AsconBot
Novel multi-arch DDoS bot via ADB — ASCON-128 AEAD + key-ratchet C2
C2: 168.220.248[.]106:24032 (live)
SHA256: 96f926f634fe67a384d577612157472f7aae9db5c0651730dc9d98360b9e8766
Website: https://www.nokia.com/ip-networks/deepfield/
Somebody sat down and wrote a from-scratch QUIC client for a DDoS bot. No WolfSSL, no mbedTLS, nothing off the shelf: TLS 1.3, QUIC v1, HTTP/3, all hand-rolled.
A more complete QUIC stack than some things you installed on purpose.
Then it validates zero certificates.
New ERT report on Vibenet, aka Heilong: https://github.com/deepfield/public-research/blob/main/vibenet/report.md
And @briankrebs tying everything together:
https://krebsonsecurity.com/2026/06/popa-botnet-linked-to-publicly-traded-israeli-firm/
Report from Qurium: https://www.qurium.org/forensics/finding-popa
New, from our ERT: what happens when you disconnect from that free VPN app, loaded with a residential proxy SDK that talks to the Vo1d/Popa infrastructure.
https://github.com/deepfield/public-research/blob/main/reports/2026-06-18-robovpn-neunative.md
New report: #kbotne, or: Mirai learns WebSocket, naturally calls it /connectlol
Standard RFC 6455 upgrade on port 80, which is novel for a Mirai fork.
Everything around it is less careful: hex-encoded config strings recoverable with xxd, a process killer that mostly recognizes its own binaries, and persistence that writes itself to `/.kbotne/kbotne`. Stealth was not the design goal.
https://github.com/deepfield/public-research/blob/main/kbotne/report.md
New report: #Datasurge, a rogue EDR agent with a DDoS module.
Mirai fork organized around retention, not acquisition. The operator exploits ADB, then lets a scanner/killer module ensure nothing else gets to run. (It's larger than the DDoS engine.)
Entropy heuristic, inotify watcher, directory lockdown, and a C2 toggle so the operator can briefly lower the drawbridge to deploy updates.
The config table cipher is ROT13 followed by single-byte XOR; the PRNG is seeded through a ChaCha-like init routine. Someone had priorities.
https://github.com/deepfield/public-research/blob/main/datasurge/report.md
(building on prior research from GHOST / Breakglass Intelligence)
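The post above describes the Datasurge config table cipher as ROT13 followed by a single-byte XOR. The following is an added example, not Deepfield's code and not the malware's, showing what that means for an analyst: decryption runs the layers in reverse (strip the XOR first, then apply ROT13 again, since ROT13 is its own inverse), and when the key byte is not yet known it can be recovered by trying all 256 candidates against a few strings that Mirai-derived config tables commonly contain. ROT13 is assumed to be the standard letters-only rotation, the key byte 0x5A, the crib list and the sample table are all constructed for this demonstration; none of them are taken from the report.

```python
"""Decode a "ROT13 then single-byte XOR" config table, recovering the key byte.

Added example (not Deepfield's or the malware's code). Assumptions: standard
letters-only ROT13; a key byte shared across the whole table; the cribs and the
sample table below are constructed, not real Datasurge strings.
"""
import string

# Standard ROT13 as a byte translation table; applying it twice is the identity.
ROT13 = bytes.maketrans(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ",
    b"nopqrstuvwxyzabcdefghijklmNOPQRSTUVWXYZABCDEFGHIJKLM",
)
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")

# Strings that Mirai-derived config tables commonly carry; used as cribs
# to pin down the XOR byte. Constructed list, assumed for this example.
CRIBS = [b"/proc/", b"busybox", b"/bin/sh"]


def encrypt(plaintext: bytes, key: int) -> bytes:
    """ROT13 on ASCII letters, then XOR every byte with `key` (the order the post gives)."""
    return bytes(b ^ key for b in plaintext.translate(ROT13))


def decrypt(ciphertext: bytes, key: int) -> bytes:
    """Inverse: undo the XOR layer first, then ROT13 (its own inverse)."""
    return bytes(b ^ key for b in ciphertext).translate(ROT13)


def score(candidate: bytes) -> int:
    """Plausibility of a decryption: number of printable bytes."""
    return sum(1 for b in candidate if b in PRINTABLE)


def recover_key(table: list[bytes], cribs: list[bytes] = CRIBS) -> int:
    """Brute-force the shared XOR byte.

    A crib hit on any entry identifies the key exactly; if no crib matches,
    fall back to the key under which the most table bytes decode to printable
    text (weaker: on short tables several keys can tie).
    """
    for key in range(256):
        if any(decrypt(entry, key) in cribs for entry in table):
            return key
    return max(range(256), key=lambda k: sum(score(decrypt(e, k)) for e in table))


def decode_table(table: list[bytes]) -> list[bytes]:
    """Recover the key from the table itself and decrypt every entry with it."""
    key = recover_key(table)
    return [decrypt(entry, key) for entry in table]


# Constructed sample table (assumed key byte 0x5A; not real Datasurge config).
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = [b"/proc/", b"/proc/self/exe", b"busybox", b"wget", b"User-Agent: Mozilla/5.0"]
SAMPLE_TABLE = [encrypt(p, SAMPLE_KEY) for p in SAMPLE_PLAIN]

if __name__ == "__main__":
    print(f"recovered key byte: 0x{recover_key(SAMPLE_TABLE):02x}")
    for entry in decode_table(SAMPLE_TABLE):
        print(entry.decode())
```

The crib step is what makes the key recovery deterministic: a wrong key byte turns every entry into different bytes, so a match on even one well-known string is enough, whereas a printable-only heuristic can leave several candidate keys tied on a short table.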
#TerraBot: first #DDoS botnet we've seen carrying a working exploit for CVE-2026-0073 (Critical ADB auth bypass, patched May 2026).
Every other ADB botnet needs auth disabled; this one doesn't. Comes with 30+ methods + dual APK/ELF cross-platform worming.
C2: terrabot.qzz[.]io:69
Staging: 140.233.190[.]47 (AS214209)
hash: a532a072687f5bd6f8f4c2fb1ce899a5d3c4264453fe2e7bafc270e83661c893
Full technical report on the Potassium botnet, including latest campaign & C2 domains: https://github.com/deepfield/public-research/blob/main/potassium/report.md