If you see unusual strings like /tmp/runme or suspicious IP addresses, do not restore that backup.
In early 2025, security researchers at NetScout observed a campaign targeting ISP edge routers. Attackers did not brute-force passwords. Instead, they sent spoofed WinBox provisioning packets containing a corrupted .backup file to routers with default ports (8291) open. mikrotik backup patched