets have exploited before.\r\nCVE-2017-17215 is a well-known exploit that has been abused by at least two versions of the Satori botnet [1, 2], and many\r\nof the smaller Mirai-based offshoots. You'd think that by now users would have patched devices or ISPs would have blocked\r\nincoming connections on port 37215.\r\nBut Anarchy is not done yet. The botnet author told Anubhav that he also plans to target CVE-2014-8361, a vulnerability in\r\nRealtek routers exploitable via port 52869.\r\n\"Testing has already started for the Realtek exploit during the night,\" Anubhav told Bleeping Computer in a private\r\nconversation today. [Update: Both Rapid7 and Greynoise are confirming that scans for Realtek have gone through the roof\r\ntoday.]\r\nIt's both hilarious and sad that somebody can nowadays build a huge DDoS botnet in less than a day. This only shows the\r\nreal sad state of SOHO router security.\r\nIOCs, courtesy of NewSky Security and CERT Tunisia:\r\nSHA-256: 61440574aafaf3c4043e763dd4ce4c628c6c92fb7d7a2603076b3f60f2813f1b [Source]\r\nC2: hxxp://104.244.72.82 [Source]\r\nSource: https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/"
	],
	"report_names": [
		"router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day"
	],
	"threat_actors": [],
	"ts_created_at": 1775434645,
	"ts_updated_at": 1775791324,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/96716f664b828b2625e9f4d4312f479cb3031004.pdf",
		"text": "https://archive.orkl.eu/96716f664b828b2625e9f4d4312f479cb3031004.txt",
		"img": "https://archive.orkl.eu/96716f664b828b2625e9f4d4312f479cb3031004.jpg"
	}
}