Security Experts:

Connect with us

Hi, what are you looking for?


IoT Security

Mirai Variant V3G4 Targets 13 Vulnerabilities to Infect IoT Devices

A recent variant of the Mirai malware has been observed targeting 13 IoT vulnerabilities to ensnare devices into a botnet.

During the second half of 2022, a variant of the Mirai malware called V3G4 was seen targeting 13 vulnerabilities to ensnare Internet of Things (IoT) devices into a botnet, Palo Alto Networks reports.

Following the successful exploitation of the targeted security flaws, the malware takes full control of the vulnerable devices and then abuses them to conduct various types of malicious activities, including distributed denial-of-service (DDoS) attacks.

Starting July 2022, Mirai variant V3G4 was used in multiple attack campaigns, likely by the same threat actor, based on the used hardcoded command-and-control (C&C) domains, malware downloaders, XOR decryption key, identical functions, and a ‘stop list’.

To compromise devices, the threat actor targets 13 remote code execution vulnerabilities that allow them to run specific utilities to download and execute the Mirai malware on the target devices.

The targeted vulnerabilities impact FreePBX Elastix (CVE-2012-4869), Gitorious, FRITZ!Box webcams (CVE-2014-9727), Mitel AWC, Geutebruck IP cameras (CVE-2017-5173), Webmin (CVE-2019-15107), Spree Commerce, FLIR Thermal cameras, DrayTek Vigor (CVE-2020-8515 and CVE-2020-15415), Airspan AirSpot (CVE-2022-36267), Atlassian Confluence (CVE-2022-26134), and C-Data Web Management System (CVE-2022-4257).

Following successful execution on a vulnerable device, the Mirai variant makes sure that only one instance of the malware runs, then attempts to terminate processes included in the hardcoded ‘stop list’.

Malware samples collected over the course of three different campaigns showed slight changes in the code. While some Mirai samples spread by brute-forcing weak credentials, others also use embedded exploits, but samples seen between September and December 2022 contain none of these capabilities.

“The vulnerabilities mentioned above have less attack complexity than previously observed variants, but they maintain a critical security impact that can lead to remote code execution. Once the attacker gains control of a vulnerable device in this manner, they could take advantage by including the newly compromised devices in their botnet to conduct further attacks such as DDoS,” Palo Alto Networks notes.

Organizations are advised to ensure that all devices in their environments are patched against known vulnerabilities, that they are protected using strong, unique passwords, and that unused ports and services, which are often targeted by cybercriminals, are either blocked or not accessible from the internet.

Related: Mirai Botnet Launched 2.5 Tbps DDoS Attack Against Minecraft Server

Related: New BotenaGo Variant Infects Lilin Security Cameras With Mirai

Related: Spring4Shell Vulnerability Exploited by Mirai Botnet

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.