The Hoaxcalls and Mirai botnet campaigns are targeting a post-authentication Remote Code Execution vulnerability in Symantec Secure Web Gateway 5.0.2.8. The vulnerability was first discovered in April 2020, exploiting recently disclosed vulnerabilities in certain models of Grandstream business telephone IP PBX systems, and Draytek Vigor routers. This latest version of the botnet supports additional commands that allow an attacker greater control on the infected devices, such as the possibility to proxy traffic through them, downloading updates, maintaining persistence across device restarts, and a larger number of DDoS attacks that can be launched.”]
Source: https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/