A new botnet, comprising 13,000 hijacked MikroTik devices, has been leveraging a misconfiguration in domain name system (DNS) records to bypass email protections and distribute malware through spoofed emails.
The attack exploits a misconfiguration of the Sender Policy Framework (SPF), the mechanism that authenticates email senders by publishing, in a domain's DNS, the list of servers authorized to send mail for it. According to DNS security firm Infoblox, the threat actor took advantage of SPF records with an overly permissive configuration: specifically the "+all" option, which tells receiving mail servers that any host on the internet is authorized to send email on behalf of the domain. This made it easy for attackers to spoof legitimate email addresses and deliver malicious payloads.
Around 20,000 web domains, including well-known entities like DHL Express, were impacted in the attack. Many of the spam emails impersonated the shipping company and contained fake freight invoices. The emails came with ZIP archives that, when opened, executed a JavaScript file designed to trigger a PowerShell script. The script then established a connection to a command and control (C2) server, which was previously linked to Russian hacker groups.
Infoblox noted that the widespread SPF misconfiguration allowed attackers to send email from virtually any server, undermining the protective mechanism of SPF.
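To make the misconfiguration concrete, the following is an added example (not code from the article or from Infoblox) showing how a defender can audit SPF records for the "+all" problem. It parses each record, follows include: and redirect= so that a permissive policy inherited from another domain is surfaced too, and classifies what the policy says about an arbitrary, unauthorized sender. The domains and TXT strings below are constructed sample data standing in for real DNS answers; the lookup function would be swapped for a real TXT query in practice.

```python
import re

# Constructed sample zone (not the records of any domain named in the article).
# Maps domain -> list of TXT strings, as a DNS TXT query would return them.
SAMPLE_TXT = {
    "permissive.example": ["v=spf1 ip4:203.0.113.10 +all"],          # the misconfiguration
    "implicit.example": ["v=spf1 ip4:203.0.113.10 all"],             # no qualifier means "+"
    "strict.example": ["v=spf1 ip4:203.0.113.10 include:_spf.mail.example -all"],
    "soft.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_spf.mail.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "nested.example": ["v=spf1 include:relay.example -all"],         # strict on the surface...
    "relay.example": ["v=spf1 +all"],                                # ...but the include is open
    "redirected.example": ["v=spf1 redirect=relay.example"],
    "nospf.example": ["some-unrelated-verification-token"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # RFC 7208 caps DNS-querying terms at 10 per evaluation


def lookup_txt(domain):
    """Stand-in for a DNS TXT query; reads the constructed zone above."""
    return SAMPLE_TXT.get(domain.lower(), [])


def spf_record(domain, txt_lookup=lookup_txt):
    """Return (record, error). Exactly one v=spf1 record is required."""
    recs = [r for r in txt_lookup(domain) if r.lower().split()[:1] == ["v=spf1"]]
    if not recs:
        return None, "missing"
    if len(recs) > 1:
        return None, "error"  # multiple records are a permerror
    return recs[0], None


def parse_terms(record):
    """Yield (qualifier, name, arg) for every term after the v=spf1 tag.
    Modifiers such as redirect=/exp= are yielded with qualifier None."""
    for tok in record.split()[1:]:
        if "=" in tok:
            name, _, arg = tok.partition("=")
            yield None, name.lower(), arg
            continue
        m = re.fullmatch(r"([+\-~?]?)([A-Za-z0-9]+)(?:[:/](.*))?", tok)
        if not m:
            raise ValueError(f"unparseable SPF term: {tok!r}")
        q, name, arg = m.groups()
        yield q or "+", name.lower(), arg  # a missing qualifier defaults to "+"


def assess_spf(domain, txt_lookup=lookup_txt, depth=0):
    """Classify what a domain's SPF policy returns for an arbitrary sender.

    'pass' means any host may send as this domain (the "+all" misconfiguration).
    Other results: 'fail', 'softfail', 'neutral', 'missing', 'error'.
    """
    if depth > MAX_DEPTH:
        return "error"
    record, err = spf_record(domain, txt_lookup)
    if err:
        return err
    redirect = None
    for q, name, arg in parse_terms(record):
        if q is None:
            if name == "redirect":
                redirect = arg
            continue  # exp= and unknown modifiers do not change the result
        if name == "all":
            return QUALIFIER[q]  # "all" matches everything; later terms are never reached
        if name == "include":
            # include: matches an arbitrary sender only if the included policy
            # passes everyone; in that case the outer qualifier decides.
            if assess_spf(arg, txt_lookup, depth + 1) == "pass":
                return QUALIFIER[q]
        # ip4/ip6/a/mx/ptr/exists match specific hosts only, so they can
        # never make the policy pass an arbitrary sender.
    if redirect:
        return assess_spf(redirect, txt_lookup, depth + 1)
    return "neutral"  # no "all" and no redirect: the RFC 7208 default result


def audit(domains, txt_lookup=lookup_txt):
    """Return {domain: verdict}; 'pass' entries are the spoofable ones."""
    return {d: assess_spf(d, txt_lookup) for d in domains}


if __name__ == "__main__":
    for domain, verdict in audit(sorted(SAMPLE_TXT)).items():
        flag = "  <-- anyone can send as this domain" if verdict == "pass" else ""
        print(f"{domain:25s} {verdict}{flag}")
```

Note that nested.example ends in "-all" and looks correct in isolation; it is flagged only because the audit follows the include into relay.example. That is the case a naive grep for "+all" over a domain's own record misses.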
The compromised MikroTik devices were configured as SOCKS4 proxies, making them ideal for launching Distributed Denial of Service (DDoS) attacks, sending phishing emails, and exfiltrating sensitive data.
“Even though the botnet consists of 13,000 devices, their configuration as SOCKS proxies allows tens or even hundreds of thousands of compromised machines to use them for network access, significantly amplifying the potential scale and impact of the botnet’s operations,” Infoblox noted.