Alleged Chinese malware targets your router

Emre Çitak
May 17, 2023

Researchers have uncovered a malicious firmware that exploits a wide range of residential and small office routers, effectively creating a covert network used to relay traffic to command and control servers operated by Chinese state-sponsored hackers. The discovery, detailed by Check Point Research, exposes a comprehensive backdoor within the firmware, granting attackers the ability to establish communication channels, conduct file transfers, issue remote commands, and manipulate files.

Although initially targeting TP-Link routers, the adaptable nature of the meticulously crafted C++ code allows for easy modifications to accommodate other router models.

Relaying traffic and concealing origins

The primary purpose of the malware is to facilitate the transmission of data between compromised targets and the command and control servers, all while obscuring the true origins and destinations of the communication. Further investigation by Check Point Research revealed that the control infrastructure was linked to Mustang Panda, an advanced persistent threat actor known to operate on behalf of the Chinese government, as confirmed by security firms Avast and ESET.

The researchers highlighted that router implants are typically deployed on random devices, rather than being specifically targeted at homeowners, with the intention of establishing a chain of nodes between main infections and real command and control centers. In this way, infecting a home router serves as a means to an end, rather than a direct attack on the homeowner.

Malware targets TP-Link routers

The functionality of the implant

The researchers identified the presence of an implant, internally referred to as Horse Shell, while investigating a series of targeted attacks against European foreign affairs entities. Horse Shell encompasses three primary functions: a remote shell for executing commands on infected devices, a file transfer mechanism for uploading and downloading files, and the utilization of SOCKS5 protocol for exchanging data between devices and forwarding UDP packets.

The SOCKS5 functionality appears to be the ultimate objective of the implant, enabling the creation of an encrypted chain of infected devices that establish connections with only the closest neighboring nodes, making it difficult for outsiders to discern the true origin or purpose of the infection.

Installation methods

The employment of routers and Internet of Things (IoT) devices to mask control servers and clandestinely proxy traffic is a well-established tactic employed by threat actors. Notable examples include the VPNFilter malware, attributed to the Kremlin-backed APT28 (also known as Fancy Bear), which infected over 500,000 networking devices from various manufacturers.

Similarly, ZuoRAT and Hiatus targeted routers made by Cisco, Netgear, Asus, and DrayTek, transforming them into SOCKS proxies. The researchers acknowledge that the method of implant installation remains uncertain, speculating that attackers may exploit unpatched vulnerabilities or exploit weak or default administrative credentials. TP-Link users with technical expertise are advised to verify the cryptographic hash of their current firmware against those provided by Check Point Research.

Cross-Platform capabilities

While the discovered firmware image currently targets TP-Link devices, there is nothing preventing the threat actors from creating images compatible with a broader range of hardware. This versatility stems from the incorporation of multiple open-source libraries into the code, including Telnet for remote shell access, libev for event handling, libbase32 for binary data encoding and decoding, and various containers based on the TOR smartlist.

The implant architects also drew inspiration from projects such as Shadowsocks-libev and udptun UDP tunnel, while utilizing HTTP headers from open-source repositories.


Tutorials & Tips

Previous Post: «
Next Post: «


  1. Iron Heart said on May 17, 2023 at 4:26 pm

    OpenWRT is a thing, you know. Don’t trust the closed source firmware that ships with your router!

  2. John G. said on May 17, 2023 at 12:03 pm

    All the chinese IPs should have supervision in the EU.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.