Threat analysis by The RabitaNoor (RBTN) Cyber Research Center

Exploitation of Wazuh Server Vulnerability by Mirai Botnets

The goal of this document is to provide a technical and strategic analysis distilled from a much larger source (a document, audio recording, etc.).

The document is a product of the RBTN - CYOI Pulpit


[Main image: photo by Yeshi Kangrang]


Document Summary

The article discusses the exploitation of a critical vulnerability (CVE-2025-24016) in Wazuh Server by two distinct Mirai botnet variants, LZRD and Resbot, to conduct DDoS attacks. The flaw is an unsafe deserialization issue in the Wazuh API's DistributedAPI (DAPI) that allows remote code execution on the manager by anyone who can issue requests to the API (authenticated API access, or in certain configurations a compromised agent). It affects versions 4.4.0 through 4.9.0 and was disclosed and patched by Wazuh in February 2025 with version 4.9.1. Akamai's honeypots observed in-the-wild exploitation attempts in March 2025, roughly a month after disclosure. The botnets use malicious shell scripts to download Mirai payloads, targeting various IoT devices. The article highlights the rapid exploitation of newly disclosed CVEs, the continued spread of Mirai botnets, and the geopolitical tensions driving cyber attacks in the APAC region. It also mentions the FBI's advisory on the BADBOX 2.0 botnet, which turns infected consumer devices into residential proxies.
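The summary above gives a responder two concrete things to check: whether a Wazuh manager is inside the affected version range, and whether the API or network logs show signs of the activity described. The following Python is an added example written for this write-up; it is not code from Wazuh, Akamai or the RBTN source. It assumes the affected range 4.4.0 <= version < 4.9.1 from the vendor advisory, keys its request-body check on the `__unhandled_exc__` marker that the advisory names as the deserialization trigger, and reuses the two C2 addresses listed under Infrastructure in this document. The log lines are constructed samples in an illustrative JSON-per-line and key=value form, not the real Wazuh api.log format, and the endpoint paths are illustrative.

```python
"""Exposure and log triage for CVE-2025-24016 (Wazuh DAPI deserialization).

Added example for this write-up; not vendor or researcher code.
Assumptions (labelled): affected range from the vendor advisory, the
`__unhandled_exc__` request-body marker from the same advisory, and the
C2 IPs from the Infrastructure section of this document.
"""
import json
import re
from typing import Any, Dict, List, Tuple

AFFECTED_FROM = (4, 4, 0)   # first vulnerable release (assumption: vendor advisory)
FIXED_IN = (4, 9, 1)        # first fixed release, February 2025
MARKER = "__unhandled_exc__"  # DAPI key that triggers the unsafe deserialization
C2_IPS = {"176.65.134.62", "42.112.26.36"}  # from this document's Infrastructure section


def parse_version(text: str) -> Tuple[int, ...]:
    """Accept 'v4.9.0', 'Wazuh 4.9.0', '4.9.0-1' and return a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version: str) -> bool:
    """True when the manager version lies in [4.4.0, 4.9.1)."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Filter a {hostname: version} inventory down to exposed managers."""
    return sorted(h for h, v in inventory.items() if is_affected(v))


def contains_marker(obj: Any) -> bool:
    """Recursively look for the marker key anywhere inside a decoded JSON body."""
    if isinstance(obj, dict):
        return any(k == MARKER or contains_marker(v) for k, v in obj.items())
    if isinstance(obj, list):
        return any(contains_marker(v) for v in obj)
    return False


def triage_api_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag API access records whose request body carries the marker key."""
    hits = []
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than crash the sweep
        body = rec.get("body")
        if isinstance(body, str):
            try:
                body = json.loads(body)
            except json.JSONDecodeError:
                body = None  # empty or non-JSON body cannot carry the marker
        if contains_marker(body):
            hits.append({"src_ip": rec.get("src_ip", "?"), "path": rec.get("path", "?"),
                         "reason": f"{MARKER} present in request body"})
    return hits


CONN_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


def triage_conn_log(lines: List[str]) -> List[str]:
    """Return connection records whose destination is one of the listed C2 IPs."""
    return [ln for ln in lines if (m := CONN_RE.search(ln)) and m.group(1) in C2_IPS]


# Constructed samples (not real logs). The marker value is elided on purpose.
_SAMPLE_RECORDS = [
    {"ts": "2025-03-04T09:12:01Z", "src_ip": "10.10.1.15", "method": "GET",
     "path": "/agents", "body": ""},
    {"ts": "2025-03-04T09:12:40Z", "src_ip": "203.0.113.7", "method": "PUT",
     "path": "/agents/restart",
     "body": json.dumps({MARKER: {"__class__": "<elided>", "__args__": []}})},
    {"ts": "2025-03-04T09:13:05Z", "src_ip": "10.10.1.15", "method": "POST",
     "path": "/security/user/authenticate", "body": ""},
]
SAMPLE_API_LOG = [json.dumps(r) for r in _SAMPLE_RECORDS]

SAMPLE_CONN_LOG = [
    "2025-03-04T09:12:55Z conn src=10.10.2.20 dst=176.65.134.62 dport=80 proto=tcp",
    "2025-03-04T09:13:10Z conn src=10.10.2.20 dst=198.51.100.9 dport=443 proto=tcp",
    "2025-03-04T09:14:02Z conn src=10.10.2.21 dst=42.112.26.36 dport=21 proto=tcp",
]

SAMPLE_INVENTORY = {"wazuh-a": "v4.9.0", "wazuh-b": "4.9.1", "wazuh-c": "Wazuh 4.3.11"}

if __name__ == "__main__":
    print("exposed managers:", affected_hosts(SAMPLE_INVENTORY))
    print("API hits:", triage_api_log(SAMPLE_API_LOG))
    print("C2 connections:", triage_conn_log(SAMPLE_CONN_LOG))
```

Run the sweep against your own manager inventory and API access logs; a version hit alone means "patch now", while a marker hit from an unexpected source address or an outbound connection to the listed IPs means the host should be treated as compromised and handled as an incident rather than a patch ticket.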

Analysis

Overview

Timestamp: 2025-06-09

Title: Exploitation of Wazuh Server Vulnerability by Mirai Botnets

Severity: High

The incident involves threat actors exploiting a critical vulnerability in Wazuh Server to deploy the Mirai botnet variants LZRD and Resbot. The adversaries leverage CVE-2025-24016 to gain code execution on exposed managers, then use the compromised servers and IoT devices as DDoS infrastructure. The victims are organizations running vulnerable Wazuh Server versions and exposed IoT devices; the impact severity is high because of the potential for service disruption.

Adversary

Adversary: Threat actors exploiting Wazuh Server vulnerability using Mirai botnet variants.

Motivation: Conducting DDoS attacks and expanding botnet networks.

Sophistication: Moderate, leveraging known vulnerabilities and existing botnet code.

TTPs: Exploitation of CVE-2025-24016 in the Wazuh API for initial access; malicious shell scripts that download and execute Mirai payloads; DDoS attacks launched from compromised IoT devices and servers.

Capability

Capability: Exploitation of Wazuh Server vulnerability to deploy Mirai botnet variants.

Tools: Mirai botnet, Shell scripts

Evasion: Use of known vulnerabilities, Rapid exploitation post-disclosure

Infrastructure

Description: Botnet infrastructure leveraging compromised IoT devices and servers.

C2 Servers: 176.65.134[.]62, 42.112.26[.]36

IPs: 176.65.134[.]62, 42.112.26[.]36

Botnets: LZRD, Resbot

Communication Protocols: FTP, Telnet

Victim Profile

Targets: Organizations using vulnerable Wazuh Server versions and IoT devices.

Industry: Various, including those using IoT devices.

Assets: Wazuh Servers, IoT devices

Data at Risk: Network availability

Impact: High, due to potential for widespread DDoS attacks.
