A new Mirai botnet variant, named Murdoc, has been actively compromising AVTECH IP cameras and Huawei HG532 routers in a widespread campaign that began in mid-2024.
Researchers at Qualys have identified that Murdoc exploits two known vulnerabilities, CVE-2024-7029 and CVE-2017-17215, to achieve remote code execution (RCE) and deploy malware on targeted devices.
Unpatchable Command Injection Vulnerability in AVTECH Cameras
CVE-2024-7029 is an unpatchable command injection vulnerability impacting end-of-life AVTECH IP cameras.
These devices, no longer supported with security updates, remain highly susceptible to exploitation unless properly secured.
This CVE has also been targeted previously by other Mirai variants, such as the Corona Mirai strain.
Huawei HG532 Router Exploitation at Scale
The second vulnerability, CVE-2017-17215, affects Huawei HG532 routers and allows arbitrary command execution.

This vulnerability has been extensively targeted, with GreyNoise sensors reporting 37,796 unique malicious IPs attempting exploitation, peaking on January 16, 2025.
According to Censys scans as of January 22, there are 221 confirmed Murdoc-infected hosts, concentrated in Indonesia, the United States, and Taiwan.
However, other sources estimate over 1,300 infections, though this figure likely includes false positives, such as hosts with suspicious pseudoservices responding across 100+ open ports.
Notably, 93 infected hosts exhibit behavior indicative of Mirai command-and-control (C2) servers, which initiate further attacks on vulnerable devices.
Compromised AVTECH cameras have also been observed acting as C2 servers themselves, further widening the malware's distribution.
Search queries for identifying Murdoc-infected hosts on Censys are available:
- Infected hosts:
services.http.response.body:"murdoc_botnet"
- Mirai C2 servers:
services.http.response.body:"murdoc_botnet" and services.http.response.body:"$(echo -ne"
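The two Censys queries above amount to a simple body-content check: a host is flagged as infected when its HTTP response body contains "murdoc_botnet", and as a C2 server when it additionally contains the "$(echo -ne" fragment. The following is an added example (not Qualys, Censys or GreyNoise code) that applies the same two indicators to locally captured HTTP responses, for teams that keep their own scan output rather than querying Censys. The sample captures and hostnames are constructed for illustration.

```python
"""Triage captured HTTP responses using the Murdoc indicators quoted in the article.

Added example; not Qualys, Censys or GreyNoise code. The two indicator strings are
the body fragments from the Censys queries above. The sample captures are constructed.
"""
from dataclasses import dataclass

# Fragment matched by the Censys "infected hosts" query.
INFECTED_MARKER = "murdoc_botnet"
# Additional fragment the Censys "Mirai C2 servers" query requires alongside the first.
C2_MARKER = "$(echo -ne"


@dataclass(frozen=True)
class Finding:
    host: str
    status_line: str
    verdict: str  # "clean", "infected" or "c2"


def split_http_response(raw: bytes) -> tuple[str, str]:
    """Split a raw HTTP/1.x response into (status line, body).

    Accepts CRLF or bare LF header terminators, since scanner dumps vary. The body is
    decoded as latin-1 so arbitrary device bytes never raise a decoding error.
    """
    for separator in (b"\r\n\r\n", b"\n\n"):
        if separator in raw:
            head, body = raw.split(separator, 1)
            break
    else:
        head, body = raw, b""
    status_line = head.split(b"\n", 1)[0].strip().decode("latin-1")
    return status_line, body.decode("latin-1")


def classify_body(body: str) -> str:
    """Mirror the two Censys queries: C2 needs both markers, infection needs the first."""
    if INFECTED_MARKER not in body:
        return "clean"
    if C2_MARKER in body:
        return "c2"
    return "infected"


def triage(captures: dict[str, bytes]) -> list[Finding]:
    """Classify each {host: raw_response} capture, most severe verdicts first."""
    rank = {"c2": 0, "infected": 1, "clean": 2}
    findings = []
    for host, raw in captures.items():
        status_line, body = split_http_response(raw)
        findings.append(Finding(host, status_line, classify_body(body)))
    return sorted(findings, key=lambda f: (rank[f.verdict], f.host))


# Constructed sample captures; hostnames and bodies are illustrative, not real observations.
SAMPLE_CAPTURES = {
    "cam-a.example.net": (
        b"HTTP/1.1 200 OK\r\nServer: constructed-camera-httpd\r\n\r\n"
        b"<html><title>Network Camera</title></html>"
    ),
    "cam-b.example.net": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
        b"murdoc_botnet\n"
    ),
    "cam-c.example.net": (
        b"HTTP/1.0 200 OK\n\n"
        b"murdoc_botnet $(echo -ne [payload omitted in this constructed sample])\n"
    ),
    "rtr-d.example.net": b"HTTP/1.1 401 Unauthorized\r\n\r\n",
}


if __name__ == "__main__":
    for finding in triage(SAMPLE_CAPTURES):
        print(f"{finding.verdict:<8} {finding.host:<20} {finding.status_line}")
```

A body containing only the "$(echo -ne" fragment is deliberately left as "clean", because the Censys C2 query requires both markers; matching the shell fragment alone would flag unrelated devices.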
GreyNoise data highlights ongoing exploit attempts for both vulnerabilities.
While there are over 36,182 internet-exposed AVTECH cameras globally, not all are confirmed vulnerable to CVE-2024-7029.
However, these legacy devices are no longer maintained and should not be accessible via public networks, given their susceptibility to attacks.
Organizations and users are strongly advised to isolate vulnerable devices from external networks or replace them with supported hardware.
Legacy devices such as these AVTECH cameras must not remain publicly exposed if their exploitation in future campaigns is to be prevented.