ET EXPLOIT_KIT Mirai Variant Payload Inbound

SID: 2065911Rev: 11 viewsHistory

Sourceet/open

CreatedNovember 25, 2025

UpdatedNovember 25, 2025

Classificationattempted-admin

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Mirai Variant Payload Inbound"; flow:established,to_client; http.response_body; content:"|2e|x86|5f|64|7c 7c|curl|20 2d|O|20|http"; fast_pattern; content:"|7c 7c|busybox|20|wget|20|http"; content:"|7c 7c|busybox|20|chmod|20|777"; reference:md5,a3f22f1acce4d1473bea36d86c82e448; reference:url,trendmicro.com/en_us/research/25/j/rondodox.html; classtype:attempted-admin; sid:2065911; rev:1; metadata:affected_product Linux, attack_target Server, tls_state plaintext, created_at 2025_11_25, deployment Perimeter, malware_family Mirai, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

References

md5	a3f22f1acce4d1473bea36d86c82e448 Google Search Brave Search
url	trendmicro.com/en_us/research/25/j/rondodox.html

Metadata

affected productLinux

attack targetServer

tls stateplaintext

created at2025_11_25

deploymentPerimeter

malware familyMirai

confidenceHigh

signature severityMajor

tagDescription_Generated_By_Proofpoint_Nexus

updated at2025_11_25

mitre tactic idTA0001

mitre tactic nameInitial_Access

mitre technique idT1190

mitre technique nameExploit_Public_Facing_Application

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!