{
	"id": "9dddb479-9dc1-443b-85ad-c363627367ef",
	"created_at": "2026-04-06T00:09:41.285915Z",
	"updated_at": "2026-04-10T03:21:08.046795Z",
	"deleted_at": null,
	"sha1_hash": "f5c05b4bb598da1c1039275b238f0b37f561937a",
	"title": "BCMPUPnP_Hunter: A 100k Botnet Turns Home Routers to Email Spammers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 621923,
	"plain_text": "BCMPUPnP_Hunter: A 100k Botnet Turns Home Routers to\r\nEmail Spammers\r\nBy Hui Wang\r\nPublished: 2018-11-07 · Archived: 2026-04-05 20:32:54 UTC\r\nThis article was co-authored by Hui Wang and RootKiter.\r\nSince September 2018, 360Netlab Scanmon has detected multiple scan spikes on TCP port 5431, each time the\r\nsystem logged more than 100k scan sources, a pretty large number compared with most other botnets we have\r\ncovered before.\r\nhttps://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/\r\nPage 1 of 10\n\nThe interaction between the botnet and the potential target takes multiple steps, it starts with tcp port 5431\r\ndestination scan, then moving on to check target’s UDP port 1900 and wait for the target to send the proper\r\nvulnerable URL. After getting the proper URL, it takes another 4 packet exchanges for the attacker to figure out\r\nwhere the shellcode's execution start address in memory is so a right exploit payload can be crafted and fed to the\r\ntarget.\r\nAt the beginning we were not able to capture a valid sample as the honeypot needs to be able to simulate the\r\nabove scenarios. We had to tweak and customize our honeypot quite a few times, then finally in Oct, we got it\r\nright and successfully tricked the botnet to send us the sample (we call it BCMUPnP_Hunter).\r\nThe botnet has the following characteristics:\r\nThe amount of infection is very large, the number of active scanning IP in each scan event is about\r\n100,000;\r\nThe target of infection is mainly router equipment with BroadCom UPnP feature enabled.\r\nSelf-built proxy network (tcp-proxy), the proxy network is implemented by the attacker, the proxy\r\ncurrently communicates with well-known mail servers such as Outlook, Hotmail, Yahoo! Mail, etc. We\r\nhighly suspect that the attacker's intention is to send spams.\r\nScale Assessment\r\nThe trend of scanning source IP for TCP port 5431 in the last 30 days is as follows:\r\nIt can be seen that the scan activity picks up every 1-3 days. The number of active scanning IP in each\r\nsingle event is about 100,000\r\nhttps://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/\r\nPage 2 of 10\n\nAll together we have 3.37 million unique scan source IPs. It is a big number, but it is likely that the IPs of\r\nthe same infected devices just changed over time.\r\nThe number of potential infections may reach 400,000 according to Shodan based on the search of banner:\r\nServer: Custom/1.0 UPnP/1.0 Proc/Ver\r\nGeographical distribution for the scanner IPs in the last 7 days (click to enlarge, deeper means more infected\r\ndevices).\r\nInfected Device Information\r\nWe probed the scanners, and 116 different type of infected device information is obtained, the actual infected\r\ndevice type should be more than what displays below:\r\nADB Broadband S.p.A, HomeStation ADSL Router\r\nADB Broadband, ADB ADSL Router\r\nADBB, ADB ADSL Router\r\nALSiTEC, Broadcom ADSL Router\r\nASB, ADSL Router\r\nASB, ChinaNet EPON Router\r\nASB, ChinaTelecom E8C(EPON) Gateway\r\nActiontec, Actiontec GT784WN\r\nActiontec, Verizon ADSL Router\r\nBEC Technologies Inc., Broadcom ADSL Router\r\nBest IT World India Pvt. Ltd., 150M Wireless-N ADSL2+ Router\r\nBest IT World India Pvt. Ltd., iB-WRA300N\r\nBillion Electric Co., Ltd., ADSL2+ Firewall Router\r\nBillion Electric Co., Ltd., BiPAC 7800NXL\r\nBillion, BiPAC 7700N\r\nBillion, BiPAC 7700N R2\r\nBinatone Telecommunication, Broadcom LAN Router\r\nhttps://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/\r\nPage 3 of 10\n\nBroadcom, ADSL Router\r\nBroadcom, ADSL2+ 11n WiFi CPE\r\nBroadcom, Broadcom Router\r\nBroadcom, Broadcom ADSL Router\r\nBroadcom, D-Link DSL-2640B\r\nBroadcom, D-link ADSL Router\r\nBroadcom, DLink ADSL Router\r\nClearAccess, Broadcom ADSL Router\r\nComtrend, AR-5383n\r\nComtrend, Broadcom ADSL Router\r\nComtrend, Comtrend single-chip ADSL router\r\nD-Link Corporation., D-Link DSL-2640B\r\nD-Link Corporation., D-Link DSL-2641B\r\nD-Link Corporation., D-Link DSL-2740B\r\nD-Link Corporation., D-Link DSL-2750B\r\nD-Link Corporation., D-LinkDSL-2640B\r\nD-Link Corporation., D-LinkDSL-2641B\r\nD-Link Corporation., D-LinkDSL-2741B\r\nD-Link Corporation., DSL-2640B\r\nD-Link, ADSL 4*FE 11n Router\r\nD-Link, D-Link ADSL Router\r\nD-Link, D-Link DSL-2640U\r\nD-Link, D-Link DSL-2730B\r\nD-Link, D-Link DSL-2730U\r\nD-Link, D-Link DSL-2750B\r\nD-Link, D-Link DSL-2750U\r\nD-Link, D-Link DSL-6751\r\nD-Link, D-Link DSL2750U\r\nD-Link, D-Link Router\r\nD-Link, D-link ADSL Router\r\nD-Link, DVA-G3672B-LTT Networks ADSL Router\r\nDARE, Dare router\r\nDLink, D-Link DSL-2730B\r\nDLink, D-Link VDSL Router\r\nDLink, DLink ADSL Router\r\nDQ Technology, Inc., ADSL2+ 11n WiFi CPE\r\nDQ Technology, Inc., Broadcom ADSL Router\r\nDSL, ADSL Router\r\nDareGlobal, D-Link ADSL Router\r\nDigicom S.p.A., ADSL Wireless Modem/Router\r\nDigicom S.p.A., RAW300C-T03\r\nDlink, D-Link DSL-225\r\nEltex, Broadcom ADSL Router\r\nFiberHome, Broadcom ADSL Router\r\nGWD, ChinaTelecom E8C(EPON) Gateway\r\nGenew, Broadcom ADSL Router\r\nINTEX, W150D\r\nhttps://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/\r\nPage 4 of 10\n\nINTEX, W300D\r\nINTEX, Wireless N 150 ADSL2+ Modem Router\r\nINTEX, Wireless N 300 ADSL2+ Modem Router\r\nITI Ltd., ITI Ltd.ADSL2Plus Modem/Router\r\nInteno, Broadcom ADSL Router\r\nIntercross, Broadcom ADSL Router\r\nIskraTEL, Broadcom ADSL Router\r\nKasda, Broadcom ADSL Router\r\nLink-One, Modem Roteador Wireless N ADSL2+ 150 Mbps\r\nLinksys, Cisco X1000\r\nLinksys, Cisco X3500\r\nNB, DSL-2740B\r\nNetComm Wireless Limited, NetComm ADSL2+ Wireless Router\r\nNetComm, NetComm ADSL2+ Wireless Router\r\nNetComm, NetComm WiFi Data and VoIP Gateway\r\nOPTICOM, DSLink 279\r\nOpticom, DSLink 485\r\nOrcon, Genius\r\nQTECH, QTECH\r\nRaisecom, Broadcom ADSL Router\r\nRamptel, 300Mbps ADSL Wireless-N Router\r\nRouter, ADSL2+ Router\r\nSCTY, TYKH PON Router\r\nStar-Net, Broadcom ADSL Router\r\nStarbridge Networks, Broadcom ADSL Router\r\nTP-LINK Technologies Co., Ltd, 300Mbps Wireless N ADSL2+ Modem Router\r\nTP-LINK Technologies Co., Ltd, 300Mbps Wireless N USB ADSL2+ Modem Router\r\nTP-LINK, TP-LINK Wireless ADSL2+ Modem Router\r\nTP-LINK, TP-LINK Wireless ADSL2+ Router\r\nTechnicolor, CenturyLink TR-064 v4.0\r\nTenda, Tenda ADSL2+ WIFI MODEM\r\nTenda, Tenda ADSL2+ WIFI Router\r\nTenda, Tenda Gateway\r\nTenda/Imex, ADSL2+ WIFI-MODEM WITH 3G/4G USB PORT\r\nTenda/Imex, ADSL2+ WIFI-MODEM WITH EVO SUPPORT\r\nUTStarcom Inc., UTStarcom ADSL2+ Modem Router\r\nUTStarcom Inc., UTStarcom ADSL2+ Modem/Wireless Router\r\nUniqueNet Solutions, WLAN N300 ADSL2+ Modem Router\r\nZTE, Broadcom ADSL Router\r\nZTE, ONU Router\r\nZYXEL, ZyXEL VDSL Router\r\nZhone, Broadcom ADSL Router\r\nZhone, Zhone Wireless Gateway\r\nZoom, Zoom Adsl Modem/Router\r\nZyXEL, CenturyLink UPnP v1.0\r\nZyXEL, P-660HN-51\r\nZyXEL, ZyXEL xDSL Router\r\nhttps://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/\r\nPage 5 of 10\n\nhuaqin, HGU210 v3 Router\r\niBall Baton, iBall Baton 150M Wireless-N ADSL2+ Router\r\niiNet Limited, BudiiLite\r\niiNet, BoB2\r\niiNet, BoBLite\r\nBotnet Workflow\r\nAs mentioned in the beginning, the bot has to go through multiple steps to infect a protentional target, see the\r\nfollowing diagram for the workflow, note the Loader is ( 109.248.9.17:4369 )\r\nFigure 1: BCMUPnP_Hunter Infection process (Click to enlarge)\r\nThe Sample\r\nThe sample of the botnet consists of two parts, the shellcode and the Main sample, which are described below.\r\nshellcode\r\nThe main function of shellcode is to download the main sample from C2( 109.248.9.17:8738 ) and execute it.\r\nhttps://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/\r\nPage 6 of 10\n\nThe shellcode has a full length of 432 bytes, very neatly organized and written, some proofs below (We did not\r\nfind similar code using search engines). It seems that the author has profound skills and is not a typical script kid:\r\nCode basic: The code has multiple syscall calls for networks, processes, files, etc.\r\nSome details: syscall 0x40404 (instead of syscall 0 ) and multiple inversion operations were used so\r\nbad characters ( \\x00 ) could be avoided; the stack variables in the code also have different degrees of\r\nmultiplexing to optimize the runtime stack structure;\r\nCode logic: by calling the Loop at various section, the possibility of many failed calls is reasonably\r\navoided, and the validity of shellcode execution is guaranteed.\r\nThe complete flow chart is as follows:\r\nhttps://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/\r\nPage 7 of 10\n\nFigure 2: Shellcode calling graph(Click to enlarge)\r\nMain Sample\r\nThe main sample includes BroadCom UPnP vulnerability probe and a proxy access network module, it can parse\r\nfour instruction codes from C2:\r\nCommand Code | Length | Function\r\n0x00000000 0x18 The first packet, no practical function\r\n0x01010101 0x4c Search for potential vulnerable target\r\n0x02020202 0x08 Empty current task\r\n0x03030303 0x108 Access Proxy Network\r\n0x01010101 to enable the port scan task, once the BOT IDs a potential target, the target IP will be\r\nreported to the Loader, and then the Loader will complete the subsequent infection process.\r\n0x03030303 is for the proxy service, BOT accesses the address provided in the instruction and reports the\r\naccess result to the C2. This can generate real economic benefits. Attackers can use this command to build\r\na proxy network, and then profit from doing things such as sending spam, simulating clicks, and so on.\r\nProxy Network and Spam\r\nIn the instructions we have obtained, BCMUPnP_Hunter is used to proxy traffic to the following servers:\r\n104.47.0.33:25\r\n104.47.12.33:25\r\n104.47.124.33:25\r\n104.47.14.33:25\r\n104.47.33.33:25\r\n104.47.48.33:25\r\n104.47.50.33:25\r\n106.10.248.84:25\r\n144.160.159.21:25\r\n188.125.73.87:25\r\n67.195.229.59:25\r\n74.6.137.63:25\r\n74.6.137.64:25\r\n98.137.159.28:25\r\nThis table shows what we have dug out from our various data sources for the above IPs:\r\nhttps://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/\r\nPage 8 of 10\n\nAs can be seen:\r\nThese servers are all well-known mail service providers, including Outlook, Hotmail, Yahoo! Mail;\r\nFor several months, these servers have provided and only provided TCP25 services;\r\nIn this case, it appears that the attacker is abusing the email service of these servers;\r\nThis makes us highly skeptical that the attacker is using the proxy network established by BCMUPnP_Hunter to\r\nsend spam.\r\nRelevant security oragnizations are welcomed to contact netlab[at]360.cn for a full list of infected IP addresses.\r\nReaders are always welcomed to reach us on twitter, WeChat 360Netlab or email to netlab[at]360.cn.\r\nAppendix: About the BroadCom UPnP Vulnerability\r\nUPnP is the acronym for Universal Plug and play, the Universal plug-in protocol. [1] The goal of the agreement is\r\nto enable home networks (data sharing, communication and entertainment) and various devices in the corporate\r\nnetwork to seamlessly connect with each other and simplify the implementation of related networks. Broadcom\r\nUPnP is a concrete implementation of Broadcom's response to the UPnP protocol.\r\nAs Broadcom is in the industry upstream of the supply chain, the implementation is adopted by major router\r\nmanufacturers, including Asus, D-link,zyxel,us Robotics,t p-link,netgear and so on.\r\nIn October 2013, security researchers at security research firm DefenseCode discovered the BroadCom UPnP\r\nformat string vulnerability in the protocol stack . Considering that the vulnerability affects products from several\r\nmajor router vendors, DefenseCode did not disclose their findings until 2017. The code disclosed this time is of a\r\nverification nature[2] An attacker must complete the necessary vulnerability analysis and optimize the shellcode\r\nprocess on the basis of a publicly available document before it can be of practical power.\r\nhttps://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/\r\nPage 9 of 10\n\nIoC\r\nC2\r\n109.248.9.17 \"Bulgaria/BG\" \"AS58222 Solar Invest UK LTD\" #C2\u0026\u0026Loader\r\nSample MD5\r\n9036120904827550bf4436a919d3e503\r\nShellcode(Base64 encode):\r\nAtYgJSQCD6YBAQEMArUgJSQCD6YBAQEMJ6T/yq+k/+CvoP/kJ6X/4CgG//8kAg+rAQEBDCgE//8kAg+hAQEBDAO9uCUnvf/gJA///QHgICckD//\r\nSource: https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/\r\nhttps://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/\r\nPage 10 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/"
	],
	"report_names": [
		"bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en"
	],
	"threat_actors": [],
	"ts_created_at": 1775434181,
	"ts_updated_at": 1775791268,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f5c05b4bb598da1c1039275b238f0b37f561937a.pdf",
		"text": "https://archive.orkl.eu/f5c05b4bb598da1c1039275b238f0b37f561937a.txt",
		"img": "https://archive.orkl.eu/f5c05b4bb598da1c1039275b238f0b37f561937a.jpg"
	}
}