Campaign briefs and adversary profiles derived from the cowrAI distributed honeypot fleet — 36 nodes across 7 providers.
Multi-stage campaign targeting exposed Docker APIs: 157K+ commands over 30 days using five container escape techniques (chroot /host, /hostfs, /mnt, cgroup release_agent, host cron persistence). Base64-encoded payloads download a cryptominer from 7 C2 IPs. A separate cluster deploys the full Xmrig toolchain with cron + systemd persistence and a Python reverse shell on TCP:666. Cloud metadata exfiltration (AWS IMDS + GCP) and VMware/ONVIF probing were also observed.
Coordinated two-phase campaign: 610K+ credential attempts using 345gs5662d34 as both username and password across 7,900 unique IPs. Upon successful login, the attacker injects a hardcoded RSA SSH key (comment: mdrfckr) into authorized_keys — 258K injections. Includes a chattr -ia hardening bypass (clearing the immutable and append-only file attributes before writing). The same IPs perform both phases — a single botnet operation. Active across all sensors for 30 days.
Attacker uses GitLab's release CDN as a malware distribution channel — downloading multi-arch Xmrig static builds from gitlab.com/Kanedias/xmrig-static via the /permalink/latest/ URL. Three weekly deployment waves at ~09:40 UTC from a cloud-hosting source IP. Blocklist evasion: gitlab.com cannot be blocked without impacting development. Hash-based IOCs rotate weekly with each new release build.
Unauthenticated telnet exploitation campaign achieving 37 successful RCE events from 4 IPs. The primary actor (195.86.56.10) achieved 31 successes in 73 minutes (86% success rate) and injected an ed25519 SSH key with the comment chaos@kali-57ca9a — direct Kali Linux attribution. The post-exploit sequence includes authorized_keys verification (wc -c, wc -l), suggesting semi-automated tooling with feedback loops.
Mass Redis exploitation from 3,550 unique IPs over 30 days. Three attack patterns: (1) cron/SSH key persistence via CONFIG SET + SAVE — 27K CONFIG events; (2) rogue-master replication via SLAVEOF + MODULE LOAD + SYSTEM.EXEC — 117 IPs attempting RCE through loaded modules; (3) binary protocol fuzzing with crafted RESP frames targeting a parser vulnerability. The top operator ran the full exploitation suite: 772 SLAVEOF + 514 MODULE + 4,124 CONFIG.
Coordinated fleet of 4 scanner IPs (abuse-tolerant hosting: Datacamp, M247, HostRoyale, 31173) probing Apache mod_http2 for CVE-2026-23918 — a Rapid Reset variant using RST_STREAM(STREAM_CLOSED=0x5) to bypass the CANCEL-rate-limit patch from CVE-2023-44487. Active Jun 19–23 2026 across 5 fleet nodes; 391 STREAM_CLOSED RSTs, 236 sessions, rotating Mac Chrome/Safari UA fingerprints. No payload delivery — pure vulnerability scan.
Three concurrent campaigns: Flylegit 14-arch IoT worm (t.me/flylegit) with active honeypot evasion and 0/72 VT detections; Frosty Mirai targeting Realtek with live C2 confirmed across 14 sandbox detonations; and a Next.js Server Actions RSC prototype-pollution RCE scanner.
Active IoT botnet exploiting D-Link DSL-2750B HNAP command injection and Realtek miniigd UPnP SOAP RCE (CVE-2014-8361) across 9 architectures. Dual binary naming convention (kaizen.* / kwari.*) suggests split infrastructure or evolving rebranding. C2 confirmed at 185.234.100.154:2310 via sandbox detonation.
Mirai-lineage botnet with the widest architecture coverage observed on the fleet (11+ arches including SPARC, SH4/Renesas, m68k, PowerPC). SSH brute-force entry with a four-fallback downloader (wget → busybox wget → curl → busybox curl) and dual-location persistence via /dev/shm and /var. The distribution path /bachekuni/ is unique; no prior public reporting.
Opportunistic IoT DDoS botnet exploiting two 2014–2017 SOAP RCE CVEs across Realtek and Huawei CPE devices. Campaign observed across all 36 fleet nodes over 31 days. Self-replication args confirm the Mirai distribution-on-compromise lineage.
Each brief is derived from live honeypot data collected by a distributed sensor fleet running SSH, Telnet, and custom protocol lures. All captured payloads are automatically submitted to VirusTotal and tria.ge; confirmed samples are detonated in an isolated sandbox for behavioral analysis.
Reports include: IOC tables, MITRE ATT&CK mappings, Suricata detection rules, raw exploit payload captures, and C2 infrastructure profiling. Distribution frequency: as-observed (one brief per distinct campaign or threat actor).