Mirai botnet weaponizes PoC to exploit Wazuh open-source XDR flaw

Two Mirai variants integrate the exploit: The first botnet exploiting CVE-2025-24016 was detected by Akamai in March and used a proof-of-concept (PoC) exploit that was published for the vulnerability in late February. That exploit targets the /security/user/authenticate/run_as API endpoint. The second botnet was detected in early May and targeted the /Wazuh endpoint, but the exploit payload is very similar to the previously released PoC exploit. Both botnets exploit additional vulnerabilities for other devices and deploy the Mirai malware.

First launched in 2016, Mirai was one of the most successful malware payloads that commandeered IoT devices and used them to launch distributed denial-of-service (DDoS) attacks. The original botnet was responsible for some of the biggest DDoS attacks recorded on the internet until it was shut down by its creator and the source code for the malware was released on GitHub. Since then, many variants of Mirai have been observed, as attackers take the original codebase and add new exploits and functionality to it.

The first variant that exploits the Wazuh vulnerability downloads a malicious shell script that can download the Mirai payload for various CPU architectures. The Mirai variant contains the name “morte” and used command-and-control (C2) domains previously associated with a Windows-based RAT and several other Mirai variants. The morte botnet also contains exploits for known vulnerabilities in Hadoop YARN, TP-Link Archer AX21, and ZTE ZXV10 H108L routers. Incorporating multiple exploits for IoT devices is common for Mirai, but attackers can customize them.

The second Mirai botnet exploiting the Wazuh flaw has been dubbed Resbot or Resentual and uses C2 domains that contain Italian words. This botnet also includes exploits for known vulnerabilities in Huawei HG532 and TrueOnline ZyXEL P660HN-T v1 routers as well as the Miniigd UPnP implementation in the Realtek network chipset SDK.

“Researchers’ attempts to educate organizations on the importance of vulnerabilities by creating PoCs continue to lead to baleful results, showing just how dire it is to keep up with patches when they are released,” the Akamai team wrote in its report. “Botnet operators keep tabs on some of these vulnerability disclosures, and, especially in cases where PoCs are made available, they will quickly adapt the PoC code to proliferate their botnet.”
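The article names the two Wazuh API paths the botnets hit. A defender's first question is whether anything unexpected is calling those paths on their own Wazuh manager. The script below is an added example, not code from the article, Akamai or the Wazuh project: it scans access-log lines for requests to those two endpoints and flags any that come from a source not on a hypothetical allowlist of hosts that legitimately use the run_as authentication endpoint. The log line layout and all IP addresses are constructed for the example; a real deployment would adapt the regex to the actual API log format and populate the allowlist from its own integration inventory.

```python
"""Flag requests to the Wazuh API endpoints named in the Akamai report.

Added example, not taken from the article or from Akamai/Wazuh. It assumes
a simple constructed access-log layout ("ip method path status") and a
hypothetical allowlist of hosts that are expected to call the run_as
endpoint (for example a SIEM integration account).
"""
import re
from collections import Counter

# Endpoints the article says the two Mirai variants target.
WATCHED_PATHS = ("/security/user/authenticate/run_as", "/Wazuh")

# Hypothetical allowlist of sources that legitimately use these endpoints.
ALLOWED_SOURCES = {"10.0.5.20"}

# Constructed sample log lines (not real traffic); layout is assumed.
SAMPLE_LOG = """\
10.0.5.20 POST /security/user/authenticate/run_as 200
203.0.113.44 POST /security/user/authenticate/run_as 500
203.0.113.44 POST /security/user/authenticate/run_as 200
198.51.100.7 GET /agents 200
198.51.100.9 POST /Wazuh 404
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_watched(path):
    """True if the path is one of the watched endpoints (exact, or a sub-path/query of it)."""
    return any(
        path == p or path.startswith(p + "/") or path.startswith(p + "?")
        for p in WATCHED_PATHS
    )


def find_suspicious(log_text, allowed=ALLOWED_SOURCES):
    """Return (ip, path, status) for watched-endpoint requests from non-allowlisted sources."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed layout
        if is_watched(rec["path"]) and rec["ip"] not in allowed:
            hits.append((rec["ip"], rec["path"], int(rec["status"])))
    return hits


def summarize(hits):
    """Count flagged requests per source IP so repeated probing stands out."""
    return Counter(ip for ip, _, _ in hits)


if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_LOG)
    for ip, path, status in flagged:
        print(f"flag {ip} -> {path} ({status})")
    print(dict(summarize(flagged)))
```

On the constructed sample the allowlisted host's request is ignored, while the two external sources hitting the watched paths are reported, with the repeat source counted twice. Flagged entries are a starting point for triage (correlate with the manager's own logs and confirm the installed Wazuh version is patched for CVE-2025-24016), not a verdict on their own.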

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4004616/mirai-botnet-weaponizes-poc-to-exploit-wazuh-open-source-xdr-flaw.html
