Akamai’s Security Intelligence and Response Team (SIRT) has uncovered a concerning development in the cybersecurity landscape: a third version of Aquabot, a Mirai-based botnet, has emerged with advanced capabilities.
Dubbed “Aquabotv3,” this malware is targeting unpatched vulnerabilities in Mitel SIP phones to propagate distributed denial of service (DDoS) attacks.
Notably, this variant introduces unprecedented functionality, including communication with its command-and-control (C2) server upon receiving “kill signals.”
At the core of this malicious campaign is CVE-2024-41710, a critical command injection vulnerability affecting Mitel 6800, 6900, and 6900w series SIP phones running outdated firmware (up to R6.4.0.HF1).
The vulnerability stems from flawed input sanitization, allowing attackers to execute arbitrary commands via a manipulated HTTP POST request targeting the “802.1x Support” configuration endpoint.
The vulnerability was disclosed in mid-2024, and since January 2025 Akamai’s global honeypot network has detected attackers leveraging public proof-of-concept (PoC) code against it.
The observed attack payload attempts to install a shell script (bin.sh) to download and execute Aquabot malware compatible with various architectures, including x86, ARM, and MIPS.
This payload mirrors prior exploitation strategies seen in Mirai-based botnets but is now refocused on SIP phones as entry points.
Innovative Features in Aquabotv3
While earlier iterations of Aquabot (v1 and v2) closely adhered to Mirai’s baseline framework, version 3 stands out for introducing new functions that enhance both persistence and botnet health monitoring.
A key feature is the “report_kill” functionality. When a kill signal such as SIGTERM or SIGINT is sent to an infected device, the malware sends a notification to its C2 server, indicating it has been terminated.
While no active C2 response has been observed, this communication suggests the attackers are monitoring their botnet’s status to potentially improve resilience against disruption.
Furthermore, the malware employs obfuscation techniques, renaming itself as “httpd.x86” to evade detection and consistently communicating with C2 servers over specific ports.
Analyses reveal connections to infrastructure IPs (e.g., 89.190.156.145) and domains (e.g., “intenseapi.com”), with patterns that indicate organized scaling of its botnet operations.
Broader Attack Surface
Aquabotv3’s threat potential extends beyond Mitel phones. It also exploits vulnerabilities in other systems, including Hadoop YARN (CVE-2018-17532) and Linksys routers (CVE-2018-10562).
This broad targeting strategy significantly increases the botnet’s capacity to mount DDoS attacks.
Alarmingly, the malware appears to be marketed as “DDoS-as-a-service” via Telegram, misleading buyers with claims that it is a legitimate DDoS testing tool.
Organizations relying on Mitel SIP phones and other vulnerable IoT devices must prioritize patch management to mitigate this emerging threat.
Ensuring strong authentication practices, removing default credentials, and deploying network traffic monitoring are essential defenses.
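As an added defender-side example (not Akamai’s code or anything taken from the report), the following Python helper turns the details above into a triage check: it flags Mitel 6800/6900/6900w phones running R6.4.0.HF1 or older, and hunts the C2 IP, C2 domain, renamed binary and dropper name in constructed log lines. The ordering of hotfix releases relative to base releases, the log formats, and the hostnames are assumptions.

```python
"""Added defender-side triage helper; not Akamai's or Mitel's code. It flags
Mitel phones whose firmware the write-up calls affected and hunts the
write-up's Aquabotv3 indicators in constructed log lines."""
import re

# Indicators quoted in the write-up (C2 IP, C2 domain, renamed binary, dropper).
C2_IPS = {"89.190.156.145"}
C2_DOMAINS = {"intenseapi.com"}
SUSPECT_PROCESSES = {"httpd.x86"}
DROPPER_NAME = "bin.sh"
AFFECTED_SERIES = {"6800", "6900", "6900w"}
LAST_AFFECTED = "R6.4.0.HF1"   # write-up: affected firmware "up to" this release

def parse_firmware(version):
    """'R6.4.0.HF1' -> (6, 4, 0, 1). Assumption: a hotfix (HFn) release sorts
    after its base release, so R6.4.0 < R6.4.0.HF1."""
    m = re.fullmatch(r"R(\d+)\.(\d+)\.(\d+)(?:\.HF(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Mitel firmware string: {version!r}")
    major, minor, patch, hf = m.groups()
    return int(major), int(minor), int(patch), int(hf or 0)

def is_affected(series, firmware):
    """True for a 6800/6900/6900w phone running LAST_AFFECTED or older."""
    if series.lower() not in AFFECTED_SERIES:
        return False
    return parse_firmware(firmware) <= parse_firmware(LAST_AFFECTED)

def scan_logs(lines):
    """Return (line_no, reason) for every log line matching a page indicator."""
    checks = [(r"\b%s\b" % re.escape(ip), f"C2 IP {ip}") for ip in C2_IPS]
    checks += [(r"\b%s\b" % re.escape(d), f"C2 domain {d}") for d in C2_DOMAINS]
    checks += [(r"\b%s\b" % re.escape(p), f"process {p}") for p in SUSPECT_PROCESSES]
    checks.append((r"/%s\b" % re.escape(DROPPER_NAME), f"dropper {DROPPER_NAME}"))
    hits = []
    for n, line in enumerate(lines, 1):
        for pattern, reason in checks:
            if re.search(pattern, line):
                hits.append((n, reason))
                break   # one reason per line is enough for triage
    return hits

# Constructed sample log lines (not real telemetry); dropper host is a placeholder.
LOGS = [
    "Jan 29 10:02:11 fw kernel: OUT src=10.0.5.21 dst=89.190.156.145 proto=TCP",
    "Jan 29 10:02:15 dns query: intenseapi.com A from 10.0.5.21",
    "Jan 29 10:02:20 desk-12 wget: fetching http://DROPPER-HOST-PLACEHOLDER/bin.sh",
    "Jan 29 10:02:25 desk-12 ps: 1337 root httpd.x86",
    "Jan 29 10:03:00 fw kernel: OUT src=10.0.5.22 dst=203.0.113.9 proto=UDP",
]
```

Run `scan_logs(LOGS)` to see the four indicator hits; the benign last line is not flagged, and `is_affected("6900w", "R6.4.0.HF1")` reports the phone as still in the affected range.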
Akamai’s findings underscore the persistent threat posed by Mirai-based malware variants—and their continued evolution toward more sophisticated capabilities.