A new Mirai botnet variant has been exploiting a high-risk vulnerability in Four-Faith industrial routers since November 2024, according to a report from QiAnXin XLab.
The botnet has been linked to a massive campaign of distributed denial-of-service (DDoS) attacks, primarily targeting entities across China, Iran, Russia, Turkey, and the United States.
The malware leverages a zero-day vulnerability, tracked as CVE-2024-12856, in Four-Faith router models F3x24 and F3x36. This command injection flaw, rated 7.2 on the CVSS scale, is exploited after logging in with unchanged default credentials, which gives the attacker initial access. Exploitation of the flaw was first observed on November 9, 2024. The botnet also uses over 20 known vulnerabilities, affecting Huawei routers (CVE-2017-17215), LB-Link devices (CVE-2023-26801), PTZOptics IP cameras (CVE-2024-8956), ASUS routers, Neterbit routers and Vimar smart home devices.
The botnet employs a brute-forcing module targeting weak Telnet passwords and uses a Mirai-based command structure for operations like scanning, self-updating, and executing DDoS attacks. To evade detection, the malware uses custom UPX packing with unique signatures and conceals its processes on infected devices.
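Custom UPX packing defeats the simplest detection, a search for the stock `UPX!` marker. As an added defender-side illustration (not code from the XLab report, and nothing here is derived from the botnet's own packer, whose altered markers are not given on this page), the following Python script parses the ELF header and, when the stock marker is absent, falls back to two generic indicators that survive a changed signature: stripped section headers (`e_shnum == 0`, which stock UPX output also exhibits) and a high-entropy body. The three sample binaries are constructed inline with deterministic pseudo-random data standing in for a compressed payload.

```python
import math
import random
import struct

UPX_MAGIC = b"UPX!"          # marker left by stock UPX; custom builds alter it
ENTROPY_THRESHOLD = 7.0      # bits per byte; compressed or encrypted data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_elf_header(blob: bytes) -> dict:
    """Return e_phnum, e_shnum and the header size of a 32- or 64-bit ELF."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if blob[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    if blob[4] == 1:                               # EI_CLASS: ELFCLASS32
        fields = struct.unpack_from(endian + "HHIIIIIHHHHHH", blob, 16)
        header_size = 52
    elif blob[4] == 2:                             # ELFCLASS64
        fields = struct.unpack_from(endian + "HHIQQQIHHHHHH", blob, 16)
        header_size = 64
    else:
        raise ValueError("unknown ELF class")
    # field order after e_ident: e_type, e_machine, e_version, e_entry, e_phoff,
    # e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, ...
    return {"phnum": fields[9], "shnum": fields[11], "header_size": header_size}


def assess(blob: bytes) -> dict:
    """Classify an ELF blob as 'upx', 'possibly_packed' or 'clean'."""
    hdr = parse_elf_header(blob)
    body = blob[hdr["header_size"]:]
    indicators = []
    if UPX_MAGIC in blob:
        indicators.append("upx_magic")
    if hdr["shnum"] == 0:
        indicators.append("no_section_headers")
    entropy = shannon_entropy(body)
    if entropy >= ENTROPY_THRESHOLD:
        indicators.append("high_entropy_body")
    if "upx_magic" in indicators:
        verdict = "upx"
    elif "no_section_headers" in indicators and "high_entropy_body" in indicators:
        verdict = "possibly_packed"    # marker gone, but the packed shape remains
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": indicators, "entropy": round(entropy, 2)}


def _elf32_header(shnum: int) -> bytes:
    """Minimal little-endian ELF32 header (constructed, ARM e_machine) with `shnum` sections."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    return ident + struct.pack("<HHIIIIIHHHHHH",
                               2, 0x28, 1, 0x8000, 52, 0, 0, 52, 32, 2, 40, shnum, 0)


def build_samples() -> dict:
    """Three constructed test binaries: stock UPX, UPX with the marker removed, unpacked."""
    rng = random.Random(7)
    compressed = rng.randbytes(4096)                       # stands in for a packed payload
    plain = b"\x00" * 2000 + b"int main(void){return 0;}\n" * 20
    return {
        "stock_upx": _elf32_header(0) + UPX_MAGIC + compressed,
        "custom_packed": _elf32_header(0) + compressed,    # marker stripped, shape unchanged
        "unpacked": _elf32_header(5) + plain,
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, assess(blob))
```

The entropy and section-header heuristics also fire on legitimately stripped or compressed firmware components, so treat `possibly_packed` as a triage signal to combine with the other indicators from the report (Telnet brute-force traffic, Mirai-style scanning) rather than a conviction on its own.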
Since its discovery in February 2024, the botnet has maintained nearly 15,000 daily active IP nodes, with infections concentrated in China, the United States, Germany, the United Kingdom, and Singapore.
DDoS attacks conducted by the botnet peaked in October and November 2024, with short bursts of intense traffic reaching up to 100 Gbps. Such high-bandwidth attacks, though lasting only 10–30 seconds, are capable of overwhelming even resilient network infrastructures, the researchers noted.
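Bursts of 10–30 seconds are short enough to disappear into the one-minute averages that many traffic dashboards alert on. The following Python example, added here and not part of the XLab report, shows the difference on a constructed per-second throughput series: a 15-second burst at 100 Gbps on top of a 2 Gbps baseline averages out to 26.5 Gbps over a 60-second window, below a 50 Gbps alert threshold, while a per-second burst detector reports it with its true peak and duration. The threshold, window size and series values are illustrative assumptions.

```python
from dataclasses import dataclass


@dataclass
class Burst:
    start: int          # first second at or above threshold
    end: int            # last second at or above threshold (inclusive)
    peak_gbps: float

    @property
    def duration_s(self) -> int:
        return self.end - self.start + 1


def find_bursts(samples, threshold_gbps: float, max_gap_s: int = 1) -> list:
    """Group consecutive (timestamp_s, gbps) samples above threshold into bursts.

    A gap of more than `max_gap_s` seconds between qualifying samples closes
    the current burst, so sparse or lossy telemetry does not merge two events.
    """
    bursts, cur = [], None
    for ts, gbps in sorted(samples):
        above = gbps >= threshold_gbps
        if cur is not None and (not above or ts - cur.end > max_gap_s):
            bursts.append(cur)
            cur = None
        if above:
            if cur is None:
                cur = Burst(ts, ts, gbps)
            else:
                cur.end = ts
                cur.peak_gbps = max(cur.peak_gbps, gbps)
    if cur is not None:
        bursts.append(cur)
    return bursts


def window_averages(samples, window_s: int) -> list:
    """Average throughput per fixed window, as a coarse dashboard would compute it."""
    buckets = {}
    for ts, gbps in samples:
        buckets.setdefault(ts - ts % window_s, []).append(gbps)
    return [(start, sum(v) / len(v)) for start, v in sorted(buckets.items())]


def build_sample_series() -> list:
    """Constructed 120 s series: 2 Gbps baseline with a 15 s burst at 100 Gbps (t=70..84)."""
    return [(t, 100.0 if 70 <= t < 85 else 2.0) for t in range(120)]


def compare(samples, threshold_gbps: float = 50.0, window_s: int = 60) -> dict:
    """Run the per-second detector and the windowed rule on the same data."""
    bursts = find_bursts(samples, threshold_gbps)
    windows = window_averages(samples, window_s)
    return {
        "per_second_bursts": bursts,
        "window_averages": windows,
        "windowed_alerts": [start for start, avg in windows if avg >= threshold_gbps],
    }


if __name__ == "__main__":
    result = compare(build_sample_series())
    for b in result["per_second_bursts"]:
        print(f"burst {b.start}-{b.end}s: {b.duration_s}s at up to {b.peak_gbps} Gbps")
    print("60 s window averages:", result["window_averages"])
    print("windowed alerts:", result["windowed_alerts"])
```

The practical consequence is that telemetry granularity, not just the threshold, decides whether these attacks are visible: flow exporters and SNMP counters polled once a minute will show a modest bump where the link was actually saturated for a quarter of that interval.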