Mirai malware targets Wi-Fi router vulnerability

Update – TP-Link router firmware targeted by threat actor group – 17th May 2023

Overview

The Chinese nation-state sponsored threat actor group tracked as “Camaro Dragon” has been reported to have targeted TP-Link routers with a malware variant dubbed “Horse Shell”. The associated campaign has specifically targeted organisations involved in European foreign affairs. The malware is implanted as a backdoor and has been specifically crafted for TP-Link routers.

The Horse Shell backdoor allows for the creation of remote shells, the transfer of files and tunnelling. Upon infection, the malware sends data pertaining to the device via established communications with a command-and-control (C2) server.

Whilst not confirmed as of the time of this writing, it is possible that the threat actor group has compromised the target systems by either exploiting an associated vulnerability or via a brute force attack.

Updated Impact

The deployment of the Horse Shell malware in TP-Link routers allows threat actors to implement their attack chain, whilst appearing to originate from home-based networks. Upon accessing the target system, the threat actors could then execute commands and use the compromised system as a SOCKS proxy to transmit communications between systems.

Updated Containment, Mitigations & Remediations

It is strongly recommended that users follow the security best practices outlined below:

– Apply the latest firmware update for the respective router model version

– Change the default administrator password

– Disable remote access to the device administrator panel, ensuring that it is only accessible from the local network.

Updated Threat Landscape

A recent trend has emerged relating to the targeting of vulnerable routers by nation-state sponsored threat actor groups. Such groups have recently targeted other similar products, including Fortinet VPN and SonicWall SMA routers. Further, CISA also disclosed that the Russian state-sponsored threat actor, tracked as Forest Blizzard, had targeted Cisco routers to install the Jaguar Tooth malware for espionage purposes.

Edge network devices do not tend to implement Endpoint Detection and Response (EDR) security solutions, which makes them vulnerable to threat actors that can leverage these flaws for the purposes of data exfiltration, lateral movement and further targeting.

Updated Threat Group

The operations within the campaign reported on have correlations to those of another threat actor group, tracked as “Mustang Panda”. This attribution was made based upon features including IP addresses of the threat actor servers.

Updated Further Information

Check Point Research Report

Target Industry

Indiscriminate, opportunistic targeting.

Overview

The Mirai Botnet malware has been detected actively exploiting a TP-Link Archer AX21 (AX1800) Wi-Fi router vulnerability, tracked as CVE-2023-1389 (CVSSv3 Score: 8.8). The security flaw is an unauthenticated command injection in the locale API of the web management interface of the TP-Link Archer AX21 router, which allows remote threat actors to inject commands that are then executed on the device.

Impact

Successful exploitation of CVE-2023-1389 could allow an unauthenticated threat actor to inject commands, which would be run as root, with a simple POST request. Mirai capitalises on this vulnerability by downloading the binary payload for the router’s architecture to recruit the target into its botnet.

Vulnerability Detection

TP-Link has released a patched firmware version for the affected model. Firmware versions prior to the patch remain vulnerable to exploitation.

Affected Products

– TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219
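As an added example (not code from the bulletin or from TP-Link), the following Python check parses TP-Link style firmware version strings and flags inventory entries still on firmware before 1.1.4 Build 20230219. The inventory, hostnames and version strings are constructed; a version string with no build date is treated conservatively as vulnerable.

```python
import re
from typing import List, NamedTuple, Tuple

# Patched firmware stated in the bulletin: anything sorting before it is vulnerable.
PATCHED_VERSION = "1.1.4 Build 20230219"

class Firmware(NamedTuple):
    release: Tuple[int, ...]  # e.g. (1, 1, 4)
    build: int                # build date as an integer, e.g. 20230219; 0 if absent

# Matches "1.1.4", "v1.1.4 Build 20230219" and "1.1.4 Build 20230219 rel.60928"
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(?:\s+Build\s+(\d{8}))?", re.IGNORECASE)

def parse_firmware(text: str) -> Firmware:
    """Parse a TP-Link style version string into numeric parts.
    Release numbers compare numerically (1.1.10 > 1.1.4), then by build date."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0  # unknown build -> sorts first
    return Firmware(release, build)

def is_vulnerable(version: str, patched: str = PATCHED_VERSION) -> bool:
    """True when `version` sorts before the patched release."""
    cur, fix = parse_firmware(version), parse_firmware(patched)
    # Pad release tuples so that (1, 1) compares as (1, 1, 0).
    n = max(len(cur.release), len(fix.release))
    cur_rel = cur.release + (0,) * (n - len(cur.release))
    fix_rel = fix.release + (0,) * (n - len(fix.release))
    return (cur_rel, cur.build) < (fix_rel, fix.build)

def vulnerable_hosts(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return names of Archer AX21 devices in `inventory` still on vulnerable firmware."""
    return [name for name, model, fw in inventory
            if model.upper().startswith("ARCHER AX21") and is_vulnerable(fw)]

# Constructed sample inventory (hostnames and versions are illustrative, not from the bulletin).
SAMPLE_INVENTORY = [
    ("branch-01", "Archer AX21", "1.0.9 Build 20221023 rel.12345"),
    ("branch-02", "Archer AX21", "1.1.4 Build 20230219 rel.60928"),
    ("branch-03", "Archer AX21", "1.1.4"),                 # build unknown: treat as vulnerable
    ("branch-04", "Archer AX21", "1.1.10 Build 20230301"),  # numerically newer than 1.1.4
    ("branch-05", "Archer AX55", "1.0.2 Build 20220101"),   # different model, not in scope
]

if __name__ == "__main__":
    print("Needs firmware update:", vulnerable_hosts(SAMPLE_INVENTORY))
```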

Containment, Mitigations & Remediations

It is strongly recommended that Archer AX21 AX1800 dual-band Wi-Fi 6 router owners download the latest firmware update for their device’s hardware version.

Indicators of Compromise

Mirai file hashes (SHA-256):


Mirai IP addresses:


Mirai domain:

– tego[.]hopacali[.]xyz

Mirai URLs:


Threat Landscape

Although the creators of the Mirai Botnet malware were previously apprehended, the source code of the malware was subsequently released into the wild and, as such, Mirai and other botnet variants pose a significant threat to unprotected devices and their associated networks.

Since being released on the dark web, the Mirai source code has been continuously altered by threat actors to create more advanced strains of the malware. To date, these have included Okiru, Satori, Masuta and PureMasuta. Given the open access to the source code, as well as the growing prominence of the targeted device markets, it is highly likely that further variants will continue to emerge, leading to the potential of further targeting.

Threat Group

Due to the progressive development of additional variants, no specific threat actor has been associated with the Mirai Botnet malware. However, it should be noted that Russian-speaking threat actors have been linked to documented attacks using more advanced variants of the botnet.

Mitre Methodologies

Common Weakness Enumeration:

CWE-77 – Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

Further Information

Zero Day Initiative Report

Intelligence Terminology Yardstick