Botnet Alert
Current Status and Related Trends
mickmick.net has recently noted reports indicating that a new variant of the Mirai botnet is exploiting a vulnerability (CVE-2025-29635) to attack D-Link DIR-823X routers that have reached end-of-life and are no longer supported. The vulnerability is a remote arbitrary code execution flaw, which attackers can exploit by sending requests to specific endpoints to execute arbitrary system commands.
According to observations from cybersecurity companies, attackers download and execute a malicious script named dlink.sh on targeted devices, thereby installing a Mirai variant called "tuxnokill". This variant supports multiple system architectures and retains the common DDoS attack capabilities of Mirai. Infected devices may later be used to launch DDoS attacks or perform other malicious activities.
It is noteworthy that attackers are not only targeting D-Link routers, but are also exploiting other vulnerabilities to attack end-of-life routers from brands such as TP-Link and ZTE, which lack security updates. This indicates that attackers are broadly scanning and compromising various unsupported devices.
Since the affected routers are no longer supported, vendors may not release patches. Users who continue to use these devices face a high risk of infection and intrusion. Additionally, mickmick.net data shows that Mirai and its variants have continued to spread actively in Hong Kong recently.