Two Tenda router zero-days are anchoring the spread of a Mirai-based botnet called Ttint. In addition to denial-of-service (DoS) attacks, this variant also has remote-access trojan (RAT) and spyware capabilities. 360Netlab observed the attackers using a Google cloud service IP, before switching to a hosting provider in Hong Kong. The first zero-day vulnerability used to spread the botnet has been exploited since at least November of last year.
Source: https://threatpost.com/tenda-router-zero-days-spyware-botnet/159834/