Zerobot Malware Exploits Tenda Router Vulnerabilities to Deploy Malicious Payloads
A sophisticated botnet campaign, known as Zerobot, has resurfaced with enhanced capabilities, actively exploiting critical vulnerabilities in Tenda AC1206 routers and the n8n workflow automation platform. This latest iteration, referred to as zerobotv9, demonstrates a significant evolution in malware targeting strategies, posing substantial risks to both consumer and enterprise networks.
Evolution of Zerobot
Initially identified in 2022, Zerobot was recognized as a Go-based malware primarily targeting Internet of Things (IoT) devices. The current variant, zerobotv9, marks a departure from its predecessor by adopting a more compact form factor, utilizing UPX packing, and incorporating encrypted strings. Notably, it features a hard-coded command and control (C2) domain, 0bot.qzz[.]io, indicating a deliberate effort by its operators to enhance stealth and persistence.
Exploitation of Tenda Router Vulnerabilities
In mid-January 2026, security researchers observed active exploitation attempts targeting specific vulnerabilities in Tenda AC1206 routers. These vulnerabilities, identified as CVE-2025-7544 and CVE-2025-68613, were publicly disclosed in 2025.
– CVE-2025-7544: This critical stack-based buffer overflow vulnerability resides in the `/goform/setMacFilterCfg` endpoint of Tenda AC1206 devices running firmware version 15.03.06.23. Attackers can exploit this flaw remotely by passing an oversized value through the `deviceList` parameter, leading to denial-of-service (DoS) conditions and potential remote code execution (RCE).
– CVE-2025-68613: A critical RCE vulnerability in n8n’s workflow expression evaluation system affects versions 0.211.0 through 1.22.0. The lack of proper sandboxing allows attackers to execute arbitrary code, steal API keys, access server files, and establish persistence.
Infection Mechanism and Payload Delivery
Upon identifying a vulnerable Tenda router or n8n instance, Zerobot initiates the exploitation process by downloading and executing a malicious shell script named `tol.sh` from a U.S.-based IP address (144.172.100.228). This script performs the following actions:
1. Deployment of BusyBox: Copies BusyBox to the `/tmp` directory and assigns execution permissions.
2. Payload Retrieval: Fetches and executes the main Mirai malware payload, zerobotv9, which is compatible with multiple CPU architectures, ensuring broad device compatibility.
The exploitation process involves triggering the buffer overflow by passing 500 repeated characters through the `deviceList` parameter. In the case of n8n, the attack sends commands via the workflow API to execute `tol.sh` and load the same payload.
Enhanced Capabilities of Zerobotv9
Zerobotv9 exhibits several advanced features that distinguish it from earlier versions:
– Stealth Techniques: Incorporates hard-coded user-agent strings that mimic legitimate browser traffic, aiding in evading network detection mechanisms.
– Expanded Attack Methods: Supports multiple attack vectors, including TCPXmas, Mixamp, SSH, and Discord, surpassing the capabilities of the original 2022 Zerobot variant.
– Targeting Additional Vulnerabilities: Beyond Tenda routers and n8n platforms, Zerobotv9 has been observed exploiting other known vulnerabilities, such as CVE-2017-9841, CVE-2021-3129, and CVE-2022-22947, indicating a broad and adaptable threat landscape.
Implications for Network Security
The resurgence of Zerobot, particularly its focus on both IoT devices and enterprise automation platforms like n8n, underscores the evolving nature of cyber threats. Organizations and individuals must adopt proactive measures to mitigate the risks associated with such sophisticated malware campaigns.
Recommended Mitigation Strategies
1. Firmware Updates: Regularly check for and apply firmware updates for all network devices to patch known vulnerabilities.
2. Network Segmentation: Implement network segmentation to limit the spread of malware within internal networks.
3. Access Controls: Enforce strict access controls and authentication mechanisms to prevent unauthorized access to network devices.
4. Monitoring and Detection: Utilize intrusion detection and prevention systems to monitor network traffic for signs of malicious activity.
5. Disable Unnecessary Services: Turn off services and features that are not in use to reduce potential attack surfaces.
Conclusion
The Zerobotv9 campaign highlights the critical importance of maintaining robust cybersecurity practices. By staying informed about emerging threats and implementing comprehensive security measures, organizations and individuals can better protect their networks and devices from sophisticated malware attacks.
