{
	"id": "ee966b8f-4d3a-4469-8ab5-877b25c40bb4",
	"created_at": "2026-04-06T00:15:32.035811Z",
	"updated_at": "2026-04-10T03:38:06.586926Z",
	"deleted_at": null,
	"sha1_hash": "dcff04db2d5a8ae2d35060e1a4abc8135f15a49b",
	"title": "Searching for the Reuse of Mirai Code: Hide ‘N Seek Bot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2070539,
	"plain_text": "Searching for the Reuse of Mirai Code: Hide ‘N Seek Bot\r\nBy Jasper Manuel\r\nPublished: 2018-04-16 · Archived: 2026-04-05 21:04:51 UTC\r\nIt’s a common practice in mainstream software development to reuse code that was made available on the\r\ninternet. This practice is no different with malware development. Many malware source codes have been leaked\r\nand they enable many wannabe hackers and malware authors to learn and make their own malware.\r\nIn September 2016, the Mirai source code was leaked on the hacking community Hackforums. Mirai is known to\r\nhave been used to temporarily cripple high profile services via massive distributed denial of service (DDoS)\r\nattacks. Since the release of this code online, many have tried to modify it, and as a result many variants and\r\nderivations have emerged trying to get a slice of the IoT threat pie. On March 3, 2018, my colleague Dario\r\nDurando had the opportunity to present our research about these variants at the RootedCon Security Conference in\r\nMadrid, Spain. We identified variants that were derived from the original Mirai source code. From simple\r\nmodifications (such as just adding additional credentials to the list of credentials available for a brute force attack)\r\nto more complex approaches (such as using exploits) to spread the malware to IoT devices, these variants all still\r\nuse the main Mirai code base.\r\nWith this knowledge that leaked malware source code is used by many malware authors in their own malware\r\nprogramming, we here at FortiGuard Labs became interested in searching out other malware that leverages\r\nMirai code modules. Interestingly, one of the families that showed up in our search was the Hide ‘N Seek (HNS)\r\nbot, which was discovered in January of 2018. 
HNS is a complex botnet that uses P2P to communicate with\r\nhttps://www.fortinet.com/blog/threat-research/searching-for-the-reuse-of-mirai-code--hide--n-seek-bot.html\r\nPage 1 of 11\n\npeers/other infected devices to receive commands. In this article, I will discuss how the Mirai bot code was used\r\nin this HNS bot.\r\nA Quick Review of the Mirai Bot\r\nThe original Mirai malware has the following components:\r\nBot – infects and spreads to IoT devices through a brute-force attack and contacts the command and control\r\nserver (C2) to receive commands from the botnet master/users to launch DoS attacks against specified\r\ntargets.\r\nCommand and Control server – used to control the infected IoT devices to launch DDoS attacks against\r\nspecified targets.\r\nReport server – listens for reports from an infected IoT device about a new potential victim IoT\r\ndevice. This report contains the IP and login credentials of the new victim.\r\nLoader – loads the bot to the new victim device.\r\nFig 1. How Mirai Works\r\nIn this article, we will just focus on the bot. The Mirai bot has 3 main modules:\r\n·       Attack – the attack module contains various DoS attack methods (UDP, TCP, HTTP).\r\n·       Killer – kills processes (telnet, SSH, HTTP, other bots).\r\n·       Scanner – generates a list of random IP addresses to brute force and recruit into the botnet.\r\nFig 2. Mirai’s main modules\r\nThe Hide ‘N Seek Bot and How Mirai Code Was Used\r\nHNS was discovered in January 2018. This IoT malware is more complex than Mirai in the sense that it\r\ncommunicates in a complex and decentralized manner (custom-built peer-to-peer (P2P) communication) in order\r\nto receive commands to perform its various malicious routines. 
HNS doesn’t launch DoS attacks, but was found to\r\nhave the capability to exfiltrate data and execute additional code.\r\nAt first glance, it’s hard to notice that Hide ‘N Seek is using some Mirai modules, especially if you haven’t read\r\nthe Mirai source code or haven’t analyzed Mirai binaries before. There are some awesome IDA plugins, however,\r\nthat you can use to identify functions in a binary that have similar functions in another binary. However, they did\r\nnot work for the samples I analyzed, so I had to do the identification manually.\r\nIf you try to compile the Mirai source code, you will notice that its encrypted strings are stored in the read-only\r\ndata segment (.rodata) of the compiled ELF binary. With this in mind, I started to check the .rodata segment of the\r\nHNS binary for possible encrypted strings.\r\nFig 3. .rodata segment containing possibly encrypted strings\r\nWhen I checked the code reference to one of the sets of data, I was brought to the part of the binary where pointers\r\nto this data are passed as the first parameter to the same function. This gave me the idea that the function might be\r\na decryption function.\r\nFig 4. Code snippet showing the pointers to the data passed as a parameter to the same function\r\nGoing into the function reveals that it is, in fact, a decryption routine. The decryption starts with a hardcoded\r\nsingle-byte XOR key. This key is XORed with the first byte of the string, and the result is then added to the key.\r\nThe sum of the XOR result and the key is used as the key for the second byte. The same procedure applies to the\r\nnext bytes. I saw two different keys (0xA (ARM) and 0xA0 (x64)) from the binaries I analyzed, but this key can\r\nbe easily changed.\r\nFig 5. 
Decryption function\r\nTo make the string decryption easier, a simple IDA Python script can be written to automatically find the addresses\r\nof the encrypted strings and then apply the decryption algorithm. We can also use it to add comments containing\r\nthe decrypted strings.\r\nFig 6. Decrypted strings\r\nNow that we can see them, some of these strings look familiar. Some of these same strings are also found in Mirai.\r\nFig 7. The Mirai configuration table\r\nWith these strings decrypted, it’s easier to identify the Mirai functions used by HNS by just checking the\r\nreferences to these strings and then comparing them with the functions in the original Mirai source code.\r\nFig 8. The Mirai “consume_pass_prompt” function\r\nFig 9. The HNS “consume_pass_prompt” function implementation\r\nWhile many functions look like they are directly copied, there are also many functions that were clearly modified\r\nto fit the needs of this new malware. The HNS bot has three main modules: a scanner, a process killer, and a\r\nfunction to wait for a connection from its peers.\r\nFig 10. The main modules of HNS: scanner, killer, P2P\r\nTwo of the modules, the scanner and the killer, have a very similar code structure to that of the Mirai scanner and\r\nkiller modules.\r\nFor the killer module, they both kill processes associated with other bots, like QBOT, Zollard, and even Mirai\r\nitself.\r\nFig 11. HNS kills other bots\r\nOne difference is that HNS doesn’t directly kill processes (by port number) related to HTTP, telnet, and\r\nSSH. Instead, the attacker can specify a port number at runtime. 
The process associated with this port will be\r\nkilled.\r\nFig 12. HNS kills the process related to a port specified at runtime\r\nFor the scanner, they both generate a random set of IP addresses to search for potential victims. Major\r\ndifferences are around the ports to scan and the compromise methods to be used. HNS scans ports 80, 8080, 2323,\r\n9527, and 23 randomly by initiating a raw socket SYN connection. Once a connection is established, like Mirai, it will\r\ntry to brute-force its way into the device via telnet using a hardcoded list of credentials. Once successful, it can\r\nload itself to the device through several methods, such as echo, HTTP, and TFTP. Unlike with HNS, in the original\r\nMirai the loader is a separate binary, while other Mirai modifications embed the loader into their body.\r\nFig 13. HNS randomly selects which port to scan\r\nHNS uses at least three exploits in the samples I analyzed. Two are used for propagation. One of these targets\r\nNetgear DGN DSL modems/routers (also used by the Reaper bot) while the other targets TP-Link routers. While the\r\noriginal Mirai doesn’t use exploits to propagate, other modifications use various other exploits to spread.\r\nFig 14. Netgear DGN DSL modem/router exploit in the HNS implementation\r\nFig 15. TP-Link router exploit in the HNS implementation\r\nAfter logging in successfully via telnet into a ZyXEL PK5001Z modem, the third one (CVE-2016-10401) is used\r\nto escalate the user to root using ‘su’ with the password ‘zyad5001’.\r\nFig 16. CVE-2016-10401 HNS implementation\r\nOther HNS Details\r\nThis article doesn’t focus on the HNS malware itself. Instead, this article describes how Mirai code was used in\r\nHNS. 
This allows us to study how we can use this technique to hunt for other malware that uses Mirai code.\r\nHowever, some very interesting features of HNS must also be mentioned here. For example, HNS uses custom-built P2P communication with peers and/or other infected devices using a randomly generated UDP port or a port\r\nspecified at runtime. Unlike Mirai, which was designed to launch DoS attacks against certain targets, this IoT\r\nmalware receives commands through peers to exfiltrate data and execute additional code. This P2P\r\ncommunication makes the malware more complicated to analyze. The decentralized manner of receiving\r\ncommands also makes it hard to identify where the commands are issued from and where the data drop points are\r\nlocated.\r\nFig 17. Code snippet showing P2P commands\r\nConclusion\r\nAs we have seen in the past, malware source code leaks result in more malware being created. 
We are now seeing\r\nthat the Mirai source code leak is going through this same process, and so we expect to see new malware families\r\nemerge that leverage the Mirai source code.\r\nAs always, by using the knowledge we gained from this study, we here at FortiGuard Labs will continue to watch,\r\nand even hunt for malware that uses the Mirai source code.\r\nSolution\r\nFortinet detects the HNS samples as Linux/Hns.A!tr and the exploits used as ZyXEL.PK5001Z.Modem.Backdoor,\r\nNETGEAR.DGN1000.CGI.Unauthenticated.Remote.Code.Execution, and TP-Link.Wireless.Router.Backdoor.\r\n-= FortiGuard Lion Team =-\r\nSamples analyzed:\r\n8cb5cb204eab172befcdd5c923c128dd1016c21aaab72e7b31c0359a48d1357e (x64)\r\n095c13175e0908e67289bd5c619745ea905a73600ccb9c3f12df3e1c018e1346 (ARM)\r\n2da20a90a52e51897113438ac819362e5e04f8a7435c578d7d306afb482ac71e (MIPS)\r\nCheck out our latest Quarterly Threat Landscape Report for more details about recent threats.\r\nSign up for our weekly FortiGuard intel briefs or for our FortiGuard Threat Intelligence Service.\r\nSource: https://www.fortinet.com/blog/threat-research/searching-for-the-reuse-of-mirai-code--hide--n-seek-bot.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/searching-for-the-reuse-of-mirai-code--hide--n-seek-bot.html"
	],
	"report_names": [
		"searching-for-the-reuse-of-mirai-code--hide--n-seek-bot.html"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434532,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dcff04db2d5a8ae2d35060e1a4abc8135f15a49b.pdf",
		"text": "https://archive.orkl.eu/dcff04db2d5a8ae2d35060e1a4abc8135f15a49b.txt",
		"img": "https://archive.orkl.eu/dcff04db2d5a8ae2d35060e1a4abc8135f15a49b.jpg"
	}
}