Deepfield, part of Nokia since 2017, delivers advanced network analytics and real-time DDoS protection to secure global networks.
Website: https://www.nokia.com/ip-networks/deepfield/
‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm – Krebs on Security

Popa: From Sourcing to Distribution

Popa is an Android proxyware SDK that turns consumer devices (phones, tablets, streaming boxes) into residential proxy nodes. It ships inside third-party s...

Synthient
Finding “Popa”: When Your Smart TV Stops Being Yours – Qurium Media Foundation

New, from our ERT: what happens when you disconnect from that free VPN app, loaded with a residential proxy SDK that talks to the Vo1d/Popa infrastructure.

https://github.com/deepfield/public-research/blob/main/reports/2026-06-18-robovpn-neunative.md

#threatintel #popa

public-research/reports/2026-06-18-robovpn-neunative.md at main · deepfield/public-research

DDoS botnet research and indicators of compromise from Nokia Deepfield ERT - deepfield/public-research

GitHub

New report: #kbotne, or: Mirai learns WebSocket, naturally calls it /connectlol

Standard RFC 6455 upgrade on port 80, which is novel for a Mirai fork.

Everything around it is less careful: hex-encoded config strings recoverable with xxd, a process killer that mostly recognizes its own binaries, and persistence that writes itself to `/.kbotne/kbotne`. Stealth was not the design goal.

https://github.com/deepfield/public-research/blob/main/kbotne/report.md

#threatintel #DDoS
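Two of the traits in that post are easy to check mechanically. The following is an added example, not Deepfield's tooling and not code from the kbotne report: it verifies that a captured client handshake is a standard RFC 6455 upgrade, flags the port-80 plus /connectlol combination the post describes, and pulls hex-encoded strings out of a blob the way `xxd -r -p` would. The handshake (including its Host address), the binary blob and the Sec-WebSocket-Key value are constructed here; the one hex run that decodes to text is the persistence path named in the post.

```python
"""Added example (not Deepfield's tooling): RFC 6455 handshake check and
hex-string recovery for the kbotne traits described in the post, run on
constructed sample data."""
import base64
import hashlib
import re

# RFC 6455 section 1.3: the GUID a server appends to Sec-WebSocket-Key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed client handshake in the shape the post describes: a plain
# RFC 6455 upgrade to /connectlol. The Host is a documentation address,
# not an observed C2; the key is the RFC's own worked-example value.
SAMPLE_HANDSHAKE = (
    b"GET /connectlol HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n"
    b"\r\n"
)

# Constructed blob: binary junk around one hex-encoded config string.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00"
    b"2f2e6b626f746e652f6b626f746e65"   # hex of /.kbotne/kbotne
    b"\x00\x01\xff"
    b"00ff00ff00ff00ff"                 # a hex run that is not text
    b"\x00cafe\x00"                     # too short to count as a string
)


def ws_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept a compliant server must return (RFC 6455 4.2.2)."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_request(raw: bytes):
    """Split an HTTP/1.1 request head into (method, path, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        return "", "", {}
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def is_websocket_upgrade(method: str, headers: dict) -> bool:
    """Opening-handshake requirements from RFC 6455 section 4.1."""
    if method != "GET" or headers.get("upgrade", "").lower() != "websocket":
        return False
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if "upgrade" not in tokens or headers.get("sec-websocket-version") != "13":
        return False
    try:  # the key must be base64 of exactly 16 random bytes
        return len(base64.b64decode(headers.get("sec-websocket-key", ""), validate=True)) == 16
    except ValueError:
        return False


def classify(raw: bytes, dst_port: int) -> dict:
    """Flag a WebSocket upgrade matching the traits in the post: standard
    handshake, destination port 80, path /connectlol."""
    method, path, headers = parse_request(raw)
    upgrade = is_websocket_upgrade(method, headers)
    return {
        "websocket_upgrade": upgrade,
        "path": path,
        "kbotne_like": upgrade and dst_port == 80 and path == "/connectlol",
        # What a compliant server would answer; handy when validating the
        # server side of a captured exchange.
        "expected_accept": ws_accept(headers["sec-websocket-key"]) if upgrade else None,
    }


HEX_RUN = re.compile(rb"(?:[0-9a-fA-F]{2}){4,}")  # even-length runs of >= 4 bytes


def recover_hex_strings(blob: bytes):
    """The xxd -r -p step as a function: decode every hex run in the blob and
    keep those that become printable ASCII. Odd-length runs lose their final
    nibble, and ordinary text that happens to be hex (e.g. 'deadbeef') shows
    up too, so treat the output as leads to confirm, not as facts."""
    found = []
    for m in HEX_RUN.finditer(blob):
        decoded = bytes.fromhex(m.group().decode("ascii"))
        if all(0x20 <= b < 0x7F for b in decoded):
            found.append(decoded)
    return found


if __name__ == "__main__":
    print(classify(SAMPLE_HANDSHAKE, 80))
    print(recover_hex_strings(SAMPLE_BLOB))
```

The handshake check is the full RFC 6455 client-side requirement set, so it will not fire on an ordinary HTTP GET to port 80; the path and port are the only kbotne-specific parts of the verdict, which is why `kbotne_like` is kept separate from `websocket_upgrade`.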


New report: #Datasurge, a rogue EDR agent with a DDoS module.

Mirai fork organized around retention, not acquisition. The operator exploits ADB, then lets a scanner/killer module ensure nothing else gets to run. (It's larger than the DDoS engine.)

Entropy heuristic, inotify watcher, directory lockdown, and a C2 toggle so the operator can briefly lower the drawbridge to deploy updates.

The config table cipher is ROT13 followed by single-byte XOR; the PRNG is seeded through a ChaCha-like init routine. Someone had priorities.

https://github.com/deepfield/public-research/blob/main/datasurge/report.md

(building on prior research from GHOST / Breakglass Intelligence)

#threatintel
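The config-table cipher as the post describes it (ROT13, then a single-byte XOR) is small enough to write out and attack. The following is an added example, not Deepfield's code and not anything lifted from the Datasurge sample. It assumes the ROT13 is applied to the ASCII letters first and the XOR byte-wise afterwards; the key (`0x37`) and the table entries are constructed in the style of a Mirai config table. It recovers the key two ways: a 256-key brute force that keeps every key yielding printable text, and a known-plaintext check that pins the key from one predictable string and confirms it against the whole table.

```python
"""Added example, not Deepfield's or the malware's code: the Datasurge
config cipher as described (ROT13, then single-byte XOR) with two key
recovery methods. Key and table entries are constructed."""

XOR_KEY = 0x37  # constructed; the real key is not on the page

# Constructed in the style of a Mirai config table; not strings from the sample.
PLAINTEXT_ENTRIES = [
    b"/proc/self/exe",
    b"/bin/busybox",
    b"/dev/watchdog",
    b"TSource Engine Query",
]


def rot13(data: bytes) -> bytes:
    """ROT13 over ASCII letters only; every other byte is left alone.
    ROT13 is its own inverse, so this both applies and removes it."""
    out = bytearray()
    for b in data:
        if 0x41 <= b <= 0x5A:
            out.append((b - 0x41 + 13) % 26 + 0x41)
        elif 0x61 <= b <= 0x7A:
            out.append((b - 0x61 + 13) % 26 + 0x61)
        else:
            out.append(b)
    return bytes(out)


def xor1(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def encrypt_entry(plain: bytes, key: int) -> bytes:
    """Assumed reading of "ROT13 followed by single-byte XOR": rotate the
    letters first, then XOR every byte with the key."""
    return xor1(rot13(plain), key)


def decrypt_entry(ct: bytes, key: int) -> bytes:
    """Undo in reverse order: strip the XOR, then rotate back. With key 0
    the whole cipher collapses to bare ROT13."""
    return rot13(xor1(ct, key))


def is_printable(data: bytes) -> bool:
    return all(0x20 <= b < 0x7F for b in data)


def candidate_keys(entries):
    """Brute force: 256 keys is nothing. Keep every key under which the whole
    table decrypts to printable ASCII. On short, letter-heavy tables more
    than one key can survive, so this narrows the search rather than settling it."""
    return [k for k in range(256)
            if all(is_printable(decrypt_entry(e, k)) for e in entries)]


def recover_key_known_plaintext(entries, known: bytes):
    """Known plaintext: Mirai-style tables carry predictable strings such as
    "/proc/". Because the XOR key is a single byte, one matching position
    fixes it; the match is then confirmed against the whole table."""
    target = rot13(known)  # what the known string looks like before the XOR
    for ct in entries:
        for off in range(len(ct) - len(target) + 1):
            k = ct[off] ^ target[0]
            if (xor1(ct[off:off + len(target)], k) == target
                    and all(is_printable(decrypt_entry(e, k)) for e in entries)):
                return k
    return None


ENCRYPTED_TABLE = [encrypt_entry(p, XOR_KEY) for p in PLAINTEXT_ENTRIES]

if __name__ == "__main__":
    print("brute-force candidates:", [hex(k) for k in candidate_keys(ENCRYPTED_TABLE)])
    k = recover_key_known_plaintext(ENCRYPTED_TABLE, b"/proc/")
    print("key from known plaintext:", hex(k))
    for ct in ENCRYPTED_TABLE:
        print(decrypt_entry(ct, k))
```

Order matters when undoing the layers: XOR first, then ROT13. Running ROT13 before the XOR would rotate bytes that are not letters yet, and the output would look like noise even with the right key.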


#TerraBot: first #DDoS botnet we've seen carrying a working exploit for CVE-2026-0073 (Critical ADB auth bypass, patched May 2026).

Every other ADB botnet needs auth disabled; this one doesn't. Comes with 30+ methods and dual APK/ELF cross-platform worming.

C2: terrabot.qzz[.]io:69
Staging: 140.233.190[.]47 (AS214209)
hash: a532a072687f5bd6f8f4c2fb1ce899a5d3c4264453fe2e7bafc270e83661c893

#threatintel

Full technical report on the Potassium botnet, including latest campaign & C2 domains: https://github.com/deepfield/public-research/blob/main/potassium/report.md

#threatintel #DDoS


Potassium update: the Mirai fork @synthient reported in March (https://x.com/deobfuscately/status/2033923869782712514) is still active and the operator appears to have taken up Dutch poetry. The new C2 domain is ikhebkankerinmijnrechterteelbal[.]st (would not recommend pasting that into Google Translate during standup).

Same key material and HTTP C2 protocol as the original potassium.vitacoco...[.]st variant. 11-port random C2 rotation, spreading via ADB to Android TV boxes.

IoCs:

a87aa7995ee9996952edb323d703875812f71d08237756ab44367f10e6197c7e
6833cb4681ac69281474be2c626df06cd90bb05bec72ae697cf219a6603826c9
3f13e18e190a7fc4c795d7caa83534d2879376ce43fd1a9120f23e48639cfe85

C2: ikhebkankerinmijnrechterteelbal[.]st → byte-swapped → 45.153.34[.]245
Dropper: 92.38.186[.]44 (HTTP + netcat :25565)

#mirai #DDoS #threatintel

edit: added byte-swapped C2 value

Ben (@deobfuscately) on X

Potassium Botnet Installer: http://169[.]40[.]135[.]69/1000mgofpotassiumaday/arm7 C2: potassium[.]vitacocoyougolocobecauseyouaresodamndeliciocobarampam[.]st #ioc #hunting #mirai
