{
	"id": "3cf20ba6-5464-4960-bea7-ecb8ff0492e2",
	"created_at": "2026-04-06T01:30:33.356606Z",
	"updated_at": "2026-04-10T03:23:51.177487Z",
	"deleted_at": null,
	"sha1_hash": "c60ac5a3d80a2def7d9172cf9171f02a613b969a",
	"title": "Mirai Variant MooBot Targeting D-Link Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 816867,
	"plain_text": "Mirai Variant MooBot Targeting D-Link Devices\r\nBy Chao Lei, Zhibin Zhang, Cecilia Hu, Aveek Das\r\nPublished: 2022-09-06 · Archived: 2026-04-06 01:00:56 UTC\r\nExecutive Summary\r\nIn early August, Unit 42 researchers discovered attacks leveraging several vulnerabilities in devices made by D-Link, a\r\ncompany that specializes in network and connectivity products. The vulnerabilities exploited include:\r\nCVE-2015-2051: D-Link HNAP SOAPAction Header Command Execution Vulnerability\r\nCVE-2018-6530: D-Link SOAP Interface Remote Code Execution Vulnerability\r\nCVE-2022-26258: D-Link Remote Command Execution Vulnerability\r\nCVE-2022-28958: D-Link Remote Command Execution Vulnerability\r\nIf the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct\r\nfurther attacks such as distributed denial-of-service (DDoS) attacks. The exploit attempts captured by Unit 42 researchers\r\nleverage the aforementioned vulnerabilities to spread MooBot, a Mirai variant, which targets exposed networking devices\r\nrunning Linux.\r\nWhile D-Link has published security bulletins regarding all the vulnerabilities mentioned here, some users may be running\r\nunpatched or older versions or devices. Unit 42 strongly recommends applying upgrades and patches where possible.\r\nPalo Alto Networks Next-Generation Firewall customers receive protections through cloud-delivered security services\r\nsuch as IoT Security, Advanced Threat Prevention, WildFire and Advanced URL Filtering, which can detect and block the\r\nexploit traffic and malware.\r\nCampaign Overview\r\nThe whole attack process is shown in Figure 1.\r\nFigure 1. Campaign overview.\r\nhttps://unit42.paloaltonetworks.com/moobot-d-link-devices/\r\nPage 1 of 9\n\nExploited Vulnerabilities\r\nFour known vulnerabilities were exploited in this attack. 
Upon successful exploitation, the wget utility is invoked to download MooBot samples from the malware infrastructure, and the downloaded binaries are then executed. Vulnerability-related information is shown in Table 1.\r\nID | Vulnerability | Description | Severity\r\n1 | CVE-2015-2051 | D-Link HNAP SOAPAction Header Command Execution Vulnerability | CVSS Version 2.0: 10.0 (High)\r\n2 | CVE-2018-6530 | D-Link SOAP Interface Remote Code Execution Vulnerability | CVSS Version 3.0: 9.8 (Critical)\r\n3 | CVE-2022-26258 | D-Link Remote Command Execution Vulnerability | CVSS Version 3.0: 9.8 (Critical)\r\n4 | CVE-2022-28958 | D-Link Remote Command Execution Vulnerability | CVSS Version 3.0: 9.8 (Critical)\r\nTable 1. List of exploited vulnerabilities.\r\nD-Link Exploit Payloads\r\nThe attacker uses four D-Link vulnerabilities, each of which can lead to remote code execution, to fetch a MooBot downloader from the host 159.203.15[.]179.\r\n1. CVE-2015-2051: D-Link HNAP SOAPAction Header Command Execution Vulnerability\r\nFigure 2. CVE-2015-2051 exploit payload.\r\nThe exploit, which targets older D-Link routers, abuses the HNAP SOAP interface: the SOAPAction header named in the CVE title is used unsanitized, so an attacker can achieve code execution through a blind OS command injection (blind meaning the injected command’s output is never returned to the attacker, which is why such payloads fetch a second stage with wget instead of reading results back).\r\n2. CVE-2018-6530: D-Link SOAP Interface Remote Code Execution Vulnerability\r\nFigure 3. CVE-2018-6530 exploit payload.\r\nThe exploit works because the older D-Link router makes unsanitized use of the “service” parameter in requests to the SOAP interface. The vulnerability can be exploited for unauthenticated remote code execution.\r\n3. CVE-2022-26258: D-Link Remote Command Execution Vulnerability\r\nFigure 4. CVE-2022-26258 exploit payload.\r\nThe exploit targets a command injection vulnerability in the /lan.asp component. 
The component does not sanitize the value of the HTTP parameter DeviceName, which can lead to arbitrary command execution.\r\n4. CVE-2022-28958: D-Link Remote Command Execution Vulnerability\r\nFigure 5. CVE-2022-28958 exploit payload.\r\nThe exploit targets a remote command execution vulnerability in the /shareport.php component. The component does not sanitize the value of the HTTP parameter value, which can lead to arbitrary command execution.\r\nMalware Analysis\r\nAll the artifacts related to this attack are shown in the following table:\r\nFile Name | SHA256 | Description\r\nrt | B7EE57A42C6A4545AC6D6C29E1075FA1628E1D09B8C1572C848A70112D4C90A1 | Shell script downloader. It downloads MooBot onto the compromised system and renames the binary files to Realtek.\r\nwget[.]sh | 46BB6E2F80B6CB96FF7D0F78B3BDBC496B69EB7F22CE15EFCAA275F07CFAE075 | Shell script downloader. It downloads MooBot onto the compromised system and renames the binary files to Android.\r\narc | 36DCAF547C212B6228CA5A45A3F3A778271FBAF8E198EDE305D801BC98893D5A | MooBot executable file.\r\narm | 88B858B1411992509B0F2997877402D8BD9E378E4E21EFE024D61E25B29DAA08 | MooBot executable file.\r\narm5 | D7564C7E6F606EC3A04BE3AC63FDEF2FDE49D3014776C1FB527C3B2E3086EBAB | MooBot executable file.\r\narm6 | 72153E51EA461452263DBB8F658BDDC8FB82902E538C2F7146C8666192893258 | MooBot executable file.\r\narm7 | 7123B2DE979D85615C35FCA99FA40E0B5FBCA25F2C7654B083808653C9E4D616 | MooBot executable file.\r\ni586 | CC3E92C52BBCF56CCFFB6F6E2942A676B3103F74397C46A21697B7D9C0448BE6 | MooBot executable file.\r\ni686 | 188BCE5483A9BDC618E0EE9F3C961FF5356009572738AB703057857E8477A36B | MooBot executable file.\r\nmips | 4567979788B37FBED6EEDA02B3C15FAFE3E0A226EE541D7A0027C31FF05578E2 | MooBot executable file.\r\nmipsel | 06FC99956BD2AFCEEBBCD157C71908F8CE9DDC81A830CBE86A2A3F4FF79DA5F4 | MooBot executable file.\r\nsh4 | 4BFF052C7FBF3F7AD025D7DBAB8BD985B6CAC79381EB3F8616BEF98FCB01D871 | MooBot executable file.\r\nx86_64 | 3B12ABA8C92A15EF2A917F7C03A5216342E7D2626B025523C62308FC799B0737 | MooBot executable file.\r\nTable 2. Attack-related artifacts.\r\nUnit 42 researchers analyzed the downloaded malware samples. Based on their behavior and patterns, we assess that the samples hosted on 159.203.15[.]179 belong to MooBot, a variant of the Mirai botnet.\r\nFigure 6. MooBot random string generator.\r\nThe most obvious feature of MooBot is the string w5q6he3dbrsgmclkiu4to18npavj702f embedded in the executable, which it uses as the alphabet for generating random alphanumeric strings.\r\nUpon execution, the binary prints get haxored! to the console, spawns processes with random names and deletes its own executable from disk.\r\nFigure 7. MooBot creates processes.\r\nAs a variant, MooBot inherits Mirai’s most significant feature, a data section with embedded default login credentials and botnet configuration, but where Mirai’s source names a 32-bit table key, 0xDEADBEEF, MooBot encodes its data with the single-byte XOR key 0x22. Note that Mirai applies its key one byte at a time, XORing each data byte with each of the key’s four bytes in turn, and 0xDE ^ 0xAD ^ 0xBE ^ 0xEF is also 0x22, so a decoder written for the original Mirai table recovers MooBot’s configuration without changes.\r\nFigure 8. MooBot configuration decode function.\r\nAfter decoding its C2 server vpn.komaru[.]today from the configuration, MooBot sends a message to inform the C2 server that a new bot is online. The message starts with the hardcoded magic value 0x336699.\r\nAt the time of our analysis, the C2 server was offline. 
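The following Python triage helpers are an added example and are not code from the Unit 42 report or from the malware itself. They take only the facts stated above as inputs (the alphabet string w5q6he3dbrsgmclkiu4to18npavj702f, the byte key 0x22, the C2 domain vpn.komaru[.]today and the 0x336699 check-in magic) and show how an analyst would recover the byte key from a known string, pull XOR-encoded table entries out of a binary, confirm that Mirai’s own 0xDEADBEEF collapses to that same byte, and recognise the check-in prefix. The function names, the sample .rodata blob, the placeholder credential strings admin and 1234, and the assumed wire encodings of the magic value are this example’s own assumptions, not details from the report.

```python
'''Added example, not code from the Unit 42 report: triage helpers for a
Mirai-family sample such as MooBot.  Facts taken from the report: the
alphabet string w5q6he3dbrsgmclkiu4to18npavj702f, the single-byte XOR key
0x22, the C2 domain vpn.komaru[.]today and the 0x336699 check-in magic.
Everything else (table layout, sample blob, credential strings, magic
encodings) is constructed for illustration.'''
from __future__ import annotations

MIRAI_TABLE_KEY = 0xDEADBEEF            # 32-bit key named in Mirai's table.c
MOOBOT_KEY = 0x22                       # single-byte key the report observes in MooBot
MOOBOT_ALPHABET = b'w5q6he3dbrsgmclkiu4to18npavj702f'
MOOBOT_C2 = b'vpn.komaru.today'         # report writes it defanged: vpn.komaru[.]today
MOOBOT_MAGIC = 0x336699                 # leading magic of the C2 check-in


def effective_byte_key(table_key: int) -> int:
    '''Mirai XORs every data byte with each of the key's four bytes in turn,
    so a 32-bit table key collapses to one byte (0xDEADBEEF gives 0x22).'''
    key = 0
    for shift in (0, 8, 16, 24):
        key ^= (table_key >> shift) & 0xFF
    return key


def xor_bytes(data: bytes, key: int) -> bytes:
    '''Single-byte XOR; it is its own inverse, so it both encodes and decodes.'''
    return bytes(b ^ key for b in data)


def find_table_key(blob: bytes, known_plaintext: bytes) -> int | None:
    '''Brute-force the byte key by searching for a string the table is known to
    hold (here the C2 domain) in encoded form.  Returns None if no key fits.'''
    for key in range(256):
        if xor_bytes(known_plaintext, key) in blob:
            return key
    return None


def extract_obfuscated_strings(blob: bytes, key: int, min_len: int = 4) -> list[bytes]:
    '''Recover Mirai-style table entries: each is stored XOR-encoded including
    its NUL terminator, so an entry ends where a byte decodes to 0x00.  A raw
    0x00 in the binary is treated as a separator, since it could only be part
    of an entry if the plaintext contained the key byte itself.'''
    found: list[bytes] = []
    run = bytearray()
    for raw in blob:
        plain = raw ^ key
        if raw == 0:                       # literal NUL between .rodata objects
            run = bytearray()
        elif plain == 0:                   # encoded NUL: end of a table entry
            if len(run) >= min_len:
                found.append(bytes(run))
            run = bytearray()
        elif 0x20 <= plain < 0x7F:         # printable ASCII continues the run
            run.append(plain)
        else:                              # anything else is not table text
            run = bytearray()
    return found


def starts_with_magic(payload: bytes, magic: int = MOOBOT_MAGIC) -> bool:
    '''Check a C2 message for the 0x336699 prefix.  The report does not state
    the wire encoding, so (assumption) the 3- and 4-byte forms in both byte
    orders are all accepted.'''
    forms = {magic.to_bytes(4, 'big'), magic.to_bytes(4, 'little'),
             magic.to_bytes(3, 'big'), magic.to_bytes(3, 'little')}
    return any(payload.startswith(form) for form in forms)


def build_sample_blob() -> bytes:
    '''Constructed stand-in for a MooBot .rodata region (not a real sample):
    three table entries encoded with 0x22, each followed by a literal NUL as
    the compiler would emit, plus the plaintext alphabet and banner strings.
    The credential strings admin and 1234 are placeholders, not from the report.'''
    entries = [MOOBOT_C2, b'admin', b'1234']
    out = bytearray(bytes([0x7F]) + b'ELF' + bytes(8))   # fake header, then NULs
    for entry in entries:
        out += xor_bytes(entry + bytes(1), MOOBOT_KEY) + bytes(1)
    out += MOOBOT_ALPHABET + bytes(1) + b'get haxored!' + bytes(1)
    return bytes(out)


if __name__ == '__main__':
    blob = build_sample_blob()
    print('Mirai 0xDEADBEEF collapses to byte key 0x%02x' % effective_byte_key(MIRAI_TABLE_KEY))
    print('key recovered from encoded C2 domain: 0x%02x' % find_table_key(blob, MOOBOT_C2))
    print('decoded table entries:', extract_obfuscated_strings(blob, MOOBOT_KEY))
    print('MooBot alphabet present in plaintext:', MOOBOT_ALPHABET in blob)
    print('check-in magic recognised:', starts_with_magic(MOOBOT_MAGIC.to_bytes(4, 'big')))
```

To use this against a real sample, feed the bytes of the ELF’s data or rodata section to find_table_key with any string you already know the table holds, then to extract_obfuscated_strings with the recovered key; the plaintext alphabet string is searched for directly because the sample stores it unencoded.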
According to the code analysis, MooBot also sends heartbeat messages to the C2 server and parses commands from the C2 to launch a DDoS attack against a specified IP address and port.\r\nConclusion\r\nThe vulnerabilities described above have low attack complexity but critical impact: each can lead to remote code execution. Once attackers gain control this way, they can enlist the newly compromised devices in their botnet and use them for further attacks such as DDoS.\r\nTherefore, we strongly recommend applying patches and upgrades when possible.\r\nPalo Alto Networks customers receive protections from the vulnerabilities and malware through the following products and services:\r\nNext-Generation Firewalls with a Threat Prevention security subscription can block the attacks with Best Practices via Threat Prevention signatures 38600, 92960, 92959 and 92533.\r\nWildFire can stop the malware with static signature detections.\r\nThe Palo Alto Networks IoT Security platform can use network traffic information to identify the vendor, model and firmware version of a device and pinpoint the specific devices that are vulnerable to the aforementioned CVEs.\r\nAdvanced URL Filtering and DNS Security can block the C2 domain and the malware hosting URLs.\r\nIn addition, IoT Security has built-in machine learning-based anomaly detection that can alert the customer if a device exhibits atypical behavior, such as the sudden appearance of traffic from a new source, an unusually high number of connections or an inexplicable surge in attributes that typically appear in IoT application payloads.\r\nIndicators of Compromise\r\nInfrastructure\r\nMooBot C2\r\nvpn.komaru[.]today\r\nMalware Host\r\nhttp://159.203.15[.]179/wget.sh\r\nhttp://159.203.15[.]179/wget.sh3\r\nhttp://159.203.15[.]179/mips\r\nhttp://159.203.15[.]179/mipsel\r\nhttp://159.203.15[.]179/arm\r\nhttp://159.203.15[.]179/arm5\r\nhttp://159.203.15[.]179/arm6\r\nhttp://159.203.15[.]179/arm7\r\nhttp://159.203.15[.]179/sh4\r\nhttp://159.203.15[.]179/arc\r\nhttp://159.203.15[.]179/sparc\r\nhttp://159.203.15[.]179/x86_64\r\nhttp://159.203.15[.]179/i686\r\nhttp://159.203.15[.]179/i586\r\nArtifacts\r\nShell Script Downloader\r\nFilename | SHA256\r\nrt | B7EE57A42C6A4545AC6D6C29E1075FA1628E1D09B8C1572C848A70112D4C90A1\r\nwget[.]sh | 46BB6E2F80B6CB96FF7D0F78B3BDBC496B69EB7F22CE15EFCAA275F07CFAE075\r\nTable 3. Shell script downloader.\r\nMooBot Sample\r\nFilename | SHA256\r\narc | 36DCAF547C212B6228CA5A45A3F3A778271FBAF8E198EDE305D801BC98893D5A\r\narm | 88B858B1411992509B0F2997877402D8BD9E378E4E21EFE024D61E25B29DAA08\r\narm5 | D7564C7E6F606EC3A04BE3AC63FDEF2FDE49D3014776C1FB527C3B2E3086EBAB\r\narm6 | 72153E51EA461452263DBB8F658BDDC8FB82902E538C2F7146C8666192893258\r\narm7 | 7123B2DE979D85615C35FCA99FA40E0B5FBCA25F2C7654B083808653C9E4D616\r\ni586 | CC3E92C52BBCF56CCFFB6F6E2942A676B3103F74397C46A21697B7D9C0448BE6\r\ni686 | 188BCE5483A9BDC618E0EE9F3C961FF5356009572738AB703057857E8477A36B\r\nmips | 4567979788B37FBED6EEDA02B3C15FAFE3E0A226EE541D7A0027C31FF05578E2\r\nmipsel | 06FC99956BD2AFCEEBBCD157C71908F8CE9DDC81A830CBE86A2A3F4FF79DA5F4\r\nsh4 | 4BFF052C7FBF3F7AD025D7DBAB8BD985B6CAC79381EB3F8616BEF98FCB01D871\r\nx86_64 | 3B12ABA8C92A15EF2A917F7C03A5216342E7D2626B025523C62308FC799B0737\r\nTable 4. MooBot samples.\r\nSource: https://unit42.paloaltonetworks.com/moobot-d-link-devices/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/moobot-d-link-devices/"
	],
	"report_names": [
		"moobot-d-link-devices"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439033,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c60ac5a3d80a2def7d9172cf9171f02a613b969a.pdf",
		"text": "https://archive.orkl.eu/c60ac5a3d80a2def7d9172cf9171f02a613b969a.txt",
		"img": "https://archive.orkl.eu/c60ac5a3d80a2def7d9172cf9171f02a613b969a.jpg"
	}
}