
Hackers are actively compromising outdated GeoVision IoT devices to conscript them into the Mirai botnet. According to researchers at Akamai, the attacks have been ongoing since early April 2025 and exploit two critical vulnerabilities—CVE-2024-6047 and CVE-2024-11120—both rated 9.8 on the CVSS scale. These flaws allow remote attackers to execute arbitrary commands on the system.
The primary target is an obsolete CGI endpoint, /DateSetting.cgi, through which commands are injected via the szSrvIpAddr parameter to download and launch a version of the Mirai malware compiled for ARM architecture. This particular variant has been dubbed LZRD.
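As an added example (not taken from Akamai's report or the original article), a defender can scan web or proxy logs for requests to this endpoint whose szSrvIpAddr value is anything other than a plain hostname or IP address. The record layout (method, request target, form body), the function names and the sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allowlist: a time-server field should hold only a hostname or IP address.
SAFE_HOST = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")

# Constructed sample records (method, request target, form body); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/DateSetting.cgi", "foo=1&szSrvIpAddr=time.example.org"),
    ("POST", "/DateSetting.cgi", "szSrvIpAddr=192.0.2.10%3BCONSTRUCTED"),
    ("GET", "/DateSetting.cgi?szSrvIpAddr=192.0.2.10%7CCONSTRUCTED", ""),
    ("GET", "/index.html?szSrvIpAddr=a%3Bb", ""),
]


def suspicious_values(method, target, body=""):
    """Return decoded szSrvIpAddr values that are not a plain hostname or IP."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/datesetting.cgi"):
        return []  # a different endpoint, out of scope for this check
    # parse_qs percent-decodes values, so encoded metacharacters are seen too.
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return [v for v in params.get("szSrvIpAddr", []) if not SAFE_HOST.fullmatch(v)]


def scan(records):
    """Return (record index, offending values) for every record that is flagged."""
    hits = []
    for index, (method, target, body) in enumerate(records):
        bad = suspicious_values(method, target, body)
        if bad:
            hits.append((index, bad))
    return hits


if __name__ == "__main__":
    for index, bad in scan(SAMPLE_REQUESTS):
        print(f"record {index}: unexpected szSrvIpAddr value(s): {bad!r}")
```

Because the affected devices are end-of-life, any externally sourced request to this endpoint is worth reviewing even when the parameter value passes the allowlist.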
Beyond GeoVision, the botnet also leverages other well-known vulnerabilities, including one in Hadoop YARN (CVE-2018-10561) and another affecting DigiEver hardware, first documented in December 2024 but lacking an official CVE designation. Researchers suspect the campaign may be linked to the group previously tracked under the alias InfectedSlurs.
Experts underscore that attacks on devices running outdated firmware remain one of the most straightforward and effective methods of botnet expansion. Many of these products are no longer supported by their manufacturers—some of whom have ceased operations entirely—leaving vulnerable systems indefinitely exposed without security updates.
Given that the targeted GeoVision devices are officially end-of-life, users are strongly advised to replace them with modern, actively supported alternatives.
Meanwhile, the Mirai botnet has broadened its scope beyond surveillance cameras and is now infiltrating corporate Samsung systems. Through a vulnerability in MagicINFO 9 (CVE-2024-7399), attackers deploy a shell that downloads a modified version of Mirai directly onto digital signage and advertising panels. In a particularly ironic twist, many of these compromised displays are located in shopping malls and airports—now serving not only advertisements but also quietly contributing to large-scale DDoS attacks.