IZ1H9 Mirai-Based Botnet Enhances its Arsenal with 13 New Exploits | Cyware Hacker News

A Mirai botnet variant tracked as IZ1H9 has updated its arsenal with 13 new exploit payloads to target various Linux-based routers, IP cameras, and other IoT devices. These exploits target vulnerabilities in D-Link, TP-Link, Zyxel, Netis, Sunhillo SureLine, Geutebruck, Yealink Device Management, Zyxel, TP-Link Archer, Korenix JetWave, and TOTOLINK devices. 
The significant evolution in the botnet comes to notice during the discovery of a new DDoS campaign. FortiGuard Labs observed a peak in the exploitation of vulnerabilities on September 6, with trigger counts reaching tens of thousands.

New exploits added

Fortinet reports that the botnet uses exploits for flaws dating from 2015 to 2023.

  • Four of these flaws concern D-Link devices. 
  • Eight other exploits target arbitrary command execution flaws belonging to products from Geutebruck.
  • One flaw tracked as CVE-2019-19356 targets Netis WF2419. 
  • The arsenal of IZ1H9 also includes an exploit for a command injection vulnerability (CVE-2023-23295) in Korenix JetWave routers, one for remote code execution vulnerability (for CVE-2019-19356) in Netis WF2419 wireless routers, and another for a command injection issue (CVE-2021-36380) Sunhillo SureLine application.
  • Additionally, the botnet incorporates exploits 12 command execution vulnerabilities affecting TOTOLINK routers.

Infection process

  • After exploiting one of the aforementioned CVEs, a IZ1H9 botnet payload is injected into the device. 
  • This payload contains a command that instructs the device to download a shell script downloader named “” from a specific URL.
  • When the downloaded script is executed, it first deletes logs to hide any malicious activity. 
  • It then retrieves bot clients that are designed to work on different system architectures.
  • After completing these actions, the bot establishes communication with a C2 server to launch different types of DDoS attacks such as UDP, UDP Plain, HTTP Flood, and TCP SYN.


Exposure of devices to these vulnerabilities can result in severe risks. As the botnet expands its arsenal with new exploit triggers, it underscores the importance of applying security patches on time.