Massive Botnet Hijacks 13,000 MikroTik Routers for Global Spam Campaign

Global MikroTik Router Botnet Discovered Spreading Malware Through Spam Campaigns

A sophisticated botnet comprising approximately 13,000 compromised MikroTik routers has been identified conducting malicious spam operations worldwide. According to Infoblox security researcher David Brunsdon, this network exploits misconfigured DNS records to bypass email security protocols.

The campaign, dubbed “Mikro Typo,” was first detected in November 2024 when researchers uncovered spam emails using freight invoice-themed lures. These emails contained ZIP archives housing obfuscated JavaScript files, which deployed PowerShell scripts to establish connections with a command-and-control server.

Technical Details:
– Affected routers run various firmware versions vulnerable to CVE-2023-30799
– Compromised devices utilize SOCKS protocols as TCP redirectors
– Botnet exploits SPF TXT record misconfigurations across roughly 20,000 domains
– Malicious actors leverage the permissive “+all” SPF option, which tells receivers that any host may send mail for the domain, so spam relayed through the routers passes sender checks
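Because the misconfiguration behind this campaign is a permissive SPF catch-all, the check a defender wants is one that evaluates a sender IP against a domain's SPF record and flags records ending in “+all” or “?all”. The following is an added example written for this article, not code from Infoblox or MikroTik; it implements the ip4, ip6 and all mechanisms of RFC 7208 offline (include/a/mx need DNS lookups and are treated as non-matching), and the records and IPs it uses are constructed samples, not real domains.

```python
"""Minimal offline SPF evaluator and catch-all auditor (added example).

Handles the ip4, ip6 and all mechanisms only; include/a/mx/exists/ptr would
need DNS resolution and are skipped, so this is a record linter rather than
a full RFC 7208 checker. All records and addresses below are constructed.
"""
import ipaddress

# SPF qualifier characters and the result each one yields on a match
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample records (not real domains); "open.example" shows the
# "+all" misconfiguration the campaign abuses.
SAMPLE_RECORDS = {
    "good.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:198.51.100.10 ~all",
    "open.example": "v=spf1 ip4:192.0.2.0/24 +all",
    "bare.example": "v=spf1 ip4:192.0.2.0/24",
}


def parse_spf(record: str):
    """Return [(qualifier, mechanism, value), ...] or None if not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifiers such as redirect= or exp=; ignored here
            continue
        qual = "+"  # an unqualified mechanism defaults to "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        parsed.append((qual, mech.lower(), value))
    return parsed


def evaluate(record: str, sender_ip: str) -> str:
    """Evaluate sender_ip against the record's ip4/ip6/all terms, left to right."""
    terms = parse_spf(record)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, value in terms:
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif mech == "all":
            # "all" always matches, so its qualifier decides every unmatched sender
            return QUALIFIERS[qual]
        # include/a/mx/exists/ptr: DNS-dependent, treated as no-match offline
    return "neutral"  # RFC 7208 default when nothing matches and no "all" is present


def audit_catch_all(record: str) -> str:
    """Classify the catch-all: 'permissive' (+all/?all), 'strict' (-all/~all), or 'missing'."""
    terms = parse_spf(record)
    if terms is None:
        return "not-spf"
    for qual, mech, _ in terms:
        if mech == "all":
            return "permissive" if qual in "+?" else "strict"
    return "missing"


if __name__ == "__main__":
    # A constructed "relay" address outside every sample's authorized ranges
    relay_ip = "203.0.113.9"
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:14} catch-all={audit_catch_all(record):10} "
              f"relay {relay_ip} -> {evaluate(record, relay_ip)}")
```

Running the block prints one line per sample domain; only “open.example” returns “pass” for the unauthorized relay address, which is exactly the behaviour a mail receiver sees when a spam source is proxied through a compromised router and the victim domain's record ends in “+all”. A domain audit would resolve each domain's TXT record and feed it to audit_catch_all, escalating anything classified as “permissive” or “missing”.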

Security Implications:
The botnet’s infrastructure poses significant threats, including:
– DDoS attack capabilities
– Phishing campaign distribution
– Data theft potential
– Complex detection evasion through SOCKS4 proxies

Recommended Security Measures:
MikroTik router owners should:
– Maintain current firmware updates
– Change default credentials
– Implement robust security protocols

The botnet’s sophisticated architecture and exploitation of legitimate domains highlight the growing complexity of cyber threats targeting network infrastructure.