Headline
Two Mirai Botnets, Lzrd and Resgod Spotted Exploiting Wazuh Flaw
Akamai’s latest report reveals two Mirai botnets exploiting the critical CVE-2025-24016 flaw in Wazuh. Learn about these fast-spreading IoT threats and urgent patching advice.
Cybersecurity experts at Akamai have uncovered a new threat: two separate botnets are actively exploiting a critical flaw in Wazuh security software, open source XDR and SIEM solution, to spread the Mirai malware.
This vulnerability, tracked as CVE-2025-24016, affects Wazuh versions 4.4.0 through 4.9.0 and has since been fixed in version 4.9.1. It lets attackers run their own code on a target server by sending a specially crafted request through Wazuh’s API, hence, allowing attackers to take control of affected servers remotely.
It is worth noting that this is the first time active attacks using this vulnerability have been reported, highlighting a concerning trend where cybercriminals quickly turn newly discovered flaws into tools for their campaigns.
****Two Botnets, One Goal****
The technical report, shared with Hackread.com, reveals that Akamai’s Security Intelligence and Response Team (SIRT) first noticed suspicious activity in their global network of honeypots in March 2025, just weeks after the flaw was made public in February 2025.
The team identified two distinct botnets leveraging this exploit. The first botnet began its attacks in early March, using the vulnerability to download and run a malicious script. This script then pulls down the main Mirai malware, which is designed to infect a wide range of Internet of Things (IoT) devices.
These Mirai variants, sometimes named morte, are identifiable by a unique message they display, such as lzrd here_._ These initial attacks used the same authorization details as a publicly available proof of concept (PoC) exploit, meaning attackers quickly adapted known information.
The second botnet emerged in early May 2025, also spreading a Mirai variant called resgod. This botnet caught attention because its associated online addresses (domains) featured Italian-sounding names, like gestisciweb.com, which means manage web. This could suggest the attackers are specifically trying to target devices owned by Italian-speaking users. The resgod malware itself carries the clear message, “Resentual got you!”
****Beyond Wazuh: Other Exploited Flaws****
While the Wazuh vulnerability is the primary focus, the botnets weren’t limited to it. Akamai observed these malicious groups attempting to exploit several other well-known security flaws. These included older vulnerabilities in systems like Hadoop YARN, TP-Link Archer AX21 routers (CVE-2023-1389), Huawei HG532 routers (CVE-2017-17215), and ZTE ZXV10 H108L routers (CVE-2017-18368). This shows that the attackers use a broad approach, trying to infect systems through any available weakness.
Akamai’s report warns that it remains relatively easy for criminals to reuse old malware code to create new botnets. The speed at which this Wazuh flaw was exploited after its disclosure underlines how critical it is for organizations to apply security patches as soon as they become available.
Unlike some vulnerabilities that only affect outdated devices, CVE-2025-24016 specifically targets active Wazuh servers if they are not updated. Akamai strongly advises all users to upgrade to Wazuh version 4.9.1 or later to protect their systems.
Related news
### Summary An unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. ### Details DistributedAPI parameters are a serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code. Using the server API, it quite easy to trigger. For example, using the `run_as` endpoint (implemented by `run_as_login` in `api/api/controllers/security_controller.py`): the `auth_context` argument is completely controlled by the attacker, and is forwarded to the master server to handle. By sending a malicious `run_as` request to a worker server, it is possible to execute code on...
Two separate campaigns are targeting flaws in various IoT devices globally, with the goal of compromising them and propagating malware worldwide.
This article explores the recent campaign of Murdoc_Botnet, a malware variant of Mirai targeting vulnerable AVTECH and Huawei…
While a number of threat groups have used TP-Link bugs to infiltrate networks, a proposed ban of the company's popular routers is more about geopolitics than actual cybersecurity — and that may not be a bad thing.
Over the past year, "Matrix" has used publicly available malware tools and exploit scripts to target weakly secured IoT devices — and enterprise servers.
Over the past year, "Matrix" has used publicly available malware tools and exploit scripts to target weakly secured IoT devices — and enterprise servers.
Aqua Nautilus researchers have discovered a campaign powering a series of large-scale DDoS attacks launched by Matrix, which…
Aqua Nautilus researchers have discovered a campaign powering a series of large-scale DDoS attacks launched by Matrix, which…
CloudSEK reports that the Androxgh0st botnet has integrated with the Mozi botnet and exploits a wide range of…
A years-old high-severity flaw impacting AVTECH IP cameras has been weaponized by malicious actors as a zero-day to rope them into a botnet. CVE-2024-7029 (CVSS score: 8.7), the vulnerability in question, is a "command injection vulnerability found in the brightness function of AVTECH closed-circuit television (CCTV) cameras that allows for remote code execution (RCE)," Akamai researchers Kyle
Moobot, Miori, AGoent, and a Gafgyt variant have joined the infamous Mirai botnet in attacking unpatched versions of vulnerable Wi-Fi routers.
The out-of-bounds write vulnerability in the Windows-based SecuExtender SSL VPN Client software version 4.0.4.0 could allow an authenticated local user to gain a privilege escalation by sending a crafted CREATE message.
TP-Link Archer AX21 suffers from an unauthenticated remote command injection vulnerability.
By Deeba Ahmed FortiGuard Labs has identified numerous Condi DDoS botnet samples that exploit other known security flaws, putting unpatched software at a higher risk of being exploited by botnet malware. This is a post from HackRead.com Read the original post: New DDoS Botnet ‘Condi’ Targets Vulnerable TP-Link AX21 Routers
A new malware called Condi has been observed exploiting a security vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to rope the devices into a distributed denial-of-service (DDoS) botnet. Fortinet FortiGuard Labs said the campaign has ramped up since the end of May 2023. Condi is the work of a threat actor who goes by the online alias zxcr9999 on Telegram and runs a Telegram channel
Categories: Exploits and vulnerabilities Categories: News Tags: Oracle Tags: WebLogic Tags: CVE-2023-21839 Tags: CVE-2023-1389 Tags: CVE-2021-45046 Tags: CISA Tags: reverse shell An easy to exploit vulnerability in Oracle WebLogic Server has been added to the CISA list of things you really, really need to patch. (Read more...) The post Oracle WebLogic Server vulnerability added to CISA list as “known to be exploited” appeared first on Malwarebytes Labs.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three flaws to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The security vulnerabilities are as follows - CVE-2023-1389 (CVSS score: 8.8) - TP-Link Archer AX-21 Command Injection Vulnerability CVE-2021-45046 (CVSS score: 9.0) - Apache Log4j2 Deserialization of Untrusted
Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks designed to deliver Cl0p and LockBit ransomware families. The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups like FIN11, TA505, and Evil
By Deeba Ahmed HinataBot can launch Distributed Denial of Service (DDoS) attacks reaching 3.3 TBPS. This is a post from HackRead.com Read the original post: Threat Actors Using Go-based HinataBot to launch DDoS Attacks
A new Golang-based botnet dubbed HinataBot has been observed to leverage known flaws to compromise routers and servers and use them to stage distributed denial-of-service (DDoS) attacks. "The malware binaries appear to have been named by the malware author after a character from the popular anime series, Naruto, with file name structures such as 'Hinata--,'" Akamai said in a
TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.
By Deeba Ahmed Most devices infected by Chaos malware are located in Europe, particularly Italy but infections were also observed in Asia Pacific, South America, and North America. This is a post from HackRead.com Read the original post: New DDoS Malware ‘Chaos’ Hits Linux and Windows Devices
The previously identified ransomware builder has veered in an entirely new direction, targeting consumers and business of all sizes by exploiting known CVEs through brute-forced and/or stolen SSH keys.
A new, multi-functional Go-based malware dubbed Chaos has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet. "Chaos functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through