The Zerobot malware, a sophisticated botnet campaign, has re-emerged, actively exploiting critical vulnerabilities in Tenda AC1206 routers and the n8n workflow automation platform. This latest iteration, known as zerobotv9, demonstrates a concerning evolution, moving beyond traditional IoT devices to target enterprise-level automation tools, potentially posing a significant threat to organizational security.
Security researchers have identified active exploitation attempts by Zerobot targeting these vulnerabilities since mid-January, with the campaign tracing back to at least early December. This marks one of the earliest confirmed instances of active exploitation of these specific CVEs following their public disclosure. The campaign’s persistence and diversification highlight the adaptive nature of modern cyber threats.
Zerobot Malware Evolves with New Targets and Exploits
Zerobot first gained attention in 2022 as a Go-based malware primarily focused on Internet of Things (IoT) devices. However, the current zerobotv9 variant represents a significant departure. It is smaller in file size, utilizes UPX packing, and incorporates encrypted strings along with a hard-coded command and control (C2) domain, 0bot.qzz[.]io. This evolution suggests a deliberate effort by its operators to refine their tools and enhance stealth capabilities.
The malicious campaign is leveraging two key vulnerabilities: CVE-2025-7544 and CVE-2025-68613. CVE-2025-7544, disclosed in mid-July 2025, is a critical stack-based buffer overflow affecting Tenda AC1206 devices running firmware version 15.03.06.23 via the `/goform/setMacFilterCfg` endpoint. An attacker can exploit this remotely by sending an oversized value in the `deviceList` parameter, potentially leading to denial-of-service (DoS) or remote code execution (RCE).
Additionally, CVE-2025-68613, published in mid-December 2025, is a critical RCE vulnerability within n8n’s workflow expression evaluation system, impacting versions 0.211.0 through 1.22.0. The lack of proper sandboxing in these versions allows attackers to execute arbitrary code, potentially leading to the compromise of API keys, server files, and the establishment of persistent access within affected systems.
The inclusion of n8n among Zerobot’s targets is particularly noteworthy. Historically, botnets have predominantly focused on consumer-grade hardware like routers, cameras, and DVRs. By targeting n8n, a platform widely used for connecting databases, automating data processing, and managing sensitive systems, Zerobot’s operators can gain a more significant foothold within organizations, enabling lateral movement and access to critical infrastructure.
Infection Mechanism and Payload Delivery
Upon identifying a vulnerable Tenda router or n8n instance, Zerobot initiates the exploit to force the target device to download and execute a malicious shell script named `tol.sh` from a U.S.-based IP address (144.172.100.228). This script then copies busybox to the `/tmp` directory, grants it execution permissions, and subsequently retrieves and runs the primary Mirai malware payload, zerobotv9.
The zerobotv9 payload is designed for broad device compatibility, supporting multiple CPU architectures, a common characteristic of Mirai-based downloaders. The exploit for the Tenda router involves triggering the buffer overflow by submitting 500 repeated characters within the `deviceList` parameter. For n8n, attackers send commands via the workflow API to execute `tol.sh` and load the same payload.
The zerobotv9 binary incorporates hard-coded user-agent strings that mimic legitimate browser traffic. This technique is employed to evade network detection and blend in with normal network activity. The malware’s capabilities have expanded beyond the original 2022 Zerobot variant, now including attack methods such as TCPXmas, Mixamp, SSH, and Discord. The botnet has also been observed targeting other vulnerabilities, including CVE-2017-9841, CVE-2021-3129, and CVE-2022-22947, utilizing fallback connection methods like netcat, socat, and Perl sockets.
Organizations currently running Tenda AC1206 devices with firmware version 15.03.06.23 are strongly advised to apply immediate patches or consider replacing the hardware. Users of the n8n workflow automation platform should upgrade to versions beyond 1.22.0, restrict access to the workflow execution interface, and enforce stringent user privilege controls. Network defenders are advised to block or monitor the known malicious IP addresses: 103.59.160.237, 140.233.190.96, 144.172.100.228, 172.86.123.179, and 216.126.227.101, as well as the C2 domain `0bot.qzz[.]io`.
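As an added illustration (not code from the article or from the Akamai SIRT rules it mentions), the following Python scans web-server or reverse-proxy access logs for the indicators above: requests from the listed IP addresses, references to the C2 domain, and oversized `deviceList` values sent to `/goform/setMacFilterCfg`. It assumes a common-log-format line in which the parameters appear in the request target (as a WAF or proxy that logs them would record); the 128-byte threshold and the sample log lines are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators listed in the article; the de-fanged C2 domain is re-fanged for matching.
IOC_IPS = {"103.59.160.237", "140.233.190.96", "144.172.100.228",
           "172.86.123.179", "216.126.227.101"}
IOC_DOMAIN = "0bot.qzz.io"
VULN_PATH = "/goform/setMacFilterCfg"
# Assumed threshold: the exploit sends ~500 repeated characters, while a real
# MAC-filter list is far shorter; tune to your fleet before deploying.
DEVICELIST_MAX = 128

# Common-log-format line: client IP, ident, user, [time], "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def check_line(line):
    """Return the detection reasons for one log line (empty list if clean)."""
    reasons = []
    m = LOG_RE.match(line)
    if not m:
        return reasons  # unparseable lines are skipped, not flagged
    client, _method, target, _status = m.groups()
    if client in IOC_IPS:
        reasons.append(f"request from known Zerobot IP {client}")
    url = urlparse(target)
    if url.path == VULN_PATH:
        values = parse_qs(url.query).get("deviceList", [])
        longest = max((len(v) for v in values), default=0)
        if longest > DEVICELIST_MAX:
            reasons.append(f"oversized deviceList ({longest} bytes) to {VULN_PATH}")
    if IOC_DOMAIN in target:
        reasons.append(f"reference to C2 domain {IOC_DOMAIN}")
    return reasons

def scan_log(lines):
    """Return [(line_number, reasons)] for every flagged line, numbering from 1."""
    results = [(n, check_line(line)) for n, line in enumerate(lines, 1)]
    return [(n, reasons) for n, reasons in results if reasons]

# Constructed sample lines (not captured traffic): a benign MAC-filter update,
# an oversized deviceList from a listed IP, and an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jan/2026:10:00:01 +0000] "POST /goform/setMacFilterCfg?deviceList=AA:BB:CC:DD:EE:FF HTTP/1.1" 200',
    '144.172.100.228 - - [15/Jan/2026:10:00:02 +0000] "POST /goform/setMacFilterCfg?deviceList=' + "A" * 500 + ' HTTP/1.1" 500',
    '10.0.0.9 - - [15/Jan/2026:10:00:03 +0000] "GET /index.html HTTP/1.1" 200',
]

if __name__ == "__main__":
    for n, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
```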
Additionally, the implementation of YARA and Snort detection rules published by the Akamai SIRT can assist security teams in identifying and responding to related activities across their networks. The ongoing evolution of the Zerobot malware necessitates continuous vigilance and proactive security measures to counter its expanding threat profile.