MalwareHunterTeam identified an ELF backdoor uploaded from Japan to VirusTotal with zero detections, disguised as libjson_script.so.0 and targeting Linux-based iKuai routers. The sample uses encrypted C2 communications, task-based command execution, and device profiling to control compromised systems via 47.80.111[.]129:7380. #iKuai #OpenWrt #libjson_script.so.0 #47.80.111.129
Key points
- The sample was first uploaded to VirusTotal from Japan on 2026-06-08 and had zero AV detections when shared on 2026-07-01.
- It is an ELF backdoor masquerading as the legitimate OpenWrt component libjson_script.so.0 / libubox.
- The backdoor appears to target Chinese iKuai routers and uses device-specific checks such as GWID and VERSTRING values.
- It establishes encrypted HTTPS communications with the C2 server at 47.80.111[.]129:7380 using AES-GCM and AES-256.
- The malware collects host profiling data including hostname, local IP, PID, architecture, current directory, and release-file information before beaconing.
- It supports commands for downloading and executing payloads, canceling scheduled tasks, exfiltrating files, changing directories, and running shell commands.
- Configuration strings, URIs, and operational parameters are hidden with single-byte XOR using key 0x5A.
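The single-byte XOR obfuscation noted above, as an added triage aid that is not code from the original report or from the sample: it decodes a blob with key 0x5A, extracts printable runs, and flags any that contain indicators listed on this page. The blob, function names and length threshold are constructed assumptions for the demonstration.

```python
"""
Added example (not from the original write-up): recover candidate
single-byte-XOR-obfuscated strings from a binary using the key 0x5A
reported for this backdoor's configuration. SAMPLE_BLOB is constructed
for the demonstration and is not the real sample.
"""
import re

XOR_KEY = 0x5A   # key reported in the analysis
MIN_LEN = 6      # assumed: shortest printable run worth reporting

# Indicators taken from this page; used to rank decoded strings.
KNOWN_INDICATORS = (
    "47.80.111.129:7380",
    "/cdn-cgi/trace",
    "/cdn-cgi/bm/cv/result",
    "/cdn-cgi/challenge-platform/generate/ov1",
    ".runlevel.cache",
)


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the single-byte key (decode and encode are identical)."""
    return bytes(b ^ key for b in data)


def extract_xor_strings(blob: bytes, key: int = XOR_KEY, min_len: int = MIN_LEN) -> list[str]:
    """Decode the whole blob and return printable ASCII runs of at least min_len.

    Only regions that were text before XORing become readable after decoding,
    so a real sample yields its hidden config strings mixed with noise.
    """
    decoded = xor_bytes(blob, key)
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(decoded)]


def matches_known_indicators(strings: list[str]) -> list[str]:
    """Keep only decoded strings that contain an indicator from the report."""
    return [s for s in strings if any(ind in s for ind in KNOWN_INDICATORS)]


# Constructed blob: two obfuscated strings separated by filler bytes that
# decode to non-printable values (0x00, 0x01, 0xFF) so runs stay separate.
FILLER = b"\x5a\x5b\xa5"
SAMPLE_BLOB = (
    FILLER
    + xor_bytes(b"https://47.80.111.129:7380/cdn-cgi/trace")
    + FILLER
    + xor_bytes(b"/usr/share/misc/.runlevel.cache")
    + FILLER
)

if __name__ == "__main__":
    for s in matches_known_indicators(extract_xor_strings(SAMPLE_BLOB)):
        print(s)
```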
MITRE Techniques
- [T1036] Masquerading – The backdoor impersonates a legitimate OpenWrt library to blend in with trusted software (‘the ELF impersonates the legitimate libjson_script.so’).
- [T1547.006] Boot or Logon Autostart Execution: Kernel Modules and Extensions – The sample uses a library-style filename on Linux to appear as part of system software (‘part of the OpenWrt Project, specifically part of libubox’).
- [T1027] Obfuscated Files or Information – Configuration strings are hidden using XOR and encrypted values (‘uses an XOR decryption algorithm with a single byte key’ and ‘the strings decrypted as part of the configuration decryption’).
- [T1573] Encrypted Channel – The backdoor sends profiling data and task results over AES-encrypted HTTPS communications (‘This information is AES-encrypted before it is sent’ and ‘sent to the C2 as an encrypted JSON’).
- [T1071.001] Application Layer Protocol: Web Protocols – The malware communicates with its C2 over HTTPS endpoints (‘beacons to the C2’ and sends data to ‘https://47.80.111[.]129:7380/cdn-cgi/trace’).
- [T1105] Ingress Tool Transfer – It downloads payloads from URLs for execution (‘Downloads payload from a url and executes it as a “scheduled task”’ and ‘__uu__ Downloads, executes, and deletes an ELF’).
- [T1059.004] Command and Scripting Interpreter: Unix Shell – It executes shell commands through /bin/sh -c (‘Executes shell commands’ and ‘runs shell commands with “/bin/sh -c”’).
- [T1005] Data from Local System – It reads local files for exfiltration (‘__dd__ Reads a file, base64 encodes it, and exfiltrates it’).
- [T1021] Remote Services – The operator can direct commands remotely through the C2 task loop (‘Enters an infinite loop that beacons to the C2 to receive tasks’).
- [T1053.003] Scheduled Task/Job: Cron – The malware supports scheduled execution of downloaded payloads (‘Downloads payload from a url and executes it as a “scheduled task”’ and ‘__sched__’).
- [T1106] Native API – It uses system calls and native Linux functions such as chdir() and getpid() to operate (‘Gets the process ID’ and ‘changes directories via chdir()’).
Indicators of Compromise
- [File name] disguised ELF backdoor sample – libjson_script.so.0
- [SHA-256] identified sample hash – 4e6276cc400b3b9e9616d04474b64a8fa0c35375b9673ab41a92a6d5bce72d8d
- [IP address and port] C2 server – 47.80.111[.]129:7380
- [URLs] encrypted C2 endpoints used for profiling and results – /cdn-cgi/trace, /cdn-cgi/bm/cv/result
- [URL] payload download endpoint – /cdn-cgi/challenge-platform/generate/ov1
- [File path] cache and release-file locations used for GWID and version checks – /etc/release, /usr/share/misc/.runlevel.cache
- [File path] working and staging directory – /var/tmp and /var/tmp/.
- [User-Agent] HTTP client string used by the malware – Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
- [Repository URL] unused GitHub URL found in configuration – https://raw.githubusercontent.com/pnzzuv09911cast11/googlehub/refs/heads/main/readme.txt
Read more: https://dmpdump.github.io/posts/Backdoor_iKuai_Routers/