Pro-Russian hackers boost capacity with Mirai variants
Pro-Russian hacker collective Zarya, formerly operating under Killnet’s wing, is believed to have started employing variants of Mirai malware to put more juice into its offensive capabilities.

Hacktivist groups supporting Russia’s illegal invasion of Ukraine increasingly cooperate, trying to increase the power of distributed denial-of-service (DDoS) botnets used to target organizations supporting Kyiv.

According to researchers at cybersecurity firm Radware, pro-Russian hacktivist group Zarya started developing its own version of Mirai malware, meant to recruit more devices from the web that could potentially become the group’s unwilling soldiers.

First discovered in 2016, the Mirai botnet used malware that infected Linux-based devices and then self-propagated via open Telnet ports to infect other machines. Botnet operators have been trying to balloon their capabilities with variants of Mirai ever since.
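The Telnet self-propagation described above leaves a recognisable trace on the network: one infected host opening TCP connections to port 23 on many different addresses in a short time. The following script is an added example, not code from the article or from Radware, showing how a defender can surface that fan-out pattern from connection logs. The log format is an assumption ("timestamp src -> dst:port proto"), the sample lines are constructed with documentation-range addresses, and port 2323, the alternate Telnet port that the original Mirai scanner also probed, is included alongside 23.

```python
from collections import defaultdict

# Constructed sample of connection-log lines (assumed format:
# "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"). Not real traffic.
SAMPLE_LOG = """\
2023-04-01T10:00:01Z 203.0.113.7 -> 192.0.2.10:23 tcp
2023-04-01T10:00:01Z 203.0.113.7 -> 192.0.2.11:23 tcp
2023-04-01T10:00:02Z 203.0.113.7 -> 192.0.2.12:2323 tcp
2023-04-01T10:00:02Z 203.0.113.7 -> 192.0.2.13:23 tcp
2023-04-01T10:00:03Z 203.0.113.7 -> 192.0.2.14:23 tcp
2023-04-01T10:00:03Z 203.0.113.7 -> 192.0.2.10:23 tcp
2023-04-01T10:00:04Z 198.51.100.4 -> 192.0.2.20:23 tcp
2023-04-01T10:00:05Z 198.51.100.4 -> 192.0.2.21:23 tcp
2023-04-01T10:00:06Z 203.0.113.9 -> 192.0.2.30:443 tcp
2023-04-01T10:00:06Z 203.0.113.9 -> 192.0.2.31:443 tcp
2023-04-01T10:00:07Z 203.0.113.9 -> 192.0.2.32:443 tcp
2023-04-01T10:00:07Z 203.0.113.9 -> 192.0.2.33:443 tcp
2023-04-01T10:00:08Z 203.0.113.9 -> 192.0.2.34:443 tcp
2023-04-01T10:00:08Z 203.0.113.9 -> 192.0.2.35:443 tcp
"""

# Port 23 is standard Telnet; 2323 is the alternate port the original
# Mirai scanner also tried. Both are treated as Telnet here.
TELNET_PORTS = {23, 2323}


def parse_line(line):
    """Split one assumed-format log line into its fields."""
    ts, src, _arrow, dst, proto = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, src, dst_ip, int(dst_port), proto


def find_telnet_scanners(log_text, min_targets=5):
    """Return {src_ip: distinct_telnet_targets} for sources that opened
    Telnet connections to at least `min_targets` distinct destinations.

    Distinct destinations are counted (repeat attempts against one host
    count once), so the heuristic keys on fan-out rather than volume."""
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst_ip, dst_port, proto = parse_line(line)
        if proto == "tcp" and dst_port in TELNET_PORTS:
            fanout[src].add(dst_ip)
    return {src: len(dsts) for src, dsts in fanout.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, count in find_telnet_scanners(SAMPLE_LOG).items():
        print(f"possible Telnet scanner: {src} reached {count} distinct hosts")
```

On the sample, 203.0.113.7 is flagged (five distinct Telnet targets, one of them via 2323), 198.51.100.4 stays below the threshold, and 203.0.113.9 is ignored because its fan-out is on port 443. On a real network the threshold and time window should be tuned to the site's normal Telnet use, and a flagged internal source is a candidate for quarantine and firmware review rather than proof of infection.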

Worryingly, Zarya appears to have befriended threat actors from Akur Group, a hosting provider for pro-Russian hacktivist groups. Researchers claim that Zarya’s propaganda website, as well as the collective’s campaign log and malware, are hosted by Akur.

Daniel Smith, the head of research for Radware’s threat intelligence division, believes Zarya’s methods signal a more mature phase of the cyber conflict that has been underway since Moscow’s tanks rolled into Ukraine on February 24, 2022.

“Pro-Russian hacktivists have moved beyond basic denial-of-service scripts and crowdsourced attacks to more advanced and potent techniques. The significant impact of Zarya’s recent activities offers just one case in point,” Smith said.

Researchers uncovered Zarya’s attempts earlier this month, after discovering a compromised server in Vietnam attempting to exploit Radware’s honeypot via a known vulnerability. The bug allows threat actors to carry out remote code execution (RCE) attacks on MVPower CCTV DVR devices, effectively letting them take over the digital video recorder remotely.

Further investigation revealed that the attack’s payload was hosted on Akur Group’s servers, and that the malware is a variant of the infamous Mirai malware. Mirai-based botnets are among the most dangerous due to their capability to conduct large-scale DDoS attacks.

Zarya, which means “dawn” in Russian, was first spotted in March 2022. At first, the group operated under the command of a now-infamous pro-Russian hacktivist collective, Killnet. However, Zarya started conducting separate operations in the summer of that year. While the group is primarily known for DDoS attacks, it doesn’t shy away from website defacement campaigns and data leaks.