FortiGuard Labs Threat Research

Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign

By Joie Salvio and Roy Tay | April 01, 2022

Between February and March 2022, our FortiGuard Labs team observed that the Beastmode (aka B3astmode) Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Five new exploits were added within a month, with three targeting various models of TOTOLINK routers.

This inclusion of TOTOLINK exploits is especially noteworthy as they were added just a week after the exploit codes were published on GitHub. We previously reported on the MANGA campaign, which similarly adopted exploit code within weeks of their release.

By rapidly adopting newly released exploit code, threat actors can potentially infect vulnerable devices and expand their botnets before patches are applied to fix these vulnerabilities.

TOTOLINK has already released updated firmware for affected models and users are strongly encouraged to update their devices.

This post details how this threat leverages these vulnerabilities to control affected devices, and ways to protect users from these attacks.

Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical

Exploiting New Vulnerabilities

The Beastmode campaign derives its name from filenames and URLs used for its binary samples (Figure 1), as well as a unique HTTP User-Agent header "b3astmode" (Figure 2) within the exploit requests. Binary samples are based on the publicly available source code of the Mirai botnet.

Figure 1. Honeypot log excerpt displaying usage of “beastmode” and “b3astmode” in filenames and URLs

Like most DDOS botnets, aside from brute-forcing credentials, Beastmode employs a variety of exploits to infect more devices, as listed below.

CVE-2022-26210 targets TOTOLINK A800R, A810R, A830R, A950RG, A3000RU, and A3100R (Figure 2).

Figure 2. CVE-2022-26210 exploit request

CVE-2022-26186 targets TOTOLINK N600R and A7100RU (Figure 3).

Figure 3. CVE-2022-26186 exploit request

CVE-2022-25075/25076/25077/25078/25079/25080/25081/25082/25083/25084 are a family of similar vulnerabilities targeting TOTOLINK A810R, A830R, A860R, A950RG, A3100R, A3600R, T6, and T10 routers. (Figure 4).

Interestingly, the samples caught on 20 Feb 2022 contained a typo in the URL, where “downloadFile.cgi” was used instead of “downloadFlile.cgi” used by the devices. This had been fixed in samples captured three days later, suggesting active development and operation of this campaign.

Figure 4. CVE-2022-25075 exploit with the correct request

Apart from TOTOLINK products, this campaign also targets discontinued D-Link products (DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L and DIR-836L) via CVE-2021-45382      (Figure 5). Note that updated firmware is not available as these products have reached their end of life/support cycles.

Figure 5. CVE-2021-45382 exploit request

It is interesting to note that this campaign also attempts to exploit CVE-2021-4045 (Figure 6), a vulnerability for the TP-Link Tapo C200 IP camera, which we have not observed in other Mirai-based campaigns. While the current implementation of the exploit is incorrect, device owners should still update their camera firmware to fix this vulnerability.

Figure 6. CVE-2021-4045 exploit request

A couple of older vulnerabilities were also found in the samples analyzed by FortiGuard Labs researchers, namely CVE-2017-17215 (Figure 7) targeting Huawei HG532 routers, and CVE-2016-5674 (Figure 8) targeting NUUO NVRmini2, NVRsolo, Crystal Devices, and NETGEAR ReadyNAS Surveillance products.

Figure 7. CVE-2017-17215 exploit request

Figure 8. CVE-2016-5674 exploit request

While affecting a variety of products, these vulnerabilities are all similar in that they allow threat actors to inject commands to be executed after successful exploitation. This usually involves using the wget command to download shell scripts to infect the device with Beastmode.

In addition, exploits lead to slightly different shell scripts. Snippets of the scripts downloaded from the successful exploitation of CVE-2021-45382, CVE-2022-26186, and CVE-2022-25075, respectively are shown below (Figure 9). 

Figure 9. Executing Beastmode with different filenames and parameters

As shown in the above figure, each script downloads the same file to different filenames but is executed with different parameters.

For instance, successful exploitation of CVE-2021-45382, a vulnerability involving a function named “DDNS” within D-Link router firmware, leads to the download and execution (Figure 5) of the shell script “”. Then, as shown in Figure 9, the script then downloads the Beastmode binary, which is saved as “ddns” and executed with the “ddns.exploit” parameter. The parameter (highlighted in blue) allows the infected device to register itself as part of the “ddns.exploit” sub-group within the botnet. It could then be used by the botnet operators to assess the viability of specific exploits by measuring the number of bots or simply for ease of management.

 Once devices are infected by Beastmode, the botnet can be used by its operators to perform a variety of DDoS attacks commonly found in other Mirai-based botnets, including:

  • attack_app_http
  • attack_tcp_ack
  • attack_tcp_syn
  • attack_udp_plain
  • attack_udp_vse
  • attack_udp_ovhhex
  • attack_udp_stdhex
  • attack_udp_CLAMP


Even though the original Mirai author was arrested in fall 2018, this article highlights how threat actors, such as those behind the Beastmode campaign, continue to rapidly incorporate newly published exploit code to infect unpatched devices using the Mirai malware.

By continuously monitoring the evolving threat landscape, FortiGuard Labs researchers identify new vulnerabilities exploited by Mirai variants and malware targeting IoT devices to bring greater awareness to such threats and better secure our customers’ networks.

Fortinet Protections

Fortinet customers are protected by the following:

FortiGuard IP Reputation & Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.


Download URLs













C2 IPs




Samples (SHA256)























Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.