A new variant of the Mirai-based botnet malware, Aquabot, has surfaced, actively exploiting a command injection flaw (CVE-2024-41710) in Mitel SIP phones. Akamai’s Security Intelligence and Response Team (SIRT) has identified this as the third known version of the malware, which has now evolved with new evasion and monitoring capabilities.
Aquabot’s Evolution: A Growing Threat
Aquabot first appeared in 2023, quickly making its mark in the botnet ecosystem. Later that year, a second variant introduced persistence mechanisms, ensuring the malware could survive device reboots. Now, with the emergence of Aquabotv3, attackers have taken things a step further.
This latest version incorporates a unique feature—reporting process kill attempts back to its command-and-control (C2) server. Akamai notes that this is an unusual tactic for botnets, suggesting that the malware’s operators are prioritizing real-time monitoring. This added visibility could help attackers fine-tune their campaigns, adjusting their tactics if security measures start disrupting infections.
One sentence alone: This botnet isn’t just spreading—it’s watching.
Exploiting CVE-2024-41710 in Mitel SIP Phones
Mitel’s SIP phones are widely used in corporate offices, government agencies, hospitals, hotels, and financial institutions—making them attractive targets for cybercriminals. The vulnerability at play, CVE-2024-41710, is a command injection flaw that stems from improper input sanitization during the boot process.
- The flaw allows attackers with admin credentials to execute arbitrary commands.
- It impacts Mitel’s 6800, 6900, and 6900w Series SIP phones.
- Mitel released a security fix on July 17, 2024, urging immediate upgrades.
Despite these patches, the situation escalated when security researcher Kyle Burns published a proof-of-concept (PoC) exploit on GitHub two weeks later. Attackers wasted no time, repurposing the PoC for real-world exploitation.
By early January 2025, Akamai’s honeypots detected exploitation attempts that closely mirrored the PoC, confirming that threat actors had integrated this vulnerability into active attacks.
How Attackers Are Exploiting Mitel Phones
The attack sequence is sophisticated but effective. It starts with a brute-force attack to gain administrative access, allowing attackers to send a malicious HTTP POST request to the vulnerable 8021xsupport.html endpoint. This page is responsible for authentication settings on Mitel phones.
From there, attackers inject a manipulated configuration file that tricks the device into executing a remote shell script on its next reboot. That script then downloads and installs Aquabotv3, setting the stage for further infections.
Here’s how it works:
- Brute-forcing credentials – Attackers try weak or default admin passwords.
- Exploiting 8021xsupport.html – Malicious input is injected via an HTTP POST request.
- Executing a remote script – The injected payload fetches Aquabotv3 from the attacker’s server.
- Installing the malware – The script sets execution permissions and erases traces of installation.
Once infected, the device becomes part of the botnet, ready to receive further commands and contribute to larger attacks.
Aquabotv3’s Expanding Attack Arsenal
Aquabotv3 isn’t just attacking Mitel devices—it’s using them as stepping stones to target other IoT and networking equipment. The malware actively exploits multiple known vulnerabilities, including:
- CVE-2018-17532 (TP-Link)
- CVE-2023-26801 (IoT firmware RCE)
- CVE-2022-31137 (Web App RCE)
- CVE-2018-10562 / CVE-2018-10561 (Dasan routers)
Additionally, it attempts brute-force attacks on SSH and Telnet services, seeking poorly secured devices on the same network.
One sentence alone: This isn’t just a Mitel problem—it’s a gateway to a broader cyber threat.
A Weaponized DDoS Botnet for Sale
Aquabotv3 isn’t just experimental malware—it’s being actively marketed. Its operators advertise DDoS-for-hire services on Telegram, branding themselves under names like Cursinq Firewall, The Eye Services, and The Eye Botnet. They claim to offer a “testing tool” for DDoS mitigation but, in reality, are arming cybercriminals with a powerful attack platform.
The botnet is capable of launching a variety of DDoS attacks, including:
- TCP SYN Floods – Overwhelming a target’s connection queue.
- TCP ACK Floods – Disrupting legitimate traffic.
- UDP Floods – Consuming bandwidth with junk traffic.
- GRE IP Attacks – Exploiting encapsulated packets for stealth.
- Application-layer attacks – Targeting specific services or websites.
The combination of stealthy infection tactics and aggressive DDoS capabilities makes Aquabotv3 a serious concern.
Detection and Mitigation
Akamai has released indicators of compromise (IoCs), along with Snort and YARA rules to help detect Aquabotv3 infections. While Mitel has provided patches, organizations that fail to update their devices remain vulnerable.
Security teams should take the following steps immediately:
- Apply Mitel’s security updates to patch CVE-2024-41710.
- Monitor authentication logs for unusual login attempts.
- Deploy intrusion detection rules using Akamai’s provided IoCs.
- Enforce strong admin credentials to prevent brute-force attacks.
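As an added example (not from Akamai's report, its published rules, or Mitel's tooling), here is a detection check covering the steps described earlier and the monitoring advice above: it flags a source that fails admin login repeatedly and then POSTs to 8021xsupport.html. The log format, the /login.html path, the thresholds and the sample lines are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data) in an assumed format:
# "<timestamp> <src_ip> <method> <path> <status>"
SAMPLE_LOG = """\
2025-01-03T10:00:01 203.0.113.5 POST /login.html 401
2025-01-03T10:00:02 203.0.113.5 POST /login.html 401
2025-01-03T10:00:03 203.0.113.5 POST /login.html 401
2025-01-03T10:00:04 203.0.113.5 POST /login.html 401
2025-01-03T10:00:05 203.0.113.5 POST /login.html 401
2025-01-03T10:00:06 203.0.113.5 POST /login.html 200
2025-01-03T10:00:09 203.0.113.5 POST /8021xsupport.html 200
2025-01-03T10:05:00 198.51.100.7 POST /login.html 200
2025-01-03T10:05:30 198.51.100.7 GET /8021xsupport.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse(lines):
    """Yield (timestamp, ip, method, path, status) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, method, path, status = m.groups()
            yield datetime.fromisoformat(ts), ip, method, path, int(status)


def detect(log_text, fail_threshold=5, window=timedelta(minutes=2)):
    """Alert when one source IP fails login >= fail_threshold times within
    `window` and then POSTs to 8021xsupport.html (the page the attack abuses).
    /login.html is an assumed login endpoint, not a documented Mitel path."""
    failures = defaultdict(list)   # ip -> timestamps of failed logins
    alerts = []
    for ts, ip, method, path, status in parse(log_text.splitlines()):
        if path.endswith("/login.html") and status == 401:
            failures[ip].append(ts)
            continue
        if method == "POST" and path.endswith("/8021xsupport.html"):
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append({"ip": ip, "failures": len(recent),
                               "at": ts.isoformat()})
    return alerts
```

A single admin who logs in cleanly and views the page (the second source in the sample) produces no alert; only the brute-force-then-write pattern does.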
One sentence alone: Ignoring this vulnerability is an open invitation for an attack.
As Aquabotv3 continues to evolve, organizations must stay vigilant. The malware’s ability to monitor kill attempts and adapt its tactics makes it more resilient than previous versions. With DDoS services being openly marketed, we can expect more attacks in the coming months.