high | IoT
Published March 13, 2026

We Turned 54 Attackers Into Targets: Inside a Honeypot Counter-Intelligence Operation

#botnet #c2 #exploit #iot #apt

On March 13, a server sitting quietly on DigitalOcean at 68.183.52.163 caught something interesting. A request came in from 192.159.99.113 with a misspelled User-Agent -- "Mozila/5.0" -- carrying an IoT camera exploit and a uid=1 cookie. That request pointed our autonomous OSINT agent, GHOST, toward a live Mirai command-and-control server at 83.142.209.47 that was actively distributing malware to fourteen CPU architectures. The dropper was still serving HTTP 200 at the time of analysis.

That was one of 579 events from 54 unique attackers. GHOST investigated every single one of them.

TL;DR

We ran a honeypot with six service emulators (HTTP, MySQL, PostgreSQL, Telnet, FTP, SMTP) and captured 579 events from 54 unique IPs. Our autonomous AI agent GHOST -- armed with Shodan, ThreatFox, WHOIS, DNS, and direct probing -- turned every attacker into an investigation subject. The highlights: a confirmed Mirai C2 with a live multi-architecture dropper, a Russian database exfil operator with ClickHouse pre-positioned on the same host, a freshly registered shell company leaking MySQL client metadata, an Azure VM hunting webshells across 103 paths, and an attacker running catastrophically exposed XAMPP infrastructure while brute-forcing our PostgreSQL. Multiple attackers were more vulnerable than the honeypot they were attacking.

The Mirai C2: Live Dropper, 14 Architectures, Zero Subtlety

The centerpiece finding is 83.142.209.47, hosted on DEMENIN B.V. (AS205759) -- a Ukraine-allocated block running through Dutch infrastructure. ThreatFox had already flagged it as botnet_cc/Mirai with 100% confidence, reported on 2026-03-03. But we wanted to see what it was serving.

At http://83.142.209.47/x, GHOST pulled down a 1.3KB shell script (x.sh) that functions as a multi-architecture dropper. The script detects the host CPU and downloads the corresponding ELF binary for one of fourteen architectures: x86_64, i686, ARM v5/v6/v7, aarch64, MIPS big-endian and little-endian, MIPS64 big-endian and little-endian, PPC64 big-endian and little-endian, s390x, and RISC-V. That is comprehensive coverage -- from consumer routers to enterprise mainframes.

The binary names are designed to masquerade as legitimate Linux kernel threads:

  • ethd0, kworker0, mdsync1, kswapd1
  • ip6addrd, kintegrity0, biosd0, devfreqd0
  • kpsmoused0, ttmswapd, vredisd0, kvmirqd

Each one looks like something ps aux would show on a healthy system. The dropper tries nine writable directories starting with /dev/shm and hides the binary as a dotfile. If you are only looking for suspicious process names in your IoT fleet, you will not find these.
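To turn that observation into a hunt on a Linux or embedded host, here is an added example (not part of the original post and not GHOST's code): it walks /proc and flags any process whose name looks like a kernel thread but is actually backed by an executable, in particular one running from /dev/shm or hidden as a dotfile, the two tells described above. The name stems and the list of volatile directories are assumptions chosen for illustration.

```python
import os
import re

# A genuine kernel thread has no /proc/<pid>/exe target and an empty cmdline, so a
# process with a kernel-ish name that IS backed by a binary deserves a second look.
# Stems: real kernel thread names plus the dropper names quoted above (assumed list).
KTHREAD_LIKE = re.compile(
    r"^(k?worker|kswapd|ksoftirq|kthread|migration|rcu_|kintegrity|kpsmouse|"
    r"kvmirq|ethd|mdsync|ip6addr|biosd|devfreq|ttmswap|vredis)")
# Volatile or world-writable locations a legitimate daemon never executes from.
SUSPECT_DIRS = ("/dev/", "/tmp/", "/var/tmp/", "/run/", "/var/run/")

def suspicious(comm, cmdline, exe):
    """comm = /proc/<pid>/comm, cmdline = argv list, exe = readlink(/proc/<pid>/exe) or None.
    Returns the reasons the process looks like a masquerader; an empty list means normal."""
    if exe is None:
        return []                       # no binary: real kernel thread (or a zombie)
    reasons = []
    argv0 = os.path.basename(cmdline[0]) if cmdline else ""
    if KTHREAD_LIKE.match(comm) or KTHREAD_LIKE.match(argv0):
        reasons.append(f"kernel-thread-like name {comm!r} backed by {exe}")
    if exe.startswith(SUSPECT_DIRS):
        reasons.append(f"executes from volatile path {exe}")
    if os.path.basename(exe).startswith("."):
        reasons.append("binary hidden as a dotfile")
    if exe.endswith(" (deleted)"):
        reasons.append("binary unlinked after exec")
    return reasons

def scan_proc(root="/proc"):
    """Walk procfs and return {pid: reasons} for every process that looks suspicious."""
    hits = {}
    for entry in os.listdir(root):
        if not entry.isdigit():
            continue
        base = os.path.join(root, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
            try:
                exe = os.readlink(os.path.join(base, "exe"))
            except OSError:
                exe = None              # kernel threads (and zombies) have no exe link
        except OSError:
            continue                    # process exited while we were reading it
        if reasons := suspicious(comm, argv, exe):
            hits[int(entry)] = reasons
    return hits
```

Run `scan_proc()` as root so that `/proc/<pid>/exe` is readable for every process; unprivileged runs silently classify other users' processes as kernel threads.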

The delivery vector was a SOSTREMAX DVR/camera RCE exploit arriving from 192.159.99.113, funneled through the C2 at 83.142.209.47. That C2 server itself runs Apache 2.4.6 on CentOS -- an end-of-life configuration carrying over 100 known CVEs. The operator built a botnet recruitment pipeline on infrastructure that would fail its own scan.

Meowcore Softworks: A Shell Company With Shell Access

Three IPs from the 64.89.163.0/24 subnet -- .91, .154, and .168 -- hit our MySQL emulator in a coordinated pattern, all authenticating as root. Shodan tags them as "scanner." The block is registered to Meowcore Softworks LLC, a company incorporated on 2026-01-14 -- less than two months before this scan.

The parent entity, "Netiface America Inc," lists its address as 124 City Road, London EC1V 2NX. If you work in threat intelligence, you have seen this address before. It is a virtual office used as a registration front by dozens of entities linked to cybercrime infrastructure. The company exists on paper to give scanning infrastructure a veneer of legitimacy.

Their OPSEC failure was in the MySQL handshake. The connection metadata leaked _client_name=libmariadb, _pid=110027, and _server_host=68.183.52.163. They told our honeypot exactly what client library they were using, the process ID on their scanning host, and confirmed our honeypot's IP in their own session variables. Meanwhile, .168 has RDP exposed on port 3389 -- likely their control plane, accessible to anyone who cares to look.
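To show what that leak looks like on the wire, the following added example (not from the post and not GHOST's code) parses the connection attributes a client embeds in its MySQL HandshakeResponse41 packet, which is where a honeypot emulator reads _client_name and friends. The sample packet is constructed here; the attribute values are the ones quoted above.

```python
CLIENT_CONNECT_WITH_DB, CLIENT_PROTOCOL_41, CLIENT_SECURE_CONNECTION = 0x08, 0x200, 0x8000
CLIENT_PLUGIN_AUTH, CLIENT_CONNECT_ATTRS, CLIENT_AUTH_LENENC = 0x80000, 0x100000, 0x200000

def read_lenenc_int(buf, pos):  # MySQL length-encoded integer -> (value, new_pos)
    first = buf[pos]
    if first < 0xFB:
        return first, pos + 1
    width = {0xFC: 2, 0xFD: 3, 0xFE: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width

def read_nul_str(buf, pos):  # NUL-terminated string -> (text, new_pos)
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode(), end + 1

def parse_handshake_response(payload):
    """HandshakeResponse41 payload (4-byte packet header removed) -> {'user', 'attrs'}."""
    caps = int.from_bytes(payload[:4], "little")
    pos = 4 + 4 + 1 + 23                          # caps, max packet size, charset, reserved
    user, pos = read_nul_str(payload, pos)
    if caps & CLIENT_AUTH_LENENC:                 # auth response: lenenc length prefix
        auth_len, pos = read_lenenc_int(payload, pos)
    elif caps & CLIENT_SECURE_CONNECTION:         # ... or 1-byte length prefix
        auth_len, pos = payload[pos], pos + 1
    else:                                         # ... or legacy NUL-terminated scramble
        auth_len = payload.index(b"\x00", pos) - pos + 1
    pos += auth_len                               # skip the auth bytes, never store them
    if caps & CLIENT_CONNECT_WITH_DB:
        _db, pos = read_nul_str(payload, pos)
    if caps & CLIENT_PLUGIN_AUTH:
        _plugin, pos = read_nul_str(payload, pos)
    attrs = {}
    if caps & CLIENT_CONNECT_ATTRS:
        total, pos = read_lenenc_int(payload, pos)
        end = pos + total
        while pos < end:                          # repeated (lenenc key, lenenc value)
            klen, pos = read_lenenc_int(payload, pos)
            key, pos = payload[pos:pos + klen].decode(), pos + klen
            vlen, pos = read_lenenc_int(payload, pos)
            attrs[key], pos = payload[pos:pos + vlen].decode(), pos + vlen
    return {"user": user, "attrs": attrs}

# Constructed sample packet; the attribute values are the ones the post says leaked.
def lenenc_str(s):  # encoder used only to build the sample; short strings (< 0xFB)
    return bytes([len(s)]) + s
_ATTRS = b"".join(lenenc_str(k) + lenenc_str(v) for k, v in (
    (b"_client_name", b"libmariadb"), (b"_pid", b"110027"), (b"_server_host", b"68.183.52.163")))
FLAGS = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH | CLIENT_CONNECT_ATTRS
SAMPLE_PAYLOAD = (FLAGS.to_bytes(4, "little") + (1 << 24).to_bytes(4, "little") + bytes([45])
                  + b"\x00" * 23 + b"root\x00" + b"\x00" + b"mysql_native_password\x00"
                  + lenenc_str(_ATTRS))           # user, empty password, auth plugin, attrs
```

Every attribute the parser returns was volunteered by the client; a defender auditing their own scanners or tooling can use the same parse on a pcap to see what they broadcast to every server they touch.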

The Four-Second Database Thief

93.177.117.179 connected to our MySQL emulator, authenticated as root with no password, ran SHOW DATABASES, enumerated table sizes, and disconnected. The entire session took four seconds. This is automated exfiltration reconnaissance -- mapping what is worth stealing before coming back for the data.

GHOST traced the IP to Baykov Ilya Sergeevich at Ugreshskaya st 2c147, Moscow 115088, through RIPE WHOIS. The host runs on fortis.host / ib.systems infrastructure. The subnet was created on 2026-02-13 -- brand new allocation.

Here is the part that matters: the same host runs ClickHouse on port 9000. ClickHouse is a columnar database engine optimized for ingesting massive volumes of structured data at high speed. It is the perfect exfiltration destination. The operator has their collection infrastructure co-located on the same machine that does the reconnaissance. Connect, enumerate, disconnect, come back later with an INSERT statement.

The mnt-ref field in the WHOIS record points to MNT-DGTL, which links to the DGTLS-MNT bulletproof hosting cluster -- the same infrastructure we documented in our BrowserWare ClickFix investigation. This is not an isolated actor. This is infrastructure reuse across campaigns.

Azure VM Hunting Webshells on WordPress

4.204.200.32, a Microsoft Azure virtual machine, fired 309 HTTP requests at our honeypot targeting 103 unique webshell paths. This is not exploitation -- it is post-exploitation reconnaissance. The scanner is hunting for WordPress installations that have already been compromised by someone else, looking to piggyback on existing access.

The shell families targeted: ALFA, WSO, r57, c99, b374k, DomainX, plus WordPress-specific paths. One path stood out: /.well-known/wp-login.php -- abusing the Let's Encrypt ACME challenge directory as a webshell hiding spot. That is a clever choice. Most administrators never look inside .well-known after certificate issuance.

The XAMPP Catastrophe: Attacking Us While Fully Exposed

149.129.223.200, an Alibaba Cloud instance in Jakarta, was brute-forcing our PostgreSQL emulator with postgres:admin credentials. GHOST did what GHOST does -- it investigated the attacker.

What it found was a Windows Server 2016 box running XAMPP with phpMyAdmin 4.9.0.1 exposed to the internet. The phpMyAdmin configuration uses auth_type:config with root access -- meaning anyone can connect to the database without authentication. RDP is open on port 3389. PHP 7.3.7 is end-of-life. Shodan reports over 130 known CVEs on this host. The hostname is IZ0NUGQO0X8Y59Z, which has the hallmark of an auto-generated cloud instance name that was never properly configured.

This machine is more vulnerable than anything it could hope to compromise. It is simultaneously an attacker and a victim, and it probably does not know it is either.

The .env Hunter Who Needs a Patch

78.153.140.148, registered to HOSTGLOBAL.PLUS and operated by Aleksei Efimov, was crawling our HTTP emulator looking for exposed .env files -- the kind that contain database credentials, API keys, and cloud secrets. It is a common and effective technique. Thousands of production applications accidentally expose .env files through misconfigured web roots.

GHOST scanned the attacker back and found it vulnerable to CVE-2024-6387, also known as regreSSHion -- a critical unauthenticated remote code execution vulnerability in OpenSSH. The machine hunting for your secrets has a front door that anyone can walk through.

Everything Else

The remaining traffic painted a familiar picture of internet background radiation:

  • Apache Path Traversal (CVE-2021-41773): 94.72.124.104 (Contabo) and 20.77.134.145 (Azure) sent double-encoded directory traversal payloads attempting to read /etc/passwd through Apache's path normalization bug.
  • Telnet IoT Scanners: 177.21.27.233 (Brazil) and 119.237.27.185 (Hong Kong) each produced 20 events with rapid credential cycling -- standard botnet recruitment behavior.
  • Git Credential Thief: 45.144.212.97 requested /.git/credentials -- looking for repositories where developers accidentally committed authentication tokens.
  • Bulletproof K8s Scanner: 94.102.49.155 (IP Volume, Seychelles) runs a Kubernetes cluster with Istio service mesh, mass-scanning MySQL port 3306. Enterprise-grade scanning infrastructure operated from a jurisdiction that does not respond to abuse reports.
  • Shadowserver (benign): 64.62.156.152 conducted legitimate SMTP probing as part of their internet security research mission. Not every scanner is hostile.
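As an added example that is not part of the original post, the following classifier runs the behaviours described in the webshell-hunting section and in the list above (shell-family paths, .well-known abuse, .env and .git/credentials requests, double-encoded traversal) over a handful of constructed Apache-style log lines. The regexes and tag names are illustrative assumptions; the source IPs are those named in the post.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Webshell families named in the post, secrets files, and traversal markers (assumed patterns).
SHELL_FAMILIES = re.compile(r"(alfa|wso|r57|c99|b374k|domainx)", re.I)
SECRETS = re.compile(r"/\.(env|git/(credentials|config))(\W|$)")
TRAVERSAL = re.compile(r"(\.\./|/etc/passwd)")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')

def classify_path(raw_path):
    """Return the set of behaviour tags for one request path."""
    tags = set()
    once = unquote(raw_path)
    path = unquote(once)          # CVE-2021-41773-style payloads arrive double-encoded
    if TRAVERSAL.search(path):
        tags.add("path-traversal")
        if path != once:
            tags.add("double-encoded")
    if SECRETS.search(path):
        tags.add("secrets-file-hunt")
    if path.endswith(".php") and (SHELL_FAMILIES.search(path) or "/.well-known/" in path):
        tags.add("webshell-hunt")  # the ACME challenge directory should never hold PHP
    return tags

def summarise(log_lines):
    """Per source IP: sorted tags seen and count of distinct paths (many paths = a sweep)."""
    per_ip = defaultdict(lambda: {"tags": set(), "paths": set()})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                # not a request line we understand; skip it
        per_ip[m["ip"]]["tags"] |= classify_path(m["path"])
        per_ip[m["ip"]]["paths"].add(m["path"])
    return {ip: {"tags": sorted(v["tags"]), "distinct_paths": len(v["paths"])}
            for ip, v in per_ip.items()}

# Constructed sample lines in Apache combined-log form; the IPs are those named in the post.
SAMPLE_LOG = [
    '4.204.200.32 - - [13/Mar/2026:10:00:01 +0000] "GET /wp-content/uploads/alfa.php HTTP/1.1" 404 0',
    '4.204.200.32 - - [13/Mar/2026:10:00:02 +0000] "GET /.well-known/wp-login.php HTTP/1.1" 404 0',
    '78.153.140.148 - - [13/Mar/2026:10:01:00 +0000] "GET /.env HTTP/1.1" 404 0',
    '45.144.212.97 - - [13/Mar/2026:10:02:00 +0000] "GET /.git/credentials HTTP/1.1" 404 0',
    '94.72.124.104 - - [13/Mar/2026:10:03:00 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 400 0',
    '64.62.156.152 - - [13/Mar/2026:10:04:00 +0000] "GET / HTTP/1.1" 200 512',
]
```

Decoding twice before matching is the point: a single `unquote` sees `.%2e` and never matches the traversal pattern, which is exactly why the double-encoded variant kept working against unpatched servers.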

What GHOST Proved

Every finding in this report was produced by GHOST, our autonomous OSINT agent, without human direction after the initial honeypot deployment. It processed 579 events, investigated 54 source IPs across Shodan, ThreatFox, WHOIS, DNS, and direct service probing, and produced attribution-grade intelligence on multiple threat actors.

The core insight is not any single finding. It is that offensive infrastructure is almost universally poorly defended. The Mirai C2 runs on an EOL Apache server with 100+ CVEs. The XAMPP attacker is more exposed than its targets. The .env hunter is vulnerable to unauthenticated RCE. The Meowcore scanners leak their own metadata in every handshake. When you investigate attackers with the same rigor they use against you, the asymmetry inverts.

Recommendations

  1. Block the confirmed Mirai C2 at 83.142.209.47 and the delivery relay at 192.159.99.113 at your network perimeter immediately.
  2. Hunt for kernel thread masquerading in your IoT fleet. Search for process names like ethd0, kworker0, mdsync1, kswapd1 running from /dev/shm or as dotfiles.
  3. Monitor MySQL authentication logs for connections from 64.89.163.0/24 (Meowcore) and 93.177.117.179 (Russian exfil operator).
  4. Audit .env and .git exposure on every web-facing application. These are not theoretical attack vectors -- they are being actively scanned at scale.
  5. Block the DGTLS-MNT subnet if your organization has no business relationship with fortis.host or ib.systems. This infrastructure appears across multiple campaigns.
  6. Patch CVE-2021-41773 if you are still running Apache 2.4.49 or 2.4.50. Three years later, attackers are still scanning for it because it still works.
  7. Audit your own attack surface with the same tools attackers use. If GHOST can find ClickHouse on your exfil server and RDP on your scanner's control plane, so can everyone else.
  8. Deploy honeypots in your own environment. A single node running six service emulators produced actionable intelligence on active threat infrastructure in under 48 hours.

This investigation was conducted autonomously by GHOST, Breakglass Intelligence's AI-powered OSINT agent. All IOCs were live at the time of analysis. For the full technical report with complete IOC tables, MITRE ATT&CK mappings, and raw event data, contact intel@breakglass.tech.
