Mallory
Malware · Used by 2 actors · Exploits 5 CVEs

MooBot

MooBot is an IoT botnet malware family and Mirai variant used to compromise internet-exposed edge and embedded devices, especially routers and DVRs, and conscript them into botnets for DDoS activity and proxying malicious traffic. The content links MooBot to infections of Ubiquiti EdgeOS routers, TP-Link Archer AX21 routers, Hikvision devices via CVE-2021-36260, Cacti servers via CVE-2022-46169, and LILIN DVR devices via a 0-day vulnerability chain. Reported propagation and exploitation vectors include default administrator passwords on exposed Ubiquiti routers, CVE-2023-1389 command injection on TP-Link Archer AX21 devices, CVE-2021-36260, exploitation of Cacti to deliver botnet payloads, and LILIN DVR command injection and file-read flaws. Fortinet reporting cited MooBot fetching and executing scripts that download architecture-specific ELF payloads and then remove traces. One protocol-level indicator mentioned in the content is that the initial registration packet may contain the bytes \x33\x66\x99, noted as commonly associated with MooBot and another Mirai variant.

Operationally, MooBot has been observed in botnet-based DDoS activity alongside Mirai, Gafgyt, IRCBot, and RipprBot, including attacks observed during the Russia-Ukraine conflict. The content also states that Russia’s GRU Unit 26165, tracked as APT28, Fancy Bear, Sednit, and Forest Blizzard, repurposed a criminal MooBot botnet in April 2022 after seizing control of hundreds of compromised Ubiquiti EdgeRouters. In that state-linked use, the MooBot-based router infrastructure was used to relay stolen authentication hashes toward Microsoft Exchange, host phishing landing pages and credential proxies on residential IP space, run custom Python scripts for webmail credential theft, steal NTLMv2 digests, and redirect phishing traffic via custom routing rules. Victims and targets associated with this GRU use included U.S. and foreign governments, military entities, security organizations, corporate organizations, and broader cyberespionage targets in the United States and allied countries.

Law enforcement disrupted this infrastructure in February 2024 through the FBI’s Operation Dying Ember, which targeted hundreds of compromised Ubiquiti EdgeOS routers, deleted MooBot and related malicious files, and temporarily blocked attacker remote access. The content also references MooBot infrastructure and indicators including a MooBot C2 endpoint at wor.wordtheminer.com:8725 and infrastructure such as 185.224.129.233 and goodpackets.cc in DDoS reporting.


EXPLOITED CVES

Vulnerabilities exploited

5 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2023-23397: Microsoft Outlook Net-NTLMv2 Hash Leak via Reminder Sound UNC Path

The botnet was originally built by criminals using the MooBot malware. APT28 took it over in April 2022 and put the botnet to three distinct uses.

via Sekoia blog (blog.sekoia.io)
CVE-2021-36260: Unauthenticated Command Injection in Hikvision Web Server (exploited in the wild)

The botnet is likely using CVE-2021-36260 to infect these targets... VulnCheck tracks 23 public exploits for this vulnerability, including a Metasploit module... included in CISA’s Known Exploited Vulnerabilities Catalog (KEV)... actively detected in the Shadow Server and GreyNoise honeypot networks.

via VulnCheck blog (vulncheck.com)
CVE-2023-1389: Unauthenticated Command Injection in TP-Link Archer AX21 /locale Endpoint (exploited in the wild)

Tracked as CVE-2023-1389, the flaw is a high-severity unauthenticated command injection problem in the locale API reachable through the TP-Link Archer AX21 web management interface.

Recently, we observed multiple attacks focusing on this year-old vulnerability, spotlighting botnets like Moobot, Miori, the Golang-based agent "AGoent," and the Gafgyt Variant.

via BleepingComputer (bleepingcomputer.com)
CVE-2022-46169: Unauthenticated Command Injection in Cacti remote_agent.php (exploited in the wild)

"...allowing threat actors to breach internet-exposed Cacti servers to deliver botnet malware such as MooBot and ShellBot."

via The Hacker News (thehackernews.com)
CVE-2022-45045: Authenticated Command Injection in Xiongmai NVR Upgrade Service

...there remain a lot of affected devices on the internet, which is somewhat surprising given years of exploitation by at least one botnet (Moobot).

via VulnCheck blog (vulncheck.com)
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

APT28

The botnet was originally built by criminals using the MooBot malware. APT28 took it over in April 2022 and put the botnet to three distinct uses.

via Sekoia blog (blog.sekoia.io)
GRU

For instance, in February 2024, the FBI took down Moobot, a botnet of hacked Ubiquiti Edge OS routers used by Russia's Main Intelligence Directorate of the General Staff (GRU) to proxy malicious traffic in cyberespionage attacks targeting the United States and its allies.

via BleepingComputer (bleepingcomputer.com)
MITRE ATT&CK

Techniques & procedures

17 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1584.008 Network Devices (evidence: 2)

APT28 systematically moved large parts of its operational infrastructure onto compromised SOHO and edge devices, rather than relying only on rented VPS.

Initial Access

3 techniques
T1078.001 Default Accounts (evidence: 1)

Cybercriminals not linked with the GRU (Russian Military Intelligence) first infiltrated Ubiquiti Edge OS routers and deployed the Moobot malware, targeting Internet-exposed devices with widely known default administrator passwords.

T1190 Exploit Public-Facing Application (evidence: 4)

It attempted to spread by exploiting TP-Link Archer AX21 (AX1800) routers vulnerable to CVE-2023-1389... sends a hardcoded exploitation request to download and execute a remote shell script... if it is a vulnerable TP-Link Archer AX21 device.

T1566 Phishing (evidence: 3)

The botnet served three purposes: relaying stolen authentication hashes toward Microsoft Exchange, hosting phishing pages on residential IP addresses, and running custom Python scripts on the hijacked routers.

Execution

1 technique
T1059 Command and Scripting Interpreter (evidence: 1)

Tracked as CVE-2023-1389, the flaw is a high-severity unauthenticated command injection problem in the locale API reachable through the TP-Link Archer AX21 web management interface.

Persistence

1 technique
T1078.001 Default Accounts (evidence: 1)

Cybercriminals not linked with the GRU (Russian Military Intelligence) first infiltrated Ubiquiti Edge OS routers and deployed the Moobot malware, targeting Internet-exposed devices with widely known default administrator passwords.

Privilege Escalation

1 technique
T1078.001 Default Accounts (evidence: 1)

Cybercriminals not linked with the GRU (Russian Military Intelligence) first infiltrated Ubiquiti Edge OS routers and deployed the Moobot malware, targeting Internet-exposed devices with widely known default administrator passwords.

Stealth

3 techniques
T1070 Indicator Removal (evidence: 1)

Mirai variant: Downloads a script that subsequently fetches ELF files, which are compressed using UPX. Monitors and terminates packet analysis tools to avoid detection.

T1070.004 File Deletion (evidence: 1)

AGoent: Downloads and executes scripts that fetch and run ELF files from a remote server, then erases the files to hide traces.

T1078.001 Default Accounts (evidence: 1)

Cybercriminals not linked with the GRU (Russian Military Intelligence) first infiltrated Ubiquiti Edge OS routers and deployed the Moobot malware, targeting Internet-exposed devices with widely known default administrator passwords.

Defense Impairment

1 technique
T1601 Modify System Image (evidence: 1)

“Modify the Server field of the FTP or NTP parameters in /zconf/service.xml to inject a backdoor command; … use the SetConfiguration function … to write the configuration file to the target device; the device periodically synchronizes the FTP or NTP configuration, which triggers command execution.”

Credential Access

3 techniques
T1003 OS Credential Dumping (evidence: 1)

The botnet served three purposes: relaying stolen authentication hashes toward Microsoft Exchange...

T1552.001 Credentials In Files (evidence: 1)

“Hard-coded login account/password list: root/icatch99, report/8Jg0SR8K50; default account/password: admin/123456”

T1557 Adversary-in-the-Middle (evidence: 1)

Authentication traffic toward Microsoft 365 and similar services was then funnelled through Adversary-in-the-Middle nodes for credential and OAuth-token harvesting.

Collection

1 technique
T1557 Adversary-in-the-Middle (evidence: 1)

Authentication traffic toward Microsoft 365 and similar services was then funnelled through Adversary-in-the-Middle nodes for credential and OAuth-token harvesting.

Command and Control

5 techniques
T1071 Application Layer Protocol (evidence: 3)

The binary protocol used by Condi to communicate with the C2 server is a modified version of that initially implemented in Mirai.

T1090 Proxy (evidence: 2)

Hosting phishing landing pages and credential-collection proxies on residential IPs, which sat below the radar of most reputation-based filtering.

T1090.003 Multi-hop Proxy (evidence: 1)

SocksEscort was a front for a malware operation that infected modems and home routers... most of which were other cybercrime operations needing ways to hide their attacks inside the infrastructure of residential internet providers.

T1095 Non-Application Layer Protocol (evidence: 1)

The binary protocol used by Condi to communicate with the C2 server is a modified version of that initially implemented in Mirai.

T1105 Ingress Tool Transfer (evidence: 2)

Subsequently, the GRU hackers leveraged the Moobot malware to deploy their own custom malicious tools, effectively repurposing the botnet into a cyber espionage tool with global reach.

Impact

1 technique
T1498 Network Denial of Service (evidence: 2)

the attacks started as early as February 12, and continued to grow in number and intensity, peaking on February 16, with a mix of NTP amplification, UDP/STD/OVH floods, and other types of attacks.

INDICATORS OF COMPROMISE

IOCs tracked for this family

53 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (12 tracked): IPs, domains, and DNS infrastructure linked to this family.

Hashes (29 tracked): File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other (12 tracked): Other indicator types observed in public reporting.
