
Novel malware has been used to target popular routers since 2020


Researchers have discovered an unusually sophisticated malware that has targeted at least 80 routers made by Cisco, Netgear, Asus, and DrayTek. The new malware, named ZuoRAT, has been active since at least Q4 2020.

The malware takes complete control of any Windows, macOS or Linux devices connected to the router and primarily targets North American and European users. Researchers at Black Lotus Labs believe it’s part of a larger hacking campaign that’s still ongoing.

ZuoRAT seems to be custom-built for the MIPS architecture and compiled for small office/home office (SOHO) routers. It often gets installed by exploiting unpatched vulnerabilities in these routers. Once installed, it can track all devices connected to the router, list DNS lookups and track all network traffic going through the infected router without being detected.


A broader campaign at work

The researchers have pointed out that there are at least four parts to the campaign, starting with ZuoRAT. Three of these parts seem to have been written from scratch, displaying a level of sophistication that led researchers to believe that the campaign may be run by a state-sponsored group.

An overview of the campaign components. | Source: Black Lotus Labs

Once a router is infected, ZuoRAT can further infect connected devices using two methods.

  • DNS Hijacking: This method replaces the valid IP addresses used for DNS in the router with malicious ones used by the hackers.
  • HTTP Hijacking: The malware injects itself into the connection between the router and the device and generates an HTTP 302 redirect response, which sends the user to a malicious website.

These two methods are used to deploy other malware on the connected devices. This includes at least two custom-made pieces of malware named CBeacon and GoBeacon, as well as the popular Cobalt Strike backdoor.
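A defender-side check for the two hijacking methods described above, as an added example that is not from the original article or from Black Lotus Labs: it compares DNS answers seen behind the router with answers from a trusted resolver, and flags plain-HTTP 3xx responses that redirect to a different host. All names, addresses and records are constructed sample data, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample data (not taken from the Black Lotus Labs report).
# Answers for the same names obtained out-of-band from a trusted resolver.
TRUSTED_DNS = {
    "updates.example.com": {"198.51.100.10", "198.51.100.11"},
    "mail.example.com": {"198.51.100.20"},
}
# Answers observed by a LAN client that uses the router as its resolver.
OBSERVED_DNS = [
    ("updates.example.com", "198.51.100.10"),
    ("mail.example.com", "203.0.113.66"),  # differs from the trusted view
]
# Plain-HTTP responses seen by a LAN client: (requested URL, status, Location).
OBSERVED_HTTP = [
    ("http://updates.example.com/pkg", 302, "/pkg/"),
    ("http://updates.example.com/pkg", 302, "http://203.0.113.66/landing"),
    ("http://mail.example.com/", 200, None),
]

def dns_mismatches(observed, trusted):
    """Return (name, ip) pairs whose answer is absent from the trusted view."""
    return [(name, ip) for name, ip in observed
            if name in trusted and ip not in trusted[name]]

def cross_host_redirects(responses, allowed_hosts=frozenset()):
    """Return 3xx responses that send the client to a different, unlisted host."""
    hits = []
    for url, status, location in responses:
        if status not in (301, 302, 303, 307, 308) or not location:
            continue
        src = urlsplit(url).hostname
        dst = urlsplit(location).hostname or src  # relative Location stays on-host
        if dst != src and dst not in allowed_hosts:
            hits.append((url, location))
    return hits

def correlate(dns_hits, redirect_hits):
    """Redirect targets whose host also appeared as a mismatched DNS answer."""
    bad_ips = {ip for _, ip in dns_hits}
    return [loc for _, loc in redirect_hits if urlsplit(loc).hostname in bad_ips]

if __name__ == "__main__":
    dns_hits = dns_mismatches(OBSERVED_DNS, TRUSTED_DNS)
    redirect_hits = cross_host_redirects(OBSERVED_HTTP)
    print(dns_hits, redirect_hits, correlate(dns_hits, redirect_hits))
```

Legitimate services also rotate DNS answers and redirect across hosts, so the trusted view and `allowed_hosts` need to reflect the services actually in use before a hit is treated as an indicator.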

The command and control infrastructure for the malware is also intentionally complex and divided into two parts. One part is dedicated to controlling infected routers, and the other is reserved for connected devices should they get infected later. 

However, as sophisticated as it is, ZuoRAT, like most router malware, can't survive a device reboot. Restarting the device can eliminate the initial exploit, which is saved as a set of temporary files on the device itself. Even so, a factory reset is suggested to fully purge the malware infection.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018.