October 3, 2023

Researchers have identified a vulnerability tracked as CVE-2023-1389 earlier this year that resides in the firmware of TP-LINK’s AX21/AX1800 routers, allowing attackers to inject via the ‘Country’ field within the Web management interface, consequently resulting in router infections.

TP-LINK has released updated firmware to rectify it. However, botnets had already capitalized on this flaw. Variants based on the Mirai worm exploited AX21/AX1800 to convert routers into botnets.

Fortinet in the recent report revealed that the Condi botnet had infected a significant number of AX21/AX1800 routers, offering DDoS services for purchase or rental. This purchase will in turn take control over these router botnets already commandeered by Condi, or directly pay Condi to launch DDoS attacks against a specific website or service, incapacitating targets.


Due to vast number of users failed to update their router firmware promptly, thus operating vulnerable firmware and exposure on the public network, making them an easy target for automatic infections by the Mirai worm.

Mirai-infected router botnets would scan for TCP port 5555 within internal networks, a port utilized by the Android Debug Bridge, also known as the ADB. Enabling USB debugging does not by default open port 5555; however, enabling ADB necessitates the activation of Android developer options.

It’s a paramount to routinely check for router firmware updates. Routers represent the critical entrance for home networks, and a successful breach implies potential surveillance of all network activities. Attackers can also hijack and redirect visits to phishing websites.

Android developer options and USB debugging functions should be enabled only when required and must always be disabled when not in use to prevent inadvertent infections.

Malware campaigns, are always looking for ways to expand. Exploiting recently discovered vulnerabilities has always been one of their favored methods, as we highlighted above for the Condi botnet. Thus, it is strongly recommended to always apply the latest security patches and updates as soon as possible.


Indicators of Compromise

  • 091d1aca4fcd399102610265a57f5a6016f06b1947f86382a2bf2a668912554f
  • 291e6383284d38f958fb90d56780536b03bcc321f1177713d3834495f64a3144
  • 449ad6e25b703b85fb0849a234cbb62770653e6518cf1584a94a52cca31b1190
  • 4e3fa5fa2dcc6328c71fed84c9d18dfdbd34f8688c6bee1526fd22ee1d749e5a
  • 509f5bb6bcc0f2da762847364f7c433d1179fb2b2f4828eefb30828c485a3084
  • 593e75b5809591469dbf57a7f76f93cb256471d89267c3800f855cabefe49315
  • 5e841db73f5faefe97e38c131433689cb2df6f024466081f26c07c4901fdf612
  • cbff9c7b5eea051188cfd0c47bd7f5fe51983fba0b237f400522f22ab91d2772
  • ccda8a68a412eb1bc468e82dda12eb9a7c9d186fabf0bbdc3f24cd0fb20458cc
  • e7a4aae413d4742d9c0e25066997153b844789a1409fd0aecce8cc6868729a15
  • f7fb5f3dc06aebcb56f7a9550b005c2c4fc6b2e2a50430d64389914f882d67cf

Download URLs

  • hxxp://85[.]217[.]144[.]35/arm
  • hxxp://85[.]217[.]144[.]35/arm5
  • hxxp://85[.]217[.]144[.]35/arm6
  • hxxp://85[.]217[.]144[.]35/arm7
  • hxxp://85[.]217[.]144[.]35/m68k
  • hxxp://85[.]217[.]144[.]35/mips
  • hxxp://85[.]217[.]144[.]35/mpsl
  • hxxp://85[.]217[.]144[.]35/ppc
  • hxxp://85[.]217[.]144[.]35/sh4
  • hxxp://85[.]217[.]144[.]35/x86
  • hxxp://85[.]217[.]144[.]35/x86_64
  • hxxp://85[.]217[.]144[.]35/abc3.sh
  • hxxp://cdn2[.]duc3k[.]com/t


  • 85[.]217[.]144[.]35
  • cdn2[.]duc3k[.]com

Leave a Reply

%d bloggers like this: