Deepfield, part of Nokia since 2017, delivers advanced network analytics and real-time DDoS protection to secure global networks.
Website: https://www.nokia.com/ip-networks/deepfield/

Potassium update: the Mirai fork @synthient reported in March (https://x.com/deobfuscately/status/2033923869782712514) is still active and the operator appears to have taken up Dutch poetry. The new C2 domain is ikhebkankerinmijnrechterteelbal[.]st (would not recommend pasting that into Google Translate during standup.)

Same key material and HTTP C2 protocol as the original potassium.vitacoco...[.]st variant. 11-port random C2 rotation, spreading via ADB to Android TV boxes.

IoCs:

a87aa7995ee9996952edb323d703875812f71d08237756ab44367f10e6197c7e
6833cb4681ac69281474be2c626df06cd90bb05bec72ae697cf219a6603826c9
3f13e18e190a7fc4c795d7caa83534d2879376ce43fd1a9120f23e48639cfe85

C2: ikhebkankerinmijnrechterteelbal[.]st → 34.245.45[.]153
Dropper: 92.38.186[.]44 (HTTP + netcat :25565)

#mirai #DDoS #threatintel

Ben (@deobfuscately) on X

Potassium Botnet Installer: http://169[.]40[.]135[.]69/1000mgofpotassiumaday/arm7 C2: potassium[.]vitacocoyougolocobecauseyouaresodamndeliciocobarampam[.]st #ioc #hunting #mirai


New, from our @deepfield ERT: found a new botnet dressing its C2 traffic as camera management.

#Drifter names its domains after Hikvision products, blending with surveillance traffic on the same VLAN as the Android TV boxes it infects. DNS queries go through an Australian resolver, which somewhat undermines the cover if your bot is in São Paulo.

71 KB binary, already linked to attacks exceeding 2 Tbps from 80k sources. At least six operators are now competing for the same devices.

https://github.com/deepfield/public-research/blob/main/drifter/report.md

#threatintel #ddos

public-research/drifter/report.md at main · deepfield/public-research

DDoS botnet research and indicators of compromise from Nokia Deepfield ERT - deepfield/public-research


Most Mirai forks are disposable. #Jackskid was built not to be.

Joint research with Comcast Threat Research Labs — we tracked this botnet across 80+ samples and 13 build generations as it evolved from a bare-bones prototype into a dual-vector Android TV/IoT platform with triple-layer encryption and DNS-over-HTTPS C2.

Report and IoCs: https://github.com/deepfield/public-research/blob/main/jackskid/report.md

#threatintel #ddos

public-research/jackskid/report.md at main · deepfield/public-research

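The two posts above describe behaviours that are visible in ordinary flow telemetry without any payload inspection: Potassium's C2 rotating across 11 random ports on one host, and Drifter's bots resolving names through an off-network (Australian) resolver while Jackskid moves its C2 over DNS-over-HTTPS. The script below is an added example written for this page, not Deepfield's or Comcast's tooling, and not code from any of the linked reports. It runs two detectors over a constructed set of flow records: one flags a source/destination pair that touches many distinct TCP ports in a short window (port-rotating C2), the other flags DNS or DoH traffic that bypasses the resolvers a network is supposed to use. The resolver allow-list (10.0.0.53), the public DoH list, the thresholds and every IP in the sample (TEST-NET ranges) are assumptions for illustration.

```python
"""Flow-based detectors for port-rotating C2 and resolver bypass.

Added example; not from the original posts or the linked reports.
All addresses, thresholds and sample flows are constructed/assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    ts: int      # unix seconds
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# Assumed: the only resolvers hosts on this segment should talk to.
ALLOWED_RESOLVERS: Set[str] = {"10.0.0.53"}

# Assumed/illustrative list of public DoH endpoints; replace with your own.
PUBLIC_DOH_RESOLVERS: Set[str] = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Constructed sample telemetry (ts,src,dst,proto,dport). Documentation IPs only.
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport
1710000000,192.168.10.21,203.0.113.5,tcp,1337
1710000060,192.168.10.21,203.0.113.5,tcp,4021
1710000120,192.168.10.21,203.0.113.5,tcp,28009
1710000180,192.168.10.21,203.0.113.5,tcp,60101
1710000240,192.168.10.21,203.0.113.5,tcp,8811
1710000300,192.168.10.22,10.0.0.53,udp,53
1710000360,192.168.10.22,198.51.100.9,udp,53
1710000420,192.168.10.23,1.1.1.1,tcp,443
1710000480,192.168.10.24,203.0.113.80,tcp,443
1710000540,192.168.10.24,10.0.0.53,udp,53
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse the simple CSV above; skips the header and blank lines."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("ts,"):
            continue
        ts, src, dst, proto, dport = line.split(",")
        flows.append(Flow(int(ts), src, dst, proto.lower(), int(dport)))
    return flows


def port_rotation_hits(flows: List[Flow], min_ports: int = 4,
                       window: int = 3600) -> Dict[Tuple[str, str], int]:
    """Return (src, dst) pairs that hit >= min_ports distinct TCP ports
    within any `window`-second span, mapped to the max distinct-port count.
    A host re-dialling one C2 IP on a new random port each time stands out
    from normal clients, which reuse one or two service ports."""
    by_pair: Dict[Tuple[str, str], List[Tuple[int, int]]] = defaultdict(list)
    for f in flows:
        if f.proto == "tcp":
            by_pair[(f.src, f.dst)].append((f.ts, f.dport))
    hits: Dict[Tuple[str, str], int] = {}
    for pair, events in by_pair.items():
        events.sort()
        best, j = 0, 0
        for i in range(len(events)):          # sliding window over sorted events
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            best = max(best, len({p for _, p in events[i:j]}))
        if best >= min_ports:
            hits[pair] = best
    return hits


def dns_egress_hits(flows: List[Flow], allowed: Set[str] = ALLOWED_RESOLVERS,
                    doh: Set[str] = PUBLIC_DOH_RESOLVERS) -> List[Tuple[str, str, str]]:
    """Flag port-53 traffic to resolvers outside the allow-list (Drifter-style
    off-network resolver) and TLS to known public DoH endpoints (Jackskid-style
    DoH C2). The DoH rule is a triage signal, not proof: browsers use DoH too."""
    hits: List[Tuple[str, str, str]] = []
    for f in flows:
        if f.dport == 53 and f.dst not in allowed:
            hits.append((f.src, f.dst, "dns-to-unapproved-resolver"))
        elif f.dport == 443 and f.proto == "tcp" and f.dst in doh:
            hits.append((f.src, f.dst, "doh-to-public-resolver"))
    return hits


if __name__ == "__main__":
    sample = parse_flows(SAMPLE_FLOWS)
    for pair, n in port_rotation_hits(sample).items():
        print(f"port rotation: {pair[0]} -> {pair[1]} ({n} distinct ports)")
    for src, dst, why in dns_egress_hits(sample):
        print(f"resolver bypass: {src} -> {dst} ({why})")
```

On the constructed sample the first detector singles out 192.168.10.21 dialling 203.0.113.5 on five different ports in four minutes, and the second flags 192.168.10.22's query to an outside resolver and 192.168.10.23's TLS session to 1.1.1.1. Tune `min_ports` to your environment; a threshold well below 11 catches rotation early without waiting for the full port set, and a segment of TV boxes that should never reach any resolver but the local one makes the DNS rule close to zero-noise.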

RE: https://infosec.exchange/@jmeyer/116259050557048999

ICYMI: a story about pulling one thread linking multiple botnets — four of which were targeted by coordinated law enforcement actions this week, and an adjacent one for which our team publishes the C2 decryption scheme.

#aisuru #kimwolf #mossad #jackskid #cecilio

Yesterday, the U.S. Department of Justice announced a coordinated international operation to disrupt four of the world's largest IoT DDoS botnets — Aisuru, Kimwolf, Jackskid, and Mossad — responsible for record-breaking attacks reaching approximately 30 Tbps.

Together, these botnets had hijacked over three million devices worldwide and launched hundreds of thousands of DDoS attacks against victims across the globe.

This was a massive collaborative effort involving law enforcement agencies in the U.S., Canada, and Europe, alongside many private-sector partners. We're proud that Nokia was among the companies that contributed — our Deepfield Emergency Response Team helped map botnet infrastructure and supported the takedown efforts.

Full DOJ press release: https://www.justice.gov/usao-ak/pr/authorities-disrupt-worlds-largest-iot-ddos-botnets-responsible-record-breaking-attacks

#operationpoweroff

Excellent work by @nicter_jp documenting a Xiongmai DVR campaign deploying residential proxy SDKs: https://blog.nicter.jp/2026/03/iot_proxyware/

We pulled the payloads and decompiled the chain.

The downloader is Mirai with all DDoS stripped out — repurposed as a vehicle for proxy monetization. It delivers two proxy SDKs: IPRoyal Pawns and PacketSDK, part of the IPIDEA network Google disrupted in January.

NICTER's IOC timeline tells the rest: PacketSDK v1.0.2 (original domains) → v1.0.6 (scrambled replacements) → v1.0.8.4 (single fallback) → not deployed. Every dispatch path is now NXDOMAIN.

A concrete view of Google's takedown continuing to have impact.

https://github.com/deepfield/public-research/blob/main/reports/2026-03-19-xiongmai-packetsdk-ipidea.md

#Mirai #IPIDEA #threatintel

Observed cases of Xiongmai DVRs being turned into residential proxies through exploitation of a known vulnerability

1. Overview: On Xiongmai DVRs, where attacks exploiting a known vulnerability (CVE-2024-3765) continue, we observed a new case of Proxyware infection. In this case, unlike the conventional conversion into a DDoS bot, the Proxyware "PacketSDK", used for residential proxying, was installed and running.


Why bother with n-day exploits when a residential proxy subscription gives you unauthenticated root shell on tens of millions of Android TV devices?

Our new ERT report on the #Katana botnet documents 30K+ bots, an on-device compiled kernel rootkit, and almost certainly more engineering effort in persistence than the devices received in firmware support.

https://github.com/deepfield/public-research/blob/main/katana/report.md

#DDoS #threatintel

public-research/katana/report.md at main · deepfield/public-research


New deployment: @hetzner is strengthening #DDoS protection across its European data center infrastructure with Deepfield Defender; a great choice by one of Europe's leading hosting providers.

https://hetzner.com/pressroom/nokia-network-security/

Hetzner invests in AI-based network security from Nokia

We've reached a point where #DDoS attacks are now affecting shared infrastructure — well beyond the intended targets.

Read on to learn why networks need to address outbound DDoS traffic and build defenses as part of the network itself.

https://www.nokia.com/blog/the-internet-commons-under-siege-why-33-tbps-ddos-attacks-are-everyones-problem/