The ever-strengthening ranks of IoT botnets have another threat to add: Mushtik, a 2-year-old botnet that targets cloud infrastructure by abusing web application exploits. The botnet is used for DDoS attacks and for cryptocurrency mining with XMRig and cgminer. Recently it has drawn attention because of its intrusions into infrastructure and a possible attribution.

What is IoT botnet Mushtik?

Muhstik, also known as Mushtik, is a botnet that compromises IoT devices in order to mine cryptocurrency, taking advantage of exploits in web applications to do so. It uses IRC servers for its command-and-control (C2) activity. In the past it has exploited vulnerabilities such as the Drupal RCE flaw (CVE-2018-7600) and the Oracle WebLogic Server bugs (CVE-2019-2725 and CVE-2017-10271).

How does IoT botnet Mushtik work?

The Mushtik botnet has been exploiting vulnerabilities since 2018. In December 2019, however, the latest variant came to light: it was identified by Palo Alto Networks and could attack and take over Tomato routers.

The cloud security firm Lacework has analyzed Mushtik and laid out, step by step, how it executes an attack.

  • A payload file is initially downloaded from the attackers’ server. The file is named ‘pty’ followed by a number, for example:
      • hxxp://159.89.156.190/.y/pty2
      • hxxp://167.99.39.134/.x/pty3
  • Once it is installed, Mushtik contacts the IRC channel to receive commands.
  • Often, Mushtik is instructed to download an XMRig miner along with a scanning module. The scanning module grows the botnet by targeting other Linux servers and residential routers.
  • Code taken from the Mirai source is used to encrypt the configurations of the payload and the scanning module with a single-byte XOR.
  • Sample files that carry Mushtik configuration data often contain the byte sequence 4F 57 4A 51 56 4B 49 0F, which is the “muhstik” keyword XOR’d with 0x22. It may be identified in unpacked binaries.
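Decoding that byte sequence and searching an unpacked binary for it, as an added example that is not from the article or from Lacework's tooling. The sample buffer is constructed, and the second copy encoded with key 0x5A is an assumption included to show why trying every key is more robust than a fixed 0x22 signature.

```python
# Added example (not from the article or Lacework): single-byte XOR encoding of
# the kind the Mirai-derived code applies to Muhstik's configuration strings,
# plus a scanner that looks for the encoded keyword in a constructed buffer.

# Byte sequence quoted in the article, said to be the botnet's name XOR'd with 0x22.
SAMPLE_SEQUENCE = bytes.fromhex("4F 57 4A 51 56 4B 49 0F")
ARTICLE_KEY = 0x22


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR; the same call both encodes and decodes."""
    return bytes(b ^ key for b in data)


def decode_sequence(data: bytes = SAMPLE_SEQUENCE, key: int = ARTICLE_KEY) -> str:
    """Decode a XOR'd configuration string to ASCII (non-printables become '.')."""
    plain = xor_single_byte(data, key)
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in plain)


def find_xored_keyword(blob: bytes, keyword: bytes) -> list[tuple[int, int]]:
    """Return (offset, key) pairs where keyword occurs in blob under any single-byte key.

    Trying all 256 keys recovers the key even if a sample changes it, which a
    signature hard-wired to 0x22 would miss.
    """
    hits = []
    for key in range(256):
        needle = xor_single_byte(keyword, key)
        start = 0
        while (idx := blob.find(needle, start)) != -1:
            hits.append((idx, key))
            start = idx + 1
    return hits


# Constructed stand-in for an unpacked sample: zero padding, the article's 0x22
# sequence, some filler, then a second copy encoded with an assumed key (0x5A).
CONSTRUCTED_BLOB = (
    b"\x00" * 16 + SAMPLE_SEQUENCE + b"\x7f\x45\x4c\x46" * 4
    + xor_single_byte(b"muhstik", 0x5A) + b"\x00" * 8
)

if __name__ == "__main__":
    print(decode_sequence())  # the name in its "muhstik" spelling, then '-' (0x2D)
    for off, key in find_xored_keyword(CONSTRUCTED_BLOB, b"muhstik"):
        print(f"keyword at offset {off:#06x}, key {key:#04x}")
```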

The ‘Anime’ references

When the researchers at Lacework analyzed the botnet further and tried to trace its origin, they stumbled upon some odd attribution clues. The IRC C2 server irc.de-zahlung.eu shared an SSL certificate with the site jaygame.net. Interestingly, jaygame.net is a game site whose plot revolves around the anime character ‘Jay’, and it carries the Google Analytics ID UA-120919167-1.


The same ID was also found to be associated with two more domains, fflyy.su and kei.su. However, in a separate analysis by Bleeping Computer, the analytics ID was present on jaygame.net but not on the other two domains. Experts note that any malicious actor can place a genuine website’s Google Analytics ID on their own site.

Jaygame.net isn’t the only one. Mushtik used another domain with an anime reference, Pokemonic.com, and Kei (in kei.su) might also be an anime reference. Such similarities helped Lacework trace Mushtik’s origin to a Chinese forensics firm, Shen Zhou Wang Yun Information Technology Co. Ltd.

This firm might actually be the originator of the malware. In the past, Shen Zhou Wang Yun had been associated with malware such as the HiddenWasp Linux malware. Lacework’s analysis looks into the possibility of attacks by Mushtik and explains in detail how it executes an attack.

What to do?

According to cybersecurity experts, the best way to stay safe from the botnet is to stay cautious. Be vigilant whenever you install open-source firmware. To keep your device secure, keep it updated at all times and install security patches and updates as they are released. Prompt vulnerability patching is also recommended, along with regular scans.

IoT botnet Mushtik is malicious, and one should do everything possible to stay safe from it. Practice all security precautions in a timely manner to ensure you remain protected. Only by staying vigilant can you stay safe from it and similar malicious entities online.