Condi

Malware updated a month ago (2024-11-29T14:06:45.646Z)
The Condi botnet is DDoS malware that targets unpatched TP-Link routers. Samples are recognizable by the string "condi", and on execution the bot sends numerous DNS queries for "trcpay[.]xyz" to resolve its Command and Control (C2) server before doing anything else. It spreads by exploiting CVE-2023-1389, a command injection flaw in TP-Link Archer AX21 routers, to take over devices and run its payloads; the same flaw had previously been exploited by another botnet, the Mirai variant JenX.

FortiGuard Labs reported in 2023 that Condi and another botnet, Unstable, were abusing cloud storage and computing providers to host and distribute malware payloads and updates to a wide range of devices. FortiGuard had earlier disclosed the spread of the Condi DDoS botnet through TP-Link's CVE-2023-1389. Both Condi and Unstable have drawn scrutiny for exploiting such vulnerabilities to conduct distributed denial-of-service (DDoS) attacks.

A threat actor began advertising Condi through a "Condi Network" Telegram channel launched in May 2022, monetizing it by selling DDoS attacks as a service and by selling the botnet's source code. Fortinet also reported in 2023 a DDoS-for-hire service offering website disruption using Condi, which is itself a Mirai variant. Together these developments show how commoditized and commercialized IoT DDoS botnets have become.
Description last updated: 2024-10-17T12:15:42.679Z
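The two observable behaviours in the description, repeated DNS lookups of the C2 domain and exploitation of the TP-Link locale handler, can both be detected from ordinary logs. The script below is an added example, not Fortinet's or this page's own code. It assumes dnsmasq-style resolver log lines and Combined Log Format web-server lines; every IP address and log line in it is constructed for the example. The request shape it matches for CVE-2023-1389 (a write to the `country` parameter of `/cgi-bin/luci/;stok=/locale`) is the publicly documented one for that CVE, and the detection keys on shell metacharacters in the decoded parameter value rather than on any particular payload.

```python
"""Log-based detection for the Condi botnet behaviours described above.

Added example, not the page's or Fortinet's code. Two checks:
  1. DNS: hosts repeatedly resolving the Condi C2 domain trcpay[.]xyz.
  2. HTTP: requests carrying shell metacharacters in the 'country' parameter
     of the TP-Link locale form handler abused by CVE-2023-1389.
Log formats (dnsmasq query lines, Combined Log Format) and all IPs are
assumptions / constructed samples, not captured traffic.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

C2_DOMAIN = "trcpay.xyz"  # defanged as trcpay[.]xyz in the report

DNS_QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)"
)

# Constructed dnsmasq-style resolver log: one host hammering the C2 name,
# one host doing an unrelated lookup plus a single stray query.
SAMPLE_DNS_LOG = """\
Jun 20 10:01:02 gw dnsmasq[811]: query[A] trcpay.xyz from 192.168.1.23
Jun 20 10:01:02 gw dnsmasq[811]: query[A] trcpay.xyz from 192.168.1.23
Jun 20 10:01:03 gw dnsmasq[811]: query[A] TRCPAY.XYZ. from 192.168.1.23
Jun 20 10:01:03 gw dnsmasq[811]: query[A] example.org from 192.168.1.50
Jun 20 10:01:04 gw dnsmasq[811]: query[A] trcpay.xyz from 192.168.1.50
Jun 20 10:01:05 gw dnsmasq[811]: query[AAAA] trcpay.xyz from 192.168.1.23
"""


def c2_dns_hits(log_text, c2_domain=C2_DOMAIN, threshold=3):
    """Map source IP -> number of queries for c2_domain (or a subdomain),
    keeping only hosts at or above threshold. A single lookup may be an
    analyst; a burst matches the 'numerous DNS queries' reported for Condi."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DNS_QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").rstrip(".").lower()  # normalise trailing dot / case
        if name == c2_domain or name.endswith("." + c2_domain):
            counts[m.group("src")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# CVE-2023-1389: command injection through the 'country' parameter of the
# Archer AX21 locale form handler (/cgi-bin/luci/;stok=/locale?form=country).
TPLINK_LOCALE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>GET|POST) '
    r'(?P<url>/cgi-bin/luci/;stok=/locale\?[^" ]*)'
)
COUNTRY_PARAM_RE = re.compile(r"(?:^|[?&])country=([^&]*)")
# Metacharacters that have no place in a country code but drive injection.
SHELL_META_RE = re.compile(r"[;`|&]|\$\(|\$\{")

# Constructed access log: one percent-encoded injection attempt, one benign
# write, one unrelated locale read, one raw injection attempt.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [20/Jun/2023:10:02:11 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%24%28id%29 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.1.2 - - [20/Jun/2023:10:02:30 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=US HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Jun/2023:10:02:45 +0000] "GET /cgi-bin/luci/;stok=/locale?form=lang&operation=read HTTP/1.1" 200 0 "-" "curl/7.88"
203.0.113.4 - - [20/Jun/2023:10:03:01 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=US;id HTTP/1.1" 200 0 "-" "-"
"""


def cve_2023_1389_hits(log_text):
    """Return (src_ip, decoded country value) for requests whose 'country'
    parameter carries shell metacharacters. Matching on the decoded value
    catches both raw and percent-encoded payloads."""
    hits = []
    for line in log_text.splitlines():
        m = TPLINK_LOCALE_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        if "form=country" not in url:
            continue
        p = COUNTRY_PARAM_RE.search(url)
        if not p:
            continue
        value = unquote_plus(p.group(1))
        if SHELL_META_RE.search(value):
            hits.append((m.group("src"), value))
    return hits


if __name__ == "__main__":
    print("Hosts resolving the Condi C2:", c2_dns_hits(SAMPLE_DNS_LOG))
    print("CVE-2023-1389 attempts:", cve_2023_1389_hits(SAMPLE_ACCESS_LOG))
```

On the constructed input, the DNS check flags only 192.168.1.23 (four lookups, one of them upper-case with a trailing dot), and the HTTP check flags the two hosts whose country value decodes to `$(id)` and `US;id` while ignoring the legitimate `US` write. The threshold on DNS lookups is a tuning knob: lower it to one when the resolver logs come from a router segment where nobody should ever resolve that name.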
Aliases: none currently tracked
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Botnet
Exploit
Fortiguard
Ddos
Malware
Telegram
Ddos Botnet
Tp
Vulnerability
Denial of Se...
denial-of-se...
Android
exploitation
Bot
Associated Malware
Mirai (votes: 5)
The Mirai Malware is associated with Condi. Mirai is a type of malware that primarily targets Internet of Things (IoT) devices, converting them into a botnet, which is then used to launch Distributed Denial of Service (DDoS) attacks. In early 2022, Mirai botnets accounted for over seven million detections worldwide, though there was a 9% quaris related to
Associated Vulnerabilities
CVE-2023-1389 (association type: Unspecified; votes: 5)
The CVE-2023-1389 Vulnerability is associated with Condi. CVE-2023-1389 is a command injection vulnerability in TP-Link Archer AX21 routers. It was publicly disclosed in March 2023 and has since been exploited by various malicious actors. Attack traffic through the vulnerable routers has bee
Source Document References
Information about the Condi Malware was read from the documents corpus below (display limited to 20 results).
Source, Created
Securityaffairs, 4 months ago
Fortinet, 4 months ago
InfoSecurity-magazine, 6 months ago
Fortinet, 6 months ago
BankInfoSecurity, 8 months ago
DARKReading, 8 months ago
Fortinet, 8 months ago
Fortinet, 9 months ago
SANS ISC, a year ago
CERT-EU, a year ago
BankInfoSecurity, a year ago
CERT-EU, a year ago
CERT-EU, a year ago
CERT-EU, 2 years ago
CERT-EU, 2 years ago
CERT-EU, 2 years ago
CERT-EU, 2 years ago
BankInfoSecurity, 2 years ago
CERT-EU, 2 years ago
CERT-EU, 2 years ago