A significant resurgence of the Zerobot malware has been detected, specifically exploiting vulnerabilities in Tenda AC1206 routers and the n8n workflow automation platform. This campaign is now operating under its ninth iteration, referred to as zerobotv9, which has been actively distributing malware across compromised networks and connected devices.
Zerobot initially appeared in 2022 as a Go-based malware targeting Internet of Things (IoT) devices. The latest version, zerobotv9, marks a departure from its predecessor: unlike the original, this variant is not written in Go. It has a smaller file size, is UPX-packed, and carries encrypted strings alongside a hard-coded command-and-control (C2) domain, 0bot.qzz[.]io. The evolution of Zerobot indicates that its operators are continuously enhancing their malware capabilities.
According to researchers at Akamai, attempts to exploit these vulnerabilities were first identified in mid-January 2026, utilizing a global network of honeypots. The origins of this campaign can be traced back to early December 2025, making it one of the initial confirmed cases of exploitation of these specific vulnerabilities following their public disclosure in 2025. The investigation was led by Kyle Lefton, a security researcher with expertise in threat research and cyber defense.
The campaign exploits two primary vulnerabilities: CVE-2025-7544 and CVE-2025-68613. CVE-2025-7544, disclosed in July 2025, is a critical stack-based buffer overflow in the /goform/setMacFilterCfg endpoint of Tenda AC1206 devices running firmware version 15.03.06.23. Attackers can trigger it remotely by supplying an oversized value in the deviceList parameter, potentially leading to denial of service (DoS) and remote code execution (RCE). The second, CVE-2025-68613, published in December 2025, affects the n8n workflow expression evaluation system and enables arbitrary code execution due to insufficient sandboxing.
What heightens concerns about this campaign is its focus on n8n, a platform typically used for enterprise automation, alongside traditional IoT hardware. Many organizations depend on n8n for connecting databases and managing sensitive systems. A successful compromise could facilitate serious breaches within an organization’s critical infrastructure.
Mechanism of Infection and Malware Delivery
Once a vulnerable Tenda router or n8n instance is detected, Zerobot launches the corresponding exploit, which makes the device download a malicious shell script named tol.sh from a U.S.-based IP address, 144.172.100.228. This script installs busybox in the /tmp directory, assigns execution permissions, and retrieves the main Mirai-based malware payload, zerobotv9. The payload is built for multiple CPU architectures, a characteristic commonly seen in Mirai-based downloaders.
The exploit is initiated by sending 500 repeated characters through the deviceList parameter to trigger the buffer overflow. In the case of the n8n attack, commands are sent via the workflow API to execute tol.sh and load the same payload. The zerobotv9 binary incorporates hard-coded user-agent strings that mimic legitimate browser traffic, helping it evade network detection. This malware also features enhanced attack methods, including TCPXmas, Mixamp, SSH, and Discord, expanding its capabilities beyond the original Zerobot variant from 2022.
Further observations revealed that the botnet targets other vulnerabilities, such as CVE-2017-9841, CVE-2021-3129, and CVE-2022-22947, employing fallback connection techniques like netcat, socat, and Perl socket methods.
Organizations utilizing Tenda AC1206 routers with firmware version 15.03.06.23 are strongly advised to implement immediate patches or replace outdated hardware. Users of n8n should upgrade beyond version 1.22.0, limit access to the workflow execution interface, and enforce stringent user privilege controls. Additionally, network defenders should monitor or block known malicious IP addresses: 103.59.160.237, 140.233.190.96, 144.172.100.228, 172.86.123.179, and 216.126.227.101, as well as the C2 domain 0bot.qzz[.]io. Implementing the YARA and Snort detection rules published by Akamai’s SIRT will further assist security teams in identifying and responding to related activities across their networks.
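The infection chain described above (an oversized deviceList value posted to /goform/setMacFilterCfg, followed by a fetch of tol.sh from a listed IP and contact with the C2 domain) and the indicators in the mitigation advice can be turned into a simple log check. The script below is an added example, not code from the article or from Akamai's SIRT; the JSON-lines log layout, the deviceList length threshold and the sample events are constructed assumptions, and the only indicators it uses are the ones stated in the article.

```python
"""Added example: flag Zerobot/zerobotv9 activity in proxy/WAF and DNS logs.

The event layout (one JSON object per line with "type", "src", "dst",
"method", "url", "body" or "qname") is an assumption made for this example;
adapt the field names to your own log source. The indicators below are the
ones published in the article; the sample log lines are constructed.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Indicators from the article. The C2 domain is kept defanged and is only
# refanged at comparison time.
IOC_IPS = {
    "103.59.160.237", "140.233.190.96", "144.172.100.228",
    "172.86.123.179", "216.126.227.101",
}
C2_DOMAIN_DEFANGED = "0bot.qzz[.]io"
DOWNLOADER_NAME = "tol.sh"
TENDA_ENDPOINT = "/goform/setMacFilterCfg"
# deviceList values longer than this are treated as overflow attempts. The
# article reports 500 repeated characters; 128 is an assumed safe margin for
# legitimate MAC-filter entries.
DEVICELIST_MAX_LEN = 128


def refang(indicator: str) -> str:
    """Turn a defanged indicator (x[.]y) back into a matchable hostname."""
    return indicator.replace("[.]", ".")


def http_alerts(event: dict) -> list:
    """Return the list of detection reasons that apply to one HTTP event."""
    reasons = []
    parts = urlsplit(event.get("url", ""))
    host = (parts.hostname or "").lower()
    path = parts.path
    # 1. Oversized deviceList posted to the vulnerable Tenda endpoint.
    if event.get("method") == "POST" and path == TENDA_ENDPOINT:
        values = parse_qs(event.get("body", ""), keep_blank_values=True)
        if any(len(v) > DEVICELIST_MAX_LEN for v in values.get("deviceList", [])):
            reasons.append("tenda-devicelist-overflow")
    # 2. Fetch of the downloader script by name.
    if path.rsplit("/", 1)[-1] == DOWNLOADER_NAME:
        reasons.append("zerobot-downloader-fetch")
    # 3. Any contact with a published distribution/C2 IP address.
    if host in IOC_IPS or event.get("dst") in IOC_IPS:
        reasons.append("known-zerobot-ip")
    # 4. HTTP traffic directly to the C2 domain.
    if host == refang(C2_DOMAIN_DEFANGED):
        reasons.append("zerobot-c2-domain")
    return reasons


def dns_alerts(event: dict) -> list:
    """Flag DNS lookups of the C2 domain or any of its subdomains."""
    qname = event.get("qname", "").rstrip(".").lower()
    c2 = refang(C2_DOMAIN_DEFANGED)
    if qname == c2 or qname.endswith("." + c2):
        return ["zerobot-c2-domain"]
    return []


def scan(lines: list) -> list:
    """Scan JSON-lines log input; return (line_no, source, reasons) tuples."""
    alerts = []
    for line_no, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = http_alerts(event) if event.get("type") == "http" else dns_alerts(event)
        if reasons:
            alerts.append((line_no, event.get("src", "?"), reasons))
    return alerts


# Constructed sample log: an overflow attempt against a router (192.0.2.1),
# the router fetching tol.sh, a benign MAC-filter change, and a C2 lookup.
SAMPLE_LOG = [
    json.dumps({"type": "http", "src": "198.51.100.7", "dst": "192.0.2.1",
                "method": "POST", "url": "http://192.0.2.1" + TENDA_ENDPOINT,
                "body": "macFilterType=black&deviceList=" + "A" * 500}),
    json.dumps({"type": "http", "src": "192.0.2.1", "dst": "144.172.100.228",
                "method": "GET", "url": "http://144.172.100.228/tol.sh", "body": ""}),
    json.dumps({"type": "http", "src": "192.0.2.50", "dst": "192.0.2.1",
                "method": "POST", "url": "http://192.0.2.1" + TENDA_ENDPOINT,
                "body": "macFilterType=black&deviceList=00:11:22:33:44:55"}),
    json.dumps({"type": "dns", "src": "192.0.2.1", "qname": "0bot.qzz.io."}),
]


def run_sample() -> list:
    """Run the detector over the constructed sample log."""
    return scan(SAMPLE_LOG)


if __name__ == "__main__":
    for line_no, src, reasons in run_sample():
        print(f"line {line_no}: {src} -> {', '.join(reasons)}")
```

The length check rather than a fixed 500-character signature is deliberate: it catches the reported overflow without depending on the exact padding an operator chooses, while a legitimate MAC-filter entry stays well under the threshold. Matching the downloader by file name and the IP list by both URL host and destination address means the fetch is caught whether the log records the request URL, the connection tuple, or both.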