Executive Summary
FortiGuard Labs has uncovered a new malware strain dubbed Gayfemboy, a Mirai successor that aggressively targets routers and critical networking gear from Cisco, TP-Link, DrayTek, and Raisecom. The campaign exploits multiple CVEs to compromise infrastructure devices, establish long-term persistence, and enable DDoS, cryptomining, and stealthy backdoor access.
With infections spreading across Brazil, Mexico, the U.S., Germany, France, Switzerland, Israel, and Vietnam, the malware poses a significant risk to telecommunications, manufacturing, technology, and media sectors.
Background
Gayfemboy was first observed in activity tracked since 2024, but its escalation with renewed exploitation waves in 2025 highlights a shift from brute-force credential attacks (typical of Mirai) to the targeted exploitation of vendor-specific vulnerabilities.
The malware’s infrastructure and payloads have been traced to:
- Source IP: 87[.]121[.]84[.]34
- Payload Host: 220[.]158[.]234[.]135
Vulnerability Details
Gayfemboy exploits multiple known flaws across networking equipment, including:
- CVE-ID: CVE-2020-8515
CVSS Score: 9.8 (Critical)
EPSS Score: 3.41
Vulnerability Type: Remote Code Execution (Command Injection)
Affected Software: DrayTek Vigor Routers (multiple models)
Patched in: Firmware updates released by DrayTek in 2020
This vulnerability arises from improper input validation in the web management interface. A remote attacker with network access to the router’s HTTP/HTTPS service can inject system commands and achieve full device takeover without authentication.
- CVE-ID: CVE-2023-1389
CVSS Score: 8.8 (High)
EPSS Score: 1.25
Vulnerability Type: Command Injection / Authentication Bypass
Affected Software: TP-Link Archer AX21 (AX1800) Wi-Fi Router
Patched in: TP-Link firmware updates (2023)
The flaw exists in the /cgi-bin/luci API endpoint, which fails to properly sanitize user input. An unauthenticated attacker can inject arbitrary system commands, enabling remote control of affected TP-Link routers. Public exploits are widely available.
- CVE-ID: CVE-2024-7120
CVSS Score: 9.1 (Critical)
EPSS Score: 2.84
Vulnerability Type: Authentication Bypass & Remote Code Execution
Affected Software: Raisecom MSG Gateway devices
Patched in: Vendor security patches (2024)
The vulnerability allows attackers to bypass authentication controls and directly execute privileged system functions. By crafting malicious requests, adversaries can gain remote code execution on targeted devices, giving them complete control.
- CVE-ID: CVE-2025-20281
CVSS Score: 9.6 (Critical)
EPSS Score: 3.72
Vulnerability Type: Privilege Escalation & Remote Code Execution (Insecure Deserialization)
Affected Software: Cisco Identity Services Engine (ISE)
Patched in: Cisco ISE Security Update (2025)
This vulnerability is caused by insecure deserialization in administrative services. Low-privileged remote attackers can escalate privileges and execute arbitrary code with SYSTEM-level access, severely impacting enterprise security infrastructure.
By leveraging these CVEs, attackers bypass traditional authentication and gain remote control.
Infection Method
- Attacker scans internet-facing routers and appliances for vulnerable firmware.
- Exploited devices download payloads from attacker-controlled infrastructure.
- Executables are disguised (e.g., xale for x86-64, aale for ARM64) to avoid detection.
- Malware achieves persistence via watchdog routines and anti-analysis delays.
Malware Behavior and Capabilities
Once active, Gayfemboy enables:
- Botnet Integration: Enrolling devices into a DDoS-for-hire service (UDP/TCP/ICMP floods).
- Cryptomining: Deploying coin miners to monetize compromised routers.
- Backdoor Access: Hidden function triggered with the keyword “meowmeow.”
- Self-Defense:
  - Terminates analysis/debugging tools (tcpdump, wget, curl).
  - Kills competing botnets and malware.
  - Alters UPX headers to bypass unpackers.
The malware utilizes evasion and persistence mechanisms such as:
- UPX Tampering: Replaces standard headers to evade unpacking.
- Anti-Sandbox Delays: Sleeps up to 27 hours in analysis environments.
- Dynamic C2 Communication: Resolves through public DNS (e.g., 8.8.8.8, 1.1.1.1).
- Domain Rotation: Uses a rotating set of domains, such as cross-compiling[.]org, furry-femboys[.]top, twinkfinder[.]nl, and i-kiss-boys[.]com.
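As an added example (not from the advisory or from FortiGuard), the following Python applies a simple triage heuristic for the UPX tampering described above: a stock UPX-packed ELF carries the UPX! magic and the UPX info string in plaintext and ships without a section header table, so an ELF that shows UPX traces or has no section table but lacks the magic is flagged for manual unpacking. The heuristic, the ELF64-only scope and the three constructed sample blobs are assumptions.

```python
import struct

# Plaintext markers a stock UPX-packed ELF carries; the advisory says Gayfemboy
# rewrites the UPX headers so the stock unpacker no longer recognises the file.
UPX_MAGIC = b"UPX!"
UPX_INFO = b"$Info: This file is packed with the UPX executable packer"


def elf64_has_section_headers(data: bytes) -> bool:
    """True if the ELF64 header points at a section header table.
    UPX output ships without one, so a section-less ELF is a packing hint."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled in this example")
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shnum = struct.unpack_from("<H", data, 0x3C)[0]
    return e_shoff != 0 and e_shnum != 0


def classify_upx(data: bytes) -> str:
    """Heuristic (an assumption, not a vendor signature): intact magic means stock
    UPX; UPX traces or a missing section table without the magic means tampering."""
    if UPX_MAGIC in data:
        return "upx-packed"
    if UPX_INFO in data or not elf64_has_section_headers(data):
        return "suspected-tampered-upx"
    return "not-upx"


def _fake_elf64(shoff: int, shnum: int, body: bytes) -> bytes:
    """Constructed sample: a bare x86-64 ELF64 header followed by arbitrary bytes."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9
    fields = struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x400000, 64, shoff,
                         0, 64, 56, 1, 64, shnum, 0)
    return ident + fields + body


# Constructed inputs: stock UPX layout, the same with the magic overwritten,
# and an ordinary binary that still has its section headers.
SAMPLE_STOCK = _fake_elf64(0, 0, UPX_MAGIC + b"\x00" * 8 + UPX_INFO)
SAMPLE_TAMPERED = _fake_elf64(0, 0, b"\x00" * 12 + UPX_INFO)
SAMPLE_PLAIN = _fake_elf64(0x1000, 5, b"\x00" * 32)

if __name__ == "__main__":
    for name, blob in (("stock", SAMPLE_STOCK), ("tampered", SAMPLE_TAMPERED),
                       ("plain", SAMPLE_PLAIN)):
        print(name, classify_upx(blob))
```

A hit only says the file deserves a manual look; a stripped firmware blob with no section table will also trip the second rule.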
MITRE ATT&CK Techniques
- T1190 – Exploit Public-Facing Application: Exploiting router web interfaces (DrayTek, TP-Link, Raisecom, Cisco ISE).
- T1059 – Command and Scripting Interpreter: Executing injected commands on vulnerable devices.
- T1547 – Boot or Logon Autostart Execution: Establishing persistence across reboots by modifying firmware/config.
- T1071 – Application Layer Protocol: Web Protocols: Malware communicates with attacker servers over HTTP/HTTPS.
- T1499 – Endpoint Denial of Service: Compromised routers leveraged in DDoS attacks.
Visual Flow of Attack
[Exploitation of Router Vulnerabilities (CVE-2020-8515, CVE-2023-1389, CVE-2024-7120, CVE-2025-20281)]
-> [Initial Access Gained on Vulnerable Router]
-> [Payload Download from Attacker Infrastructure (220[.]158[.]234[.]135)]
-> [Malware Installation and Execution on Router]
-> [Persistence Established via Watchdog Modules & Autostart Mechanisms]
-> [Command & Control Communication with Domains (cross-compiling[.]org, furry-femboys[.]top, etc.)]
-> [Router Hijacked for Attacker Use]
-> [Launch DDoS Attacks (UDP Flood, TCP SYN Flood, ICMP Flood)]
-> [Remote Command Execution on Router]
-> [Download and Execution of Additional Payloads]
-> [Use of Router as C2 Relay or Proxy for Further Operations]
Indicators of Compromise (IOCs)
IPs
- 87[.]121[.]84[.]34 (exploit source)
- 220[.]158[.]234[.]135 (payload host)
- 141[.]11[.]62[.]222
- 149[.]50[.]96[.]114
- 78[.]31[.]250[.]15
- 5[.]182[.]206[.]7
- 5[.]182[.]204[.]251
Domains
- cross-compiling[.]org
- furry-femboys[.]top
- twinkfinder[.]nl
- i-kiss-boys[.]com
- 3gipcam[.]com
Threat Actor Attribution
While attribution remains inconclusive, the infrastructure overlaps with Mirai-derived botnets, suggesting evolution by threat actors with expertise in router exploitation and persistence techniques.
Solutions and Mitigation
To protect against ongoing exploitation of these vulnerabilities, administrators should apply the following patches and mitigations immediately:
- DrayTek (CVE-2020-8515)
  - Fix: Upgrade to Firmware v1.5.1 or later.
  - Mitigation: Disable remote web management and restrict access to the management interface until patched.
- TP-Link Archer AX21 (CVE-2023-1389)
  - Fix: Update to Firmware v1.1.4 Build 20230219 or newer.
  - Mitigation: Turn off remote web access if not required.
- Raisecom Routers (CVE-2024-7120)
  - Fix: Apply the vendor-provided Firmware v3.90 update.
  - Mitigation: Restrict management access to trusted IPs and enforce ACLs where patching is delayed.
- Cisco Identity Services Engine (CVE-2025-20281)
  - Fix: Upgrade to Cisco ISE 3.3 Patch 6 or 3.4 Patch 2.
  - Mitigation: Block external exposure of ISE management services and monitor for suspicious API activity.
Other mitigations include:
- Blocking IOCs: Update firewalls and DNS filtering to block listed domains and IPs.
- Network Monitoring: Watch for unusual UDP/TCP traffic spikes on ports 80, 443, 1900, 8080.
- Endpoint Security: Ensure IPS/IDS solutions detect obfuscated UPX binaries.
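As an added detection example (not from the advisory or any vendor tool), the following Python scans constructed firewall/DNS log lines for the behaviours this advisory describes across the Infection Method, C2 and mitigation sections: connections to the listed IPs, fetches of the xale/aale payload names, queries for the rotating C2 domains, and infrastructure devices resolving through public DNS instead of the internal resolver. The log format, the 10.20.0.0/24 management subnet and the sample lines are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Indicators from this advisory, with the defanging brackets removed for matching.
BAD_IPS = {"87.121.84.34", "220.158.234.135", "141.11.62.222", "149.50.96.114",
           "78.31.250.15", "5.182.206.7", "5.182.204.251"}
C2_DOMAINS = {"cross-compiling.org", "furry-femboys.top", "twinkfinder.nl",
              "i-kiss-boys.com", "3gipcam.com"}
PUBLIC_RESOLVERS = {"8.8.8.8", "1.1.1.1"}
PAYLOAD_NAMES = {"xale", "aale"}
INFRA_NET = ip_network("10.20.0.0/24")  # assumption: subnet holding the routers/appliances

# Constructed, vendor-neutral log shape: "<ts> <src> <dst> <proto> <dport> [extra]",
# extra being "qname=<name>" for DNS or "<METHOD> <path>" for HTTP.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)(?: (.*))?$")

def classify_line(line: str) -> list:
    """Return the advisory behaviours one log line matches (empty list if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    _, src, dst, _, dport, extra = m.groups()
    dport, extra = int(dport), extra or ""
    reasons = []
    if dst in BAD_IPS:
        reasons.append("destination is an advisory IOC")
    if dport == 53 and dst in PUBLIC_RESOLVERS and ip_address(src) in INFRA_NET:
        reasons.append("infrastructure device bypassing internal DNS")
    if dport == 53 and extra.startswith("qname="):
        qname = extra[6:].lower().rstrip(".")
        if any(qname == d or qname.endswith("." + d) for d in C2_DOMAINS):
            reasons.append("DNS query for a rotating C2 domain")
    if dport in (80, 8080) and extra.rsplit("/", 1)[-1] in PAYLOAD_NAMES:
        reasons.append("fetch of a disguised payload name (xale/aale)")
    return reasons

def scan(log: str) -> list:
    # Number the lines and keep only those that matched at least one behaviour.
    hits = []
    for n, line in enumerate(log.strip().splitlines(), 1):
        reasons = classify_line(line)
        if reasons:
            hits.append((n, reasons))
    return hits

# Constructed sample traffic; only the first two lines should fire.
SAMPLE_LOG = """
2025-09-01T10:00:01Z 10.20.0.5 8.8.8.8 udp 53 qname=furry-femboys.top
2025-09-01T10:00:02Z 10.20.0.5 220.158.234.135 tcp 80 GET /xale
2025-09-01T10:00:03Z 10.20.0.7 10.20.0.1 udp 53 qname=ntp.example.com
2025-09-01T10:00:04Z 192.168.1.23 8.8.8.8 udp 53 qname=www.example.com
2025-09-01T10:00:05Z 10.20.0.5 203.0.113.10 tcp 443 GET /index.html
"""
```

Feed real exports through a parser for your own log format in place of LINE_RE; the rule bodies stay the same.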
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.