The MANGA (aka Dark Mirai) botnet operators have been discovered abusing a new vulnerability in the TP-Link TL-WR840N EU V5 that allows remote code execution.

The abused flaw

Botnets keep updating and upgrading their capabilities, targeting newly discovered vulnerabilities to perform illicit activities.
  • This time MANGA is exploting a bug tracked as CVE-2021-41653 that causes vulnerable host variables to execute commands on the device. 
  • A researcher published a proof of concept exploit for the flaw on November 12, and clearly not everyone applied the patch.
  • Later, MANGA started exploiting the flaw just two weeks after TP-Link released the firmware update.

The exploitation process

MANGA operators are exploiting the RCE flaw to force the devices to download and execute a malicious script.
  • The malicious script (tshit[.]sh) when executed, downloads the main binary payloads with two requests.
  • However, the actors still require authentication for this exploit, which is easy to overcome if the device has default credentials.
  • Just like the basic variant of Mirai, MANGA identifies infected machines' architecture and downloads matching payloads. Subsequently, it blocks connections to most targeted ports to stop other botnets from infecting the captured device.
  • Ultimately, the botnet waits for a command from the C2 server to carry out a Denial-of-Service (DoS) attack.

It is to be noted that TP-Link had already fixed the flaw by releasing a firmware update in November.


Unpatched devices may, now more often than ever, lead to dangerous consequences. Therefore, experts recommend always updating devices regularly and changing the default password with strong ones.

Cyware Publisher