Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Two Distinct Botnets Exploit Wazuh Server Vulnerability to Launch Mirai-Based Attacks

The Hacker News by The Hacker News
June 9, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


A now-patched critical security flaw in the Wazur Server is being exploited by threat actors to drop two different Mirai botnet variants and use them to conduct distributed denial-of-service (DDoS) attacks.

Akamai, which first discovered the exploitation efforts in late March 2025, said the malicious campaign targets CVE-2025-24016 (CVSS score: 9.9), an unsafe deserialization vulnerability that allows for remote code execution on Wazuh servers.

The security defect, which affects all versions of the server software including and above 4.4.0, was addressed in February 2025 with the release of 4.9.1. A proof-of-concept (PoC) exploit was publicly disclosed around the same time the patches were released.

The problem is rooted in the Wazuh API, where parameters in the DistributedAPI are serialized as JSON and deserialized using “as_wazuh_object” in the framework/wazuh/core/cluster/common.py file. A threat actor could weaponize the vulnerability by injecting malicious JSON payloads to execute arbitrary Python code remotely.

The web infrastructure company said it discovered attempts by two different botnets to exploit CVE-2025-24016 merely weeks after public disclosure of the flaw and the release of the PoC. The attacks were registered in early March and May 2025.

“This is the latest example of the ever-shrinking time-to-exploit timelines that botnet operators have adopted for newly published CVEs,” security researchers Kyle Lefton and Daniel Messing said in a report shared with The Hacker News.

Cybersecurity

In the first instance, a successful exploit paves the way for the execution of a shell script that serves as a downloader for the Mirai botnet payload from an external server (“176.65.134[.]62”) for different architectures. It’s assessed that the malware samples are variants of LZRD Mirai, which has been around since 2023.

It’s worth noting that LZRD was also deployed recently in attacks exploiting GeoVision end-of-life (EoL) Internet of Things (IoT) devices. However, Akamai told The Hacker News that there is no evidence that these two activity clusters are the work of the same threat actor given that LZRD is used by myriad botnet operators.

Further infrastructure analysis of “176.65.134[.]62” and its associated domains have led to the discovery of other Mirai botnet versions, including LZRD variants named “neon” and “vision,” and an updated version of V3G4.

Some of the other security flaws exploited by the botnet include flaws in Hadoop YARN, TP-Link Archer AX21 (CVE-2023-1389), and a remote code execution bug in ZTE ZXV10 H108L routers.

The second botnet to abuse CVE-2025-24016 employs a similar strategy of using a malicious shell script to deliver another Mirai botnet variant referred to as Resbot (aka Resentual).

“One of the interesting things that we noticed about this botnet was the associated language. It was using a variety of domains to spread the malware that all had Italian nomenclature,” the researchers said. “The linguistic naming conventions could indicate a campaign to target devices owned and run by Italian-speaking users in particular.”

Besides attempting to spread via FTP over port 21 and conducting telnet scanning, the botnet has been found to leverage a wide range of exploits targeting Huawei HG532 router (CVE-2017-17215), Realtek SDK (CVE-2014-8361), and TrueOnline ZyXEL P660HN-T v1 router (CVE-2017-18368).

“The propagation of Mirai continues relatively unabated, as it remains rather straightforward to repurpose and reuse old source code to set up or create new botnets,” the researchers said. “And botnet operators can often find success with simply leveraging newly published exploits.”

CVE-2025-24016 is far from the only vulnerability to be abused by Mirai botnet variants. In recent attacks, threat actors have also taken advantage of CVE-2024-3721, a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 digital video recording devices, to enlist them into the botnet.

The vulnerability is used to trigger the execution of a shell script that’s responsible for downloading the Mirai botnet from a remote server (“42.112.26[.]36”) and executing it, but not before checking if it’s currently running inside a virtual machine or QEMU.

Russian cybersecurity company Kaspersky said the infections are concentrated around China, India, Egypt, Ukraine, Russia, Turkey, and Brazil, adding it identified over 50,000 exposed DVR devices online.

Cybersecurity

“Exploiting known security flaws in IoT devices and servers that haven’t been patched, along with the widespread use of malware targeting Linux-based systems, leads to a significant number of bots constantly searching the internet for devices to infect,” security researcher Anderson Leite said.

The disclosure comes as China, India, Taiwan, Singapore, Japan, Malaysia, Hong Kong, Indonesia, South Korea, and Bangladesh have emerged as the most targeted countries in the APAC region in the first quarter of 2025, according to statistics shared by StormWall.

“API floods and carpet bombing are growing faster than traditional volumetric TCP/UDP attacks, pushing companies to adopt smarter, more flexible defenses,” the company said. “At the same time, rising geopolitical tensions are driving a surge in attacks on government systems and Taiwan – highlighting increased activity from hacktivists and state-sponsored threat actors.”

It also follows an advisory from the U.S. Federal Bureau of Investigation (FBI) that the BADBOX 2.0 botnet has infected millions of internet-connected devices, most of which are manufactured in China, in order to turn them into residential proxies to facilitate criminal activity.

“Cyber criminals gain unauthorized access to home networks by either configuring the product with malicious software prior to the user’s purchase or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process,” the FBI said.

“The BADBOX 2.0 botnet consists of millions of infected devices and maintains numerous backdoors to proxy services that cyber criminal actors exploit by either selling or providing free access to compromised home networks to be used for various criminal activity.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
123Invent Inventor Develops New Cooler with Wireless Charging Capabilities

123Invent Inventor Develops New Cooler with Wireless Charging Capabilities

Recommended.

Cloud Foundry Day North America Sessions Announced with Focus on Next-Generation Open Source Projects

Cloud Foundry Day North America Sessions Announced with Focus on Next-Generation Open Source Projects

April 10, 2025
Lenovo Channel Chief Rob Cato Steps Up To Take On Global Infrastructure Role

Lenovo Channel Chief Rob Cato Steps Up To Take On Global Infrastructure Role

August 8, 2025

Trending.

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

October 6, 2025
Cloud Computing on the Rise: Market Projected to Reach .6 Trillion by 2030

Cloud Computing on the Rise: Market Projected to Reach $1.6 Trillion by 2030

August 1, 2025
Stocks making the biggest moves midday: Autodesk, PayPal, Rivian, Nebius, Waters and more

Stocks making the biggest moves midday: Autodesk, PayPal, Rivian, Nebius, Waters and more

July 14, 2025
The Ultimate MSP Guide to Structuring and Selling vCISO Services

The Ultimate MSP Guide to Structuring and Selling vCISO Services

February 19, 2025
Translators’ Voices: China shares technological achievements with the world for mutual benefit

Translators’ Voices: China shares technological achievements with the world for mutual benefit

June 3, 2025

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio