
Sample May 7, 2026

vcimanagement.x64, Uirusu/2.0 Mirai-derivative IoT botnet

Family: Mirai
Variant: Uirusu/2.0
Arch: x86_64
Size: 766 KB

§ Hashes

SHA256: 38dce395aa82fea8b4ea00de17e14f3b7db9a5ebb28e82529ed66aa2b0f44eb0
MD5: 654c32932b22fc8b0b486c2ecdeb1613
File name: vcimanagement.x64
Reporter: nuclide


Mirai-derivative IoT botnet, x86-64 ELF build. Recovered 2026-05-06 from a Tencent Cloud Beijing victim host (101.34.81.166) that had been compromised via unauthenticated Jupyter Notebook on port 8888 and was also infected sequentially by Hilix-classic (separate sample, see dropped_by_sha256).

The botnet author’s signature is the literal User-Agent string Uirusu/2.0; uirusu (ウイルス) is Japanese for “virus.”

Bundled exploit modules

This sample is broader than the Hilix-classic build. Embedded RCE primitives:

  • UPnP-Huawei-HG532 SOAP CmdInjection (CVE-2017-17215)
  • ThinkPHP invokefunction RCE (CVE-2018-20062)
  • MVPower DVR ViewLog.asp RCE
  • Hardcoded Huawei dslf-config:HuaweiHomeGateway Digest-auth admin RCE

Indicators

  • C2 / payload distribution: 173.232.146.173 (Eonix Corporation, rDNS zknotes.com, separately reported to net-abuse@eonix.net)
  • Payload paths: /bins/x86, /mips, /8UsA.sh (shell installer)
  • Campaign argv: mips, ThinkPHP
  • Foothold pattern: open Jupyter :8888 → kernel exec → reverse shell → drop bot

Public availability

  • MalwareBazaar: bazaar.abuse.ch/sample/38dce395… (reporter: nuclide, auto-classified Mirai family; carries dropped_by_sha256 link to the Hilix sample)
  • VirusTotal: virustotal.com/gui/file/38dce395…
  • First public submission: 2026-05-07 (NuClide). Pre-submission lookups confirmed not previously known to VT, MB, AlienVault OTX, or GitHub-indexed code.

Source

Full incident: multi-hilix-jupyter-campaign-2026-05-06. Evidence pack: evidence/hilix-uirusu-jupyter-campaign-2026-05-06.