New report: #kbotne, or: Mirai learns WebSocket, naturally calls it /connectlol

The WebSocket handshake is a standard RFC 6455 upgrade on port 80, which is novel for a Mirai fork.

Everything around it is less careful: hex-encoded config strings recoverable with xxd, a process killer that mostly recognizes its own binaries, and persistence that writes itself to `/.kbotne/kbotne`. Stealth was not the design goal.
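Added example, not code from the report or the post: a small Python helper that flags an RFC 6455 opening handshake to the `/connectlol` path in a raw HTTP request, and recovers hex-encoded printable strings from a sample the way `xxd -r -p` would. The request and the binary blob below are constructed, and the assumption that config strings sit in the binary as contiguous ASCII-hex runs is mine, not the report's.

```python
"""Defender-side checks for the two kbotne traits above (constructed example)."""
import re

SUSPECT_PATH = "/connectlol"  # WebSocket endpoint named in the post


def parse_http_request(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.1 request into (method, path, lowercase-header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_rfc6455_upgrade(method: str, headers: dict[str, str]) -> bool:
    """RFC 6455 section 4.1 client handshake: GET plus Upgrade, Connection, Key, Version."""
    return (
        method == "GET"
        and headers.get("upgrade", "").lower() == "websocket"
        and "upgrade" in headers.get("connection", "").lower()
        and "sec-websocket-key" in headers
        and headers.get("sec-websocket-version") == "13"
    )


def classify_request(raw: bytes) -> str:
    """Label a request as plain HTTP, a generic WebSocket upgrade, or the kbotne path."""
    method, path, headers = parse_http_request(raw)
    if not is_rfc6455_upgrade(method, headers):
        return "plain-http"
    return "kbotne-handshake" if path == SUSPECT_PATH else "websocket-upgrade"


HEX_RUN = re.compile(rb"(?:[0-9a-fA-F]{2}){8,}")  # 8+ hex byte pairs, even length


def recover_hex_strings(blob: bytes) -> list[str]:
    """Decode ASCII-hex runs in a sample and keep only those that decode to printable text."""
    found = []
    for match in HEX_RUN.finditer(blob):
        decoded = bytes.fromhex(match.group().decode())
        if all(32 <= b < 127 for b in decoded):  # drop runs that are just binary data
            found.append(decoded.decode())
    return found


# Constructed inputs: a handshake to the suspect path and a blob with one hex-encoded
# path plus a non-printable hex run that the filter must reject. Not real samples.
SAMPLE_REQUEST = (b"GET /connectlol HTTP/1.1\r\nHost: 192.0.2.10\r\nUpgrade: websocket\r\n"
                  b"Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
                  b"Sec-WebSocket-Version: 13\r\n\r\n")
SAMPLE_BLOB = (b"\x00\x01" + "/.kbotne/kbotne".encode().hex().encode()
               + b"\x00garbage\x00deadbeefdeadbeef\x00")
```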

https://github.com/deepfield/public-research/blob/main/kbotne/report.md

#threatintel #DDoS

DDoS botnet research and indicators of compromise from Nokia Deepfield ERT - deepfield/public-research