An underground malware domain, named Cyberium, has been discovered hosting an active Mirai variant, identified as Moobot. Moreover, researchers observed a widespread scanning in their telemetry for a vulnerability in Tenda routers.

What's the threat?

According to AT&T Alien Labs, the widespread scanning for vulnerable Tenda routers alerted the researchers. The targeted flaw is a remote code execution (CVE-2020-10987) vulnerability.
  • This spike in activity was observed throughout a large number of clients, within a few hours. This vulnerability was barely detected by honeypots in the last six months, except for a minor peak in November 2020.
  • In late March, researchers tracked down the infrastructure behind the malware and identified that besides scanning for Tenda vulnerabilities, it was scanning for other bugs in Axis SSI, Realtek SDK Miniigd (CVE-2014-8361), and Huawei home routers (CVE-2017-17215).
  • In addition, it was deploying a DVR scanner that attempted default credentials for the Sofia video application. These compromises were linked to different Mirai-based botnet infections, including the Satori botnet.
  • When the Cyberium domain was investigated, several campaigns were observed, going back to as early as May 2020. Most of the attacks lasted for around a week while they hosted various Mirai variants.

Previous Moobot activity

Moobot was first discovered in April last year when it was abusing a pair of zero-day flaws to target multiple fiber routers. Then in October, it was going after vulnerable Docker APIs.
  • In all instances, the aim has been to add devices as nodes in a botnet used to perform DDoS attacks, just like Mirai. This variant is not a common one.
  • One of the main characteristics of Moobot is a hardcoded string that is used multiple times in code, such as generating the process name to be used while execution.


Cyberium has been in action for the past year and appears to be still active. Some of its subdomains were up, however they were not hosting any malware samples. It signifies that these malicious pages are at present awaiting new requests for C2 server lists or likely to be armed in near future.

Cyware Publisher