
Mirai botnet exploits D-Link router flaw

The Mirai botnet is actively exploiting a critical vulnerability in end-of-life D-Link routers to deploy DDoS malware.

Sources: 1 verified
Updated: Thursday, 23 April 2026 at 05:57 UTC
Synthesis · 1 source
Akamai SIRT has detected the first in-the-wild exploitation of CVE-2025-29635, a command-injection vulnerability in D-Link DIR-823X routers. The campaign deploys a Mirai variant called "tuxnokill" by sending malicious POST requests to vulnerable endpoints, downloading shell scripts, and installing DDoS-capable malware. The flaw was disclosed in February 2025, but active exploitation only began in March 2026 according to Akamai's analysis. Affected devices reached end-of-life in November 2024, making security patches unlikely, and the same threat actor is also targeting TP-Link and ZTE routers with similar tactics.