A new botnet malware is hunting down and transforming infected routers, DVRs, and UPnP network devices into honeypots. The infected devices are helping the botnet to find other targets to infect.

The malware was named ZHtrap by 360 Netlab, the security researchers who spotted it.

ZHtrap is loosely based on Mirai’s source code, and it supports x86, ARM, MIPS, and other CPU architectures.

How does ZHtrap work?

Once it takes over a device, it prevents other malware from re-infecting its bots with the help of a whitelist that allows only already-running system processes, blocking all attempts to run new commands.

ZHtrap bots use a Tor command-and-control (C2) server to communicate with other botnet nodes and a Tor proxy to conceal malicious traffic.

The botnet's main capabilities are DDoS attacks and scanning for more vulnerable devices that can become victims.


Interestingly enough, it also comes with a backdoor functionality that permits the operators to download and execute malicious payloads.

In order to propagate, the botnet uses exploits aimed at four N-day security vulnerabilities in Realtek SDK Miniigd UPnP SOAP endpoints, MVPower DVR, Netgear DGN1000, and a long list of CCTV-DVR devices, whilst also scanning for devices with weak Telnet passwords.

The passwords come from a list of randomly generated IP addresses that are collected with the help of the honeypot it deploys on already-infected devices.

What makes ZHtrap special?

Perhaps the most interesting feature of this botnet is how it turns infected devices into honeypots in order to obtain the IP addresses of more targets that are likely vulnerable to its propagation methods or already infected with different malware.


Once deployed, ZHtrap's honeypot listens on 23 ports and sends all IPs connecting to them to its scanning module as potential targets for its future attacks.

Compared to other botnets we have analyzed before, the most interesting part of ZHtrap is its ability to turn infected devices into a honeypot.

Honeypots are usually used by security researchers as a tool to capture attacks, such as collecting scans, exploits, and samples.

But this time around, we found that ZHtrap uses a similar technique by integrating a scanning IP collection module, and the collected IPs are used as targets in its own scanning module.
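As an added defender-side illustration (not code from the article or from 360 Netlab), the following heuristic runs over constructed flow records and flags a host showing the honeypot-then-scan-back pattern described above: many inbound connections on distinct ports, followed by outbound connections from that host back to the same source IPs. The record format, the 10.0.0. local prefix and the thresholds are assumptions.

```python
"""Flag hosts that accept inbound hits on many ports, then connect back.

Heuristic (an assumption, not taken from the article): an infected device
first accepts inbound connections from many external IPs on many distinct
ports (its honeypot), then initiates outbound connections to those same
IPs (its scanner working through the collected targets).
"""
from collections import defaultdict

# Constructed sample flow records: (timestamp, src_ip, dst_ip, dst_port)
FLOWS = [
    (100, "198.51.100.7", "10.0.0.5", 23),
    (101, "198.51.100.8", "10.0.0.5", 8080),
    (102, "198.51.100.9", "10.0.0.5", 2323),
    (103, "198.51.100.10", "10.0.0.5", 5555),
    (200, "10.0.0.5", "198.51.100.7", 23),    # connects back to a scanner
    (201, "10.0.0.5", "198.51.100.9", 23),    # connects back to a scanner
    (202, "10.0.0.5", "203.0.113.1", 23),     # random target, not inbound
    (300, "203.0.113.50", "10.0.0.9", 443),   # benign host, one port
    (301, "10.0.0.9", "203.0.113.50", 443),
]


def find_scanback_hosts(flows, local_prefix="10.0.0.", min_ports=3, min_scanback=2):
    """Return {local_ip: details} for hosts showing the honeypot-then-scan pattern."""
    inbound = defaultdict(dict)   # local -> {remote_ip: first_seen_ts}
    ports = defaultdict(set)      # local -> distinct inbound destination ports
    outbound = defaultdict(list)  # local -> [(ts, remote_ip, dport)]
    for ts, src, dst, dport in sorted(flows):
        if dst.startswith(local_prefix) and not src.startswith(local_prefix):
            inbound[dst].setdefault(src, ts)
            ports[dst].add(dport)
        elif src.startswith(local_prefix) and not dst.startswith(local_prefix):
            outbound[src].append((ts, dst, dport))
    hits = {}
    for host, outs in outbound.items():
        # Outbound to an IP that previously connected inbound = scan-back.
        scanback = [rip for ts, rip, _ in outs
                    if rip in inbound[host] and ts > inbound[host][rip]]
        if len(ports[host]) >= min_ports and len(scanback) >= min_scanback:
            hits[host] = {"listening_ports": len(ports[host]),
                          "scanback_targets": sorted(set(scanback))}
    return hits


if __name__ == "__main__":
    print(find_scanback_hosts(FLOWS))
```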


So far, three versions of this botnet have been seen, which suggests the botnet is still being actively developed and upgraded with new functionality.
