Campaign Identifier: AdvancedRouterScanner-Global-Router-Exploitation

Last Updated: October 25, 2025


BLUF (Bottom Line Up Front)

Executive Summary

Business Impact Summary

AdvancedRouterScanner represents a sophisticated, custom exploitation framework actively targeting embedded network devices globally. This is not commodity malware but a purpose-built weaponization tool transitioning from research to operational botnet recruitment. Defensive actions are recommended to prevent large-scale infrastructure compromise.

Key Risk Factors

Risk Factor                     | Score | Business Impact
--------------------------------|-------|------------------------------------------------------------------------------------------
Global Infrastructure Targeting | 9/10  | 65,000+ network devices targeted, with 50,000+ successfully compromised across multiple continents
Botnet Recruitment              | 8/10  | Infrastructure compromise enabling DDoS attacks, proxy abuse, and resale of network access
Custom Exploitation Framework   | 8/10  | Unique, highly attributable tool indicating sophisticated threat actor with specific capabilities
Geographic Concentration        | 7/10  | 45.5% of targets in Brazil, creating regional infrastructure vulnerability and supply chain risk

  1. BLOCK known malicious infrastructure (185.38.150.7:9999, 176.65.137.13:80)
  2. AUDIT all exposed network devices, particularly Huawei/Four-Faith OEM equipment
  3. MONITOR for exploitation patterns and credential brute-forcing attempts
  4. ISOLATE potentially compromised devices from critical networks
  5. UPDATE firmware on all embedded network devices
  6. IMPLEMENT network segmentation to limit lateral movement



1. Executive Summary

Key Takeaways

  • This is not commodity malware; it is a custom exploitation framework with unique fingerprints, making it highly attributable.
  • The campaign is global in scope, but disproportionately impacts Latin America, Southeast Asia, and parts of Africa.
  • Attackers have transitioned, or will soon transition, from research (PoC) to full operationalization (hub infrastructure, payload hosting, reverse shells).
  • The end goal is botnet recruitment, enabling DDoS, proxy abuse, and potential resale of access.
  • Immediate defensive actions include blocking known infrastructure, auditing exposed devices, and monitoring for exploitation patterns.

Summary

This investigation uncovered a coordinated exploitation campaign targeting embedded network devices (Huawei/Four‑Faith and similar OEMs) through exposed CGI endpoints and weak/default credentials. The campaign demonstrates a clear progression from proof‑of‑concept (PoC) research into fully weaponized exploitation infrastructure, with evidence of both opportunistic scanning and operationalized attack hubs.

The first discovery, an open directory on 185[.]38[.]150[.]7:9999, contained a Python script (poc[.]py) named AdvancedRouterScanner. This tool is not publicly available and appears to be custom or semi‑private. It combines global opportunistic scanning with vendor‑specific exploitation logic. Its capabilities include threaded scanning, service enumeration (FTP, SSH, Telnet), vendor fingerprinting, brute forcing of default credentials, and exploitation.

The second discovery, an exposed directory on 176[.]65[.]137[.]13:80, revealed a far more mature operator hub. Artifacts including .bash_history and exploit_log.txt provided direct insight into attacker tradecraft. These scripts automated credential brute forcing, endpoint probing, and command injection via the adj_time_year parameter. Payload delivery was confirmed. This host functioned as a launchpad for mass exploitation, bridging reconnaissance into active botnet recruitment.

Enrichment of ~65,000 IPs targeted by this campaign revealed ~50,000 successfully resolved with ASN/ISP/Country metadata. The geographic distribution was heavily skewed toward Brazil (45.5%), followed by Vietnam, South Africa, Colombia, and Argentina. ASN analysis showed concentration within a handful of regional ISPs, underscoring systemic exposure in specific markets. Approximately 15,000 IPs could not be enriched, highlighting coverage gaps but also reinforcing the scale of attempted exploitation.


2. Tool Overview (poc.py)

Name: poc.py (generic filename).
Unique Class: AdvancedRouterScanner.
Capabilities:

  • Parallel scanning with ThreadPoolExecutor.
  • Service detection (HTTP/HTTPS, SSH, Telnet, FTP).
  • Vendor fingerprinting via HTML keyword checks.
  • Default credential brute attempts per vendor.
  • Vendor‑specific endpoint probing (Huawei).

Output:

  • Results stored in results/advanced_scan_/results.txt.
  • Format: [HH:MM:SS] <IP>:<Port> - <Vendor/Service> - <Vulnerability> followed by a 60‑dash separator.

Note: This file was not found in VirusTotal; when uploaded, it returned no detections and was reported clean.
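When a results file in this format turns up during an incident (on an exposed directory, or on a device used as a scanning node), the first question is which hosts it records as exploitable. The parser below is an added example for this report, not the scanner's own code: it assumes exactly the line shape documented above (timestamp, IP:port, vendor/service, finding, then a 60-dash separator), and the sample records are constructed to fit that description rather than taken from real scan output.

```python
"""Parser for the results.txt format the report attributes to AdvancedRouterScanner.

Added illustration, not the scanner's code. Assumes one record per line in the
shape "[HH:MM:SS] <IP>:<Port> - <Vendor/Service> - <Vulnerability>" followed by
a 60-dash separator line. SAMPLE_RESULTS is constructed, not real output.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

SEPARATOR = "-" * 60

# Timestamp and IP:port are matched strictly; the remainder is split on " - "
# afterwards so vendor names or findings containing a plain hyphen still parse.
HEADER_RE = re.compile(
    r"^\[(?P<time>\d{2}:\d{2}:\d{2})\]\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})\s+-\s+(?P<rest>.*)$"
)

# The three Huawei endpoints the report refers to as the "endpoint trio".
HUAWEI_ENDPOINTS = {"/api/system/execute_command", "/web_shell_cmd.gch", "/shell"}


@dataclass(frozen=True)
class ScanRecord:
    time: str
    ip: str
    port: int
    vendor: str
    finding: str


def parse_results(text: str) -> list[ScanRecord]:
    """Return one ScanRecord per well-formed line; separators and junk are skipped."""
    records: list[ScanRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == SEPARATOR:
            continue
        m = HEADER_RE.match(line)
        if m is None:
            continue  # tolerate partial writes or unrelated lines in the file
        vendor, _, finding = m["rest"].partition(" - ")
        records.append(ScanRecord(m["time"], m["ip"], int(m["port"]),
                                  vendor.strip(), finding.strip()))
    return records


def summarize(records: list[ScanRecord]) -> dict:
    """The counts an analyst wants first: distinct hosts, vendors seen, ports seen."""
    return {
        "total": len(records),
        "unique_ips": len({r.ip for r in records}),
        "by_vendor": Counter(r.vendor for r in records),
        "by_port": Counter(r.port for r in records),
    }


def likely_compromised(records: list[ScanRecord]) -> list[str]:
    """Hosts whose finding reports accepted credentials or a reachable Huawei endpoint.

    First-appearance order is kept so the list can be cross-checked against the
    scan timeline (entries every 1-2 seconds, as the report notes).
    """
    hosts: list[str] = []
    for r in records:
        lowered = r.finding.lower()
        creds_accepted = "credentials" in lowered and "accepted" in lowered
        endpoint_hit = bool(set(r.finding.split()) & HUAWEI_ENDPOINTS)
        if (creds_accepted or endpoint_hit) and r.ip not in hosts:
            hosts.append(r.ip)
    return hosts


# Constructed sample in the documented format (not real scanner output).
SAMPLE_RESULTS = "\n".join([
    "[14:02:11] 117.0.0.10:80 - Huawei - Default credentials admin:admin accepted",
    SEPARATOR,
    "[14:02:12] 117.0.0.10:80 - Huawei - Endpoint /api/system/execute_command reachable",
    SEPARATOR,
    "[14:02:13] 117.0.0.11:23 - Telnet - Service open",
    SEPARATOR,
    "[14:02:14] 117.0.0.12:22 - SSH - Service open",
    SEPARATOR,
    "unrelated line that does not match the format",
    "[14:02:16] 117.0.0.13:80 - ZTE - Login page detected",
    SEPARATOR,
])

if __name__ == "__main__":
    recs = parse_results(SAMPLE_RESULTS)
    print(summarize(recs))
    print("likely compromised:", likely_compromised(recs))
```

The parser deliberately skips lines it cannot match rather than failing, because files recovered from an operator host are often truncated mid-write; the count of skipped lines is easy to add if that matters for the case.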


3. Targeting (ips.txt)

Scope: Global, ~954 KB of IPs.
Regional Clusters:

  • Southeast Asia (Vietnam, Bangladesh, India).
  • Latin America (Brazil, Chile, Argentina, Mexico).
  • Europe (Poland, Italy, Germany, Turkey).
  • Africa (Nigeria, Kenya, Tanzania).
  • North America (US broadband + AWS).

Characteristics:

  • Sequential ranges (CIDR sweeps).
  • Duplicates.
  • Inclusion of private IPs (10.x, 192.168.x) → sloppy aggregation.

Assessment: Aggregated from multiple sources (scan dumps, ISP sweeps, configs). Opportunistic, not curated.
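The three characteristics listed above (sequential ranges, duplicates, private addresses) can be quantified rather than eyeballed when a target list like ips.txt is recovered. The script below is an added example written for this report, not an artifact from the campaign: it parses one address per line, counts duplicates and RFC 1918 entries, and collapses consecutive addresses into runs, which is the footprint a CIDR sweep leaves. The sample list is constructed; the minimum run length of three is an assumption.

```python
"""Triage of a captured target list such as the ips.txt described above.

Added example, not part of the report or the scanner. It quantifies the list
characteristics the report notes (sequential ranges, duplicates, private
addresses) and rejects malformed entries. SAMPLE_TARGETS is constructed.
"""
from __future__ import annotations

import ipaddress
from collections import Counter


def load_targets(text: str) -> tuple[list, list[str]]:
    """Parse one address per line; return (valid addresses, rejected strings)."""
    valid, invalid = [], []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        try:
            valid.append(ipaddress.ip_address(entry))
        except ValueError:
            invalid.append(entry)
    return valid, invalid


def sequential_runs(addrs, min_len: int = 3) -> list[tuple[str, str, int]]:
    """Find runs of numerically consecutive addresses (the signature of a CIDR sweep).

    addrs must be sorted and duplicate-free. Returns (first, last, length) for
    every run of at least min_len addresses; min_len is an assumed threshold.
    """
    runs = []
    i = 0
    while i < len(addrs):
        j = i
        while j + 1 < len(addrs) and addrs[j + 1] == addrs[j] + 1:
            j += 1
        if j - i + 1 >= min_len:
            runs.append((str(addrs[i]), str(addrs[j]), j - i + 1))
        i = j + 1
    return runs


def triage(text: str) -> dict:
    """Summarize a target list: size, duplicates, private entries, sequential runs."""
    addrs, invalid = load_targets(text)
    counts = Counter(addrs)
    # Sort by (version, numeric value) so mixed v4/v6 lists do not raise on compare.
    unique = sorted(counts, key=lambda a: (a.version, int(a)))
    private = [a for a in unique if a.is_private]
    public = [a for a in unique if not a.is_private]
    return {
        "total": len(addrs),
        "unique": len(unique),
        "duplicates": sum(c - 1 for c in counts.values()),
        "invalid": invalid,
        "private": [str(a) for a in private],
        "runs": sequential_runs(public),
    }


# Constructed sample: a consecutive block (as a CIDR sweep would leave), one
# repeated entry, two RFC 1918 addresses and a malformed line.
SAMPLE_TARGETS = """\
117.0.0.10
117.0.0.11
117.0.0.12
117.0.0.13
10.0.0.5
192.168.1.1
117.0.0.10
117.5.40.2
not-an-ip
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_TARGETS).items():
        print(f"{key}: {value}")
```

On a real list the interesting outputs are the run summary (which ISP prefixes were swept wholesale) and the private-address count, which the report reads as a sign of sloppy aggregation from configs and scan dumps rather than curated targeting.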


4. Results Analysis

File 1: Huawei Exploitation

  • Region: Vietnam (117.x.x.x ranges).
  • Findings: Default credentials (admin:admin) successful. Exposed endpoints accessible: /api/system/execute_command, /web_shell_cmd.gch, /shell.
  • Impact: Full remote control of routers possible.
  • Pattern: Multiple consecutive IPs vulnerable → systemic ISP misconfiguration.

File 2: Service Enumeration

  • Regions: Vietnam, Bangladesh, India.
  • Findings: FTP (21), SSH (22), Telnet (23) open across many IPs.
  • Impact: Confirms widespread exposure of insecure services.
  • Role: Likely Stage 1 mapping before exploitation.

Timeline Analysis

  • Scan cadence: Entries logged every 1–2 seconds → consistent threaded scanning.
  • Sequential IPs: Many consecutive IPs in 117.x.x.x exploited → confirms systemic ISP misconfiguration.
  • Stage separation: One results file shows service enumeration only, another shows Huawei exploitation → suggests modular workflow.

5. Campaign Flow

[Aggregated IP List]
└─ Global ISP ranges (Asia, LATAM, EU, Africa, NA, private IPs)

[Stage 1: Service Enumeration]
└─ Identify open FTP (21), SSH (22), Telnet (23)

[Stage 2: Vendor Fingerprinting]
└─ Parse HTML banners for vendor keywords

[Stage 3: Exploitation Attempts]
└─ Default credentials per vendor
└─ Huawei-specific endpoints

[Stage 4: Results Collection]
└─ Results stored in results/advanced_scan_/results.txt

[Stage 5: Operational Use]
└─ Compromised routers leveraged for botnet recruitment, proxy infrastructure, resale of access


6. Unique Fingerprints (Pivot Anchors)

  • High‑Fidelity: AdvancedRouterScanner, run_advanced_scan, advanced_scan_, telecomadmin:admintelecom, Huawei endpoint trio.
  • Medium‑Fidelity: Vendor combo (Huawei, ZTE, Raisecom), output format with 60‑dash separator.
  • Broad Discovery: Vendor names alone, generic creds.
  • Attribution Value: High — unique enough to track as a distinct campaign family.

7. External Search Findings

  • GitHub: Many unrelated poc.py files, but none with AdvancedRouterScanner or the same vendor logic.
  • Router scanning repos: Exist, but do not use the same class names, results format, or Huawei endpoint trio.
  • Huawei research repos: Confirm known defaults, but not packaged into this scanner.
  • Exploit write‑ups: Mention endpoints, but not in Python scanners.
  • Conclusion: This script is not public; it appears custom or semi‑private.

8. Threat Assessment

Overall Assessment

  • Nature: Custom/semi-private router exploitation tool
  • Scope: Global IP list, confirmed exploitation in Vietnam
  • Intent: Botnet recruitment, proxy infrastructure, or resale of access
  • Attribution Value: High

Confidence Levels

CONFIRMED (Highest Confidence):

  • Tool uniqueness and custom development (AdvancedRouterScanner class)
  • Global targeting scope and IP enrichment data
  • Exploitation confirmation in Vietnam (Huawei router compromise)
  • Infrastructure analysis and operational hubs
  • Results file format and scanning methodology
  • Geographic distribution and ISP targeting patterns

LIKELY (Strong Evidence):

  • Botnet recruitment intent and operationalization
  • Transition from research to operational exploitation
  • Vendor-specific exploitation logic and success rates
  • Infrastructure abuse for DDoS and proxy services

POSSIBLE (Analytical Judgment):

  • Specific threat actor identification and attribution
  • Full scope of global campaign (unseen portions)
  • Exact timeline of operationalization
  • Relationship to other known campaigns or threat groups

9. Defensive Recommendations

  • ISPs: Audit router fleets for defaults and exposed endpoints.
  • Enterprises: Monitor outbound connections to unusual IPs in these ranges, especially on ports 21/22/23.
  • Defenders: Build detection rules for repeated default login attempts, flag Huawei endpoint traffic, watch for parallel outbound connections.

10. Key Takeaways

  • The poc.py script is a unique campaign artifact.
  • Combines global opportunistic scanning with vendor‑specific exploitation.
  • Results confirm Huawei routers in Vietnam were compromised.
  • Unique fingerprints (class names, results format, Huawei endpoint trio, Raisecom inclusion, rare creds) make it a high‑value pivot.
  • External searches confirm this is not commodity — if seen again, it’s almost certainly the same actor.

Target Analysis & Geographic Distribution

Target Enrichment Summary

Metric                | Value                                           | Confidence Level
----------------------|-------------------------------------------------|-----------------
Total IPs Targeted    | ~65,000                                         | CONFIRMED
Successfully Enriched | ~50,000                                         | CONFIRMED
Unenriched IPs        | ~15,000                                         | CONFIRMED
Data Quality          | UTF-8 standardized, legacy encoding handled     | CONFIRMED

Country Distribution Analysis

Country           | Percentage | Risk Assessment
------------------|------------|-------------------------------
Brazil (BR)       | 45.5%      | CRITICAL - Primary target zone
Vietnam (VN)      | 15.1%      | HIGH - Secondary concentration
South Africa (ZA) | 14.2%      | HIGH - Notable presence
Colombia (CO)     | 13.7%      | HIGH - Regional focus
Argentina (AR)    | 11.6%      | MEDIUM - Tertiary target

Top Targeted Network Providers

ASN      | Provider       | Target Count | Geographic Focus
---------|----------------|--------------|--------------------
AS198949 | WPT Corp       | 1,557        | Regional ISP
AS7348   | Vecell Group   | 1,282        | Regional ISP
AS1740   | Comnet Limited | 987          | Regional ISP
AS1511   | UNINET         | 880          | Educational Network
AS26622  | T-E-S-MI       | 864          | Regional ISP

Interpretation: Concentration across specific regional ISPs indicates targeted infrastructure exploitation rather than random scanning. Normalization gaps in enrichment data should be remediated for complete threat landscape visibility.


Follow-Up: Certificate Pivot

The PoC host now presents a TLS certificate with Issuer CN "yuyu", which was seen on only three hosts:

  • 185[.]38[.]150[.]7 (PoC)
  • 39[.]97[.]249[.]120 (RDP open)
  • 219[.]151[.]188[.]41 (RDP open)

Why it matters: A shared certificate plus RDP exposure suggests linked infrastructure or victims.
Defensive actions: Monitor for certificates with CN yuyu and for RDP traffic involving these hosts, and block if observed.


Additional Findings After Pivots (176[.]65[.]137[.]13)

The second exposed directory (176[.]65[.]137[.]13:80) revealed a more operationalized attacker hub compared to the PoC host.

Key observations

  • Artifacts: .bash_history and exploit_log.txt files captured operator activity. This operator also used a similarly large IP list file as its target set.
  • Environment prep: Installed Python 3.11, pip, SSL libraries, and zmap.
  • Scanning: Used zmap to sweep port 90, feeding results into exploit scripts.

Exploitation

  • Targeted endpoints: /web_shell_cmd.gch, /apply.cgi, /boaform/admin/formLogin, /cgi-bin/config.cgi.
  • Default credential brute forcing (admin:admin, admin:password, admin:1234, root:root, etc.).
  • Injection via adj_time_year parameter.

Payload delivery

  • Downloaded binaries (boatnet.*, main_mpsl) from 107[.]189[.]4[.]201 and bot[.]gribostress[.]pro.
  • Reverse shell established to 107[.]189[.]4[.]201:3778.

Exploit logs

  • Showed thousands of attempts, mostly failed (404s, resets, refused).
  • Some successes indicated by HTTP 200 responses and ARM architecture detection.

Assessment: This host functioned as an operator hub, staging tools, scanning, and launching exploitation at scale.
Note: The exploit file was not found in VirusTotal; when uploaded, it returned no detections and was reported clean.
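The endpoints, credential brute forcing and adj_time_year injection observed on this hub are exactly what section 9 asks defenders to build detection rules for. The following is an added example for this report, not code from the campaign or from any vendor product: it runs over HTTP access-log lines in Common Log Format from a device's or reverse proxy's perspective and raises an alert for any request to one of the endpoints named in the report, any request carrying the adj_time_year parameter, and any burst of login POSTs from a single source. The log lines are constructed, and the burst threshold (5 POSTs in 60 s) and the placement of adj_time_year in the query string are assumptions; in real traffic the injected parameter may travel in a POST body that an access log does not record, so body-level inspection (WAF or full packet capture) is needed to cover that case.

```python
"""Detection logic for the exploitation patterns this report describes.

Added example, not part of the report or of any vendor product. It processes
HTTP access-log lines in Common Log Format and alerts on requests to the
endpoints the report names, on the adj_time_year parameter, and on bursts of
login POSTs from one source. SAMPLE_LOG is constructed; the threshold and
window values are assumptions to tune per environment.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Endpoints listed in the report: the Huawei trio plus the CGI endpoints seen on the hub.
EXPLOIT_ENDPOINTS = {
    "/api/system/execute_command", "/web_shell_cmd.gch", "/shell",
    "/apply.cgi", "/boaform/admin/formLogin", "/cgi-bin/config.cgi",
}
LOGIN_ENDPOINTS = {"/boaform/admin/formLogin"}
INJECTION_PARAMS = {"adj_time_year"}
BRUTE_THRESHOLD = 5   # assumed: this many login POSTs from one source ...
BRUTE_WINDOW_S = 60   # ... within this many seconds raise one alert

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> dict | None:
    """Parse one Common Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m["target"])
    return {
        "src": m["src"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(m["status"]),
    }


def detect(lines) -> list[tuple[str, str, str]]:
    """Return (alert_kind, source_ip, detail) tuples in log order."""
    alerts = []
    recent_logins = defaultdict(deque)   # src -> timestamps of login POSTs in window
    brute_reported = set()               # one brute-force alert per source
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["path"] in EXPLOIT_ENDPOINTS:
            alerts.append(("exploit_endpoint", ev["src"],
                           f"{ev['method']} {ev['path']} -> {ev['status']}"))
        hit_params = set(ev["query"]) & INJECTION_PARAMS
        if hit_params:
            alerts.append(("injection_param", ev["src"], ",".join(sorted(hit_params))))
        if ev["method"] == "POST" and ev["path"] in LOGIN_ENDPOINTS:
            window = recent_logins[ev["src"]]
            window.append(ev["ts"])
            # Drop attempts older than the window before testing the threshold.
            while (ev["ts"] - window[0]).total_seconds() > BRUTE_WINDOW_S:
                window.popleft()
            if len(window) >= BRUTE_THRESHOLD and ev["src"] not in brute_reported:
                brute_reported.add(ev["src"])
                alerts.append(("login_brute_force", ev["src"],
                               f"{len(window)} login POSTs within {BRUTE_WINDOW_S}s"))
    return alerts


def alert_counts(alerts) -> Counter:
    """Tally alerts by kind, for a quick triage view."""
    return Counter(kind for kind, _, _ in alerts)


# Constructed sample: one scanning source probing a router's web interface,
# one benign client, and a line that is not an access-log entry at all.
SAMPLE_LOG = [
    '198.51.100.23 - - [25/Oct/2025:14:02:10 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.23 - - [25/Oct/2025:14:02:11 +0000] "GET /web_shell_cmd.gch HTTP/1.1" 404 0',
    '198.51.100.23 - - [25/Oct/2025:14:02:12 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 200 0',
    '198.51.100.23 - - [25/Oct/2025:14:02:13 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 200 0',
    '198.51.100.23 - - [25/Oct/2025:14:02:14 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 200 0',
    '198.51.100.23 - - [25/Oct/2025:14:02:15 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 200 0',
    '198.51.100.23 - - [25/Oct/2025:14:02:16 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 200 0',
    '198.51.100.23 - - [25/Oct/2025:14:02:20 +0000] "POST /apply.cgi?adj_time_year=2025 HTTP/1.1" 200 0',
    '192.0.2.8 - - [25/Oct/2025:14:05:00 +0000] "GET /status.html HTTP/1.1" 200 2048',
    'this line is not an access log entry',
]

if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOG):
        print(f"{kind:20} {src:16} {detail}")
```

Requests to the listed endpoints are alerted regardless of status code because, as the exploit logs above show, most attempts fail with 404s or resets; the scanning itself is the signal, and a 200 on one of these paths is the follow-up priority.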


MITRE ATT&CK Mapping

Tactic                 | Technique ID | Technique Name                        | Implementation
-----------------------|--------------|---------------------------------------|-------------------------------------------------
Initial Access         | T1190        | Exploit Public-Facing Application     | CGI endpoint exploitation, command injection
Initial Access         | T1078        | Valid Accounts                        | Default credential brute forcing
Execution              | T1059        | Command and Scripting Interpreter     | Python script execution, shell commands
Execution              | T1203        | Exploitation for Client Execution     | Code execution via vulnerable endpoints
Persistence            | T1547        | Boot or Logon Autostart Execution     | Botnet persistence on compromised devices
Privilege Escalation   | T1068        | Exploitation for Privilege Escalation | Command injection for privilege escalation
Defense Evasion        | T1036        | Masquerading                          | Legitimate service impersonation
Credential Access      | T1110        | Brute Force                           | Default credential dictionary attacks
Discovery              | T1046        | Network Service Scanning              | Global port scanning and service enumeration
Discovery              | T1082        | System Information Discovery          | Device fingerprinting and vendor identification
Lateral Movement       | T1021        | Remote Services                       | SSH/Telnet access to compromised devices
Command and Control    | T1071        | Application Layer Protocol            | HTTP/HTTPS communication with C2 infrastructure
Command and Control    | T1095        | Non-Application Layer Protocol        | Raw TCP/UDP communication for botnet control
Exfiltration / Impact  | T1041        | Exfiltration Over C2 Channel          | Data theft through botnet infrastructure
Impact                 | T1499        | Endpoint Denial of Service            | DDoS capabilities via compromised devices


Incident Response Procedures

Priority 1: Initial Response

  1. BLOCK known malicious infrastructure at network perimeter
  2. ISOLATE potentially compromised network devices from critical systems
  3. AUDIT all exposed network devices, particularly Huawei/Four-Faith OEM equipment
  4. MONITOR for exploitation patterns and credential brute-forcing attempts
  5. DOCUMENT all potentially compromised devices and network segments

Priority 2: Investigation & Analysis

  1. FORENSIC ANALYSIS of network device logs for exploitation attempts
  2. LOG ANALYSIS for connections to known malicious IPs (185.38.150.7, 176.65.137.13)
  3. VULNERABILITY ASSESSMENT of all embedded network devices
  4. TRAFFIC ANALYSIS for unusual scanning patterns and command injection attempts
  5. THREAT HUNTING for AdvancedRouterScanner artifacts in network traffic

Priority 3: Remediation & Recovery

  1. UPDATE firmware on all embedded network devices
  2. RESET credentials on all potentially compromised devices
  3. IMPLEMENT network segmentation to isolate critical infrastructure
  4. DEPLOY enhanced monitoring for exploitation patterns
  5. ESTABLISH baseline security configuration for network devices

Operational Impact Assessment

Impact Scenarios

Impact Category           | Severity Level | Recovery Time
--------------------------|----------------|---------------
Infrastructure Compromise | HIGH           | several weeks
DDoS Attack Impact        | HIGH           | several weeks
Device Replacement        | MEDIUM         | several weeks
Operational Disruption    | HIGH           | several weeks

Operational Impact Timeline

  • Immediate Response: Network isolation, service disruption, emergency response
  • Investigation Phase: Device assessment, firmware updates, security hardening
  • Recovery Phase: Infrastructure recovery, enhanced monitoring deployment
  • Long-term Phase: Process improvements, vendor management, security architecture review

Long-term Defensive Strategy

Technology Enhancements

  1. Network Access Control to segment and monitor embedded devices
  2. Intrusion Detection Systems with specific rules for exploitation patterns
  3. Vulnerability Management for embedded network device firmware
  4. Threat Intelligence Integration for emerging exploitation frameworks
  5. Security Information and Event Management (SIEM) with correlation rules

Process Improvements

  1. Device Lifecycle Management for procurement, deployment, and decommissioning
  2. Regular Security Assessments of network infrastructure
  3. Vendor Risk Management for embedded device suppliers
  4. Incident Response Playbooks specific to network device compromises
  5. Change Management procedures for firmware updates and configuration changes

Organizational Measures

  1. Security Awareness Training for network operations teams
  2. Regular Security Assessments including penetration testing of network infrastructure
  3. Threat Intelligence Subscription for emerging IoT/embedded device threats
  4. Executive Security Briefings on infrastructure security risks
  5. Investment in Security Tools and personnel training for network defense

Frequently Asked Questions

Technical Questions

Q: What makes AdvancedRouterScanner unique compared to other exploitation tools?
A: It’s a custom, semi-private framework with unique fingerprints (class names, result formats) that indicates a sophisticated threat actor rather than commodity malware.

Q: Why is the geographic concentration significant?
A: The 45.5% concentration in Brazil suggests targeted infrastructure exploitation rather than random scanning, potentially indicating regional threat actor focus or specific supply chain vulnerabilities.

Q: How does the two-stage attack work?
A: Stage 1 involves global scanning and reconnaissance, while Stage 2 involves operational exploitation hubs that deliver payloads and establish botnet control.

Business Questions

Q: What are the regulatory implications of network device compromise?
A: Significant - compromised network infrastructure can impact data protection compliance, critical infrastructure regulations, and industry-specific security requirements.

Q: Should we replace or patch compromised devices?
A: REPLACE is recommended for devices with confirmed compromise, while PATCH may be sufficient for devices with only exposure to scanning attempts.

Q: How can we prevent similar attacks?
A: Implement network segmentation, regular firmware updates, credential management, and continuous monitoring for exploitation patterns.



License

© 2025 Joseph. All rights reserved.
Free to read, but reuse requires written permission.