Connect with us

Hi, what are you looking for?


Malware & Threats

Mirai Variant IZ1H9 Adds 13 Exploits to Arsenal

A Mirai botnet variant tracked as IZ1H9 has updated its arsenal with 13 exploits targeting various routers, IP cameras, and other IoT devices.

A variant of the Mirai botnet has recently updated its arsenal of tools with 13 exploits targeting vulnerabilities in IoT devices from D-Link, TP-Link, Zyxel, and various other manufactures, Fortinet reports.

Tracked as IZ1H9 and first discovered in August 2018, this Mirai variant is one of the most active, exploiting unpatched vulnerabilities in IoT devices to ensnare them and abuse them in distributed denial-of-service (DDoS) attacks.

Following the addition of exploits for several new security bugs earlier this year, IZ1H9 has recently expanded its arsenal once again, now packing exploits for more than 30 vulnerabilities in D-Link, Geutebruck, Korenix, Netis, Sunhillo, Totolink, TP-Link, Yealink, and Zyxel devices.

Exploitation of these vulnerabilities peaked on September 6, when Fortinet saw thousands of attack attempts.

Of the newly added exploits, four target D-Link issues tracked as CVE-2015-1187, CVE-2016-20017, CVE-2020-25506, and CVE-2021-45382. These critical-severity flaws allow remote attackers to execute arbitrary code on affected devices.

According to Fortinet, eight other exploits target arbitrary command execution bugs impacting the firmware that UDP Technology supplies to Geutebruck and other OEMs for their IP cameras.

The botnet variant also added an exploit for CVE-2023-23295, a command injection flaw in Korenix JetWave routers, one for CVE-2019-19356, a remote code execution (RCE) bug in Netis WF2419 wireless routers (exploited by Mirai variants before), and another for CVE-2021-36380, a critical OS command injection issue in the Sunhillo SureLine application.

According to Fortinet, IZ1H9 also added exploits for 12 command injection vulnerabilities impacting Totolink routers, a recent command injection flaw in TP-Link Archer AX21 routers (CVE-2023-1389), two Yealink Device Management bugs, and an RCE vulnerability in Zyxel EMG3525 and VMG1312 devices.

Advertisement. Scroll to continue reading.

Fortinet says it also noticed that the malware includes a non-functional payload that apparently targets a Prolink PRC2402M router flaw (CVE-2021-35401).

It’s worth noting that for some of the newly added vulnerabilities, such as CVE-2021-36380 and CVE-2023-23295, there do not appear to be any previous reports of in-the-wild exploitation. 

“IoT devices have long been an attractive target for threat actors, with remote code execution attacks posing the most common and concerning threats to both IoT devices and Linux servers. The exposure of vulnerable devices can result in severe security risks. Despite the availability of patches for these vulnerabilities, the number of exploit triggers remains alarmingly high, often numbering in the thousands,” Fortinet concludes.

Related: Mirai Variant V3G4 Targets 13 Vulnerabilities to Infect IoT Devices

Related: Zyxel Firewalls Hacked by Mirai Botnet

Related: Mirai Botnet Launched 2.5 Tbps DDoS Attack Against Minecraft Server

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.