Happy Trans Day of Visibility! 🏳️⚧️ The mere act of existing and being visible shouldn’t be as fraught as it is today. Let’s keep fighting to set things right.
https://en.wikipedia.org/wiki/International_Transgender_Day_of_Visibility
Security research at Nokia Deepfield (he/they).
EN/FR posts | Fan of Crocker’s Rules, art, and the Oxford comma.
| Homepage | https://med.ac/about |
| Signal | jmeyer.01 |
| Work account | https://infosec.exchange/@deepfield |
New, from our @deepfield ERT: found a new botnet dressing its C2 traffic as camera management.
#Drifter names its domains after Hikvision products, blending with surveillance traffic on the same VLAN as the Android TV boxes it infects. DNS queries go through an Australian resolver, which somewhat undermines the cover if your bot is in São Paulo.
71 KB binary, already linked to attacks exceeding 2 Tbps from 80k sources. At least six operators are now competing for the same devices.
https://github.com/deepfield/public-research/blob/main/drifter/report.md
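A detection heuristic for the cover-story mismatch described in this post, written as an added example rather than Deepfield's code or anything from the report: it flags DNS queries whose name looks like camera management but which come from a non-camera asset and go to a resolver the site never configured. The inventory, resolver allowlist, vendor hints and log lines are all constructed (no real Drifter indicators), and a per-site resolver allowlist stands in for the resolver-geolocation check the post alludes to.

```python
import ipaddress
from dataclasses import dataclass

# Constructed asset inventory: which LAN hosts are cameras vs. Android TV boxes.
INVENTORY = {
    "10.20.0.11": "hikvision-camera",
    "10.20.0.12": "hikvision-camera",
    "10.20.0.40": "android-tv",
    "10.20.0.41": "android-tv",
}

# Recursive resolvers this site expects its devices to use (constructed).
APPROVED_RESOLVERS = {ipaddress.ip_address("10.20.0.2")}

# Vendor-themed substrings that make a name look like camera management.
CAMERA_VENDOR_HINTS = ("hikvision", "hik-connect", "ezviz", "ivms")

# Constructed DNS log lines: <unix_ts> <client_ip> <resolver_ip> <qname>
SAMPLE_LOG = """\
1711900001 10.20.0.11 10.20.0.2 update.hikvision.example
1711900002 10.20.0.40 203.0.113.53 ivms-cloud.example
1711900003 10.20.0.41 10.20.0.2 play.googleapis.example
1711900004 10.20.0.41 203.0.113.53 hik-connect-sync.example
1711900005 10.20.0.12 203.0.113.53 ivms-cloud.example
"""

@dataclass(frozen=True)
class Finding:
    client_ip: str
    qname: str
    reasons: tuple

def parse_line(line):
    ts, client, resolver, qname = line.split()
    return ts, client, resolver, qname.lower()

def looks_like_camera_mgmt(qname):
    return any(hint in qname for hint in CAMERA_VENDOR_HINTS)

def assess(line, inventory=INVENTORY, approved=APPROVED_RESOLVERS):
    _, client, resolver, qname = parse_line(line)
    reasons = []
    if looks_like_camera_mgmt(qname) and not inventory.get(client, "").endswith("camera"):
        reasons.append("camera-themed qname from non-camera asset")
    if ipaddress.ip_address(resolver) not in approved:
        reasons.append("query sent to off-network resolver")
    # Only the combination reproduces the cover story: a camera-themed name
    # asked by a non-camera device through a resolver the site never set up.
    return Finding(client, qname, tuple(reasons)) if len(reasons) == 2 else None

def scan(log):
    return [f for f in (assess(l) for l in log.splitlines() if l.strip()) if f]
```

A camera querying an off-network resolver alone (last sample line) is not flagged here; in practice that is a separate, lower-severity signal worth its own rule.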
The final keynote highlight from the GÉANT #SecurityDays 2026 this April.
Alexandre Dulaunoy, Head of CIRCL, Luxembourg's national CSIRT — on how 15 years of open-source security development has shown that sharing code, knowledge and intelligence builds networks of trust between defenders.
If you haven't got your ticket yet, this week is your last chance. Secure your place before 27 March 👉 https://events.geant.org/event/1989/registrations/
RE: https://infosec.exchange/@deepfield/116284754769568339
The operator built triple-layer crypto, fast-flux DNS across 30+ ASes, biweekly C2 rotation — then shipped an unstripped debug build on port 8090, a couple of ports over from production. 300+ symbols, project name, internal module names, all right there in readelf.
Anyway here's the full writeup.
https://github.com/deepfield/public-research/blob/main/jackskid/report.md
New, from our ERT: #CECbot, an Android TV botnet and the first malware we're aware of that exploits HDMI-CEC.
It puts the TV to sleep so you don't notice the box behind it is running DDoS and residential proxy traffic. Curve25519/ChaCha20 crypto, 9 persistence layers, and... LAN mapping.
Successor to a Mirai fork, shares not much but the C2 server.
https://github.com/deepfield/public-research/blob/main/cecbot/report.md
Yesterday, the U.S. Department of Justice announced a coordinated international operation to disrupt four of the world's largest IoT DDoS botnets — Aisuru, Kimwolf, Jackskid, and Mossad — responsible for record-breaking attacks reaching approximately 30 Tbps.
Together, these botnets had hijacked over three million devices worldwide and launched hundreds of thousands of DDoS attacks against victims across the globe.
This was a massive collaborative effort involving law enforcement agencies in the U.S., Canada, and Europe, alongside many private-sector partners. We're proud that Nokia was among the companies that contributed — our Deepfield Emergency Response Team helped map botnet infrastructure and supported the takedown efforts.
Full DOJ press release: https://www.justice.gov/usao-ak/pr/authorities-disrupt-worlds-largest-iot-ddos-botnets-responsible-record-breaking-attacks
One custom RC4 seed led us to four botnets, five C2 channels, and a developer who shipped their Windows username and Cursor IDE logs with their malware.
Equal parts cryptography, thread-pulling, and easter eggs.
https://github.com/deepfield/public-research/blob/main/reports/2026-03-20-aisuru-ecosystem.md
#threatintel #Aisuru #kimwolf #jackskid #mossadproxy #cecilio