I adapted this article from my LinkedIn newsfeed to highlight not only a new cyber threat but also a brilliant cybersecurity researcher: Ms. Tammy HARPER.
She published a detailed article on July 10, 2025, exposing a new exploitation framework named MIKRONET that has been put up for sale on Russian-speaking forums. Sold for $2,800 per license (15 units available), this kit allows complete takeover of MikroTik routers through advanced functionalities including bruteforce, centralized control, data exfiltration, lateral movement, and monetization via proxy or VPN services.
Here is a comprehensive summary of MIKRONET’s operational workflow and technical capabilities, based on Tammy Harper’s excellent research, translated into English.
Initial Access: Discovery and Bruteforce MIKRONET integrates automated bruteforce modules targeting exposed MikroTik router services, including:
- Winbox (port 8291)
- API (ports 8728/8729)
- SSH (port 22)
The framework attempts common username/password combinations (admin, root, admin1, etc.). Upon success, it can:
- Enable SSH access if disabled
- Install an SSH key for persistence
- Export compromised credentials in ip:login:pass format
Centralized Control and Bot Management Once routers are compromised, they are integrated into a centralized admin interface:
- Real-time bot display with status (GOOD/BAD), firmware, model, architecture, credentials
- Bulk import and management via text files
- Execute commands across all bots simultaneously
- Deploy custom scripts on all devices
This system enables coordinated, persistent remote control of large heterogeneous infrastructures.
Sensitive Data Exfiltration MIKRONET provides comprehensive inventory capabilities of compromised devices:
- List of users, groups, and active sessions
- ARP tables, IP routes, LAN topology
- Hardware details: model, serial, CPU, RAM, firmware
- Extraction of VPN (PPTP, L2TP, IPSec), Wi-Fi, and email passwords
This data helps with internal mapping, preparing lateral movement, and understanding the attack surface.
Persistence, Evasion, and Security The framework integrates features to:
- Delete system logs and disable logging
- Encrypt all botnet database data
- Elevate user account privileges (write to full)
- Install SSH keys to avoid reauthentication
The goal is to hide the infection, evade detection, and ensure long-term access.
Offensive Network Modules MIKRONET can turn routers into network abuse platforms:
- Deploy HTTP/SOCKS proxies for traffic relay and anonymization
- Install VPN servers (PPTP, OpenVPN, WireGuard)
- Launch ICMP floods for load testing or internal DDoS
- DNS spoofing, ARP/NetBIOS scans to identify Windows machines and nearby infrastructure
The collected data enables precise subnet mapping, detection of vulnerable targets, and botnet expansion.
Traffic Analysis and Credential Theft MIKRONET includes a network sniffing module enabling:
- Packet capture (.pcap)
- Analysis of unencrypted or weak protocols (HTTP, FTP, SMTP)
- Automatic extraction of credentials, session tokens, or enrollment data
Intercepted connections are analyzed in real time and stored in technical logs for future exploitation.
Complementary Functions and Integrations
- Shodan API: gathers info on detected routers
- IP-API.com: geolocates IP addresses
- Automated exports of proxy or VPN access lists
These features enrich the operational environment of the botnet and support access resale or targeted attack preparation.
Summary: Industrialized Compromise MIKRONET marks a new level in the professionalization of infrastructure compromise tools:
- Automated and stealthy bruteforce
- Full system takeover
- Centralized multi-bot management
- Advanced evasion, sniffing, and exploitation capabilities
- Direct monetization via VPN, proxy, or data theft
This toolkit turns each compromised router into an entry point, relay, or technical asset within a cybercriminal or covert operation framework.
Recommendations For security managers, CERTs, and CISOs, it is critical to:
- Disable unnecessary services on MikroTik routers (Winbox, API)
- Apply all official security patches
- Restrict access to critical ports to internal IP ranges
- Monitor logs for anomalies or suspicious deletions
- Implement specific hardening policies for network routers
Sources:
LinkedIn Article: https://www.linkedin.com/pulse/next-gen-mikronet-botnet-toolkit-appears-tammy-harper-w6htc
Tammy Harper LinkedIn Profile: https://www.linkedin.com/in/tammyharper11/
