Jérôme Meyer

190 Followers
164 Following
38 Posts

Security research at Nokia Deepfield (he/they).

EN/FR posts | Fan of Crocker’s Rules, art, and the Oxford comma.

Homepage: https://med.ac/about
Signal: jmeyer.01
Work account: https://infosec.exchange/@deepfield

#TerraBot: first #DDoS botnet we've seen carrying a working exploit for CVE-2026-0073 (Critical ADB auth bypass, patched May 2026).

Every other ADB botnet needs auth disabled; this one doesn't. Comes with 30+ methods + dual APK/ELF cross-platform worming.

C2: terrabot.qzz[.]io:69
Staging: 140.233.190[.]47 (AS214209)
Hash: a532a072687f5bd6f8f4c2fb1ce899a5d3c4264453fe2e7bafc270e83661c893

#threatintel

Full technical report on the Potassium botnet, including latest campaign & C2 domains: https://github.com/deepfield/public-research/blob/main/potassium/report.md

#threatintel #DDoS

public-research/potassium/report.md at main · deepfield/public-research

DDoS botnet research and indicators of compromise from Nokia Deepfield ERT - deepfield/public-research

GitHub

I’m still completely lost with the logic of JA4+ patent licensing and its actual incompatibility with copyleft licenses. So it seems to be a patent-based license and really risky to implement if you want to keep your actual software open source.

Did someone explore alternatives to avoid this, and especially other formats which are open source friendly?

#ja4 #ja3 #jarm #cti #opensource #patent
#threatintel #cybersecurity

🔗 https://github.com/FoxIO-LLC/ja4/blob/main/License%20FAQ.md

Potassium update: the Mirai fork @synthient reported in March (https://x.com/deobfuscately/status/2033923869782712514) is still active and the operator appears to have taken up Dutch poetry. The new C2 domain is ikhebkankerinmijnrechterteelbal[.]st (would not recommend pasting that into Google Translate during standup.)

Same key material and HTTP C2 protocol as the original potassium.vitacoco...[.]st variant. 11-port random C2 rotation, spreading via ADB to Android TV boxes.

IoCs:

a87aa7995ee9996952edb323d703875812f71d08237756ab44367f10e6197c7e
6833cb4681ac69281474be2c626df06cd90bb05bec72ae697cf219a6603826c9
3f13e18e190a7fc4c795d7caa83534d2879376ce43fd1a9120f23e48639cfe85

C2: ikhebkankerinmijnrechterteelbal[.]st → byte-swapped → 45.153.34[.]245
Dropper: 92.38.186[.]44 (HTTP + netcat :25565)

#mirai #DDoS #threatintel

edit: added byte-swapped C2 value

Ben (@deobfuscately) on X

Potassium Botnet Installer: http://169[.]40[.]135[.]69/1000mgofpotassiumaday/arm7 C2: potassium[.]vitacocoyougolocobecauseyouaresodamndeliciocobarampam[.]st #ioc #hunting #mirai

X (formerly Twitter)

New report from our ERT: #Maskify.

The operator built what a Series A deck would call "decentralized edge infrastructure": ENS for service discovery, IPFS for binary distribution, a custom P2P mesh network, QUIC transport.

In practice it is a DDoS botnet running on Android TV boxes that did not opt in.

https://github.com/deepfield/public-research/blob/main/maskify/report.md

#threatintel #ddos

public-research/maskify/report.md at main · deepfield/public-research


When a botnet operator names their payload after your team, you check the diff.

libcyn.so → deepfield.so
Custom cipher → wolfSSL TLS 1.3 (same stack as earlier Kimwolf)

C2 domains, floods, targets: all unchanged.

9a28696774d9ef6754540633daeef668767df5efa1804138abd35e1a6b31523e

#drifter #threatintel #ddos

The backstory of #Kimwolf, from our initial sightings early last year to how @synthient discovered the vuln that made that botnet possible.

https://www.wsj.com/tech/kimwolf-hack-residential-proxy-networks-a712ab59?st=3eNTjx

Happy Trans Day of Visibility! 🏳️‍⚧️ The mere act of existing and being visible shouldn’t be as fraught as it is today. Let’s keep fighting to set things right.

https://en.wikipedia.org/wiki/International_Transgender_Day_of_Visibility

International Transgender Day of Visibility - Wikipedia

New, from our @deepfield ERT: found a new botnet dressing its C2 traffic as camera management.

#Drifter names its domains after Hikvision products, blending with surveillance traffic on the same VLAN as the Android TV boxes it infects. DNS queries go through an Australian resolver, which somewhat undermines the cover if your bot is in São Paulo.

71 KB binary, already linked to attacks exceeding 2 Tbps from 80k sources. At least six operators are now competing for the same devices.

https://github.com/deepfield/public-research/blob/main/drifter/report.md

#threatintel #ddos

public-research/drifter/report.md at main · deepfield/public-research


The final keynote highlight from the GÉANT #SecurityDays 2026 this April.

Alexandre Dulaunoy, Head of CIRCL, Luxembourg's national CSIRT — on how 15 years of open-source security development has shown that sharing code, knowledge and intelligence builds networks of trust between defenders.

If you haven't got your ticket yet, this week is your last chance. Secure your place before 27 March 👉 https://events.geant.org/event/1989/registrations/