Iranian Botnet Exposed via Open Directory: 15-Node Relay Network and Active C2

An Iranian threat actor's operational infrastructure was exposed through an open directory, revealing a 15-node relay network spanning Finland and Iran, an SSH-based botnet framework, and an active command and control server. The exposed bash history documented the full operation, including tunnel deployment, DDoS tooling development, and botnet creation. The actor used on-host compilation to evade detection and leveraged a Python script for mass SSH deployment. The botnet client, compiled and renamed 'hex' on infected hosts, showed automatic reconnection capabilities. This operation appears to be financially or personally motivated rather than state-directed, with infrastructure dual-purposed for censorship bypass and attack operations.

Pulse ID: 69b96e4d10d70197a0dd1dcb
Pulse Link: https://otx.alienvault.com/pulse/69b96e4d10d70197a0dd1dcb
Pulse Author: AlienVault
Created: 2026-03-17 15:07:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DDoS #DoS #Finland #InfoSec #Iran #OTX #OpenThreatExchange #Python #RAT #SSH #bot #botnet #AlienVault