Botnet C2 Detections

Example botnet command-and-control (C2) servers detected by Bad Packets® Cyber Threat Intelligence

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 199.195.253.85 (🇺🇸)
Hosting provider: FranTech (AS53667)

C2 ports:
2323/tcp
10444/tcp
64334/tcp

Vulnerability exploited:
HiSilicon DVR RCE https://t.co/qaFAEk7lkF #threatintel

— Bad Packets Report (@bad_packets) August 21, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 198.98.62.146 (🇺🇸)
Hosting provider: FranTech (AS53667)

C2 ports:
23/tcp
91/tcp

Vulnerability exploited: CVE-2014-9727

Malware payload script: https://t.co/Um0xNXbBuz #threatintel pic.twitter.com/N1n47hQh1z

— Bad Packets Report (@bad_packets) August 18, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 51.91.202.137 (🇫🇷)
Hosting provider: Infinity Hosting

C2 ports:
8811/tcp
12345/tcp

Payload:
arm6https://t.co/wg7Y65kbm5
ftp://51.91.202.137/ #malware #opendir #threatintel https://t.co/dI5w8SLDb6 pic.twitter.com/oc9h62GQWn

— Bad Packets Report (@bad_packets) August 17, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!

IP address: 185.172.110.224 (🇳🇱)
Hosting provider: BladeServers (AS206898)

C2 ports:
993/tcp
11751/tcp

Vulnerabilities exploited:
CVE-2014-8361
CVE-2017-18368

ftp://185.172.110.224/ #malware #opendir #threatintel pic.twitter.com/WN2RnLQ3S5

— Bad Packets Report (@bad_packets) August 16, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet C2 server detected!

IP address: 45.95.147.26 (🇳🇱)
DNS: switchnets[.]net
Hosting provider: Alsycon
ASN: AS51942

C2 ports:
79/tcp
6968/tcp

Payload:
"unstable" https://t.co/pccK4P2Qra
http://45.95.147.26/b/ #opendir #malware #threatintel pic.twitter.com/6JiL8XNITr

— Bad Packets Report (@bad_packets) August 16, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 164.68.116.122 (🇩🇪)
Hosting provider: Contabo (AS51167)

C2 ports:
1337/tcp
65535/tcp

Exploit target:
Linksys routers

Malware payload:
"mipsel"https://t.co/69FzpKONBF #threatintel pic.twitter.com/IHbj1NJrOD

— Bad Packets Report (@bad_packets) August 16, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 213.139.205.242 (🇳🇱)
Hosting provider: @ShockHosting
ASN: AS136175 (Serverhosh)

C2 ports:
35668/tcp
455/tcp

Multiple "cloudbot" malware binaries:https://t.co/bPxvVRnDYa #threatintel https://t.co/Xm1lKNqdWi pic.twitter.com/Vd1bv1MhVA

— Bad Packets Report (@bad_packets) August 14, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!

IP address: 142.44.251.105 (🇨🇦)
Hosting provider: OVH (AS16276)

C2 ports:
11751/tcp
65535/tcp

Vulnerabilities exploited:
CVE-2017-18368
CVE-2014-8361
Linksys RCE

ftp://142.44.251.105/ #malware #opendir #threatintel pic.twitter.com/mgeZuxnmCW

— Bad Packets Report (@bad_packets) August 14, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet (DDoS) C2 server detected!

IP address: 31.13.195.49 (🇧🇬)
Hosting provider: VPS[.]bg
ASN: AS34224 (Neterra)

C2 ports:
79/tcp
6968/tcp

Vulnerabilities exploited:
JAWS web server RCE

Payload:
http://31.13.195.49/x #malware #threatintel pic.twitter.com/4XV9dyLjl2

— Bad Packets Report (@bad_packets) August 13, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 141.105.69.49 (🇷🇺)
Hosting provider: @Hostkey_Rus (AS49335)
C2 port: 8915/tcp

Exploit target: ZyXEL routers (CVE-2017-18368)
ftp://141.105.69.49/ #malware #opendir #threatintel pic.twitter.com/2pxycZoXiS

— Bad Packets Report (@bad_packets) August 12, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 185.82.202.24 (🇳🇱)
Hosting provider: HostSailor (🇦🇪)
ASN: AS60117

C2 ports:
11751/tcp
65535/tcp

Malware payload:
arm7https://t.co/INtpCkIRTg

ftp://185.82.202.24/ #opendir #threatintel pic.twitter.com/PXSVRuoCBB

— Bad Packets Report (@bad_packets) August 12, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 23.254.204.46 (🇺🇸)
Hosting provider: Hostwinds (AS54290)

C2 ports:
5301/tcp
9545/tcp

Vulnerabilities exploited:
CVE-2014-8361
CVE-2018-10561

Payload scripts:
/cool
/poo#threatintel https://t.co/Mfptg6GGXf pic.twitter.com/M99SC2ZAhN

— Bad Packets Report (@bad_packets) August 11, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!

IP address: 167.71.128.164 (🇬🇧)
Hosting provider: DigitalOcean (AS14061)

C2 ports:
1337/tcp
3663/tcp

Payload: /rep/zyxel.sh

Exploit target: ZyXEL routers (CVE-2017-18368)

ftp://167.71.128.164/ #opendir #threatintel pic.twitter.com/qtcQACqEnp

— Bad Packets Report (@bad_packets) August 10, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 40.89.175.73 (🇫🇷)
Hosting provider: Microsoft Azure (AS8075)

C2 ports:
1280/tcp
44460/tcp

Payload: http://40.89.175.73/distortion.mips
Exploit target: Linksys routers#threatintel pic.twitter.com/DAQ9jTGf9X

— Bad Packets Report (@bad_packets) August 10, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!

IP address: 91.134.120.7 (🇫🇷)
Hosting provider: Infinity Hosting
Network provider: OVH (AS16276)

C2 ports:
666/tcp
850/tcp

Payload: https://t.co/kDIqJHkUS5
ftp://164.132.213.119 #malware #opendir #threatintel pic.twitter.com/43uiyQcxV1

— Bad Packets Report (@bad_packets) August 9, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!

IP address: 91.92.66.192 (🇧🇬)
Hosting provider: VPS[.]bg
ASN: AS60355 (Neterra)

C2 port:
63236/tcp

Vulnerabilities exploited:
JAWS RCE
Realtek RCE (CVE-2014-8361)

http://91.92.66.192/ #malware #opendir #threatintel pic.twitter.com/ODC4mv2IXw

— Bad Packets Report (@bad_packets) August 8, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 185.244.25.185 (🇳🇱)
Hosting provider: KV Solutions (AS60355)

C2 ports:
1312/tcp (panel)
3912/tcp
43195/tcp

Payload:
Jaws[.]sh
http://185.244.25.185/loot/ #malware #opendir #threatintel pic.twitter.com/FDxxFiHoRN

— Bad Packets Report (@bad_packets) August 8, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet (DDoS) command-and-control (C2) server detected!

IP address: 185.35.138.156 (🇳🇱)
C2 port: 655/tcp
Hosting provider: Zyztm Research Division (AS62454)

Payload:
http://185.35.138.156/c
ftp://185.35.138.156/ #malware #opendir #threatintel pic.twitter.com/okhMp8kkvO

— Bad Packets Report (@bad_packets) August 8, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) C2 server detected!

IP address: 164.132.213.119 (🇫🇷)
Hosting provider: Infinity Hosting
Network provider: OVH (AS16276)
C2 ports:
54268/tcp
1098/tcp

Malware payload:https://t.co/QThjOvn4KR
ftp://164.132.213.119 #opendir #threatintel pic.twitter.com/8JQS4Whv6j

— Bad Packets Report (@bad_packets) August 8, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 185.244.25.77 (🇳🇱)
Hosting provider: KV Solutions (AS60355)
C2 ports:
88/tcp (panel)
1/tcp (logs)

Payload:
m-i.p-s.SNOOPY Gafgyt-like #malware https://t.co/pKh9dvamuM #threatintel pic.twitter.com/DHTEMgxE8U

— Bad Packets Report (@bad_packets) August 7, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 185.244.25.75 (🇳🇱)
C2 ports:
7318/tcp (panel)
43594/tcp (logs)
Hosting provider: KV Solutions (AS60355)

Payload:
SinixV4.armv6l Gafgyt-like #malware https://t.co/crpjCEGtIF #threatintel pic.twitter.com/qIK5BQkbg6

— Bad Packets Report (@bad_packets) August 7, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet (DDoS) command-and-control (C2) server detected!

IP address: 158.255.5.216 (🇷🇺)
C2 port: 8915/tcp
ftp://158.255.5.216/ #opendir
Hosting provider: @Hostkey_Rus (AS49335)

Exploit targets:
D-Link routers
ZyXEL routers (CVE-2017-18368)#threatintel pic.twitter.com/Pmn4dnIGnt

— Bad Packets Report (@bad_packets) August 6, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 45.129.3.130 (🇷🇺)
C2 port: 1994/tcp (h/t @0xrb)
Hosting provider: https://t.co/D690YPqKCi (AS51659)#threatintel https://t.co/D3b8J89ZH9 pic.twitter.com/pBybObfP7I

— Bad Packets Report (@bad_packets) August 4, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected!

IP address: 185.244.25.181 (🇳🇱)
C2 port: 9375/tcp
Hosting provider: KV Solutions (AS60355)#Malware payload:
z3hir.mips https://t.co/SSEbT7YV2d
http://185.244.25.77/zehir/ #opendir #threatintel pic.twitter.com/dlTKpfdI6W

— Bad Packets Report (@bad_packets) August 3, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Botnet C2 server still active!

IP address: 185.244.25.181 (🇳🇱)
Hosting provider: KV Solutions

New C2 ports:
Panel: 121/tcp
Logs: 8361/tcp

Malware payload: NENAVIST2https://t.co/jQ1h7wChIw

PDoS (bricker) functionality per @MasafumiNegishi.#threatintel https://t.co/svWPsvrqPR pic.twitter.com/Lq32WYt1Wg

— Bad Packets Report (@bad_packets) August 2, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet C2 server detected!

IP address: 185.244.150.111 (🇳🇱)
C2 port: 38344/tcp
Hosting provider: Host Sailor (🇦🇪)
ASN: AS60117

http://185.244.150.111/b/ #opendir

Malware payload:https://t.co/3GIwISL5X1 #threatintel pic.twitter.com/jMbQtNEvT2

— Bad Packets Report (@bad_packets) August 2, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet C2 server detected!

IP address: 147.135.116.64 (🇫🇷)
C2 port: 45/tcp

ftp://147.135.116.64/Hilix.* #opendir
Hosting provider: Infinity Hosting
Network provider: OVH (AS16276)

Malware payload:https://t.co/8UnnQ2yIRu #threatintel pic.twitter.com/qpLxabCATS

— Bad Packets Report (@bad_packets) August 2, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 185.244.25.181 (🇳🇱)
C2 port: 131/tcp
Hosting provider: KV Solutions (AS60355)

Payload:
NENAVIST2https://t.co/jQ1h7wChIw
Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/1reyZPomYm

— Bad Packets Report (@bad_packets) August 1, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 server detected!

IP address: 103.1.186.118 (🇦🇺)
C2 port: 44/tcp (logs via 6949/tcp)
Hosting provider: Mammoth Cloud (AS133159)

Payload:
a.arm5https://t.co/qYcm2vlPLa
http://103.1.186.118/bins/ #opendir

Type: Mirai-like #malware #threatintel pic.twitter.com/O231zjZDTL

— Bad Packets Report (@bad_packets) July 31, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 server detected!

IP address: 185.172.110.216 (🇳🇱)
C2 port: 1024/tcp
Hosting provider: BladeServers
ASN: AS206898

Payload:
/Jaws.shhttps://t.co/e8yX6eDY0J
http://185.172.110.216/bins/ #opendir

Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/DQzgH2RKiF

— Bad Packets Report (@bad_packets) July 31, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 51.91.202.137 (🇫🇷)
C2 port: 9999/tcp

Payload:
a-r.m-4.SNOOPY
a-r.m-6.SNOOPY
a-r.m-7.SNOOPY
ftp://51.91.202.137/ #opendir

Type: Gafgyt (DDoS) #malware #threatintel https://t.co/UlJ4YEtsQo pic.twitter.com/q3nSbxHPz1

— Bad Packets Report (@bad_packets) July 28, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 165.22.209.154 (🇮🇳)
C2 port: 26663/tcp
Hosting provider: DigitalOcean (AS14061)

Payload:
r4z0r.mipshttps://t.co/nm5COeFb6C
Type: Mirai-like #malware
ftp://165.22.209.154/ #opendir #threatintel pic.twitter.com/zAxmo34R54

— Bad Packets Report (@bad_packets) July 27, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 142.11.238.236 (🇺🇸)
C2 port: 34/tcp
Hosting provider: Hostwinds
ASN: AS54290

Payload:
arm7 (https://t.co/6zvHH2WZsC)
ftp://142.11.238.236/ #opendir
Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/4DM9PebG6v

— Bad Packets Report (@bad_packets) July 27, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 server detected!

IP address: 185.246.152.89 (🇳🇱)
C2 port: 37212/tcp
Hosting provider: Melbicom (🇱🇹)
ASN: AS56630

Payload:
http://185.246.152.89/bins/telnet.* #opendir https://t.co/Fd6dQCr7wz

Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/nOOETagFpk

— Bad Packets Report (@bad_packets) July 26, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 server detected!

IP address: 185.172.110.203 (🇳🇱)
C2 port: 1024/tcp
Hosting provider: BladeServers
ASN: AS206898

Payload:
http://185.172.110.203/Jaws.sh
http://185.172.110.203/bins/ #opendir

Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/rxDsuHJ5m4

— Bad Packets Report (@bad_packets) July 25, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 159.89.41.188 (🇺🇸)
C2 port: 5301/tcp
Hosting provider: DigitalOcean

Payload:
http://159.89.41.188/bin
http://159.89.41.188/bins/ #opendir

Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/5gapuwXiTM

— Bad Packets Report (@bad_packets) July 25, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 67.205.169.73 (🇺🇸)
C2 port: 1791/tcp
Hosting provider: DigitalOcean

Payload:
arm7.akiraghttps://t.co/ByGukMWvCR
ftp://67.205.169.73/ #opendir
Type: Mirai-like (DDoS) #malware #threatintel pic.twitter.com/OxrjKGe28r

— Bad Packets Report (@bad_packets) July 24, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 104.168.215.139 (🇺🇸)
C2 port: 5301/tcp
Hosting provider: Hostwinds
ASN: AS54290

Payload:
http://104.168.215.139/mips
http://104.168.215.139/arm7

Type:
Mirai-like (DDoS) #malware #threatintel pic.twitter.com/MKurB6rlax

— Bad Packets Report (@bad_packets) July 24, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 185.172.110.224 (🇳🇱)
C2 port: 70/tcp
Hosting provider: BladeServers
ASN: AS206898

Payload:
http://185.172.110.224/mipshttps://t.co/wLCAOB3OcZ
Type: Mirai-like (DDoS) #malware #threatintel https://t.co/WD2T3jtRJh pic.twitter.com/65mQIlAHFN

— Bad Packets Report (@bad_packets) July 24, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 87.120.37.148 (🇧🇬)
C2 port: 38/tcp

Payload:
http://87.120.37.148/bins/autism.* #opendir https://t.co/Kb5G9eHkJ9

Type: Mirai-like (DDoS) #malware #threatintel https://t.co/ceO9rfM4rG pic.twitter.com/h4vE976Evo

— Bad Packets Report (@bad_packets) July 24, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!

IP address: 80.211.90.245 (🇮🇹)
Hosting provider: Aruba Cloud (AS31034)
C2 port: 6666/tcp

Payload:
http://80.211.90.245/k1337.*
ftp://80.211.90.245/ #opendir

Type: Gafgyt (DDoS) #malware #threatintel pic.twitter.com/hBfPXJttCx

— Bad Packets Report (@bad_packets) July 22, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet C2 server detected!

IP address: 185.244.25.134 (🇳🇱)
C2 port: 1791/tcp
Hosting provider: KV Solutions

Payload:
loligang.mipshttps://t.co/x2PnIj7GsQ

Target: Huawei routers
Vulnerability exploited: CVE-2017-17215#threatintel https://t.co/rTk8y1XOpG pic.twitter.com/tEmSjoOupT

— Bad Packets Report (@bad_packets) July 22, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 detected!

IP address: 80.211.9.40 (🇮🇹)
Hosting provider: Aruba Cloud (AS31034)
DNS: ch.silynigr[.]xyz
C2 port: 495/tcp

Payload:
http://ch.silynigr[.]xyz/bins/u.*
http://ch.silynigr[.]xyz/bins/adb.*

Type: Mirai-like #malware #threatintel pic.twitter.com/2DUVZ9ZUf4

— Bad Packets Report (@bad_packets) July 21, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected!
IP address: 195.231.6.216 (🇮🇹)
C2 port: 48/tcp
Hosting provider: Aruba Cloud
ASN: AS202242#threatintel https://t.co/rZ6Or7RVR6 pic.twitter.com/iXN5NQzQpS

— Bad Packets Report (@bad_packets) July 20, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 51.91.202.137 (🇫🇷)
C2 port: 5301/tcp
Hosting provider: OVH
ASN: AS16276#threatintel https://t.co/prnFtujy49 pic.twitter.com/HRpecl5OUC

— Bad Packets Report (@bad_packets) July 19, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 detected!

IP address: 46.246.38.178 (🇸🇪)
DNS: ardp.hldns[.]ru
C2 port: 1791/tcp

Payload:
loligang.mipshttps://t.co/9kHLgjBYs8
loligang.mpsl https://t.co/l3q9IMg0qk

Type: Mirai-like #malware

Target: Linksys and D-Link routers#threatintel https://t.co/Oj5jvo9IWu pic.twitter.com/ltWFIyncii

— Bad Packets Report (@bad_packets) July 19, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!
IP address: 89.248.174.198 (🇳🇱)
C2 port: 9999/tcp
Hosting provider: IP Volume Inc
ASN: AS202425

Ports mass scanned with ZMap:
34567/tcp
50000/tcp
60001/tcp (see below)#threatintel https://t.co/tHj0H3eaaY

— Bad Packets Report (@bad_packets) July 18, 2019

Active Mirai-like botnet C2 detected:
89.248.174.198 (IP Volume Inc 🇳🇱)

C2 port:
9999/tcp

Exploit attempts targeting:
60001/tcp (JAWS Web Server – MVPower DVR RCE)

Payload:
http://89.248.174.198/jaws.sh
arm (https://t.co/ww1yQQ8geg)
arm7 (https://t.co/CZAWpe7z3r)#threatintel pic.twitter.com/SekQpD6CnU

— Bad Packets Report (@bad_packets) July 18, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected!
IP address: 192.236.162.197 (🇺🇸)
New C2 port: 1791/tcp
Hosting provider: Hostwinds
ASN: AS54290#threatintel https://t.co/MJToNHi8Sm pic.twitter.com/2kD0YncQ7s

— Bad Packets Report (@bad_packets) July 17, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 detected:
209.141.55.8 (🇺🇸)

C2 port:
6666/tcp

Payload:
puss.arm7 #malware https://t.co/FNrPn7DhlO
ftp://209.141.55.8/ #opendir

Exploit attempts targeting:
JAWS Web Server (MVPower DVR RCE)

Exploit source IPs:
37.49.230.21 (🇮🇸)#threatintel pic.twitter.com/CT54gbxi0V

— Bad Packets Report (@bad_packets) July 16, 2019

Exploit attempt (https://t.co/Jawhp0SAZg) source IPs:
101.108.14.144 🇹🇭
49.117.81.101 🇨🇳
109.116.203.139 🇮🇹
151.70.138.75 🇮🇹
2.45.252.16 🇮🇹
114.235.35.12 🇨🇳#threatintel

— Bad Packets Report (@bad_packets) July 16, 2019

Active Mirai-like botnet C2 detected:
192.236.162.197 (Hostwinds 🇺🇸)

C2 port:
4426/tcp

Exploit attempts targeting:
Linksys routers (https://t.co/Jawhp0SAZg)

Payload:
Amakano.mpslhttps://t.co/KXFXHInsy8 #malware
http://192.236.162.197/vb/ #opendir #threatintel pic.twitter.com/skgxeJ7YQj

— Bad Packets Report (@bad_packets) July 16, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 detected:
169.239.128.18 (🇿🇦)

C2 port: 5301/tcp
Payload:
http://169.239.128.18/mips
http://169.239.128.18/arm7

Type: Mirai-like #malware https://t.co/qejUbpYWmA https://t.co/mD25CFLHrM #threatintel pic.twitter.com/a3TEemvzSA

— Bad Packets Report (@bad_packets) July 14, 2019

Ongoing exploit attempts targeting:
Realtek UPnP SOAP RCE (CVE-2014-8361)
JAWS Web Server (MVPower DVR RCE)

Exploit attempt source IPs:
165.22.107.99 (DigitalOcean 🇸🇬)
165.22.206.167 (DigitalOcean 🇳🇱)
188.166.60.205 (DigitalOcean 🇳🇱)#threatintel pic.twitter.com/SNvE5CdoqS

— Bad Packets Report (@bad_packets) July 14, 2019

Active botnet C2 detected:
91.209.70.174 (🇷🇺)

C2 port: 40/tcp
Payload: http://91.209.70.174/Corona.mips
Type: Gafgyt #malware variant

Ongoing exploit attempts targeting:
Realtek UPnP SOAP RCE (CVE-2014-8361)

Exploit source IPs:
165.22.244.168 (DigitalOcean 🇸🇬)#threatintel pic.twitter.com/BddyZ59TTA

— Bad Packets Report (@bad_packets) July 14, 2019

Active Mirai-like botnet C2:
194.99.22.138 (🇩🇪)

Ongoing exploit attempts targeting:
JAWS Web Server (MVPower DVR RCE)
Realtek UPnP SOAP RCE (CVE-2014-8361)
GPON routers (CVE-2018-10561)

Exploit source IPs:
209.97.168.152 (🇸🇬)
165.22.107.99 (🇸🇬)
188.166.60.205 (🇳🇱)#threatintel https://t.co/NancSne6GJ pic.twitter.com/41FQaBCTjr

— Bad Packets Report (@bad_packets) July 14, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP: 185.172.110.224 (🇳🇱)
C2 port: 65533/tcp
Hosting provider: BladeServers
ASN: AS206898#threatintel https://t.co/hGvD2Kzyw5 pic.twitter.com/19fDRoC2eo

— Bad Packets Report (@bad_packets) July 13, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 194.99.22.138 (🇩🇪)
C2 port: 5301/tcp
Hosting provider: MVPS LTD
ASN: AS202448#threatintel https://t.co/B8xmWdP450 pic.twitter.com/84QuaVXCH9

— Bad Packets Report (@bad_packets) July 12, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 103.83.157.46 (🇸🇬)
C2 port: 5301/tcp
Hosting provider: CenterHop
ASN: AS17831#threatintel https://t.co/S132qANef2 pic.twitter.com/hrWbOjnU7h

— Bad Packets Report (@bad_packets) July 12, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 209.141.56.142 (🇺🇸)
C2 port: 37215/tcp
Hosting provider: Frantech
ASN: AS53667#threatintel https://t.co/ts1NKiPkgD pic.twitter.com/SbLN6nPbB3

— Bad Packets Report (@bad_packets) July 11, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 89.190.159.178 (🇳🇱)
C2 port: 85/tcp
Hosting provider: Alsycon B.V.
Network provider: SpectraIP B.V. (AS62068)#threatintel https://t.co/HOm7FuDdU0 pic.twitter.com/8a6vM6PjPi

— Bad Packets Report (@bad_packets) July 10, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet C2 server detected
IP address: 176.31.78.54 (🇫🇷)
http://176.31.78.54/bins/5743.* #opendir
Hosting provider: Infinity Hosting
C2 port: 45587/tcp

Type: Mirai-like #malware https://t.co/3tWlbyM5Rh

Exploit source IP: 125.227.22.243 (🇹🇼)#threatintel pic.twitter.com/ZuHx43svoa

— Bad Packets Report (@bad_packets) July 10, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP: 185.172.110.224 (🇳🇱)
C2 port: 65532/tcp
Hosting provider: BladeServers
ASN: AS206898#threatintel https://t.co/Eq7GtzzsbH pic.twitter.com/tsZogpCLuJ

— Bad Packets Report (@bad_packets) July 10, 2019

Botnet C2 IP address: 103.83.157.46 (🇸🇬)
C2 port: 5301/tcp
Hosting provider: CenterHop
ASN: AS17831#threatintel pic.twitter.com/ffmf31uIZz

— Bad Packets Report (@bad_packets) July 9, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP: 103.83.157.46 (🇸🇬)
C2 port: 5301/tcp
Hosting provider: CenterHop
ASN: AS17831#threatintel https://t.co/lTYo8EcZRE

— Bad Packets Report (@bad_packets) July 8, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Botnet C2 is still active.
Exploit attempts targeting Huawei routers are ongoing.#threatintel https://t.co/ex4Rv6xSfj pic.twitter.com/GzvSIhcxoQ

— Bad Packets Report (@bad_packets) July 7, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP address: 198.98.59.176 (🇺🇸)
C2 port: 90/tcp
Hosting provider: Frantech#threatintel https://t.co/Wxm1v0qm47 pic.twitter.com/XgGWvzo2Sq

— Bad Packets Report (@bad_packets) July 6, 2019

Looks like someone logged out of the C2 after our tweet. pic.twitter.com/Axi7WiPGGl

— Bad Packets Report (@bad_packets) July 6, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP address: 185.172.110.224 (🇳🇱)
C2 port: 65533/tcp
Hosting provider: BladeServers#threatintel https://t.co/hGvD2Kzyw5 pic.twitter.com/axADWUZU8T

— Bad Packets Report (@bad_packets) July 6, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active Mirai-like botnet command-and-control (C2) server detected.
IP address: 188.166.87.227 (🇳🇱)
C2 port: 5301/tcp
Hosting provider: DigitalOcean (AS14061)#threatintel https://t.co/QOen6TGFae

— Bad Packets Report (@bad_packets) July 6, 2019

New payload targeting #GPON routers detected:
http://188.166.87.227/bin (DigitalOcean 🇳🇱)
http://188.166.87.227/bins/ #opendir https://t.co/wIIYSZ5JQS
Type: Mirai-like #malware
C2 port: 5301/tcp
Exploit attempt source IP: 68.183.167.121 (DigitalOcean 🇺🇸)#threatintel pic.twitter.com/yHdidmVhFO

— Bad Packets Report (@bad_packets) July 6, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP address: 128.199.235.119 (🇸🇬)
C2 port: 81/tcp
Hosting provider: @digitalocean (AS14061)#threatintel https://t.co/OSxregNnrJ pic.twitter.com/fA2WyNbz7G

— Bad Packets Report (@bad_packets) July 4, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP address: 159.89.143.217 (🇺🇸)
C2 port: 2269/tcp
Hosting provider: @digitalocean (AS14061)#threatintel https://t.co/FgjKPxhrfi pic.twitter.com/yKktKmbDj8

— Bad Packets Report (@bad_packets) July 4, 2019

🚨 ALERT 🚨
Active botnet command-and-control (C2) server detected.
IP: 103.83.157.46 (🇸🇬)
C2 port: 5301/tcp
Hosting provider: @centerhopcom
ASN: AS17831#threatintel https://t.co/LgojxLVqdy

— Bad Packets Report (@bad_packets) July 4, 2019

New payload targeting #GPON routers detected:
http://103.83.157.46/gai (🇸🇬)
http://103.83.157.46/bins/ #opendir https://t.co/rYnZBBEwBY
Type: Mirai-like #malware
C2 port: 5301/tcp
Exploit attempt source IP: 165.22.206.167 (Digital Ocean 🇳🇱)#threatintel pic.twitter.com/LnN5sHo4UE

— Bad Packets Report (@bad_packets) July 4, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP: 185.172.110.226 (🇳🇱)
C2 port: 1791/tcp
Hosting provider: @BladeServers_eu (AS206898)#threatintel https://t.co/HswW0KDsdp

— Bad Packets Report (@bad_packets) July 3, 2019

Active payload targeting 60001/tcp (IP camera interface/JAWS) detected:
http://185.172.110.226/lmaoWTF/Jaws.sh (🇳🇱)
http://185.172.110.226/lmaoWTF/ #opendir https://t.co/LkS7JKqYLe
Type: Mirai-like #malware
C2 port: 1791/tcp
Exploit source IP: 185.244.25.84 (🇳🇱)#threatintel pic.twitter.com/NdBPdqglXY

— Bad Packets Report (@bad_packets) July 3, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP: 198.98.59.176 (🇺🇸)
C2 port: 3301/tcp#threatintel https://t.co/UqPTvSioFa pic.twitter.com/igVioXdTQ3

— Bad Packets Report (@bad_packets) July 2, 2019

🚨 𝗔𝗟𝗘𝗥𝗧 🚨
Active botnet command-and-control (C2) server detected.
IP: 185.244.25.241 (🇳🇱 KV Solutions AS60355)
C2 port: 38344/tcp#threatintel https://t.co/Y7cS169YYM pic.twitter.com/F7P5kwMuYq

— Bad Packets Report (@bad_packets) June 30, 2019

Active botnet C2: 103.83.157.41 (🇸🇬)#threatintel pic.twitter.com/wiblOelpCm

— Bad Packets Report (@bad_packets) June 30, 2019

🚨 ALERT 🚨
Active botnet command-and-control (C2) server detected. #threatintel https://t.co/ugaYD6M5BE

— Bad Packets Report (@bad_packets) June 27, 2019

New payload targeting #Huawei routers detected:
http://103.83.157.41/bins/mips (🇸🇬)
http://103.83.157.41/bins/#opendir
C2 port: 5301/tcp
Type: Mirai-like #malware https://t.co/CfJOoDZTBB
Vulnerability exploited: CVE-2017-17215
Source IP: 167.71.64.218 (🇺🇸)#threatintel pic.twitter.com/vVhiYmvwgA

— Bad Packets Report (@bad_packets) June 27, 2019

Active botnet C2 and payload:
http://185.244.25.241/b/mips (🇳🇱 KV Solutions AS60355)https://t.co/olalKAGfD9 #threatintel https://t.co/ClcDuCdAix

— Bad Packets Report (@bad_packets) June 26, 2019

Active payload targeting #Huawei routers detected:
http://104.248.93.159/bins/frosty.mips (🇳🇱)
http://104.248.93.159/bins/ #opendir
C2 port: 8372/tcp
Type: Mirai-like #malware https://t.co/ghvpHMmhF4
Exploit source IP: 68.183.151.62 (🇺🇸)
Vulnerability: CVE-2017-17215#threatintel pic.twitter.com/YIZumv5k9B

— Bad Packets Report (@bad_packets) June 23, 2019

⚠️ WARNING ⚠️
Mirai-like botnet C2 server detected: 91.134.120.5 (🇫🇷)
Hosting provider: Infinity Hosting Services (🇩🇪)
Network provider: OVH (AS16276 🇫🇷)#threatintel pic.twitter.com/sDwnBFhtPR

— Bad Packets Report (@bad_packets) June 20, 2019

🚨 ALERT 🚨
Active command-and-control (C2) server detected. https://t.co/unTTHRfMp8

— Bad Packets Report (@bad_packets) June 18, 2019

New payload targeting #Huawei routers detected:
http://178.62.27.133/bins/frosty.mips (🇬🇧)
http://178.62.27.133/bins/ #opendir
Type: Mirai-like #malware https://t.co/mr8u5HFPdL
C2 IP: 68.183.151.62 (DigitalOcean 🇺🇸)
C2 port: 8372/tcp
Vulnerability: CVE-2017-17215#threatintel pic.twitter.com/SYZYqZBjuf

— Bad Packets Report (@bad_packets) June 18, 2019

C2 server: 185.244.25.157
C2 port: 5034/tcp https://t.co/ViNKvvCPb2 pic.twitter.com/XOJBbAbsnI

— Bad Packets Report (@bad_packets) June 18, 2019

New payload targeting @SchneiderElec "U.motion LifeSpace Management Systems" detected:
http://31.13.195.251/EC (🇧🇬 @VPSBG_EU)
Vulnerability exploited: CVE-2018-7841
Exploit (C2) IP: 188.165.179.9 (🇫🇷 @infinityhostcom)
C2 ports: 666, 358/tcp
Recon scan: Mirai-like#threatintel

— Bad Packets Report (@bad_packets) June 17, 2019

C2 server: 68.183.55.5
C2 port: 9375/tcp (Telnet) pic.twitter.com/ppTmHCfQbw

— Bad Packets Report (@bad_packets) June 17, 2019

⚠️ WARNING ⚠️
Ongoing exploit attempts
Active C2 server#threatintel https://t.co/G8soHUAa8w pic.twitter.com/ssIdF9Ejmm

— Bad Packets Report (@bad_packets) June 16, 2019

New payload targeting #Linksys routers detected:
http://79.137.123.208/bins/mpsl (🇫🇷)https://t.co/vTYSzWkrhM
ftp://79.137.123.208/ #opendir
C2 port: 555/tcp (Telnet)
Type: Mirai-like #malware
Exploit source IP: 74.210.238.108 (🇨🇦)
Target Port: 8080/tcp pic.twitter.com/eVCifhPw9U

— Bad Packets Report (@bad_packets) June 15, 2019

ANDYPANDY botnet C2 detections last 7 days:
104.244.76.15 (🇱🇺)
209.141.55.73 (🇺🇸)
193.70.26.48 (🇫🇷)
181.197.5.215 (🇵🇦)

Mainly targets #Android Debug Bridge (ADB) endpoints (5555/tcp). Recon scan uses ZMap.

— Bad Packets Report (@bad_packets) June 13, 2019

⚠️ WARNING ⚠️
New payload targeting D-Link devices detected:
http://62.210.207.229/t (🇫🇷)
http://62.210.207.229/bins/owari.* #opendir
C2 port: 89/tcp (Telnet)

Type: Mirai-like #malware https://t.co/H80SNjpLuF

Exploit source IPs:
209.141.37.17 (🇺🇸)
27.121.223.185 (🇯🇵) pic.twitter.com/mvO7WSwMb6

— Bad Packets Report (@bad_packets) June 1, 2019

New payload targeting Linksys routers detected:
http://205.185.126.154/AB4g5/Extendo.mpsl (🇺🇸)https://t.co/t6qyUxKKnl
C2 port: 1024/tcp (Telnet)
Exploit source IP: 209.141.37.173 (🇺🇸)
Recon scan: ZMap
Target Ports: 8088, 8080/tcp
Mirai-like #malware #opendir pic.twitter.com/UtP1qKoA4F

— Bad Packets Report (@bad_packets) May 25, 2019

A week later, this C2 is still active. The service provider @Scaleway acknowledged our report, yet took no action.

Meanwhile, a new payload called "z3hir" was detected: https://t.co/SL9INIWvDx pic.twitter.com/govU3heKaS

— Bad Packets Report (@bad_packets) May 20, 2019

New #malware payload and C2 detected
Exploit target: Realtek devices (CVE-2014-8361)
Target port: 52869/tcp
Payload: http://62.210.207.229/ntpd (https://t.co/vmMWAs3EmU)#OpenDir: ftp://62.210.207.229/
C2 port: 89/tcp (telnet) pic.twitter.com/PiRA8lRnrq

— Bad Packets Report (@bad_packets) May 13, 2019

Mirai-like botnet C2: 88.218.94.20 (🇺🇸)
Status: Active
Realtek exploit CVE-2014-8361 payload: http://88.218.94.20/ntpd (https://t.co/dsp82tTR1V)
✅ Added to monitoring pic.twitter.com/rIlYd1IAro

— Bad Packets Report (@bad_packets) May 11, 2019