Threat Intelligence

Campaign briefs and adversary profiles derived from the cowrAI distributed honeypot fleet — 36 nodes across 7 providers.

Fleet active · 36 nodes SSH/Telnet · 9 alt-protocol lures · LLM-mode engagement
Active Campaigns

FROSTY — Mirai-Lineage IoT Botnet

Mirai

Opportunistic IoT DDoS botnet exploiting two 2014–2017 SOAP RCE CVEs in Realtek and Huawei CPE devices. Campaign observed across all 36 fleet nodes over a 31-day window. The self-replication arguments passed on compromise confirm the Mirai distribution-on-compromise lineage.

33,431 events · 41/62 VT detections · triage score 10 · 3 C2/distribution nodes · 31-day window

About These Reports

Each brief is derived from live honeypot data collected by the cowrAI fleet — 36 cowrie nodes running SSH, Telnet, and alt-protocol lures (soaplure, httplure, adbhoney, and others). All lure-captured payloads are automatically submitted to VirusTotal and tria.ge; confirmed samples are detonated in an isolated WARP-egress sandbox for behavioral analysis.

Reports include: IOC tables, MITRE ATT&CK mappings, Suricata detection rules, raw exploit payload captures, and C2 infrastructure profiling. Distribution frequency: as-observed (one brief per distinct campaign or threat actor).