Skip to content

The 6.98 Second Hand-off: Tracking a Mirai-Family Botnet Across Five Nodes!

When one attacker IP fell silent after an 88-second assault on our honeypot, another picked up the exact same exploit chain; 6.98 seconds later. That near-seamless hand-off was the thread that unraveled the whole operation: 1,450 events, five source IPs, and a single autonomous system quietly running a Mirai-family botnet loader. Here's what the telemetry revealed about how modern IoT botnets shard their scanning and task their nodes.

J
Jonathan Williams
The 6.98 Second Hand-off: Tracking a Mirai-Family Botnet Across Five Nodes!

Coordinated Multi-Source IoT/Router Exploitation Campaign Against CDIC Honeypot Sensor MTS-Web-Server1

Field Value
Report ID CDIC-CTI-2026-0710-01
Date of Report 10 July 2026
Reporting Period 2026-07-08 09:46 UTC — 2026-07-10 12:08 UTC
Data Sources Suricata (EVE: http, alert, fileinfo, anomaly), Dionaea, Honeytrap
Event Volume 1,450 events across 5 attacker source IPs
Threat Type Automated IoT/SOHO router exploitation — Mirai-family botnet propagation (assessed)
Prepared By CDIC Threat Intelligence — Incident Response & CTI Analysis

1. Executive Summary

Between 8 and 10 July 2026, CDIC honeypot sensor recorded 1,450 events originating from five source IP addresses, all announced by a single autonomous system — AS197170 (TechTies Inc., Netherlands); a small hosting network whose address space is heavily represented in public abuse-reporting datasets. Three of the five source addresses carried a pre-existing “known attacker” reputation tag at time of collection.

The activity is assessed as automated, coordinated exploitation of consumer IoT and SOHO router vulnerabilities, consistent in tooling and targeting with Mirai-family botnet propagation (moderate confidence). Attackers issued high-volume HTTP exploitation traffic against alternate web ports 81, 8080, 8081, and 8088, triggering Suricata signatures for four distinct device-class exploits: D-Link HNAP1 buffer overflow (CVE-2022-37055), Linksys E-Series remote command execution (TheMoon-style tmUnblock.cgi abuse), Comtrend VR-3033 command injection (CVE-2020-10173), and ZTE cable modem RCE (CVE-2014-2321).

The strongest coordination indicator observed is a hand-off event on 8 July at 23:33 UTC: source 85.11.167.203 delivered a 199-event burst against port 81 in 88 seconds, ceasing at 23:33:48; source 45.153.34.252 initiated identical port-81 exploitation 6.98 seconds later. Combined with shared ASN, identical exploit sets, and complementary port allocation across sources, this indicates centrally tasked infrastructure rather than independent opportunistic scanners.

No honeypot compromise occurred and no credentials were harvested (the activity was exploit-based, not credential-based). 180 Suricata fileinfo events confirm HTTP file/body transfer attempts consistent with first-stage payload delivery within exploit requests. Recommended actions: block AS197170 prefixes at the perimeter, deploy/verify the listed ET signatures in production IDS, and feed the five source IPs plus associated context into the CDIC MISP instance as a linked event cluster.


2. Key Findings

  • Single-operator infrastructure: all five source IPs resolve to AS197170 (TechTies Inc., NL, Eygelshoven). The 45.153.34.0/24 range contributed three of the five sources; sibling addresses in this prefix have thousands of AbuseIPDB reports at 100% abuse confidence.
  • Coordinated tasking: a 6.98-second gap between the final event of 85.11.167.203 and the first event of 45.153.34.252, both targeting port 81 with the same exploit set, indicates automated hand-off between nodes.
  • Port specialization: each node was assigned a primary port lane — 81, 8080, 8081, or 8088 — with two nodes rotating across two lanes each. This is characteristic of distributed scanning frameworks that shard target/port space across worker nodes.
  • Burst-and-return cadence: the 45.153.34.0/24 nodes operated in discrete bursts of 80–280 events separated by roughly 11–24 hour dwell periods, returning to the same target — behavior typical of botnet loader/scanner rotation rather than one-shot mass scanning.
  • Multi-vendor IoT exploit chain: four exploit families spanning D-Link, Linksys, Comtrend, and ZTE devices were fired indiscriminately at generic web ports — a spray pattern used by Mirai-family loaders to maximize infection yield across heterogeneous edge devices.
  • Payload delivery attempts observed: 180 fileinfo events across all five sources confirm HTTP bodies/files transferred during exploitation attempts, consistent with embedded downloader commands (e.g., wget/curl shell one-liners typical of Mirai loaders).

3. Sensor and Collection Context

All telemetry originates from CDIC sensors, Internal container addresses 192.168.96.2 and 172.25.0.2 appear as NAT-translated destinations in a subset of events and refer to the same sensor. Contributing honeypot/IDS components for this event set:

Component Role in This Dataset
Suricata 1,131 events — HTTP transaction logging (700), protocol anomaly detection (204), file transfer extraction (183), and 44 exploit/stream alerts including all CVE-tagged detections.
Dionaea 274 connection events, exclusively on port 81 — capturing the raw TCP sessions behind the port-81 exploitation lane.
Honeytrap 45 connection events, primarily port 8088 — dynamic capture of the non-standard port lane used by 45.153.34.231.

4. Attack Narrative and Timeline

4.1 Phase 1 — Initial probing and 8080 lane (8 July, 09:46–17:01 UTC)

45.156.87.213 opened the campaign with a 7-hour, 230-event engagement against port 8080, delivered in three bursts (09:46, 16:xx, 17:01). This node fired the widest exploit set of any source — all four exploit families — and generated 46 fileinfo events, indicating repeated payload-bearing requests. A single Honeytrap event on ephemeral port 40372 suggests an incidental secondary probe. Concurrently, 45.153.34.231 began a 115-event burst at 11:00 UTC split across ports 8080 and 8088.

4.2 Phase 2 — Port 81 hand-off (8 July, 23:32–23:34 UTC)

85.11.167.203 executed the most aggressive action of the campaign: 199 events in 88 seconds (roughly 2.3 events/second) against port 81, blending Dionaea-captured TCP sessions with Suricata HTTP transactions and Linksys/D-Link exploit alerts. The burst terminated at 23:33:48 UTC. At 23:33:55 UTC — 6.98 seconds later45.153.34.252 commenced sustained port-81 exploitation with an identical signature profile, ultimately logging 415 events across three return visits through 10 July 08:04 UTC. The near-seamless transition between two distinct source addresses on the same port lane with the same exploit set is assessed as automated tasking hand-off within a common command infrastructure.

4.3 Phase 3 — Sustained rotation (9–10 July)

45.153.34.231 returned at 10:xx UTC on 9 July (172 events) and again at 12:08 UTC on 10 July (109 events), maintaining the 8080/8088 lanes. 45.153.34.195 joined on 9 July at 17:43 UTC, working ports 81 and 8080 across two bursts (86 and 123 events) ending 10 July 04:46 UTC. 45.153.34.252 delivered its largest burst (197 events, port 81/8081) at 20:xx UTC on 9 July. Activity was ongoing at collection cut-off (10 July 12:08 UTC); the campaign should be considered active.


5. Exploitation Analysis

Suricata alerting resolved four exploit families, all targeting consumer/SOHO edge devices. All were fired against generic alternate web ports rather than vendor-default management ports, confirming an indiscriminate spray methodology.

Signature / Exploit CVE Alerts Target Device Class
ET EXPLOIT Linksys E-Series Device RCE Attempt (tmUnblock.cgi ttcp_ip command injection — TheMoon worm lineage) 18 Linksys E-Series routers
ET WEB_SPECIFIC_APPS D-Link HNAP1 GetDeviceSettings Buffer Overflow Attempt CVE-2022-37055 12 D-Link GO-RT-AC750 / HNAP1 routers
ET EXPLOIT Possible Authenticated Command Injection Inbound — Comtrend VR-3033 CVE-2020-10173 3 Comtrend VR-3033 gateways
ET EXPLOIT ZTE Cable Modem RCE Attempt (web_shell_cmd.gch) CVE-2014-2321 2 ZTE F460/F660 cable modems
SURICATA STREAM anomalies (invalid timestamp / spurious retransmission) 9 Scanner TCP-stack artifacts

The exploit portfolio is notable for its age spread — CVE-2014-2321 through CVE-2022-37055 — which is a hallmark of Mirai-derivative loader kits that accumulate exploit modules over successive forks rather than curating current-generation vulnerabilities. The Linksys tmUnblock.cgi technique in particular has been continuously recycled from TheMoon (2014) through modern Mirai/Moobot variants. The 204 Suricata anomaly events and stream irregularities (invalid timestamps, spurious retransmissions) further indicate a lightweight custom TCP scanner rather than a full OS network stack — again consistent with Mirai-family propagation modules.


6. Attribution Assessment

Assessment: this activity represents a single coordinated campaign operated from abuse-tolerant hosting, functioning as propagation/loader infrastructure for a Mirai-family IoT botnet (moderate confidence). Confidence is bounded because full HTTP payloads (URIs, user-agents, downloader commands) were not present in this export; recovery of the loader URL or binary would permit family-level attribution (e.g., Moobot, Condi, Gafgyt derivative).

Supporting evidence:

  • Single ASN of origin (AS197170) across all five sources, with three sources in one /24 (45.153.34.0/24).
  • Sub-7-second port-81 tasking hand-off between 85.11.167.203 and 45.153.34.252.
  • Identical exploit signature sets across sources, with complementary (non-overlapping) port-lane assignments.
  • Multi-vendor IoT exploit spray at wire speed (up to 2.3 events/sec) with TCP-stack anomalies indicating custom scanning tooling.
  • Pre-existing “known attacker” reputation on 45.153.34.195, 45.153.34.231, and 85.11.167.203; heavy public abuse reporting across the wider 45.153.34.0/24 prefix.

Alternative hypotheses considered: (1) independent opportunistic scanners coincidentally sharing an abuse-friendly host — rejected due to the hand-off timing and complementary port sharding; (2) commercial/security research scanning — rejected due to active exploitation payloads, reputation history, and absence of identifying scanner conventions.


7. MITRE ATT&CK Mapping

Tactic Technique Observed Behavior
Reconnaissance T1595.002 — Active Scanning: Vulnerability Scanning High-rate probing of ports 81/8080/8081/8088 with exploit-laden requests across five distributed nodes.
Resource Development T1583.003 / T1584.005 — Acquire Infrastructure: VPS; Compromise Infrastructure: Botnet Attack nodes staged in abuse-tolerant NL hosting (AS197170); campaign purpose is botnet expansion.
Initial Access T1190 — Exploit Public-Facing Application HNAP1 buffer overflow (CVE-2022-37055), Comtrend command injection (CVE-2020-10173), ZTE web_shell_cmd.gch RCE (CVE-2014-2321), Linksys tmUnblock.cgi RCE.
Execution T1059.004 — Command and Scripting Interpreter: Unix Shell Exploits carry embedded shell command injection; 180 fileinfo events evidence payload-bearing HTTP bodies (attempted stage-1 downloader delivery).
Command and Control T1105 — Ingress Tool Transfer (attempted) File transfer attempts within exploit traffic consistent with malware retrieval one-liners; no successful retrieval on sensor.

8. Indicators of Compromise

8.1 Network Indicators

Indicator Type Ports Targeted Events Reputation / Notes
45.153.34.195 IPv4 81, 8080 209 Known attacker (feed-tagged)
45.153.34.231 IPv4 8080, 8088 397 Known attacker (feed-tagged)
45.153.34.252 IPv4 81, 8081 415 Port-81 hand-off recipient
45.156.87.213 IPv4 8080 230 Campaign initiator; widest exploit set
85.11.167.203 IPv4 81 199 Known attacker; 88-second burst node
45.153.34.0/24 CIDR Prefix-level block candidate (AS197170)
AS197170 ASN TechTies Inc., NL — abuse-tolerant hosting

8.2 Detection Content (Suricata / ET)

  • ET WEB_SPECIFIC_APPS D-Link HNAP1 GetDeviceSettings Buffer Overflow Attempt (CVE-2022-37055)
  • ET EXPLOIT Linksys E-Series Device RCE Attempt
  • ET EXPLOIT Possible Authenticated Command Injection Inbound - Comtrend VR-3033 (CVE-2020-10173)
  • ET EXPLOIT ZTE Cable Modem RCE Attempt (CVE-2014-2321)

9. Defensive Recommendations

  • Perimeter blocking: deny 45.153.34.0/24 and the four individual non-prefix IPs at edge firewalls; evaluate ASN-level blocking of AS197170 for environments with no legitimate NL hosting dependencies.
  • IDS coverage validation: confirm the four ET signatures above are enabled and alerting in production Suricata deployments; the CVE-2022-37055 rule fired most consistently and is the highest-value canary for this campaign.
  • Attack surface review: audit internet-facing assets for services on ports 81, 8080, 8081, and 8088; these lanes are being actively swept. No consumer router management interface should be internet-exposed.
  • MISP ingestion: publish the five source IPs, the /24 prefix, ASN context, CVE tags, and the hand-off relationship as a single linked MISP event (suggested tags: tlp:amber, mirai-family, iot-botnet, AS197170) to preserve the coordination context for future pivots.
  • Continued monitoring: the campaign was active at collection cut-off. Recommend a 14-day watch on AS197170-sourced traffic across all CDIC sensors and a follow-up pull for full Suricata HTTP records (URI, user-agent, request body) to recover the loader URL and enable family-level attribution.
  • Threat hunting pivot: HASSH/JA3 and payload-hash pivots are not possible from this export; if PCAP retention on MTS-Web-Server1 covers 8–10 July, extract the port-81 sessions from the 23:32–23:34 UTC window (85.11.167.203) as the highest-density sample.

Appendix A — Per-Source Event Statistics

Source IP Events HTTP Txns File Transfers Anomalies Active Window (UTC)
45.156.87.213 230 93 46 75 07-08 09:46 → 17:01
45.153.34.231 397 160 80 99 07-08 10:59 → 07-10 12:08
85.11.167.203 199 90 13 0 07-08 23:32 → 23:33 (88s)
45.153.34.252 415 203 25 0 07-08 23:33 → 07-10 08:04
45.153.34.195 209 154 19 30 07-09 17:43 → 07-10 04:46