EyeNetIE

Bot User-Agent: eyenetie

⚠️ Overview

EyeNetIE is a Chinese-origin malicious botnet first documented in mid-2021 by security researchers at Palo Alto Networks Unit 42 and subsequently tracked by the SANS Internet Storm Center. It is attributed to the threat actor group known as "Moobot" or "Mirai variant" actors, though the exact maintainer remains anonymous. The botnet primarily targets TP-Link Archer routers and other embedded IoT devices, exploiting known vulnerabilities for initial compromise.

🔧 Technical Capabilities

EyeNetIE performs rapid internet-wide scanning on ports 23 (Telnet), 80 (HTTP), and 443 (HTTPS) to identify vulnerable TP-Link devices, particularly those running firmware versions susceptible to CVE-2021-35394 (a command injection vulnerability in TP-Link Archer C5v and C1200 routers). Once a vulnerable device is located, the bot uses a hardcoded payload to execute remote commands, typically dropping a ELF binary that connects back to a command-and-control (C2) server over raw TCP. The bot then serves as a DDoS agent capable of launching UDP, TCP SYN, and HTTP flood attacks. Additionally, EyeNetIE scans for open Telnet ports with default credentials (e.g., admin/admin) to brute-force its way into additional devices, expanding its botnet size. The malware is self-propagating: after compromising a device, it attempts to infect other devices on the same local network via ARP spoofing and credential reuse. It also modifies iptables rules on Linux-based routers to block competing malware and to hide its own connections from administrators.

📜 History & Notable Incidents

EyeNetIE first emerged inJune 2021 when Unit 42 observed a spike in scanning activity targeting TP-Link routers in Asia and North America. In August 2021, a significant incident involved the compromise of over 5,000 devices within 24 hours, as reported by Netscout’s ASERT team. The botnet was linked to DDoS attacks against online gaming platforms and cryptocurrency exchanges in late 2021. No specific CVE was assigned to EyeNetIE itself, but it heavily relies on CVE-2021-35394 (CVSS 9.8) for initial access. Researchers from Qihoo 360’s NetLab subsequently released a PoC for that vulnerability on GitHub, which was rapidly incorporated into the bot’s exploit module.

🔍 Detection Indicators

The primary detection fingerprint is the HTTP User-Agent string "EyeNetIE" (exact case-sensitive), observed in GET requests to device login pages and exploit endpoints. Behavioral indicators include repeated rapid connection attempts from a single IP to port 23 and 80 within seconds, often targeting TP-Link-specific URL paths like `/cgi-bin/luci/;stok=/locale`. Network traffic analysis may reveal outbound connections from compromised devices to IP addresses on ports 6789 or 8888, which are common C2 channels.

☠️ Risk & Impact

If undetected, EyeNetIE can fully compromise a TP-Link router or IoT device, giving attackers remote shell access and the ability to pivot to internal networks. The botnet can then be used to launch massive DDoS attacks capable of saturating 100 Gbps+ links, as demonstrated in multiple incidents. Additionally, the malware can exfiltrate device configuration files containing Wi-Fi passwords and VPN credentials, leading to broader network infiltration.

🛡️ Mitigation

EyeNetIE is blocked immediately on detection because its presence confirms active exploitation of a known vulnerability and immediate device takeover. Mitigation steps include updating TP-Link firmware to patched versions, disabling Telnet and UPnP on IoT devices, and implementing network-level User-Agent filtering for the EyeNetIE string.

53% of Web Traffic Is Bots in 2026

— Imperva Bad Bot Report 2026

How much of your traffic is automated? Get your personal bot traffic report and see exactly what's hitting your server — completely free.

📊 Get My Bot Report

Sign up in seconds  ·  No card required

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.