A Deep Dive into the Attempted Exploitation of CVE-2023-33538

    Date: 04/17/2026

    Severity: Medium

    Summary

    We detected active automated scans attempting to exploit CVE-2023-33538 in end-of-life TP-Link routers (TL-WR940N, TL-WR740N and TL-WR841N variants). The payloads attempted to download and execute Mirai-like malware on vulnerable devices. This activity followed CISA adding the CVE to its Known Exploited Vulnerabilities catalog in June 2025. To assess the impact, we emulated a TL-WR940N router and analyzed the exploit behavior through reverse engineering. Our findings show that the observed attacks are flawed and would fail, though the vulnerability itself is real. Successful exploitation requires authentication to the router's web interface.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    http://bot.ddosvps.cc/top1hbt.arm
    http://bot.ddosvps.cc/top1hbt.arm5
    http://bot.ddosvps.cc/top1hbt.arm6
    http://bot.ddosvps.cc/top1hbt.arm7
    http://bot.ddosvps.cc/top1hbt.mips
    http://bot.ddosvps.cc/top1hbt.mpsl
    http://bot.ddosvps.cc/top1hbt.x86_64
    http://bot.ddosvps.cc/top1hbt.sh4
    http://51.38.137.113/arm
    http://51.38.137.113/arm5
    http://51.38.137.113/arm6
    http://51.38.137.113/arm7
    http://51.38.137.113/x86_64
    http://51.38.137.113/mips
    http://51.38.137.113/sh4
    cnc.vietdediserver.shop
    bot.ddosvps.cc

    IP address:

    51.38.137.113

    SHA256 hashes:

    3fbd2a2e82ceb5e91eadbad02cb45ac618324da9b1895d81ebe7de765dca30e7
    4caaa18982cd4056fead54b98d57f9a2a1ddd654cf19a7ba2366dfadbd6033da
    9df711c3aef2bba17b622ddfd955452f8d8eb55899528fbc13d9540c52f13402
    7bbb21fec19512d932b7a92652ed0c8f0fedea89f34b9d6f267cf39de0eb9b20
    00078aeeaca54b5d3c1237e964e9f956690b782e4ea160d81edc3c6b44e7f620
    534b654531a6a540a144da9545ee343e1046f843d7de4c1091b46c3ee66a508b
    919f292a07a37f163f88527e725406187c8ecc637387ad24853fe49ce4e6ddf4
    c321933e4e5970ba7299fe21778dab9398994c22ca0ba0422c6cbc3fbb95ea26
    56f21f412e898ad9e3ee05d5f44c44d9d7bcb9ecbfbdb9de11b8fa5a637aeef6

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 (payload URLs, C2 domain and download hosts; one indicator per line, joined with "or"):

    domainname like "http://bot.ddosvps.cc/top1hbt.mips" or url like "http://bot.ddosvps.cc/top1hbt.mips" or siteurl like "http://bot.ddosvps.cc/top1hbt.mips" or
    domainname like "http://51.38.137.113/arm" or url like "http://51.38.137.113/arm" or siteurl like "http://51.38.137.113/arm" or
    domainname like "http://51.38.137.113/arm6" or url like "http://51.38.137.113/arm6" or siteurl like "http://51.38.137.113/arm6" or
    domainname like "cnc.vietdediserver.shop" or url like "cnc.vietdediserver.shop" or siteurl like "cnc.vietdediserver.shop" or
    domainname like "bot.ddosvps.cc" or url like "bot.ddosvps.cc" or siteurl like "bot.ddosvps.cc" or
    domainname like "http://bot.ddosvps.cc/top1hbt.x86_64" or url like "http://bot.ddosvps.cc/top1hbt.x86_64" or siteurl like "http://bot.ddosvps.cc/top1hbt.x86_64" or
    domainname like "http://bot.ddosvps.cc/top1hbt.sh4" or url like "http://bot.ddosvps.cc/top1hbt.sh4" or siteurl like "http://bot.ddosvps.cc/top1hbt.sh4" or
    domainname like "http://51.38.137.113/x86_64" or url like "http://51.38.137.113/x86_64" or siteurl like "http://51.38.137.113/x86_64" or
    domainname like "http://bot.ddosvps.cc/top1hbt.arm6" or url like "http://bot.ddosvps.cc/top1hbt.arm6" or siteurl like "http://bot.ddosvps.cc/top1hbt.arm6" or
    domainname like "http://51.38.137.113/arm7" or url like "http://51.38.137.113/arm7" or siteurl like "http://51.38.137.113/arm7" or
    domainname like "http://bot.ddosvps.cc/top1hbt.mpsl" or url like "http://bot.ddosvps.cc/top1hbt.mpsl" or siteurl like "http://bot.ddosvps.cc/top1hbt.mpsl" or
    domainname like "http://51.38.137.113/sh4" or url like "http://51.38.137.113/sh4" or siteurl like "http://51.38.137.113/sh4" or
    domainname like "http://bot.ddosvps.cc/top1hbt.arm7" or url like "http://bot.ddosvps.cc/top1hbt.arm7" or siteurl like "http://bot.ddosvps.cc/top1hbt.arm7" or
    domainname like "http://51.38.137.113/mips" or url like "http://51.38.137.113/mips" or siteurl like "http://51.38.137.113/mips" or
    domainname like "http://51.38.137.113/arm5" or url like "http://51.38.137.113/arm5" or siteurl like "http://51.38.137.113/arm5" or
    domainname like "http://bot.ddosvps.cc/top1hbt.arm" or url like "http://bot.ddosvps.cc/top1hbt.arm" or siteurl like "http://bot.ddosvps.cc/top1hbt.arm" or
    domainname like "http://bot.ddosvps.cc/top1hbt.arm5" or url like "http://bot.ddosvps.cc/top1hbt.arm5" or siteurl like "http://bot.ddosvps.cc/top1hbt.arm5"

    Detection Query 2 (payload server IP as either endpoint):

    dstipaddress IN ("51.38.137.113") or srcipaddress IN ("51.38.137.113")

    Detection Query 3 (SHA256 of the downloaded binaries):

    sha256hash IN ("56f21f412e898ad9e3ee05d5f44c44d9d7bcb9ecbfbdb9de11b8fa5a637aeef6","534b654531a6a540a144da9545ee343e1046f843d7de4c1091b46c3ee66a508b","4caaa18982cd4056fead54b98d57f9a2a1ddd654cf19a7ba2366dfadbd6033da","9df711c3aef2bba17b622ddfd955452f8d8eb55899528fbc13d9540c52f13402","3fbd2a2e82ceb5e91eadbad02cb45ac618324da9b1895d81ebe7de765dca30e7","7bbb21fec19512d932b7a92652ed0c8f0fedea89f34b9d6f267cf39de0eb9b20","919f292a07a37f163f88527e725406187c8ecc637387ad24853fe49ce4e6ddf4","00078aeeaca54b5d3c1237e964e9f956690b782e4ea160d81edc3c6b44e7f620","c321933e4e5970ba7299fe21778dab9398994c22ca0ba0422c6cbc3fbb95ea26")
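    To show the same three checks running offline, the following is an added Python example; it is not part of the original advisory and is not Gurucul's TDIR code. It re-implements the intent of Detection Queries 1 to 3 over a handful of constructed log records (the records are made up for the demonstration; the indicator values are the ones in the IOC list above, and the field names url, siteurl, domainname, srcipaddress, dstipaddress and sha256hash follow the queries). One deliberate change from Query 1: instead of comparing each of the 17 full payload URLs, it keys on the host part of any URL or domain field. Every payload in the list is served from the same two hosts, one file per CPU architecture, so matching the host catches all of those paths and any filename the operator rotates to later, while a URL that merely reuses a filename on an unrelated host is not flagged.

```python
"""IOC matching for the campaign above (added example, not the advisory's
or Gurucul's own code). Field names follow Detection Queries 1-3; the log
records at the bottom are constructed for the demonstration."""
from urllib.parse import urlsplit

# Hosts that serve the payloads or act as C2, taken from the IOC list above.
IOC_HOSTS = {"bot.ddosvps.cc", "cnc.vietdediserver.shop", "51.38.137.113"}

# Query 2: the payload host also shows up as a bare IP in flow/firewall logs.
IOC_IPS = {"51.38.137.113"}

# Query 3: SHA256 of the downloaded binaries, kept lowercase for comparison.
IOC_SHA256 = {
    "3fbd2a2e82ceb5e91eadbad02cb45ac618324da9b1895d81ebe7de765dca30e7",
    "4caaa18982cd4056fead54b98d57f9a2a1ddd654cf19a7ba2366dfadbd6033da",
    "9df711c3aef2bba17b622ddfd955452f8d8eb55899528fbc13d9540c52f13402",
    "7bbb21fec19512d932b7a92652ed0c8f0fedea89f34b9d6f267cf39de0eb9b20",
    "00078aeeaca54b5d3c1237e964e9f956690b782e4ea160d81edc3c6b44e7f620",
    "534b654531a6a540a144da9545ee343e1046f843d7de4c1091b46c3ee66a508b",
    "919f292a07a37f163f88527e725406187c8ecc637387ad24853fe49ce4e6ddf4",
    "c321933e4e5970ba7299fe21778dab9398994c22ca0ba0422c6cbc3fbb95ea26",
    "56f21f412e898ad9e3ee05d5f44c44d9d7bcb9ecbfbdb9de11b8fa5a637aeef6",
}


def _host_of(value):
    """Return the lowercase host of a full URL or of a bare hostname/IP."""
    if "://" not in value:
        value = "//" + value          # make urlsplit treat it as a netloc
    return urlsplit(value).hostname   # drops scheme, port and path


def match_url(record):
    """Query 1, keyed on the host rather than on each full payload URL."""
    for field in ("url", "siteurl", "domainname"):
        value = record.get(field)
        if value and _host_of(value) in IOC_HOSTS:
            return True
    return False


def match_ip(record):
    """Query 2: either endpoint of the connection is the payload server."""
    return any(record.get(f) in IOC_IPS for f in ("srcipaddress", "dstipaddress"))


def match_hash(record):
    """Query 3: hash of a downloaded/executed file, compared case-insensitively."""
    digest = record.get("sha256hash")
    return bool(digest) and digest.lower() in IOC_SHA256


RULES = (("url", match_url), ("ip", match_ip), ("hash", match_hash))


def classify(record):
    """Names of the detection rules that a single log record triggers."""
    return [name for name, rule in RULES if rule(record)]


def scan(records):
    """(index, triggered rules) for every record matching at least one rule."""
    hits = []
    for index, record in enumerate(records):
        matched = classify(record)
        if matched:
            hits.append((index, matched))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_LOGS = [
    # proxy log: fetch of the MIPS little-endian payload
    {"url": "http://bot.ddosvps.cc/top1hbt.mpsl", "dstipaddress": "203.0.113.5"},
    # proxy log: payload fetched directly from the raw IP
    {"url": "http://51.38.137.113/arm7", "dstipaddress": "51.38.137.113"},
    # DNS log: lookup of the C2 hostname
    {"domainname": "cnc.vietdediserver.shop", "dstipaddress": "203.0.113.9"},
    # EDR/file log: known binary, hash reported in upper case
    {"sha256hash": "3FBD2A2E82CEB5E91EADBAD02CB45AC618324DA9B1895D81EBE7DE765DCA30E7"},
    # same payload host, filename rotated after this IOC list was written
    {"url": "http://51.38.137.113/renamed.mips", "srcipaddress": "192.0.2.44"},
    # benign: a filename on an unrelated host is not an indicator
    {"url": "https://example.com/top1hbt.mips", "dstipaddress": "198.51.100.7"},
]

if __name__ == "__main__":
    for index, matched in scan(SAMPLE_LOGS):
        print(f"record {index}: {', '.join(matched)} -> {SAMPLE_LOGS[index]}")
```

    Running the script flags records 0 to 4 and leaves the benign sixth record alone; the fifth record shows why host-keyed matching is preferable to the literal URL list when the same server starts serving a renamed binary.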

    Reference:

    https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/


    Tags: Malware, Vulnerability, CVE-2023, Exploit, Mirai
