A now-patched important safety flaw within the Wazur Server is being exploited by risk actors to drop two completely different Mirai botnet variants and use them to conduct distributed denial-of-service (DDoS) assaults.
Akamai, which first found the exploitation efforts in late March 2025, stated the malicious marketing campaign targets CVE-2025-24016 (CVSS rating: 9.9), an unsafe deserialization vulnerability that enables for distant code execution on Wazuh servers.
The safety defect, which impacts all variations of the server software program together with and above 4.4.0, was addressed in February 2025 with the discharge of 4.9.1. A proof-of-concept (PoC) exploit was publicly disclosed across the identical time the patches have been launched.
The issue is rooted within the Wazuh API, the place parameters within the DistributedAPI are serialized as JSON and deserialized utilizing “as_wazuh_object” within the framework/wazuh/core/cluster/widespread.py file. A risk actor may weaponize the vulnerability by injecting malicious JSON payloads to execute arbitrary Python code remotely.
The online infrastructure firm stated it found makes an attempt by two completely different botnets to take advantage of CVE-2025-24016 merely weeks after public disclosure of the flaw and the discharge of the PoC. The assaults have been registered in early March and Could 2025.
“That is the most recent instance of the ever-shrinking time-to-exploit timelines that botnet operators have adopted for newly revealed CVEs,” safety researchers Kyle Lefton and Daniel Messing stated in a report shared with The Hacker Information.
Within the first occasion, a profitable exploit paves the best way for the execution of a shell script that serves as a downloader for the Mirai botnet payload from an exterior server (“176.65.134[.]62”) for various architectures. It is assessed that the malware samples are variants of LZRD Mirai, which has been round since 2023.
It is price noting that LZRD was additionally deployed not too long ago in assaults exploiting GeoVision end-of-life (EoL) Web of Issues (IoT) gadgets. Nonetheless, Akamai advised The Hacker Information that there isn’t any proof that these two exercise clusters are the work of the identical risk actor provided that LZRD is utilized by myriad botnet operators.
Additional infrastructure evaluation of “176.65.134[.]62” and its related domains have led to the invention of different Mirai botnet variations, together with LZRD variants named “neon” and “imaginative and prescient,” and an up to date model of V3G4.
A few of the different safety flaws exploited by the botnet embody flaws in Hadoop YARN, TP-Hyperlink Archer AX21 (CVE-2023-1389), and a distant code execution bug in ZTE ZXV10 H108L routers.
The second botnet to abuse CVE-2025-24016 employs an identical technique of utilizing a malicious shell script to ship one other Mirai botnet variant known as Resbot (aka Resentual).
“One of many attention-grabbing issues that we seen about this botnet was the related language. It was utilizing quite a lot of domains to unfold the malware that each one had Italian nomenclature,” the researchers stated. “The linguistic naming conventions may point out a marketing campaign to focus on gadgets owned and run by Italian-speaking customers particularly.”
In addition to trying to unfold by way of FTP over port 21 and conducting telnet scanning, the botnet has been discovered to leverage a variety of exploits focusing on Huawei HG532 router (CVE-2017-17215), Realtek SDK (CVE-2014-8361), and TrueOnline ZyXEL P660HN-T v1 router (CVE-2017-18368).
“The propagation of Mirai continues comparatively unabated, because it stays reasonably simple to repurpose and reuse outdated supply code to arrange or create new botnets,” the researchers stated. “And botnet operators can usually discover success with merely leveraging newly revealed exploits.”
CVE-2025-24016 is much from the one vulnerability to be abused by Mirai botnet variants. In latest assaults, risk actors have additionally taken benefit of CVE-2024-3721, a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 digital video recording gadgets, to enlist them into the botnet.
The vulnerability is used to set off the execution of a shell script that is accountable for downloading the Mirai botnet from a distant server (“42.112.26[.]36”) and executing it, however not earlier than checking if it is presently working inside a digital machine or QEMU.
Russian cybersecurity firm Kaspersky stated the infections are concentrated round China, India, Egypt, Ukraine, Russia, Turkey, and Brazil, including it recognized over 50,000 uncovered DVR gadgets on-line.
“Exploiting identified safety flaws in IoT gadgets and servers that have not been patched, together with the widespread use of malware focusing on Linux-based methods, results in a big variety of bots continuously looking out the web for gadgets to contaminate,” safety researcher Anderson Leite stated.
The disclosure comes as China, India, Taiwan, Singapore, Japan, Malaysia, Hong Kong, Indonesia, South Korea, and Bangladesh have emerged as essentially the most focused international locations within the APAC area within the first quarter of 2025, in accordance with statistics shared by StormWall.
“API floods and carpet bombing are rising sooner than conventional volumetric TCP/UDP assaults, pushing firms to undertake smarter, extra versatile defenses,” the corporate stated. “On the identical time, rising geopolitical tensions are driving a surge in assaults on authorities methods and Taiwan – highlighting elevated exercise from hacktivists and state-sponsored risk actors.”
It additionally follows an advisory from the U.S. Federal Bureau of Investigation (FBI) that the BADBOX 2.0 botnet has contaminated tens of millions of internet-connected gadgets, most of that are manufactured in China, as a way to flip them into residential proxies to facilitate felony exercise.
“Cyber criminals acquire unauthorized entry to dwelling networks by both configuring the product with malicious software program previous to the person’s buy or infecting the system because it downloads required functions that comprise backdoors, often throughout the set-up course of,” the FBI stated.
“The BADBOX 2.0 botnet consists of tens of millions of contaminated gadgets and maintains quite a few backdoors to proxy providers that cyber felony actors exploit by both promoting or offering free entry to compromised dwelling networks for use for numerous felony exercise.”
Discovered this text attention-grabbing? Comply with us on Twitter and LinkedIn to learn extra unique content material we put up.
