News Trooper
Two different botnets exploiting a vulnerability in Wazuh Server to launch a Mirai-based attack

June 10, 2025 7 Min Read

A now-patched critical security flaw in Wazuh Server is being exploited by threat actors to drop two different Mirai botnet variants and use them to carry out distributed denial-of-service (DDoS) attacks.

Akamai, which first discovered the exploitation effort in late March 2025, said the malicious campaign targets CVE-2025-24016 (CVSS score: 9.9).

The vulnerability, which affects Wazuh Server versions 4.4.0 and above, was addressed in February 2025 with the release of version 4.9.1. A proof-of-concept (PoC) exploit was published around the same time the patch was released.

The problem is rooted in the Wazuh API, where DistributedAPI parameters are serialized as JSON and deserialized using “as_wazuh_object” in the framework/wazuh/core/cluster/common.py file. Threat actors can weaponize the vulnerability by injecting a malicious JSON payload to run arbitrary Python code remotely.
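As an added illustration of the bug class described above (example code, not Wazuh's own as_wazuh_object or its patch), the JSON object hook below reconstructs only an explicit allowlist of Python types and refuses any payload that names a type it does not know; the marker key, the two allowlisted types and the function names are assumptions.

```python
import json
from datetime import datetime

# Hypothetical marker key used in this example; it is not Wazuh's wire format.
TYPE_MARKER = "__type__"


def _build_datetime(value):
    if not isinstance(value, str):
        raise ValueError("datetime payload must be an ISO 8601 string")
    return datetime.fromisoformat(value)


def _build_set(value):
    if not isinstance(value, list):
        raise ValueError("set payload must be a JSON array")
    return set(value)


# Allowlist: marker name -> constructor that validates its own input.
# Nothing outside this table can ever be instantiated from a payload.
ALLOWED_TYPES = {
    "datetime": _build_datetime,
    "set": _build_set,
}


def safe_object_hook(obj):
    """object_hook for json.loads: rebuild allowlisted types, refuse everything else."""
    marker = obj.get(TYPE_MARKER)
    if marker is None:
        return obj  # ordinary JSON object, pass through unchanged
    # Never resolve `marker` via builtins, globals() or importlib: letting the
    # payload choose which callable runs is what turns deserialization into
    # remote code execution.
    if not isinstance(marker, str) or marker not in ALLOWED_TYPES:
        raise ValueError(f"refusing to deserialize unknown type {marker!r}")
    if set(obj) != {TYPE_MARKER, "value"}:
        raise ValueError("typed object must carry exactly a marker and a value")
    return ALLOWED_TYPES[marker](obj["value"])


def safe_loads(raw):
    """Decode JSON with the allowlisting hook in place."""
    return json.loads(raw, object_hook=safe_object_hook)


def is_rejected(raw):
    """True if the allowlist refuses the payload (quick self-check helper)."""
    try:
        safe_loads(raw)
    except ValueError:
        return True
    return False
```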

The web infrastructure company said it has observed attempts to exploit CVE-2025-24016 by two different botnets, with attacks recorded in early March and in May 2025.

“This is the latest example of the timeline that botnet operators have adopted for their newly released CVEs to a constantly shrinking time,” security researchers Kyle Lefton and Daniel Messing said in a report shared with Hacker News.

In the first case, successful exploitation leads to the execution of a shell script that acts as a downloader, fetching Mirai botnet payloads for various architectures from an external server (“176.65.134(.)62”). The malware sample is assessed to be a variant of the LZRD Mirai botnet, which has been around since 2023.

It is also worth noting that LZRD has recently been deployed in attacks targeting end-of-life (EoL) GeoVision Internet of Things (IoT) devices. However, Akamai told Hacker News that there is no evidence these two clusters of activity are the work of the same threat actor, given that LZRD is used by countless botnet operators.


Further analysis of the infrastructure behind “176.65.134(.)62” and its associated domains uncovered other Mirai botnet versions, including LZRD variants named “Neon” and “Vision”, as well as an updated version of V3G4.

Other security flaws exploited by the botnet include a Hadoop YARN flaw, a TP-Link Archer AX21 vulnerability (CVE-2023-1389), and a remote code execution bug in ZTE ZXV10 H108L routers.

The second botnet abusing CVE-2025-24016 employs a similar strategy, using a malicious shell script to deliver another Mirai variant called Resbot (aka Resential).

“One of the interesting things we noticed about this botnet was the related language. It was spreading malware using all domains, all with Italian nomenclature,” the researchers said. “The language naming conventions may indicate campaigns that target devices owned and operated by Italian-speaking users, particularly those that.”

In addition to spreading over FTP on port 21 and performing Telnet scans, the botnet has been found to use a wide range of exploits targeting the Huawei HG532 router (CVE-2017-17215), the Realtek SDK (CVE-2014-8361), and the TrueOnline Zyxel P660HN-T v1 router (CVE-2017-18368).

“The Mirai propagation continues relatively unabated as it remains fairly easy to reuse old source code to set up or create new botnets,” the researchers said. “And botnet operators can often be successful by simply leveraging newly released exploits.”

CVE-2025-24016 is far from the only vulnerability abused by Mirai botnet variants. In recent attacks, threat actors have also taken advantage of CVE-2024-3721, a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 digital video recorders, to enlist the devices into the botnet.


The vulnerability is used to download a Mirai botnet binary from a remote server (“42.112.26(.)36”) and trigger its execution, but not before the malware checks whether it is running inside a virtual machine or QEMU.

Russian cybersecurity company Kaspersky said infections are concentrated in China, India, Egypt, Ukraine, Russia, Turkey and Brazil, and that it has identified more than 50,000 exposed DVR devices online.

“The widespread use of malware targeting Linux-based systems, as well as the use of known security flaws on unpatched IoT devices and servers, leads to a considerable number of bots that constantly search the internet and infect devices.”

The disclosure comes as China, India, Taiwan, Singapore, Japan, Malaysia, Hong Kong, Indonesia, South Korea and Bangladesh emerged as the most targeted countries in the APAC region in the first quarter of 2025, according to statistics shared by StormWall.

“API flooding and carpet bombing are growing faster than traditional volumetric TCP/UDP attacks, encouraging businesses to adopt smarter and more flexible defenses,” the company said. “At the same time, the growing geopolitical tensions have driven a surge in attacks on the government system and Taiwan, highlighting the increased activity by hacktivists and state-sponsored threat actors.”

It also follows an advisory from the US Federal Bureau of Investigation (FBI) warning that the BADBOX 2.0 botnet has infected millions of internet-connected devices, most of them manufactured in China, and turned them into residential proxies used to facilitate criminal activity.

“Cybercriminals gain unauthorized access to their home networks by configuring their products with malicious software before they make a purchase, or by infecting their devices to download necessary applications, usually including backdoors, during the setup process,” the FBI said.


“The Badbox 2.0 botnet consists of millions of infected devices, providing free access to compromised home networks used for a variety of criminal activities, or maintaining numerous backdoors for proxy services exploited by cybercriminals.”
