A massive botnet comprising approximately 13,000 hijacked MikroTik routers has been deployed to distribute malware through spam campaigns, highlighting the persistent security risks tied to misconfigured networking devices.

Dubbed Mikro Typo by DNS security firm Infoblox, the campaign abuses vulnerabilities in MikroTik routers to send malicious emails that appear to originate from legitimate domains. These emails entice recipients with fraudulent freight invoice attachments, tricking them into launching a ZIP archive containing a harmful payload. The payload includes obfuscated JavaScript that runs a PowerShell script, connecting to a remote command-and-control (C2) server to further execute attacks.

The entry point for compromising the routers remains unclear, but several outdated firmware versions—including those susceptible to CVE-2023-30799, a critical privilege escalation vulnerability—are implicated. According to Infoblox researcher David Brunsdon, attackers have embedded scripts within the compromised devices to enable SOCKS proxies, transforming the routers into TCP redirectors that obscure the true origin of malicious traffic. This setup complicates efforts to trace and mitigate the threat while posing serious risks due to the lack of authentication for these proxies. This vulnerability allows other attackers to harness the botnet for a variety of malicious actions, from distributed denial-of-service (DDoS) attacks to phishing and data exfiltration schemes.

Compounding the impact, the malspam campaign exploits sender policy framework (SPF) misconfigurations in the DNS records of 20,000 domains. Specifically, the overly permissive "+all" setting undermines SPF’s purpose, allowing any device—including compromised MikroTik routers—to spoof legitimate domains and bypass email security controls. Experts urge MikroTik device owners to secure their routers by updating firmware and changing default credentials to prevent further exploitation. As Brunsdon cautioned, the scale of the compromised network and the use of SOCKS proxies present significant challenges, underscoring the importance of implementing robust security defenses to protect against this evolving threat landscape.