#TerraBot: first #DDoS botnet we've seen carrying a working exploit for CVE-2026-0073 (Critical ADB auth bypass, patched May 2026).

Every other ADB botnet needs auth disabled; this one doesn't. Comes with 30+ methods + dual APK/ELF cross-platform worming.

C2: terrabot.qzz[.]io:69
Staging: 140.233.190[.]47 (AS214209)
hash: a532a072687f5bd6f8f4c2fb1ce899a5d3c4264453fe2e7bafc270e83661c893

#threatintel

I’m still completely lost with logic of JA4+ patent licensing and actual incompatibility with the copyleft-license. So it seems to be a patent-based license and really risky to implement if you want to keep your actual software open source.

Did someone explore alternatives to avoid this? and especially other format which are open source friendly?

#ja4 #ja3 #jarm #cti #opensource #patent #cti
#threatintel #cybersecurity

🔗 https://github.com/FoxIO-LLC/ja4/blob/main/License%20FAQ.md

Potassium update: the Mirai fork @synthient reported in March (https://x.com/deobfuscately/status/2033923869782712514) is still active and the operator appears to have taken up Dutch poetry. The new C2 domain is ikhebkankerinmijnrechterteelbal[.]st (would not recommend pasting that into Google Translate during standup.)

Same key material and HTTP C2 protocol as the original potassium.vitacoco...[.]st variant. 11-port random C2 rotation, spreading via ADB to Android TV boxes.

IoCs:

a87aa7995ee9996952edb323d703875812f71d08237756ab44367f10e6197c7e
6833cb4681ac69281474be2c626df06cd90bb05bec72ae697cf219a6603826c9
3f13e18e190a7fc4c795d7caa83534d2879376ce43fd1a9120f23e48639cfe85

C2: ikhebkankerinmijnrechterteelbal[.]st → byte-swapped → 45.153.34[.]245
Dropper: 92.38.186[.]44 (HTTP + netcat :25565)

#mirai #DDoS #threatintel

edit: added byte-swapped C2 value