home.social

#mirai — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #mirai, aggregated by home.social.

  1. Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers

    Between February and May 2026, over 1,350 active command-and-control servers were identified across 98 infrastructure providers spanning 14 Middle Eastern countries. Saudi Arabia's STC hosted 981 C2 servers, representing 72.4% of all regional malicious infrastructure, the largest concentration globally. C2 infrastructure dominated at 96.8% of detected activity, with IoT-focused botnets like Hajime, Mozi, and Mirai, alongside offensive frameworks including Tactical RMM, Cobalt Strike, and Sliver representing the primary malware families. The infrastructure supported diverse operations from state-sponsored espionage campaigns like Eagle Werewolf targeting state entities, to Malware-as-a-Service platforms, cryptomining operations, and destructive attacks such as DYNOWIPER. Key providers included SERVERS TECH FZCO in UAE, OMC in Israel, Türk Telekom, and Regxa in Iraq, demonstrating how telecommunications giants and specialized hosting services enable both commodity cybercrime and advanced persistent threat op...

    Pulse ID: 6a0f8f36422c8adb515a9804
    Pulse Link: otx.alienvault.com/pulse/6a0f8
    Pulse Author: AlienVault
    Created: 2026-05-21 23:03:18

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CobaltStrike #CryptoMining #CyberCrime #CyberSecurity #Espionage #InfoSec #IoT #Israel #Malware #MalwareAsAService #MiddleEast #Mirai #OTX #OpenThreatExchange #RAT #SaudiArabia #Sliver #Telecom #Telecommunication #UAE #bot #botnet #AlienVault

  2. Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers

    Between February and May 2026, over 1,350 active command-and-control servers were identified across 98 infrastructure providers spanning 14 Middle Eastern countries. Saudi Arabia's STC hosted 981 C2 servers, representing 72.4% of all regional malicious infrastructure, the largest concentration globally. C2 infrastructure dominated at 96.8% of detected activity, with IoT-focused botnets like Hajime, Mozi, and Mirai, alongside offensive frameworks including Tactical RMM, Cobalt Strike, and Sliver representing the primary malware families. The infrastructure supported diverse operations from state-sponsored espionage campaigns like Eagle Werewolf targeting state entities, to Malware-as-a-Service platforms, cryptomining operations, and destructive attacks such as DYNOWIPER. Key providers included SERVERS TECH FZCO in UAE, OMC in Israel, Türk Telekom, and Regxa in Iraq, demonstrating how telecommunications giants and specialized hosting services enable both commodity cybercrime and advanced persistent threat op...

    Pulse ID: 6a0f8f36422c8adb515a9804
    Pulse Link: otx.alienvault.com/pulse/6a0f8
    Pulse Author: AlienVault
    Created: 2026-05-21 23:03:18

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CobaltStrike #CryptoMining #CyberCrime #CyberSecurity #Espionage #InfoSec #IoT #Israel #Malware #MalwareAsAService #MiddleEast #Mirai #OTX #OpenThreatExchange #RAT #SaudiArabia #Sliver #Telecom #Telecommunication #UAE #bot #botnet #AlienVault

  3. Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers

    Between February and May 2026, over 1,350 active command-and-control servers were identified across 98 infrastructure providers spanning 14 Middle Eastern countries. Saudi Arabia's STC hosted 981 C2 servers, representing 72.4% of all regional malicious infrastructure, the largest concentration globally. C2 infrastructure dominated at 96.8% of detected activity, with IoT-focused botnets like Hajime, Mozi, and Mirai, alongside offensive frameworks including Tactical RMM, Cobalt Strike, and Sliver representing the primary malware families. The infrastructure supported diverse operations from state-sponsored espionage campaigns like Eagle Werewolf targeting state entities, to Malware-as-a-Service platforms, cryptomining operations, and destructive attacks such as DYNOWIPER. Key providers included SERVERS TECH FZCO in UAE, OMC in Israel, Türk Telekom, and Regxa in Iraq, demonstrating how telecommunications giants and specialized hosting services enable both commodity cybercrime and advanced persistent threat op...

    Pulse ID: 6a0f8f36422c8adb515a9804
    Pulse Link: otx.alienvault.com/pulse/6a0f8
    Pulse Author: AlienVault
    Created: 2026-05-21 23:03:18

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CobaltStrike #CryptoMining #CyberCrime #CyberSecurity #Espionage #InfoSec #IoT #Israel #Malware #MalwareAsAService #MiddleEast #Mirai #OTX #OpenThreatExchange #RAT #SaudiArabia #Sliver #Telecom #Telecommunication #UAE #bot #botnet #AlienVault

  4. Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers

    Between February and May 2026, over 1,350 active command-and-control servers were identified across 98 infrastructure providers spanning 14 Middle Eastern countries. Saudi Arabia's STC hosted 981 C2 servers, representing 72.4% of all regional malicious infrastructure, the largest concentration globally. C2 infrastructure dominated at 96.8% of detected activity, with IoT-focused botnets like Hajime, Mozi, and Mirai, alongside offensive frameworks including Tactical RMM, Cobalt Strike, and Sliver representing the primary malware families. The infrastructure supported diverse operations from state-sponsored espionage campaigns like Eagle Werewolf targeting state entities, to Malware-as-a-Service platforms, cryptomining operations, and destructive attacks such as DYNOWIPER. Key providers included SERVERS TECH FZCO in UAE, OMC in Israel, Türk Telekom, and Regxa in Iraq, demonstrating how telecommunications giants and specialized hosting services enable both commodity cybercrime and advanced persistent threat op...

    Pulse ID: 6a0f8f36422c8adb515a9804
    Pulse Link: otx.alienvault.com/pulse/6a0f8
    Pulse Author: AlienVault
    Created: 2026-05-21 23:03:18

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CobaltStrike #CryptoMining #CyberCrime #CyberSecurity #Espionage #InfoSec #IoT #Israel #Malware #MalwareAsAService #MiddleEast #Mirai #OTX #OpenThreatExchange #RAT #SaudiArabia #Sliver #Telecom #Telecommunication #UAE #bot #botnet #AlienVault

  5. Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers

    Between February and May 2026, over 1,350 active command-and-control servers were identified across 98 infrastructure providers spanning 14 Middle Eastern countries. Saudi Arabia's STC hosted 981 C2 servers, representing 72.4% of all regional malicious infrastructure, the largest concentration globally. C2 infrastructure dominated at 96.8% of detected activity, with IoT-focused botnets like Hajime, Mozi, and Mirai, alongside offensive frameworks including Tactical RMM, Cobalt Strike, and Sliver representing the primary malware families. The infrastructure supported diverse operations from state-sponsored espionage campaigns like Eagle Werewolf targeting state entities, to Malware-as-a-Service platforms, cryptomining operations, and destructive attacks such as DYNOWIPER. Key providers included SERVERS TECH FZCO in UAE, OMC in Israel, Türk Telekom, and Regxa in Iraq, demonstrating how telecommunications giants and specialized hosting services enable both commodity cybercrime and advanced persistent threat op...

    Pulse ID: 6a0f8f36422c8adb515a9804
    Pulse Link: otx.alienvault.com/pulse/6a0f8
    Pulse Author: AlienVault
    Created: 2026-05-21 23:03:18

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CobaltStrike #CryptoMining #CyberCrime #CyberSecurity #Espionage #InfoSec #IoT #Israel #Malware #MalwareAsAService #MiddleEast #Mirai #OTX #OpenThreatExchange #RAT #SaudiArabia #Sliver #Telecom #Telecommunication #UAE #bot #botnet #AlienVault

  6. 📰 Mirai Variant 'xlabs_v1' Builds DDoS Botnet by Hijacking IoT Devices with Exposed ADB Ports

    🚨 New Mirai-based botnet 'xlabs_v1' hijacks IoT devices & Android TVs via exposed ADB ports (TCP/5555). The botnet is used for DDoS-for-hire services, targeting Minecraft servers. #Mirai #Botnet #DDoS #IoTSecurity

    🔗 cyber.netsecops.io

  7. Mirai-Based xlabs_v1 Botnet Exploits ADB for IoT Hijacking

    Meet xlabs_v1, a powerful botnet derived from Mirai that's hijacking IoT devices by exploiting exposed Android Debug Bridge (ADB) services on TCP port 5555. This sneaky malware infects devices like Android TV boxes and smart TVs, and can even measure a device's bandwidth to sell it on the black market.

    osintsights.com/mirai-based-xl

    #IotBotnet #Mirai #AdbExploitation #EmergingThreats #IotHijacking

  8. Found an odd Telnet like connection in a Mirai malware execution. Follow these steps to see for yourself:
    telnet 45.149.186.18 8080
    Enter: newsrv

    🔥 nivela.duckdns[.]org:8080
    🔥 45.149.186.18:8080
    🔥 b8d37e1ba85e8cebd9802b31747a1689

    #Mirai #OWARI

  9. Found an odd Telnet like connection in a Mirai malware execution. Follow these steps to see for yourself:
    telnet 45.149.186.18 8080
    Enter: newsrv

    🔥 nivela.duckdns[.]org:8080
    🔥 45.149.186.18:8080
    🔥 b8d37e1ba85e8cebd9802b31747a1689

    #Mirai #OWARI

  10. Found an odd Telnet like connection in a Mirai malware execution. Follow these steps to see for yourself:
    telnet 45.149.186.18 8080
    Enter: newsrv

    🔥 nivela.duckdns[.]org:8080
    🔥 45.149.186.18:8080
    🔥 b8d37e1ba85e8cebd9802b31747a1689

    #Mirai #OWARI

  11. Found an odd Telnet like connection in a Mirai malware execution. Follow these steps to see for yourself:
    telnet 45.149.186.18 8080
    Enter: newsrv

    🔥 nivela.duckdns[.]org:8080
    🔥 45.149.186.18:8080
    🔥 b8d37e1ba85e8cebd9802b31747a1689

    #Mirai #OWARI

  12. Found an odd Telnet like connection in a Mirai malware execution. Follow these steps to see for yourself:
    telnet 45.149.186.18 8080
    Enter: newsrv

    🔥 nivela.duckdns[.]org:8080
    🔥 45.149.186.18:8080
    🔥 b8d37e1ba85e8cebd9802b31747a1689

    #Mirai #OWARI

  13. Potassium update: the Mirai fork @synthient reported in March (x.com/deobfuscately/status/203) is still active and the operator appears to have taken up Dutch poetry. The new C2 domathreatintelkankerinmijnrechterteelbal[.]st (would not recommend pasting that into Google Translate during standup.)

    Same key material and HTTP C2 protocol as the original potassium.vitacoco...[.]st variant. 11-port random C2 rotation, spreading via ADB to Android TV boxes.

    IoCs:

    a87aa7995ee9996952edb323d703875812f71d08237756ab44367f10e6197c7e
    6833cb4681ac69281474be2c626df06cd90bb05bec72ae697cf219a6603826c9
    3f13e18e190a7fc4c795d7caa83534d2879376ce43fd1a9120f23e48639cfe85

    C2: ikhebkankerinmijnrechterteelbal[.]st → 34.245.45[.]153
    Dropper: 92.38.186[.]44 (HTTP + netcat :25565)

    #mirai #DDoS #threatintel

  14. Potassium update: the Mirai fork @synthient reported in March (x.com/deobfuscately/status/203) is still active and the operator appears to have taken up Dutch poetry. The new C2 domain is ikhebkankerinmijnrechterteelbal[.]st (would not recommend pasting that into Google Translate during standup.)

    Same key material and HTTP C2 protocol as the original potassium.vitacoco...[.]st variant. 11-port random C2 rotation, spreading via ADB to Android TV boxes.

    IoCs:

    a87aa7995ee9996952edb323d703875812f71d08237756ab44367f10e6197c7e
    6833cb4681ac69281474be2c626df06cd90bb05bec72ae697cf219a6603826c9
    3f13e18e190a7fc4c795d7caa83534d2879376ce43fd1a9120f23e48639cfe85

    C2: ikhebkankerinmijnrechterteelbal[.]st → byte-swapped → 45.153.34[.]245
    Dropper: 92.38.186[.]44 (HTTP + netcat :25565)

    #mirai #DDoS #threatintel

    edit: added byte-swapped C2 value

  15. Potassium update: the Mirai fork @synthient reported in March (x.com/deobfuscately/status/203) is still active and the operator appears to have taken up Dutch poetry. The new C2 domain is ikhebkankerinmijnrechterteelbal[.]st (would not recommend pasting that into Google Translate during standup.)

    Same key material and HTTP C2 protocol as the original potassium.vitacoco...[.]st variant. 11-port random C2 rotation, spreading via ADB to Android TV boxes.

    IoCs:

    a87aa7995ee9996952edb323d703875812f71d08237756ab44367f10e6197c7e
    6833cb4681ac69281474be2c626df06cd90bb05bec72ae697cf219a6603826c9
    3f13e18e190a7fc4c795d7caa83534d2879376ce43fd1a9120f23e48639cfe85

    C2: ikhebkankerinmijnrechterteelbal[.]st → byte-swapped → 45.153.34[.]245
    Dropper: 92.38.186[.]44 (HTTP + netcat :25565)

    #mirai #DDoS #threatintel

    edit: added byte-swapped C2 value

  16. Potassium update: the Mirai fork @synthient reported in March (x.com/deobfuscately/status/203) is still active and the operator appears to have taken up Dutch poetry. The new C2 domain is ikhebkankerinmijnrechterteelbal[.]st (would not recommend pasting that into Google Translate during standup.)

    Same key material and HTTP C2 protocol as the original potassium.vitacoco...[.]st variant. 11-port random C2 rotation, spreading via ADB to Android TV boxes.

    IoCs:

    a87aa7995ee9996952edb323d703875812f71d08237756ab44367f10e6197c7e
    6833cb4681ac69281474be2c626df06cd90bb05bec72ae697cf219a6603826c9
    3f13e18e190a7fc4c795d7caa83534d2879376ce43fd1a9120f23e48639cfe85

    C2: ikhebkankerinmijnrechterteelbal[.]st → byte-swapped → 45.153.34[.]245
    Dropper: 92.38.186[.]44 (HTTP + netcat :25565)

    #mirai #DDoS #threatintel

    edit: added byte-swapped C2 value

  17. Potassium update: the Mirai fork @synthient reported in March (x.com/deobfuscately/status/203) is still active and the operator appears to have taken up Dutch poetry. The new C2 domain is ikhebkankerinmijnrechterteelbal[.]st (would not recommend pasting that into Google Translate during standup.)

    Same key material and HTTP C2 protocol as the original potassium.vitacoco...[.]st variant. 11-port random C2 rotation, spreading via ADB to Android TV boxes.

    IoCs:

    a87aa7995ee9996952edb323d703875812f71d08237756ab44367f10e6197c7e
    6833cb4681ac69281474be2c626df06cd90bb05bec72ae697cf219a6603826c9
    3f13e18e190a7fc4c795d7caa83534d2879376ce43fd1a9120f23e48639cfe85

    C2: ikhebkankerinmijnrechterteelbal[.]st → byte-swapped → 45.153.34[.]245
    Dropper: 92.38.186[.]44 (HTTP + netcat :25565)

    #mirai #DDoS #threatintel

    edit: added byte-swapped C2 value

  18. DDoS-for-Hire Operation Exposed: How an Operator's Debug Build Unraveled a Commercial Game-Server Botnet

    An exposed open directory on a Netherlands-hosted server revealed the complete operational toolkit of xlabs_v1, a Mirai-derived IoT botnet operated by an actor using the handle Tadashi. The operation provides DDoS-for-hire services specifically targeting game servers and Minecraft hosts through 21 distinct flood attack variants. The botnet exploits Android Debug Bridge (ADB) on TCP/5555 to compromise over 4 million potentially vulnerable IoT devices including Android TV boxes, smart TVs, and routers. The operation features bandwidth profiling to price-tier infected devices, ChaCha20 string encryption with cryptographic weaknesses, and competitor-eradication routines. Infrastructure analysis consolidated the entire operation within a single bulletproof /24 netblock in the Netherlands, with co-located cryptojacking infrastructure also identified.

    Pulse ID: 69f25f09e5c3a33611f7cb16
    Pulse Link: otx.alienvault.com/pulse/69f25
    Pulse Author: AlienVault
    Created: 2026-04-29 19:42:01

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Android #ChaCha20 #CryptoJacking #CyberSecurity #DDoS #DoS #Encryption #InfoSec #IoT #Minecraft #Mirai #OTX #OpenThreatExchange #RAT #TCP #TheNetherlands #bot #botnet #AlienVault