IoT botnet operators keep expanding their arsenal by adding new scanners and exploits to harvest more IoT devices. One such botnet, Muhstik, has been observed targeting cloud infrastructure by leveraging several web application exploits.

What you need to know

Recently, cloud security firm Lacework published additional analysis of Muhstik's intrusion infrastructure and possible attribution.
  • The Muhstik gang uses a multi-layered attack strategy built around a payload named pty, which downloads the other malicious components and then contacts IRC servers (the botnet's C2 infrastructure) to receive commands.
  • Muhstik deploys the XMRig miner and scanning modules that target other Linux servers and home routers, and reuses Mirai source code to encrypt the configurations of its payload and scanning module.
  • Its primary propagation vector is home routers, including GPON, DD-WRT, and Tomato routers.
  • Muhstik has actively exploited web application vulnerabilities in Oracle WebLogic Server (CVE-2019-2725 and CVE-2017-10271) and the Drupal RCE flaw (CVE-2018-7600).
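As an added example (not code from the page, from Lacework, or from Cyware), the following Python script scans web server access logs for requests to the endpoints publicly associated with the three CVEs listed above: the WebLogic WLS-WSAT and async endpoints, and the Drupal AJAX form path carrying an injected render array. The log lines are constructed for illustration, and an HTTP status of 200 or 500 on these requests only shows that the endpoint was probed, not that exploitation succeeded.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format). These are not
# real Muhstik traffic; they illustrate what a WebLogic/Drupal probe looks like.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2020:10:01:02 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 412 "-" "python-requests/2.24"
203.0.113.10 - - [12/Nov/2020:10:01:05 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0 "-" "python-requests/2.24"
198.51.100.7 - - [12/Nov/2020:10:02:11 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 1337 "-" "curl/7.64"
192.0.2.44 - - [12/Nov/2020:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.45 - - [12/Nov/2020:10:03:30 +0000] "GET /user/register HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Detection rules: (CVE, allowed methods, pattern over the URL-decoded request target).
# The endpoints are the publicly documented ones for each CVE; the rule set is ours.
RULES = [
    # WebLogic WLS-WSAT XMLDecoder deserialization endpoint
    ("CVE-2017-10271", {"POST"}, re.compile(r"^/wls-wsat/", re.I)),
    # WebLogic async endpoint abused by the 2019 deserialization bug
    ("CVE-2019-2725", {"POST"}, re.compile(r"^/_async/", re.I)),
    # Drupalgeddon2: render-array injection via element_parents containing '#'
    ("CVE-2018-7600", {"GET", "POST"}, re.compile(r"element_parents=[^&]*#", re.I)),
]


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of CVE identifiers whose rule matches this request."""
    target = unquote(entry["target"])  # decode %23 -> '#' before matching
    return [cve for cve, methods, pat in RULES
            if entry["method"] in methods and pat.search(target)]


def scan_log(text):
    """Scan a whole log and return (cve, ip, method, target, status) alerts."""
    alerts = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for cve in classify(entry):
            alerts.append((cve, entry["ip"], entry["method"],
                           entry["target"], entry["status"]))
    return alerts


def attackers_by_ip(alerts):
    """Group alerts by source IP; one host hitting several CVE endpoints is a scanner."""
    grouped = {}
    for cve, ip, *_ in alerts:
        grouped.setdefault(ip, set()).add(cve)
    return {ip: sorted(cves) for ip, cves in grouped.items()}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for alert in found:
        print("ALERT", *alert)
    for ip, cves in attackers_by_ip(found).items():
        print(ip, "probed", ", ".join(cves))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the rules match the request path only, so they flag probing regardless of whether the server was actually vulnerable.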

Worth noting

  • The botnet has been linked to a Chinese forensics firm, Shen Zhou Wang Yun Information Technology Co., Ltd.
  • Other notable characteristics in Muhstik malware and infrastructure include the use of a Google Analytics ID and references to anime character ‘Jay’ from a game at

Recent botnet attacks on IoT devices

  • Last month, a botnet named HEH was found being distributed with the capability to wipe all data from infected systems such as routers, servers, and IoT devices.
  • InterPlanetary Storm malware operators released a new variant targeting IoT devices in 84 countries around the world.

Security tips

Experts recommend that users be cautious when installing open-source firmware and pay attention to the security updates and maintenance patches needed to keep devices protected. Regular vulnerability scans and prompt patching are also advisable.

Cyware Publisher