21 June 2023

New Condi malware hijacks TP-Link routers to build an army of bots


Researchers with FortiGuard Labs discovered a piece of botnet malware called “Condi” that exploits a vulnerability in TP-Link Archer routers to compromise them and conscript them into a DDoS botnet.

FortiGuard researchers say they have been observing a spike in the number of Condi samples since the end of May.

Condi is said to have been developed by a threat actor known as zxcr9999 who runs a Telegram channel called Condi Network to advertise their warez. The Telegram channel was started in May 2022, and the threat actor has been monetizing its botnet by providing DDoS-as-a-service and selling the malware source code.

The malware exploits a command injection vulnerability (CVE-2023-1389) in vulnerable TP-Link Archer AX21 (AX1800) routers to hijack the devices. It also uses several techniques to keep itself running on an infected system, and it prevents infections by other botnets by attempting to terminate their processes.

Unlike most DDoS botnets, Condi doesn’t use brute force to propagate. It comes with a scanner modified from Mirai’s original Telnet scanner that scans for any public IPs with open ports 80 or 8080 (commonly used for HTTP servers) and then sends a hardcoded exploitation request to download and execute a remote shell script. This script will then infect the device with Condi if it is a vulnerable TP-Link Archer AX21 device.

“While the sample we analyzed only contained the scanner for CVE-2023-1389, other Condi botnet samples were also seen exploiting other vulnerabilities to propagate. The publicly available source code for older versions also includes scanners for known vulnerabilities exploited by other Mirai variants,” the researchers noted.

FortiGuard also said they discovered source code for an older version of Condi that scans for devices with an open Android Debug Bridge port (TCP/5555).
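The scanning behaviour described above (public IPs probed on TCP 80/8080, and TCP 5555 in the older source) is detectable from flow logs as fan-out from a single source. The following is an added example, not code from the article or from FortiGuard's report; the log format, the sample records and the thresholds are assumptions.

```python
# Added example (not from the article or FortiGuard's report): flag Mirai-style
# scanner fan-out in flow logs. Format, sample data and thresholds are assumptions.
from collections import defaultdict

SCAN_PORTS = {80, 8080, 5555}  # ports named in the article: HTTP scanner targets plus ADB

# Constructed sample flow records: "epoch src_ip dst_ip dst_port".
SAMPLE_FLOWS = """\
1685577600 198.51.100.7 203.0.113.10 80
1685577601 198.51.100.7 203.0.113.11 8080
1685577602 198.51.100.7 203.0.113.12 80
1685577603 198.51.100.7 203.0.113.13 80
1685577604 198.51.100.7 203.0.113.14 8080
1685577605 198.51.100.7 203.0.113.15 80
1685577611 192.0.2.9 203.0.113.10 80
1685577612 192.0.2.9 203.0.113.11 80
1685577900 198.51.100.7 203.0.113.16 80
"""

def parse_flows(text):
    """Parse one record per line into (ts, src, dst, port); skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            flows.append((int(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return flows

def find_scanners(flows, window=60, min_targets=5):
    """Return {src: peak distinct targets} for sources that reach at least
    min_targets distinct destination IPs on SCAN_PORTS within `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in SCAN_PORTS:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct destinations this source touched in the window starting here.
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits
```

The sliding window matters: a scanner that paces its probes can stay under a per-minute threshold, so the window and count should be tuned against the normal fan-out of the network being monitored.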

“Malware campaigns, especially botnets, are always looking for ways to expand. Exploiting recently discovered (or published) vulnerabilities has always been one of their favored methods,” the researchers cautioned, urging users to always apply security updates and patches.

