
A new variant of the Mirai botnet, dubbed Aquabot, is actively exploiting a security vulnerability (CVE-2024-41710) in Mitel phones to enlist them in a botnet used for DDoS attacks. The medium-severity flaw, which allows command injection during the boot process, affects several Mitel phone series, including the 6800, 6900, 6900w, and the 6970 Conference Unit.
First detected in November 2023, Aquabot has expanded its targeting scope to include multiple vulnerabilities beyond the Mitel exploit, such as CVE-2018-10561, CVE-2018-10562, and several others affecting various IoT devices.
Key Features of Aquabot:
– Implements a new “report_kill” function for C2 server communication
– Disguises itself as “httpd.x86” to avoid detection
– Terminates specific processes, including local shells
– Targets multiple device architectures
According to Akamai researchers Kyle Lefton and Larry Cashdollar, exploitation attempts began in early January 2025, following the public release of a proof-of-concept exploit in August 2024. The attackers are reportedly offering DDoS services on Telegram under various names including Cursinq Firewall and The Eye Services.
This development highlights the ongoing threat of Mirai-based botnets targeting vulnerable IoT devices, particularly those with default configurations or lacking proper security measures. While the operators claim educational purposes, analysis reveals commercial DDoS service offerings through their botnet infrastructure.