New Mirai botnets are exploiting zero-day vulnerabilities in industrial routers.
A new botnet, inspired by the dreaded Mirai, has been detected and is actively recruiting devices.
Cybersecurity researchers have identified a new variant of the Mirai malware, which focuses on attacking industrial routers and smart home devices by exploiting zero-day vulnerabilities, misconfigurations, and weak passwords. This botnet, known as "gayfemboy," is linked to approximately 15,000 active IP addresses distributed across countries such as the United States, Turkey, Iran, China, and Russia.
Unlike the original version of Mirai, which was responsible for some of the most notorious and devastating DDoS attacks, this new variant takes advantage of over 20 distinct vulnerabilities, some of which lack assigned CVEs. Investigations have revealed flaws in devices such as Neterbit routers and products from the Vimar brand, as well as the exploitation of the command injection vulnerability CVE-2024-12856, which is considered high severity (7.2/10) and affects Four-Faith industrial routers.
Since February of last year, the botnet has carried out a series of DDoS attacks, with peak activity recorded in October and November 2024. The attacks last between 10 and 30 seconds and can generate traffic exceeding 100 Gbps, posing a significant risk even to well-established infrastructures. Researchers noted that the primary targets of these attacks span various industries in countries such as China, the United States, Germany, the United Kingdom, and Singapore.
The most affected devices include routers from brands such as ASUS, Huawei, Neterbit, and LB-Link, PTZ cameras, Kguard and Lilin DVRs, as well as a variety of 5G/LTE devices with improper configurations or weak credentials. Given the scale and intensity of the attacks, users of these devices are advised to remain vigilant for possible signs of compromise.