Two Mirai Botnets, Lzrd and Resgod Spotted Exploiting Wazuh Flaw

Cybersecurity experts at Akamai have uncovered a new threat: two separate botnets are actively exploiting a critical flaw in Wazuh, an open source XDR and SIEM platform, to spread the Mirai malware.
This vulnerability, tracked as CVE-2025-24016, affects Wazuh versions 4.4.0 through 4.9.0 and has since been fixed in version 4.9.1. It lets attackers run their own code on a target server by sending a specially crafted request through Wazuh’s API, giving them remote control of affected servers.
It is worth noting that this is the first time active attacks using this vulnerability have been reported, highlighting a concerning trend where cybercriminals quickly turn newly discovered flaws into tools for their campaigns.
The technical report, shared with Hackread.com, reveals that Akamai’s Security Intelligence and Response Team (SIRT) first noticed suspicious activity in their global network of honeypots in March 2025, just weeks after the flaw was made public in February 2025.
The team identified two distinct botnets leveraging this exploit. The first botnet began its attacks in early March, using the vulnerability to download and run a malicious script. This script then pulls down the main Mirai malware, which is designed to infect a wide range of Internet of Things (IoT) devices.
These Mirai variants, sometimes named morte, are identifiable by a unique message they display, such as lzrd. These initial attacks used the same authorization details as a publicly available proof of concept (PoC) exploit, meaning the attackers quickly adapted publicly known information.
The second botnet emerged in early May 2025, also spreading a Mirai variant called resgod. This botnet caught attention because its associated online addresses (domains) featured Italian-sounding names, like gestisciweb.com, which means “manage web” in Italian. This could suggest the attackers are specifically trying to target devices owned by Italian-speaking users. The resgod malware itself carries the clear message, “Resentual got you!”
While the Wazuh vulnerability is the primary focus, the botnets weren’t limited to it. Akamai observed these malicious groups attempting to exploit several other well-known security flaws. These included older vulnerabilities in Hadoop YARN, TP-Link Archer AX21 routers (CVE-2023-1389), Huawei HG532 routers (CVE-2017-17215), and ZTE ZXV10 H108L routers (CVE-2017-18368). This shows that the attackers take an opportunistic approach, trying to infect systems through any available weakness.
Akamai’s report warns that it remains relatively easy for criminals to reuse old malware code to create new botnets. The speed at which this Wazuh flaw was exploited after its disclosure underlines how critical it is for organizations to apply security patches as soon as they become available.
Unlike some vulnerabilities that only affect outdated devices, CVE-2025-24016 affects currently deployed Wazuh servers that have not been updated. Akamai strongly advises all users to upgrade to Wazuh version 4.9.1 or later to protect their systems.
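The affected range (4.4.0 through 4.9.0) and the fixed release (4.9.1) stated above are all an administrator needs to triage a fleet. The script below is an added example, not code from the Akamai report, Hackread, or the Wazuh project: it parses Wazuh version strings, flags servers inside the affected range, and marks those already on 4.9.1 or later as patched. The host inventory is constructed sample data, and versions older than 4.4.0 are simply reported as outside the range the article names rather than assumed safe.

```python
"""Triage a Wazuh server inventory against the CVE-2025-24016 affected range.

Added example, not from the Akamai report or the Wazuh project. The affected
range 4.4.0 <= v <= 4.9.0 and the fix in 4.9.1 come from the article; the
inventory below is constructed sample data.
"""
import re
from typing import List, Tuple

AFFECTED_MIN = (4, 4, 0)   # first affected release named in the article
AFFECTED_MAX = (4, 9, 0)   # last affected release named in the article
FIXED_IN = (4, 9, 1)       # release that fixes CVE-2025-24016

# Accepts "4.8.2", "v4.8.2" or "4.9.1-rc1"; only major.minor.patch is compared.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# Constructed sample inventory: (hostname, reported Wazuh version).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("wazuh-prod-01", "v4.8.2"),
    ("wazuh-prod-02", "4.9.0"),
    ("wazuh-lab", "4.9.1"),
    ("wazuh-legacy", "4.3.11"),
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a Wazuh version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Wazuh version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies inside the affected range, inclusive at both ends."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) for each host.

    status is 'patch' (inside the affected range), 'ok' (4.9.1 or later) or
    'outside-range' (older than 4.4.0; not covered by the article's statement).
    """
    results = []
    for host, version in inventory:
        v = parse_version(version)
        if AFFECTED_MIN <= v <= AFFECTED_MAX:
            status = "patch"
        elif v >= FIXED_IN:
            status = "ok"
        else:
            status = "outside-range"
        results.append((host, version, status))
    return results


def hosts_needing_patch(inventory: List[Tuple[str, str]]) -> List[str]:
    """Convenience view: just the hostnames that must be upgraded to 4.9.1 or later."""
    return [host for host, _, status in triage(inventory) if status == "patch"]


if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:15} {version:10} {status}")
```

The version strings would normally come from each server's own reporting (for example the manager's package version), which is deliberately left out here so the check runs offline; feed it whatever your asset inventory already records.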
HackRead