New Aquabot Botnet Exploits CVE-2024-41710 in Mitel Phones for DDoS Attacks


A Mirai botnet variant dubbed Aquabot has been observed actively attempting to exploit a medium-severity security flaw impacting Mitel phones in order to ensnare them into a network capable of mounting distributed denial-of-service (DDoS) attacks.

The vulnerability in question is CVE-2024-41710 (CVSS score: 6.8), a case of command injection in the boot process that could allow a malicious actor to execute arbitrary commands within the context of the phone.

It affects Mitel 6800 Series, 6900 Series, 6900w Series SIP Phones, and Mitel 6970 Conference Unit. It was addressed by Mitel in mid-July 2024. A proof-of-concept (PoC) exploit for the flaw became publicly available in August.

Outside of CVE-2024-41710, some of the other vulnerabilities targeted by the botnet include CVE-2018-10561, CVE-2018-10562, CVE-2018-17532, CVE-2022-31137, CVE-2023-26801, and a remote code execution flaw affecting Linksys E-series devices.

“Aquabot is a botnet that was built off the Mirai framework with the ultimate goal of distributed denial-of-service (DDoS),” Akamai researchers Kyle Lefton and Larry Cashdollar said. “It has been known since November 2023.”

The web infrastructure company said it detected active exploitation attempts against CVE-2024-41710 since early January 2025, with the attacks mirroring a “payload almost identical to the PoC” to deploy the botnet malware.

The attack involves executing a shell script that, in turn, uses the “wget” command to retrieve Aquabot for different CPU architectures.

The Aquabot Mirai variant spotted in the attack has been assessed to be a third iteration of the malware, sporting a novel “report_kill” function that reports back to the command-and-control (C2) server when a kill signal is caught on the infected device. However, sending this information hasn’t been found to elicit any response from the server to date.

This new version, besides triggering C2 communication upon detecting certain signals, renames itself to “httpd.x86” to avoid attracting attention and is programmed to terminate processes that match certain requirements, such as local shells. The signal handling features are suspected to have been incorporated either to make future variants stealthier or to detect kill attempts from competing botnets.
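As an added illustration (not code from the article or from Akamai), the masquerade described above can be turned into a simple host triage check over a process snapshot. The only fact taken from the page is the disguise name “httpd.x86”; the trusted and scratch directory lists and the “(deleted)” rule are general Linux malware-triage heuristics assumed here, and the sample process rows are constructed, not captured data.

```python
"""Flag process listings for the Aquabot-style "httpd.x86" masquerade.

Added example, not from the article. Only the disguise name comes from the
page; the directory lists and the "(deleted)" check are general heuristics.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Where a genuine web server binary is expected to live (assumption: adjust per fleet).
TRUSTED_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/",
                "/usr/local/sbin/", "/usr/local/bin/")
# Writable locations Mirai-style bots commonly run from (general heuristic).
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DISGUISE_NAME = "httpd.x86"  # process name reported in the article


@dataclass
class Proc:
    """One row of a process snapshot: /proc/<pid>/comm, exe link and cmdline on Linux."""
    pid: int
    comm: str
    exe: str
    cmdline: str


def suspicion_reasons(p: Proc) -> List[str]:
    """Return every rule that fires for one process (empty list means clean)."""
    reasons = []
    argv0 = p.cmdline.split(" ", 1)[0]
    if p.comm == DISGUISE_NAME or argv0.endswith(DISGUISE_NAME):
        reasons.append("process name matches reported Aquabot disguise")
    # A web server whose binary is not where package managers install it
    if p.comm.startswith("httpd") and not p.exe.startswith(TRUSTED_DIRS):
        reasons.append("httpd-like name but binary outside trusted directories")
    if p.exe.startswith(SCRATCH_DIRS):
        reasons.append("executable runs from a scratch/temporary directory")
    # Linux keeps an unlinked binary mapped and marks the exe link "(deleted)"
    if p.exe.endswith("(deleted)"):
        reasons.append("executable was deleted from disk while still running")
    return reasons


def flag_suspicious(procs: List[Proc]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every process that trips at least one rule."""
    return [(p.pid, r) for p in procs if (r := suspicion_reasons(p))]


# Constructed sample snapshot (illustrative rows, not real captured data).
SAMPLE = [
    Proc(812, "httpd", "/usr/sbin/httpd", "/usr/sbin/httpd -DFOREGROUND"),
    Proc(1190, "sshd", "/usr/sbin/sshd", "sshd: /usr/sbin/sshd -D"),
    Proc(2931, "httpd.x86", "/tmp/.x/httpd.x86 (deleted)", "httpd.x86"),
    Proc(2944, "httpd.x86", "/dev/shm/httpd.x86", "httpd.x86"),
]

if __name__ == "__main__":
    for pid, reasons in flag_suspicious(SAMPLE):
        print(pid, "; ".join(reasons))
```

On a live host the `Proc` rows would be filled from `/proc/<pid>/comm`, `readlink /proc/<pid>/exe` and `/proc/<pid>/cmdline`; a legitimately packaged `httpd` in `/usr/sbin` trips none of the rules, while the disguised binary trips several at once, which is the signal worth alerting on rather than the name alone.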

There is some evidence suggesting that the threat actors behind Aquabot are offering the network of compromised hosts as a DDoS service on Telegram under the monikers Cursinq Firewall, The Eye Services, and The Eye Botnet.

The development is a sign that Mirai continues to plague a wide range of internet-connected devices that often lack proper security features, have reached end-of-life, or have been left accessible with default configurations and passwords, making them low-hanging fruit ripe for exploitation and a key conduit for DDoS attacks.

“Threat actors commonly claim that the botnet is used only for DDoS mitigation testing purposes to try to mislead researchers or law enforcement,” the researchers said.

“Threat actors will claim it’s just a PoC or something educational, but a deeper analysis shows that they are in fact advertising DDoS as a service, or the owners are boasting about running their own botnet on Telegram.”
