{
	"id": "a0c2b91d-57e5-44e6-8a51-1a49f6d48bab",
	"created_at": "2026-04-06T01:32:39.61636Z",
	"updated_at": "2026-04-10T03:20:51.908243Z",
	"deleted_at": null,
	"sha1_hash": "e2712ebf48f369ed5787bf5c4df5d25bd369737b",
	"title": "Mirai Code Re-use in Gafgyt",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1482837,
	"plain_text": "Mirai Code Re-use in Gafgyt\r\nBy Siddharth Sharma\r\nPublished: 2021-04-15 · Archived: 2026-04-06 00:12:07 UTC\r\nResearch by Siddharth Sharma\r\nUptycs' threat research team recently detected several variants of the Linux-based botnet malware family “Gafgyt” via threat intelligence systems and our in-house osquery-based sandbox. Upon analysis, we identified several code modules, techniques and implementations in Gafgyt that were re-used from the infamous Mirai botnet.\r\nIn this blog, we’ll take a look at some of the re-used Mirai modules, their functionality, and the Uptycs EDR detection capabilities for Gafgyt.\r\nGafgyt (also known as Bashlite) is a prominent malware family for *nix systems, which mainly targets vulnerable IoT devices like Huawei routers, Realtek routers and ASUS devices. Gafgyt also uses some existing exploits (CVE-2017-17215, CVE-2018-10561) to download the next-stage payloads, which we will discuss further on.\r\nGafgyt malware variants have very similar functionality to Mirai, as a majority of the code was copied.\r\nTechnical Analysis: Gafgyt; Re-used Mirai Modules\r\nDuring our analysis of Gafgyt, we identified several recent variants that have re-used code modules from the Mirai source code. The modules are:\r\n1. HTTP Flooding\r\n2. UDP Flooding\r\n3. TCP Flooding\r\n4. STD Module\r\n5. Telnet Bruteforce\r\nWe will provide details of these modules and their functionality; for the purpose of this blog we are using the samples with hashes da20bf020c083eb080bf75879c84f8885b11b6d3d67aa35e345ce1a3ee762444 and 1b3bb39a3d1eea8923ceb86528c8c38ecf9398da1bdf8b154e6b4d0d8798be49 and the leaked Mirai source code.\r\n1. HTTP Flooding Module\r\nHTTP flooding is a kind of DDoS attack in which the attacker sends a large number of HTTP requests to the targeted server to overwhelm it. The creators of Gafgyt have re-used this code from the leaked Mirai source code.\r\nThe below figure (Figure 1) shows the comparison of the Gafgyt and Mirai HTTP flooding modules.\r\nhttps://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt\r\nPage 1 of 8\r\nFigure 1: HTTP flooder module.\r\nIn the above image, the left is the Gafgyt decompiled code, which matches the Mirai source code on the right.\r\n2. UDP Flood Module\r\nUDP flooding is a type of DDoS attack in which an attacker sends many UDP packets to the victim server as a means of exhausting it. Gafgyt contains this same UDP flooding functionality, copied from the leaked Mirai source code (see Figure 2).\r\nFigure 2: UDP flooder module.\r\n3. TCP Flood Module\r\nGafgyt performs all types of TCP flood attacks, like SYN, PSH and FIN floods. In this type of attack, the attacker abuses the normal three-way TCP handshake: the victim server receives a heavy number of requests, resulting in the server becoming unresponsive.\r\nThe below image shows the TCP flooder module of Gafgyt, which contains code similar to Mirai's (see Figure 3).\r\nFigure 3: TCP flooder module.\r\n4. STD Module\r\nGafgyt contains an STD module which sends a random string (from a hardcoded array of strings) to a particular IP address. This functionality has also been used by Mirai (see Figure 4).\r\nFigure 4: STD module.\r\n5. Brute Force Module\r\nNot only the flooding modules are re-used. Recent Gafgyt variants also contain other Mirai modules with small tweaks, like a telnet bruteforce scanner (see Figure 5).\r\nFigure 5: Telnet bruteforce module.\r\nCVEs Used by Gafgyt\r\nGafgyt uses existing vulnerabilities in IoT devices to turn them into bots and later perform DDoS attacks on specifically targeted IP addresses. Some of the recent Gafgyt variants (e.g., 7fe8e2efba37466b5c8cd28ae6af2504484e1925187edffbcc63a60d2e4e1bd8 and 25461130a268f3728a0465722135e78fd00369f4bccdede4dd61e0c374d88eb8) also contain multiple exploits, like the RCE exploit for Huawei routers and the authentication bypass exploit for GPON home routers (see Figures 6, 7 and 8).\r\nFigure 6: Huawei exploit inside binary (CVE-2017-17215).\r\nFigure 7: Realtek exploit inside binary (CVE-2014-8361).\r\nIn Figures 6 and 7, you can see that the Gafgyt malware binary embeds remote code execution exploits for Huawei and Realtek routers, by which the malware binary:\r\n1. fetches the payload using the wget command;\r\n2. gives execute permission to the payload using the chmod command;\r\n3. executes the payload.\r\nFigure 8: GPON router exploit inside binary (CVE-2018-10561).\r\nIn the same way, the Gafgyt malware binary uses CVE-2018-10561 for authentication bypass in vulnerable GPON routers; the malware binary fetches a malicious script using the wget command and then executes the script from the /tmp location (bins.sh in Figure 8).\r\nFigure 9: Downloaded malicious script.\r\nThe malicious script:\r\n1. fetches the payload using the wget command;\r\n2. gives execute permission to the payload using the chmod command;\r\n3. executes the payload;\r\n4. removes the payload.\r\nThe IP addresses used for fetching the payloads in Figure 9 (above) were generally open directories where malicious payloads for different architectures were hosted by the attacker (see Figure 10).\r\nFigure 10: Malware programs hosted on an open directory.\r\nUptycs EDR Detection\r\nUptycs’ EDR capabilities, armed with YARA process scanning, detected both Gafgyt variants with a threat score of 10/10 (see Figures 11 and 12).\r\nFigure 11: Uptycs detection for Gafgyt I.\r\nFigure 12: Uptycs detection for Gafgyt II.\r\nMalware authors may not always innovate, and researchers often discover that malware authors copy and re-use leaked malware source code. In order to identify and protect against these kinds of malware attacks, we recommend the following measures:\r\nRegularly monitor the suspicious processes, events, and network traffic spawned on the execution of any untrusted binary.\r\nKeep systems and firmware updated with the latest releases and patches.\r\nIOCs\r\nHashes\r\nURLs\r\nSource: https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt"
	],
	"report_names": [
		"mirai-code-re-use-in-gafgyt"
	],
	"threat_actors": [],
	"ts_created_at": 1775439159,
	"ts_updated_at": 1775791251,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2712ebf48f369ed5787bf5c4df5d25bd369737b.pdf",
		"text": "https://archive.orkl.eu/e2712ebf48f369ed5787bf5c4df5d25bd369737b.txt",
		"img": "https://archive.orkl.eu/e2712ebf48f369ed5787bf5c4df5d25bd369737b.jpg"
	}
}