Jérôme Meyer

182 Followers
164 Following
38 Posts

Security research at Nokia Deepfield (he/they).

EN/FR posts | Fan of Crocker’s Rules, art, and the Oxford comma.

Homepage: https://med.ac/about
Signal: jmeyer.01
Work account: https://infosec.exchange/@deepfield

New report from our ERT: #Maskify.

The operator built what a Series A deck would call "decentralized edge infrastructure": ENS for service discovery, IPFS for binary distribution, a custom P2P mesh network, QUIC transport.

In practice it is a DDoS botnet running on Android TV boxes that did not opt in.

https://github.com/deepfield/public-research/blob/main/maskify/report.md

#threatintel #ddos

(Link preview: public-research/maskify/report.md at main · deepfield/public-research: DDoS botnet research and indicators of compromise from Nokia Deepfield ERT, on GitHub)

When a botnet operator names their payload after your team, you check the diff.

libcyn.so → deepfield.so
Custom cipher → wolfSSL TLS 1.3 (same stack as earlier Kimwolf)

C2 domains, floods, targets: all unchanged.

9a28696774d9ef6754540633daeef668767df5efa1804138abd35e1a6b31523e

#drifter #threatintel #ddos

The backstory of #Kimwolf, from our initial sightings early last year to how @synthient discovered the vuln that made that botnet possible.

https://www.wsj.com/tech/kimwolf-hack-residential-proxy-networks-a712ab59?st=3eNTjx

Happy Trans Day of Visibility! 🏳️‍⚧️ The mere act of existing and being visible shouldn’t be as fraught as it is today. Let’s keep fighting to set things right.

https://en.wikipedia.org/wiki/International_Transgender_Day_of_Visibility


New, from our @deepfield ERT: found a new botnet dressing its C2 traffic as camera management.

#Drifter names its domains after Hikvision products, blending with surveillance traffic on the same VLAN as the Android TV boxes it infects. DNS queries go through an Australian resolver, which somewhat undermines the cover if your bot is in São Paulo.

71 KB binary, already linked to attacks exceeding 2 Tbps from 80k sources. At least six operators are now competing for the same devices.

https://github.com/deepfield/public-research/blob/main/drifter/report.md

#threatintel #ddos
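The tell in the post above (a bot on a Brazilian LAN resolving its names through a resolver on another continent) is detectable from plain DNS flow logs: any device that bypasses the site's expected resolvers is worth a look, and the resolver's country makes the alert easier to triage. The sketch below is an added example, not Deepfield tooling or Drifter indicators; the log format, addresses, query names and resolver-to-country table are all constructed for it.

```python
"""Flag LAN devices whose DNS queries bypass the expected resolvers.

Added detection sketch, not from the Deepfield report. The log line format,
addresses, names and the country table are constructed for this example.
"""
from collections import defaultdict

# Constructed: the resolvers clients on this network are expected to use.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
# Constructed stand-in for a GeoIP lookup of resolver addresses.
RESOLVER_COUNTRY = {"192.0.2.53": "BR", "192.0.2.54": "BR", "203.0.113.9": "AU"}


def parse_dns_log(text):
    """Yield records from lines of '<ts> <client_ip> <resolver_ip> <qname>'
    (constructed format; adapt the split to your collector's schema)."""
    for line in text.strip().splitlines():
        ts, client, resolver, qname = line.split()
        yield {"ts": ts, "client": client, "resolver": resolver, "qname": qname.lower()}


def find_rogue_resolver_use(text, expected=EXPECTED_RESOLVERS,
                            geo=RESOLVER_COUNTRY, site_country="BR"):
    """One alert per (client, unexpected resolver) pair, with the resolver's
    country, whether it is outside the site's country, and the names queried."""
    per_client = defaultdict(lambda: defaultdict(list))
    for rec in parse_dns_log(text):
        if rec["resolver"] in expected:
            continue                          # normal path: site resolvers
        per_client[rec["client"]][rec["resolver"]].append(rec["qname"])
    alerts = []
    for client, by_resolver in sorted(per_client.items()):
        for resolver, names in sorted(by_resolver.items()):
            country = geo.get(resolver, "??")
            alerts.append({
                "client": client,
                "resolver": resolver,
                "resolver_country": country,
                "offsite": country != site_country,
                "queries": len(names),
                "distinct_names": sorted(set(names)),
            })
    return alerts


# Constructed sample: one device on the IoT segment talks to an Australian
# resolver for camera-looking names; the others use the site resolvers.
SAMPLE_LOG = """\
2026-03-01T10:00:00Z 10.20.0.11 192.0.2.53 timeserver.example
2026-03-01T10:00:02Z 10.20.0.17 203.0.113.9 ipc-cam-update.example
2026-03-01T10:00:04Z 10.20.0.17 203.0.113.9 nvr-firmware.example
2026-03-01T10:00:05Z 10.20.0.17 203.0.113.9 ipc-cam-update.example
2026-03-01T10:00:07Z 10.20.0.23 192.0.2.54 ota.example
"""

if __name__ == "__main__":
    for alert in find_rogue_resolver_use(SAMPLE_LOG):
        print(alert)
```

The resolver allowlist is the cheap part; the country annotation is what separates "someone hard-coded 8.8.8.8" from "this box is talking to infrastructure nowhere near it". Blocking outbound UDP/TCP 53 from the IoT VLAN except to the site resolvers turns the same observation into prevention.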


The final keynote highlight from the GÉANT #SecurityDays 2026 this April.

Alexandre Dulaunoy, Head of CIRCL, Luxembourg's national CSIRT — on how 15 years of open-source security development has shown that sharing code, knowledge and intelligence builds networks of trust between defenders.

If you haven't got your ticket yet, this week is your last chance. Secure your place before 27 March 👉 https://events.geant.org/event/1989/registrations/

[Image: A random guy telling the world how to install some new software. An illustration.]
Other than publishing these botnet reports I’m enjoying my week off 🤣

RE: https://infosec.exchange/@deepfield/116284754769568339

The operator built triple-layer crypto, fast-flux DNS across 30+ ASes, biweekly C2 rotation — then shipped an unstripped debug build on port 8090, a couple of ports over from production. 300+ symbols, project name, internal module names, all right there in readelf.

Anyway here's the full writeup.

https://github.com/deepfield/public-research/blob/main/jackskid/report.md

#threatintel #ddos
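Both the "check the diff" post (libcyn.so renamed to deepfield.so) and the unstripped debug build above come down to the same two questions: does this ELF still carry a .symtab, and what changed in its symbol set between builds? readelf -s and nm answer them interactively; the parser below answers them from a script, for the little-endian ELF32 and ELF64 binaries found on Android TV boxes. It is an added example, not Deepfield tooling: the sample-ELF builder and every symbol name in it are constructed for the test, and nothing here is taken from the actual samples.

```python
"""Is this ELF stripped, and what changed between two builds?

Added example (not Deepfield's tooling): a minimal little-endian ELF32/ELF64
section-header parser that lists .symtab entries, reports a binary as stripped
when it has no .symtab, and diffs the symbol sets of two builds. The sample
ELF builder and every symbol name used with it are constructed.
"""
import struct

SHT_SYMTAB = 2
SHT_STRTAB = 3

# struct formats per ELF class (1 = ELF32, 2 = ELF64): Ehdr, Shdr, Sym.
_FMT = {
    1: ("<16sHHIIIIIHHHHHH", "<IIIIIIIIII", "<IIIBBH"),
    2: ("<16sHHIQQQIHHHHHH", "<IIQQQQIIQQ", "<IBBHQQ"),
}


def _cstr(blob, off):
    """NUL-terminated string at `off` inside a string table."""
    return blob[off:blob.index(b"\0", off)].decode("ascii", "replace")


def parse_sections(data):
    """Return (elf_class, [section dicts]) from the section header table."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    cls = data[4]
    if cls not in _FMT or data[5] != 1:
        raise ValueError("only little-endian ELF32/ELF64 handled here")
    ehdr_fmt, shdr_fmt, _ = _FMT[cls]
    eh = struct.unpack_from(ehdr_fmt, data, 0)
    e_shoff, e_shentsize, e_shnum, e_shstrndx = eh[6], eh[11], eh[12], eh[13]
    raw = [struct.unpack_from(shdr_fmt, data, e_shoff + i * e_shentsize)
           for i in range(e_shnum)]
    if not raw:
        return cls, []
    sh = raw[e_shstrndx]                     # section-name string table
    names = data[sh[4]:sh[4] + sh[5]]
    return cls, [{"name": _cstr(names, s[0]), "type": s[1], "offset": s[4],
                  "size": s[5], "link": s[6], "entsize": s[9]} for s in raw]


def symtab_names(data):
    """Names in .symtab, or None when there is no .symtab (stripped build).
    .dynsym is deliberately ignored: a stripped shared object still has one."""
    cls, sections = parse_sections(data)
    sym_fmt = _FMT[cls][2]
    for sec in sections:
        if sec["type"] != SHT_SYMTAB:
            continue
        strtab = sections[sec["link"]]       # sh_link points at its .strtab
        strs = data[strtab["offset"]:strtab["offset"] + strtab["size"]]
        ent = sec["entsize"] or struct.calcsize(sym_fmt)
        names = []
        for i in range(sec["size"] // ent):
            st_name = struct.unpack_from(sym_fmt, data, sec["offset"] + i * ent)[0]
            if st_name:                      # skip the null symbol
                names.append(_cstr(strs, st_name))
        return names
    return None


def is_stripped(data):
    return symtab_names(data) is None


def symbol_diff(old, new):
    """(added, removed) symbol names between two builds."""
    a, b = set(symtab_names(old) or []), set(symtab_names(new) or [])
    return sorted(b - a), sorted(a - b)


def build_sample_elf(symbols, cls=2, stripped=False):
    """Constructed test input: a section-only ELF with .shstrtab/.strtab/.symtab."""
    ehdr_fmt, shdr_fmt, sym_fmt = _FMT[cls]
    shstrtab = b"\0.shstrtab\0.strtab\0.symtab\0"   # name offsets 1, 11, 19
    strtab, syms = b"\0", [b"\0" * struct.calcsize(sym_fmt)]
    for name in symbols:
        off, strtab = len(strtab), strtab + name.encode() + b"\0"
        syms.append(struct.pack(sym_fmt, off, 0x12, 0, 1, 0, 0) if cls == 2
                    else struct.pack(sym_fmt, off, 0, 0, 0x12, 0, 1))
    symtab = b"".join(syms)
    ehsize, shentsize = struct.calcsize(ehdr_fmt), struct.calcsize(shdr_fmt)
    o_shstr, o_str = ehsize, ehsize + len(shstrtab)
    o_sym = o_str + len(strtab)
    shoff = o_sym + len(symtab)
    shdrs = [
        struct.pack(shdr_fmt, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
        struct.pack(shdr_fmt, 1, SHT_STRTAB, 0, 0, o_shstr, len(shstrtab), 0, 0, 1, 0),
        struct.pack(shdr_fmt, 11, SHT_STRTAB, 0, 0, o_str, len(strtab), 0, 0, 1, 0),
        struct.pack(shdr_fmt, 19, SHT_SYMTAB, 0, 0, o_sym, len(symtab), 2, 1, 8,
                    struct.calcsize(sym_fmt)),
    ]
    if stripped:
        shdrs = shdrs[:3]                    # drop .symtab, as `strip` would
    ident = b"\x7fELF" + bytes([cls, 1, 1, 0]) + b"\0" * 8
    ehdr = struct.pack(ehdr_fmt, ident, 1, 0, 1, 0, 0, shoff, 0, ehsize,
                       0, 0, shentsize, len(shdrs), 1)
    return ehdr + shstrtab + strtab + symtab + b"".join(shdrs)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            names = symtab_names(f.read())
        print(path, "stripped" if names is None else f"unstripped, {len(names)} symbols")
```

Run it as `python3 elfsyms.py sample1.so sample2.so` to classify files; call symbol_diff() on two byte strings to get the added and removed names between a previous sample and a renamed successor. The parser reads the section header table only, so it works on a file that will not load, and it treats .dynsym as uninteresting on purpose: exported names survive stripping, project-internal ones do not, and it is the internal ones that leak a project name and module layout.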

New, from our ERT: #CECbot, an Android TV botnet and the first malware we're aware of that exploits HDMI-CEC.

It puts the TV to sleep so you don't notice the box behind it is running DDoS and residential proxy traffic. Curve25519/ChaCha20 crypto, 9 persistence layers, and... LAN mapping.

Successor to a Mirai fork, shares not much but the C2 server.

https://github.com/deepfield/public-research/blob/main/cecbot/report.md

#threatintel #DDoS
