{
	"id": "b9613478-26de-438c-9302-c01567000fd3",
	"created_at": "2026-04-06T00:06:37.891141Z",
	"updated_at": "2026-04-10T03:21:53.468299Z",
	"deleted_at": null,
	"sha1_hash": "fb07abef966eb553bb5b7d279615845b3e72463e",
	"title": "Quick summary about the Port 8291 scan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 236534,
	"plain_text": "Quick summary about the Port 8291 scan\r\nBy RootKiter\r\nPublished: 2018-03-28 · Archived: 2026-04-05 20:10:22 UTC\r\nSummary\r\nThis 8291 scan event is caused by a Hajime botnet variant. Compared to the old Hajime, this one adds two new\r\nfeatures:\r\n1. Check port 8291 to determine if the target is a MikroTik device\r\n2. Use ‘Chimay Red’ Stack Clash Remote Code Execution Loophole vulnerabilities to infect and spread.\r\nFor more details about the Hajime, please check our previous blog here\r\nThe sharp scan increase\r\nAt around 0:00 on March 25, Beijing time, our Scanmon system suggested a large number of scan activity is\r\nhappening on port 8291 on a global scale.\r\nAround 2 pm, our honeypot data indicated this sudden spike was related to Hajime. Our preliminary conclusion\r\nbased on its UPX_MAGIC_LE32 and some sample features confirmed that the sample is Hajime based. And we\r\nfound the ‘Chimay Red’ Stack Clash Remote Code Execution” vulnerability related attack code in their atk\r\nmodule.\r\nhttps://www.exploit-db.com/exploits/44283/\r\nInfection process\r\nhttps://blog.netlab.360.com/quick-summary-port-8291-scan-en/\r\nPage 1 of 4\n\nThis Hajime variant adds a support of using “‘Chimay Red’ Stack Clash Remote Code “Execution” to perform\r\nworm-like spreading, and its propagation process is roughly divided into two steps:\r\n1. Find a MikroTik device by checking if the target port is open on port 8291, if this port is open,the other\r\ncommon web ports (80,81,82,8080,8081,8082,8089,8181,8880) will be probed next.\r\n2. Check the version number of the device and send the Exploit which carried the Shellcode. Once the\r\nvulnerability is successfully exploited, Hajime will be downloaded and executed.\r\nNumber of unique ips\r\nFrom 2018-03-25 00:00 to 2018-03-27 12:36(GMT+8), We logged a total of 861,131 unique scan source IPs (72\r\nHours).(Please bear in mind that device may change ip due to device reboot etc and it does not necessary mean all\r\nthese devices are MikroTik devices as all the Hajime bots will perform this task as long as they have the most\r\nrecent version of Hajime code running. Also naturally there will be some noises such as researcher ips in it)\r\nScan Source Distribution\r\nhttps://blog.netlab.360.com/quick-summary-port-8291-scan-en/\r\nPage 2 of 4\n\nFrom the above figure, it is not difficult to find the top three sources of the scan source are: Brazil (585k), Iran\r\n(51.8k), Russia (26.4k).\r\nMitigation\r\n1. block unnecessary 8291 port request\r\n2. Update to the latest version from MikroTik.\r\nWe will continue to monitor this activity, if readers have new discoveries, feel free to contact us on our twitter.\r\nIOC\r\n06B4D50254C6C112437A3ED893EF40B4 .i.mipseb\r\n93A1A080FCDE07E512E7485C92861B69 atk.mipseb\r\nfc834c015b357c687477cb9116531de7 atk.mipseb.upx.unpack\r\nRefer\r\n1. https://scan.netlab.360.com/#/dashboard?\r\ntsbeg=1521648000000\u0026tsend=1522252800000\u0026dstport=8291\u0026toplistname=srcip\u0026topn=10\u0026sortby=sum\r\n2. https://forum.mikrotik.com/viewtopic.php?f=2\u0026t=132368\u0026sid=7f731eb96b119d6e9e1a90227270fdd4\r\n3. https://www.exploit-db.com/exploits/44283/\r\n4. https://blog.netlab.360.com/hajime-status-report/\r\n5. https://blog.netlab.360.com/hajime-status-report-en/\r\n6. https://twitter.com/360Netlab\r\nhttps://blog.netlab.360.com/quick-summary-port-8291-scan-en/\r\nPage 3 of 4\n\nSource: https://blog.netlab.360.com/quick-summary-port-8291-scan-en/\r\nhttps://blog.netlab.360.com/quick-summary-port-8291-scan-en/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/quick-summary-port-8291-scan-en/"
	],
	"report_names": [
		"quick-summary-port-8291-scan-en"
	],
	"threat_actors": [],
	"ts_created_at": 1775433997,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb07abef966eb553bb5b7d279615845b3e72463e.pdf",
		"text": "https://archive.orkl.eu/fb07abef966eb553bb5b7d279615845b3e72463e.txt",
		"img": "https://archive.orkl.eu/fb07abef966eb553bb5b7d279615845b3e72463e.jpg"
	}
}