Security researchers have discovered a new variant of the Mirai botnet, named Aquabot, actively exploiting vulnerabilities in Mitel phones to build a network for launching distributed denial-of-service (DDoS) attacks.
The latest version, Aquabotv3, targets a command injection vulnerability (CVE-2024-41710) affecting Mitel's 6800, 6900, and 6900w series SIP phones. This security flaw allows attackers to execute arbitrary commands and gain root access to affected devices.
What makes this variant unique is its novel "report_kill" function that notifies the command-and-control server when the infected device attempts to terminate the malware. While this reporting capability has been observed, researchers haven't detected any response from the attacker's infrastructure.
The threat actors behind Aquabot are marketing their botnet as a DDoS-for-hire service on Telegram under various names, including Cursinq Firewall, The Eye Services, and The Eye Botnet. While they claim the service is only for DDoS mitigation testing, analysis reveals it's being used for malicious attacks.
Akamai researchers detected active exploitation attempts beginning in January 2025, with attacks using code similar to a public proof-of-concept exploit. The malware supports multiple CPU architectures and attempts to conceal itself by renaming itself to "httpd.x86" on infected systems.
The rise of Aquabot highlights ongoing security challenges with Internet of Things (IoT) devices, particularly those using default configurations or lacking proper security features. Organizations are advised to change default credentials and regularly audit their IoT devices to protect against such threats.
This development demonstrates that Mirai-based botnets continue to pose a serious threat to internet-connected devices and remain a popular choice for cybercriminals due to their effectiveness and ease of modification.