Mirai botnet variant exploits Four-Faith industrial router Flaw for DDoS attacks

A new Mirai botnet variant has been exploiting a high-risk vulnerability in Four-Faith industrial routers since November 2024, according to a report from QiAnXin XLab.

The botnet has been linked to a massive campaign of distributed denial-of-service (DDoS) attacks, primarily targeting entities across China, Iran, Russia, Turkey, and the United States.

The malware leverages a zero-day vulnerability, tracked as CVE-2024-12856, in Four-Faith router models F3x24 and F3x36. The command injection flaw, rated 7.2 on the CVSS scale, is exploited with the help of unchanged default credentials to gain initial access; exploitation was first observed on November 9, 2024. The botnet also uses over 20 known vulnerabilities affecting Huawei routers (CVE-2017-17215), LB-Link devices (CVE-2023-26801), PTZOptics IP cameras (CVE-2024-8956), ASUS routers, Neterbit routers and Vimar smart home devices.

The botnet employs a brute-forcing module targeting weak Telnet passwords and uses a Mirai-based command structure for operations like scanning, self-updating, and executing DDoS attacks. To evade detection, the malware uses custom UPX packing with unique signatures and conceals its processes on infected devices.

Since its discovery in February 2024, the botnet has maintained nearly 15,000 daily active IP nodes, with infections concentrated in China, the United States, Germany, the United Kingdom, and Singapore.

DDoS attacks conducted by the botnet peaked in October and November 2024, with short bursts of intense traffic reaching up to 100 Gbps. Such high-bandwidth attacks, though lasting only 10–30 seconds, are capable of overwhelming even resilient network infrastructures, the researchers noted.
