THE HUNTER’S LEDGER
Network Scanner · October 25, 2025

AdvancedRouterScanner — Global Router Exploitation

Campaign Identifier: AdvancedRouterScanner-Global-Router-Exploitation
Last Updated: October 25, 2025
Threat Level: MEDIUM


BLUF (Bottom Line Up Front)

AdvancedRouterScanner is a custom, semi-private exploitation framework targeting embedded network devices (primarily Huawei/Four-Faith OEM equipment) via exposed CGI endpoints and default credentials. Two open directories — a proof-of-concept (PoC) host at 185[.]38[.]150[.]7:9999 and an operational hub at 176[.]65[.]137[.]13:80 — confirm the campaign has transitioned from research into active botnet recruitment. Enrichment of ~65,000 targeted IPs resolves ~50,000 with ASN metadata, with 45.5% concentrated in Brazil. The tool is not publicly available and carries unique fingerprints that make every reappearance attributable to the same actor.

Key Risk Factors

Risk Factor | Score | Business Impact
Global Infrastructure Targeting | 9/10 | 65,000+ network devices targeted, with 50,000+ successfully compromised across multiple continents
Botnet Recruitment | 8/10 | Infrastructure compromise enabling DDoS attacks, proxy abuse, and resale of network access
Custom Exploitation Framework | 8/10 | Unique, highly attributable tool indicating a threat actor with targeted capabilities
Geographic Concentration | 7/10 | 45.5% of targets in Brazil, creating regional infrastructure vulnerability and supply chain risk

  1. BLOCK known malicious infrastructure (185.38.150.7:9999, 176.65.137.13:80)
  2. AUDIT all exposed network devices, particularly Huawei/Four-Faith OEM equipment
  3. MONITOR for exploitation patterns and credential brute-forcing attempts
  4. ISOLATE potentially compromised devices from critical networks
  5. UPDATE firmware on all embedded network devices
  6. IMPLEMENT network segmentation to limit lateral movement

1. Executive Summary

AdvancedRouterScanner combines global opportunistic scanning with vendor-specific exploitation logic to compromise embedded network devices at scale. The campaign chains five stages: IP list aggregation, service enumeration, vendor fingerprinting, default-credential brute-forcing, and payload delivery for botnet recruitment. Two open directories provided direct access to operator tooling and logs, confirming active exploitation with payload delivery to at least the ARM architecture targets that returned HTTP 200 responses.

The tool bears unique fingerprints — the AdvancedRouterScanner class name, run_advanced_scan function, a 60-dash output separator, and a specific Huawei endpoint trio — not found in any public repository. Its zero detections on VirusTotal on first submission reinforce that this is not commodity tooling. Geographic enrichment of the target list places 45.5% of resolved IPs in Brazil, with secondary concentrations in Vietnam, South Africa, Colombia, and Argentina. ASN analysis shows the campaign targets specific regional ISPs rather than spraying randomly. Detection guidance and IOCs are in the linked sidebar files.

Key Takeaways

  • AdvancedRouterScanner is a custom tool; its fingerprints make reappearance attributable to the same actor.
  • The campaign is global but disproportionately impacts Latin America, Southeast Asia, and parts of Africa.
  • The campaign has transitioned from PoC research to full operationalization — hub infrastructure, payload hosting, and reverse shells are all confirmed.
  • The end goal is botnet recruitment, enabling DDoS, proxy abuse, and potential resale of access.
  • Blocking known infrastructure, auditing exposed devices, and monitoring for exploitation patterns are the immediate defensive priorities.

2. Tool Overview (poc.py)

Name: poc.py (generic filename).
Unique Class: AdvancedRouterScanner.
Capabilities:

  • Parallel scanning with ThreadPoolExecutor.
  • Service detection (HTTP/HTTPS, SSH, Telnet, FTP).
  • Vendor fingerprinting via HTML keyword checks.
  • Default credential brute attempts per vendor.
  • Vendor‑specific endpoint probing (Huawei).

Output:

  • Results stored in results/advanced_scan_/results.txt.
  • Format: [HH:MM:SS] <IP>:<Port> - <Vendor/Service> - <Vulnerability> followed by a 60‑dash separator.

Note: This file was not present in VirusTotal; when uploaded, it returned zero detections.


3. Targeting (ips.txt)

Analyst note: ips.txt is the master target list bundled with the tool. Its composition reveals how the operator aggregated targets — a mix of curated ISP ranges, automated scan dumps, and sloppy inclusions — which in turn signals operational intent.

Scope: Global, ~954 KB of IPs.
Regional Clusters:

  • Southeast Asia (Vietnam, Bangladesh, India).
  • Latin America (Brazil, Chile, Argentina, Mexico).
  • Europe (Poland, Italy, Germany, Turkey).
  • Africa (Nigeria, Kenya, Tanzania).
  • North America (US broadband + AWS).

Characteristics:

  • Sequential ranges (CIDR sweeps).
  • Duplicates.
  • Inclusion of private IPs (10.x, 192.168.x) → sloppy aggregation.

Assessment: Aggregated from multiple sources (scan dumps, ISP sweeps, configs). Opportunistic, not curated.
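A triage routine for a target list of this shape, added here as example code (not part of the tool or of this report): it counts duplicates, flags RFC 1918 entries that cannot be Internet-facing routers, reports malformed lines, and marks /24 blocks dense enough to have come from a sequential sweep. The sample list, the sweep threshold and the use of documentation address ranges are constructed assumptions.

```python
import ipaddress
from collections import Counter

# RFC 1918 ranges, the "private IPs" the report calls out as sloppy aggregation.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample (documentation ranges, not recovered targets): a short sequential
# block, one duplicate, two private addresses, a stray single host and a junk line.
SAMPLE_IPS = """\
203.0.113.1
203.0.113.2
203.0.113.3
203.0.113.4
203.0.113.2
10.0.0.5
192.168.1.1
198.51.100.77
not-an-ip
"""

def triage_target_list(text, sweep_threshold=4):
    """Summarize a raw target list: duplicates, private entries, malformed lines and
    IPv4 /24 blocks holding at least sweep_threshold distinct addresses (assumed sweep)."""
    seen = Counter()
    private, malformed = [], []
    for raw in text.splitlines():
        token = raw.strip()
        if not token:
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            malformed.append(token)
            continue
        seen[ip] += 1
        if any(ip in net for net in PRIVATE_NETS):
            private.append(str(ip))
    blocks = Counter()
    for ip in seen:                       # unique addresses only, so duplicates don't inflate density
        if ip.version == 4:
            blocks[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
    return {
        "total_lines": sum(seen.values()) + len(malformed),
        "unique": len(seen),
        "duplicates": sum(n - 1 for n in seen.values()),
        "private": sorted(set(private)),
        "malformed": malformed,
        "sweep_blocks": sorted(b for b, n in blocks.items() if n >= sweep_threshold),
    }
```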


4. Results Analysis

Analyst note: The results files are the operator’s own exploitation logs — recovered from the open directory. They show which devices responded to attacks and what access was gained, confirming the tool moved beyond scanning into active compromise.

File 1: Huawei Exploitation

  • Region: Vietnam (117.x.x.x ranges).
  • Findings: Default credentials (admin:admin) successful. Exposed endpoints accessible: /api/system/execute_command, /web_shell_cmd.gch, /shell.
  • Impact: Full remote control of routers possible.
  • Pattern: Multiple consecutive IPs vulnerable → systemic ISP misconfiguration.

File 2: Service Enumeration

  • Regions: Vietnam, Bangladesh, India.
  • Findings: FTP (21), SSH (22), Telnet (23) open across many IPs.
  • Impact: Confirms widespread exposure of insecure services.
  • Role: Likely Stage 1 mapping before exploitation.

Timeline Analysis

  • Scan cadence: Entries logged every 1–2 seconds → consistent threaded scanning.
  • Sequential IPs: Many consecutive IPs in 117.x.x.x exploited → confirms systemic ISP misconfiguration.
  • Stage separation: One results file shows service enumeration only, another shows Huawei exploitation → suggests modular workflow.
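An analyst-side parser for the results.txt layout described in section 2, added here as example code rather than anything recovered from the operator: it splits service-enumeration rows from exploitation rows, measures the gap between consecutive entries, and finds runs of numerically adjacent IPs, the three observations made in the timeline analysis above. The sample log, the documentation addresses in it and the service-name heuristic used to assign a stage are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample in the documented results.txt layout; the vulnerability text is
# free-form in the real logs, and these addresses are documentation ranges, not victims.
SAMPLE_RESULTS = """\
[12:00:01] 198.51.100.10:80 - Huawei - Default creds admin:admin; /web_shell_cmd.gch reachable
------------------------------------------------------------
[12:00:02] 198.51.100.11:80 - Huawei - Default creds admin:admin; /api/system/execute_command reachable
------------------------------------------------------------
[12:00:04] 198.51.100.12:23 - Telnet - Open service
------------------------------------------------------------
[12:00:05] 198.51.100.13:22 - SSH - Open service
------------------------------------------------------------
[12:00:07] 203.0.113.5:21 - FTP - Open service
------------------------------------------------------------
"""
ENTRY_RE = re.compile(r"^\[(?P<ts>\d\d:\d\d:\d\d)\] (?P<ip>[\d.]+):(?P<port>\d+) - "
                      r"(?P<vendor>[^-]+?) - (?P<vuln>.+)$")
ENUM_SERVICES = {"FTP", "SSH", "Telnet", "HTTP", "HTTPS"}   # Stage 1 rows name a service, not a vendor

def parse_results(text):
    """One dict per logged entry; the 60-dash separators and unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.rstrip())
        if not m:
            continue
        e = m.groupdict()
        e["port"] = int(e["port"])
        e["vendor"] = e["vendor"].strip()
        # Heuristic: a vendor name in this field means the tool got past enumeration.
        e["stage"] = "enumeration" if e["vendor"] in ENUM_SERVICES else "exploitation"
        entries.append(e)
    return entries

def cadence_seconds(entries):
    """Gaps between consecutive entries; steady 1-2 s gaps are the threaded-scan signature."""
    times = [datetime.strptime(e["ts"], "%H:%M:%S") for e in entries]
    gaps = []
    for a, b in zip(times, times[1:]):
        if b < a:                         # log rolled past midnight
            b += timedelta(days=1)
        gaps.append(int((b - a).total_seconds()))
    return gaps

def consecutive_runs(entries, min_len=2):
    """(first, last) of each run of numerically adjacent IPs, the mark of a swept ISP range."""
    ips = sorted({int(ipaddress.ip_address(e["ip"])) for e in entries})
    runs, i = [], 0
    while i < len(ips):
        j = i
        while j + 1 < len(ips) and ips[j + 1] == ips[j] + 1:
            j += 1
        if j - i + 1 >= min_len:
            runs.append((str(ipaddress.ip_address(ips[i])), str(ipaddress.ip_address(ips[j]))))
        i = j + 1
    return runs
```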

5. Campaign Flow

Analyst note: This five-stage chain describes how the operator moves from a raw IP list to a compromised router enrolled in botnet infrastructure. Each stage feeds the next; the PoC and hub hosts each serve different phases.

[Aggregated IP List]
└─ Global ISP ranges (Asia, LATAM, EU, Africa, NA, private IPs)

[Stage 1: Service Enumeration]
└─ Identify open FTP (21), SSH (22), Telnet (23)

[Stage 2: Vendor Fingerprinting]
└─ Parse HTML banners for vendor keywords

[Stage 3: Exploitation Attempts]
└─ Default credentials per vendor
└─ Huawei-specific endpoints

[Stage 4: Results Collection]
└─ Results stored in results/advanced_scan_/results.txt

[Stage 5: Operational Use]
└─ Compromised routers leveraged for botnet recruitment, proxy infrastructure, resale of access


6. Unique Fingerprints (Pivot Anchors)

Analyst note: These fingerprints are the detection surface. Because the tool is not publicly available, any future network observation matching the class name, output format, or endpoint trio can be attributed to this campaign with high confidence.

  • High‑Fidelity: AdvancedRouterScanner, run_advanced_scan, advanced_scan_, telecomadmin:admintelecom, Huawei endpoint trio.
  • Medium‑Fidelity: Vendor combo (Huawei, ZTE, Raisecom), output format with 60‑dash separator.
  • Broad Discovery: Vendor names alone, generic creds.
  • Attribution Value: High — unique enough to track as a distinct campaign family.

7. External Search Findings

  • GitHub: Many unrelated poc.py files, but none with AdvancedRouterScanner or the same vendor logic.
  • Router scanning repos: Exist, but do not use the same class names, results format, or Huawei endpoint trio.
  • Huawei research repos: Confirm known defaults, but not packaged into this scanner.
  • Exploit write‑ups: Mention endpoints, but not in Python scanners.
  • Conclusion: This script is not public; it appears custom or semi‑private.

8. Threat Assessment

Overall Assessment

  • Nature: Custom/semi-private router exploitation tool
  • Scope: Global IP list, confirmed exploitation in Vietnam
  • Intent: Botnet recruitment, proxy infrastructure, or resale of access
  • Attribution Value: High

Confidence Levels

CONFIRMED (Highest Confidence):

  • Tool uniqueness and custom development (AdvancedRouterScanner class)
  • Global targeting scope and IP enrichment data
  • Exploitation confirmation in Vietnam (Huawei router compromise)
  • Infrastructure analysis and operational hubs
  • Results file format and scanning methodology
  • Geographic distribution and ISP targeting patterns

HIGH (Strong Evidence):

  • Botnet recruitment intent and operationalization
  • Transition from research to operational exploitation
  • Vendor-specific exploitation logic and success rates
  • Infrastructure abuse for DDoS and proxy services

MODERATE (Analytical Judgment):

  • Specific threat actor identification and attribution
  • Full scope of global campaign (unseen portions)
  • Exact timeline of operationalization
  • Relationship to other known campaigns or threat groups

9. Defensive Recommendations

  • Network operators: Audit router fleets for default credentials and exposed management endpoints.
  • Defenders: Monitor outbound connections to the identified infrastructure on ports 21/22/23; build detection rules for repeated default login attempts; flag Huawei-specific endpoint traffic; watch for parallel outbound connections consistent with threaded scanning.
  • Detection rules covering the AdvancedRouterScanner fingerprints are in the linked detection file.
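A minimal form of the monitoring described in the bullets above, added as example code (it is not the linked detection file): it scans HTTP access-log lines for the command-execution endpoints named in this report and flags a source that POSTs repeatedly to the login endpoint inside a short window. It assumes Common Log Format, that credential guesses land on /boaform/admin/formLogin, and constructed threshold values and sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-execution endpoints named in the report (Huawei trio plus hub exploit-log paths).
EXEC_PATHS = {"/api/system/execute_command", "/web_shell_cmd.gch", "/shell",
              "/apply.cgi", "/cgi-bin/config.cgi"}
LOGIN_PATH = "/boaform/admin/formLogin"   # assumption: where credential guesses land
BRUTE_THRESHOLD = 5                       # POSTs from one source ...
BRUTE_WINDOW = timedelta(seconds=60)      # ... inside this window count as brute force

# Common Log Format is assumed for the device or reverse-proxy access log.
CLF_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_clf(line):
    m = CLF_RE.match(line)
    if not m:
        return None
    r = m.groupdict()
    r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
    r["path"] = r["path"].split("?", 1)[0]      # match on the path, not the query string
    r["status"] = int(r["status"])
    return r

def detect(lines):
    """Alerts: ('exec_endpoint', src, path, status) for any hit on an execution endpoint,
    ('brute_force', src, path, n) when n login POSTs from src fall inside one window."""
    alerts, attempts = [], defaultdict(list)
    for line in lines:
        r = parse_clf(line)
        if r is None:
            continue
        if r["path"] in EXEC_PATHS:
            alerts.append(("exec_endpoint", r["src"], r["path"], r["status"]))
        elif r["path"] == LOGIN_PATH and r["method"] == "POST":
            attempts[r["src"]].append(r["ts"])
    for src, times in attempts.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):              # sliding window over sorted timestamps
            while times[hi] - times[lo] > BRUTE_WINDOW:
                lo += 1
            if hi - lo + 1 >= BRUTE_THRESHOLD:
                alerts.append(("brute_force", src, LOGIN_PATH, hi - lo + 1))
                break
    return alerts

# Constructed sample (documentation addresses): five guesses in four seconds, then a hit on
# the Huawei web-shell endpoint from the same source; the other two sources are benign.
SAMPLE_LOG = [
    f'198.51.100.7 - - [25/Oct/2025:10:00:0{i} +0000] "POST {LOGIN_PATH} HTTP/1.1" 401 0'
    for i in range(1, 6)
] + [
    '198.51.100.7 - - [25/Oct/2025:10:00:12 +0000] "GET /web_shell_cmd.gch HTTP/1.1" 200 312',
    '192.0.2.20 - - [25/Oct/2025:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    f'192.0.2.21 - - [25/Oct/2025:10:06:00 +0000] "POST {LOGIN_PATH} HTTP/1.1" 200 0',
]
```

A 200 on an execution endpoint is the strongest single signal here; the hub's own exploit logs recorded success the same way.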

10. Key Takeaways

  • The poc.py script is a unique campaign artifact.
  • It combines global opportunistic scanning with vendor‑specific exploitation.
  • Results confirm Huawei routers in Vietnam were compromised.
  • Unique fingerprints (class names, results format, Huawei endpoint trio, Raisecom inclusion, rare creds) make this a high‑value pivot anchor.
  • External searches confirm this is not commodity tooling — if seen again, it is almost certainly the same actor.

Target Analysis & Geographic Distribution

Target Enrichment Summary

Metric | Value | Confidence Level
Total IPs Targeted | ~65,000 | CONFIRMED
Successfully Enriched | ~50,000 | CONFIRMED
Unenriched IPs | ~15,000 | CONFIRMED
Data Quality | UTF-8 standardized, legacy encoding handled | CONFIRMED

Country Distribution Analysis

Country | Percentage | Risk Assessment
Brazil (BR) | 45.5% | CRITICAL - Primary target zone
Vietnam (VN) | 15.1% | HIGH - Secondary concentration
South Africa (ZA) | 14.2% | HIGH - Notable presence
Colombia (CO) | 13.7% | HIGH - Regional focus
Argentina (AR) | 11.6% | MEDIUM - Tertiary target

Top Targeted Network Providers

ASN | Provider | Target Count | Geographic Focus
AS198949 | WPT Corp | 1,557 | Regional ISP
AS7348 | Vecell Group | 1,282 | Regional ISP
AS1740 | Comnet Limited | 987 | Regional ISP
AS1511 | UNINET | 880 | Educational Network
AS26622 | T-E-S-MI | 864 | Regional ISP

Interpretation: Concentration across specific regional ISPs indicates targeted infrastructure exploitation rather than random scanning. Normalization gaps in enrichment data should be remediated for complete threat landscape visibility.


Follow-Up: Certificate Pivot

The PoC host now presents a TLS certificate with Issuer CN "yuyu", which has been observed on only three hosts:

  • 185[.]38[.]150[.]7 (PoC)
  • 39[.]97[.]249[.]120 (RDP open)
  • 219[.]151[.]188[.]41 (RDP open)

Why it matters: A shared certificate plus RDP exposure suggests linked infrastructure or linked victims.
Defensive actions: Monitor for certificates with Issuer CN yuyu and for RDP traffic to these hosts; block if observed.


Additional Findings After Pivots (176[.]65[.]137[.]13)

Analyst note: The second open directory exposed the operator’s working environment — shell history, exploit logs, and staged payloads. This is operational intelligence recovered directly from attacker infrastructure, not inferred behavior.

The second exposed directory (176[.]65[.]137[.]13:80) revealed a more operationalized attacker hub than the PoC host.

Key observations

  • Artifacts: .bash_history and exploit_log.txt captured operator activity; the operator also used a large IP list file as its target set.
  • Environment prep: Installed Python 3.11, pip, SSL libraries, and zmap.
  • Scanning: Used zmap to sweep port 90, feeding results into exploit scripts.

Exploitation

  • Targeted endpoints: /web_shell_cmd.gch, /apply.cgi, /boaform/admin/formLogin, /cgi-bin/config.cgi.
  • Default credential brute forcing (admin:admin, admin:password, admin:1234, root:root, etc.).
  • Injection via adj_time_year parameter.

Payload delivery

  • Downloaded binaries (boatnet.*, main_mpsl) from 107[.]189[.]4[.]201 and bot[.]gribostress[.]pro.
  • Reverse shell established to 107[.]189[.]4[.]201:3778.

Exploit logs

  • Showed thousands of attempts, mostly failed (404s, resets, refused).
  • Some successes indicated by HTTP 200 responses and ARM architecture detection.

Assessment: This host functioned as an operator hub, staging tools, scanning, and launching exploitation at scale.
Note: The exploit file was not present in VirusTotal; when uploaded, it returned zero detections.


MITRE ATT&CK Mapping

Analyst note: The MITRE ATT&CK framework is a standardized catalog of adversary behaviors. The table below maps each observed technique in this campaign to its ATT&CK identifier, allowing defenders to cross-reference against existing detection coverage.

Tactic | Technique ID | Technique Name | Implementation
Initial Access | T1190 | Exploit Public-Facing Application | CGI endpoint exploitation, command injection
Initial Access | T1078 | Valid Accounts | Default credential brute forcing
Execution | T1059 | Command and Scripting Interpreter | Python script execution, shell commands
Execution | T1203 | Exploitation for Client Execution | Code execution via vulnerable endpoints
Persistence | T1547 | Boot or Logon Autostart Execution | Botnet persistence on compromised devices
Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Command injection for privilege escalation
Defense Evasion | T1036 | Masquerading | Legitimate service impersonation
Credential Access | T1110 | Brute Force | Default credential dictionary attacks
Discovery | T1046 | Network Service Scanning | Global port scanning and service enumeration
Discovery | T1082 | System Information Discovery | Device fingerprinting and vendor identification
Lateral Movement | T1021 | Remote Services | SSH/Telnet access to compromised devices
Command and Control | T1071 | Application Layer Protocol | HTTP/HTTPS communication with C2 infrastructure
Command and Control | T1095 | Non-Application Layer Protocol | Raw TCP/UDP communication for botnet control
Exfiltration / Impact | T1041 | Exfiltration Over C2 Channel | Data theft through botnet infrastructure
Impact | T1499 | Endpoint Denial of Service | DDoS capabilities via compromised devices

Incident Response Procedures

Priority 1: Initial Response

  1. BLOCK known malicious infrastructure at network perimeter
  2. ISOLATE potentially compromised network devices from critical systems
  3. AUDIT all exposed network devices, particularly Huawei/Four-Faith OEM equipment
  4. MONITOR for exploitation patterns and credential brute-forcing attempts
  5. DOCUMENT all potentially compromised devices and network segments

Priority 2: Investigation & Analysis

  1. FORENSIC ANALYSIS of network device logs for exploitation attempts
  2. LOG ANALYSIS for connections to known malicious IPs (185.38.150.7, 176.65.137.13)
  3. VULNERABILITY ASSESSMENT of all embedded network devices
  4. TRAFFIC ANALYSIS for unusual scanning patterns and command injection attempts
  5. THREAT HUNTING for AdvancedRouterScanner artifacts in network traffic

Priority 3: Remediation & Recovery

  1. UPDATE firmware on all embedded network devices
  2. RESET credentials on all potentially compromised devices
  3. IMPLEMENT network segmentation to isolate critical infrastructure
  4. DEPLOY enhanced monitoring for exploitation patterns
  5. ESTABLISH baseline security configuration for network devices

Operational Impact Assessment

Impact Scenarios

Impact Category | Severity Level | Recovery Time
Infrastructure Compromise | HIGH | several weeks
DDoS Attack Impact | HIGH | several weeks
Device Replacement | MEDIUM | several weeks
Operational Disruption | HIGH | several weeks

Operational Impact Timeline

  • Immediate Response: Network isolation, service disruption, emergency response
  • Investigation Phase: Device assessment, firmware updates, security hardening
  • Recovery Phase: Infrastructure recovery, enhanced monitoring deployment
  • Long-term Phase: Process improvements, vendor management, security architecture review

Long-term Defensive Strategy

Technology Enhancements

  1. Network Access Control to segment and monitor embedded devices
  2. Intrusion Detection Systems with specific rules for exploitation patterns
  3. Vulnerability Management for embedded network device firmware
  4. Threat Intelligence Integration for emerging exploitation frameworks
  5. Security Information and Event Management (SIEM) with correlation rules

Process Improvements

  1. Device Lifecycle Management for procurement, deployment, and decommissioning
  2. Regular Security Assessments of network infrastructure
  3. Vendor Risk Management for embedded device suppliers
  4. Incident Response Playbooks specific to network device compromises
  5. Change Management procedures for firmware updates and configuration changes

Organizational Measures

  1. Security Awareness Training for network operations teams
  2. Regular Security Assessments including penetration testing of network infrastructure
  3. Threat Intelligence Subscription for emerging IoT/embedded device threats
  4. Executive Security Briefings on infrastructure security risks
  5. Security tooling and personnel training for network defense

Frequently Asked Questions

Technical Questions

Q: What makes AdvancedRouterScanner unique compared to other exploitation tools?
A: It is a custom, semi-private framework with unique fingerprints (class names, result formats) indicating a targeted threat actor rather than commodity tooling.

Q: Why is the geographic concentration significant?
A: The 45.5% concentration in Brazil suggests targeted infrastructure exploitation rather than random scanning, potentially indicating regional threat actor focus or specific supply chain vulnerabilities.

Q: How does the two-stage attack work?
A: Stage 1 involves global scanning and reconnaissance; Stage 2 involves operational exploitation hubs that deliver payloads and establish botnet control.

Business Questions

Q: What are the regulatory implications of network device compromise?
A: Compromised network infrastructure can affect data protection compliance, critical infrastructure regulations, and industry-specific security requirements.

Q: Should devices be replaced or patched?
A: REPLACE is recommended for devices with confirmed compromise; PATCH may be sufficient for devices with only exposure to scanning attempts.

Q: How can similar attacks be prevented?
A: Network segmentation, regular firmware updates, credential management, and continuous monitoring for exploitation patterns reduce exposure to this attack class.


License

© 2026 Joseph. All rights reserved. See LICENSE for terms.

High Priority IOCs

  • 185[.]38[.]150[.]7 - C2 / PoC host
  • 176[.]65[.]137[.]13 - Operator hub, exploitation launchpad
  • 107[.]189[.]4[.]201 - Reverse shell C2 server
  • bot[.]gribostress[.]pro - Payload download domain