Cybersecurity practice — Singapore. Tallinn.
Reports and briefs from the line where digital infrastructures meet their adversaries.
OHIIHO Website: https://ohiiho.com
OHIIHO Research: https://research.ohiiho.com

🆕 New report from OHIIHO Research

Watcher-NetAI / skn — a Linux SSH botnet observed on two of our honeypot meshes. 10 MB Go scanner with intact DWARF: source tree, module name, capability map, all visible. The loader is hardened; the scanner is not.

→ Stage-2 C2 on connexionlost{net,zip} → 194[.]5[.]97[.]46

→ Non-root systemd-user persistence (hunting blind spot)

→ Ships YARA + 4 Sigma rules + 34 IOCs + KQL queries

Full report (Part 1/2):
https://research.ohiiho.com/reports/2026-05-watcher-netai-skn/

SOC brief (Part 2/2):
https://research.ohiiho.com/reports/2026-05-watcher-netai-skn-brief/

#ThreatIntel #Linux #SSH #Botnet #DetectionEngineering

In Feb 2026, @esentire flagged Prometei on Windows.

In April our honeypots caught the same campaign on Linux — same C2, same Tor onion. And the Linux ELF pivots BACK to Windows via WinRM SOAP, Redis SLAVEOF, SMBv1/MS17-010-era material.

A 16-char constant lives in BOTH rdpcIip.exe (Win) and zsvc (Linux). Shared toolkit lineage, two OSes.

📑 1/2 the Linux side:
https://research.ohiiho.com/reports/2026-05-prometei-asia-c2-linux-side/

📑 2/2 the Windows arsenal and the back-pivot:
https://research.ohiiho.com/reports/2026-05-prometei-cross-platform-pivot/

#Prometei #ThreatIntel #DFIR

Part 3 — defender's playbook: indicators in three confidence tiers, YARA on the 48-byte prefix, three Sigma rules, hunting queries, reproducible timeline, plus context on adjacent campaigns (Multiverze sshd backdoor, updated Diicot/Opera, Mirai-derived sshscan kits) observed on the same target from unrelated source IPs.

https://research.ohiiho.com/reports/2026-05-sorry-worm-playbook/

Adjacent campaigns and a defender's playbook [3/3]

Adjacent SSH brute-force campaigns observed alongside Sorry-worm: Multiverze sshd backdoor, Diicot/Opera updated 2026 build, Mirai-derived sshscan kit. Indicators in three confidence tiers, YARA and Sigma rules, hunting queries, a reproducible activity timeline, and defensive recommendations.

OHIIHO Research

Part 2 — binary analysis: Go ELF static stripped, AES-CBC + RSA-2048 hardcoded, TOX/qtox ransom channel with taobao.com fallback, 48-byte OpenPGP-mimicking prefix on encrypted files, victim-ID = UNIX nanosecond timestamp.

https://research.ohiiho.com/reports/2026-05-sorry-worm-anatomy/

Inside Sorry-worm: anatomy of a Go ransomware-worm hybrid [2/3]

Binary-level analysis of Sorry-worm: hardcoded RSA-2048 attribution-stable indicator, AES-CBC encryption pipeline, 48-byte fixed prefix on encrypted files, UNIX-nanosecond victim ID, embedded SSH wordlist, and the layered SSH scan that runs concurrently with encryption. The single most important property: encryption and SSH propagation occur concurrently in the same process.

OHIIHO Research

We've been tracking a previously undocumented Linux ransomware-worm hybrid we're calling Sorry-worm.

It encrypts while it scans — local AES-CBC encryption running concurrently with layered SSH target enumeration in the same binary, in the same process. Caught propagating in the wild from two unrelated SSH relays within 8h of first public sandbox submission.

3-part technical report (sample analysis, IOCs, YARA, Sigma, hunting queries, defensive recommendations):

https://research.ohiiho.com/reports/2026-05-catching-sorry-worm/

#DFIR #ThreatIntel #Linux #Ransomware #Malware #infosec

Catching Sorry-worm in the wild [1/3]

A previously undocumented Linux ransomware-worm hybrid, propagating from compromised SSH relays approximately 8 hours after the sample’s first public sandbox submission. Two independent propagation events from unrelated IPs, separated by ~7 hours, more consistent with autonomous worm-style propagation than a single hands-on session.

OHIIHO Research