Jérôme Meyer

@jmeyer@infosec.exchange
mastodon 4.6.0-alpha.7+glitch

Security research at Nokia Deepfield (he/they).

EN/FR posts | Fan of Crocker’s Rules, art, and the Oxford comma.

0 Followers
0 Following
Joined November 09, 2022
Homepage:
https://med.ac/about
Signal:
jmeyer.01
Work account:
https://infosec.exchange/@deepfield

Posts

@jmeyer@infosec.exchange · Mar 28, 2026

New, from our @deepfield@infosec.exchange ERT: found a new botnet dressing its C2 traffic as camera management.

#Drifter names its domains after Hikvision products, blending with surveillance traffic on the same VLAN as the Android TV boxes it infects. DNS queries go through an Australian resolver, which somewhat undermines the cover if your bot is in São Paulo.

71 KB binary, already linked to attacks exceeding 2 Tbps from 80k sources. At least six operators are now competing for the same devices.

https://github.com/deepfield/public-research/blob/main/drifter/report.md

#threatintel #ddos

@jmeyer@infosec.exchange · Mar 24, 2026

RE: @deepfield@infosec.exchange

The operator built triple-layer crypto, fast-flux DNS across 30+ ASes, biweekly C2 rotation — then shipped an unstripped debug build on port 8090, a couple of ports over from production. 300+ symbols, project name, internal module names, all right there in readelf.

Anyway here's the full writeup.

https://github.com/deepfield/public-research/blob/main/jackskid/report.md

#threatintel #ddos


Deepfield: "Most Mirai forks are disposable. #Jackskid was bu…" - Infosec Exchange

@jmeyer@infosec.exchange · Mar 21, 2026

New, from our ERT: #CECbot, an Android TV botnet and the first malware we're aware of that exploits HDMI-CEC.

It puts the TV to sleep so you don't notice the box behind it is running DDoS and residential proxy traffic. Curve25519/ChaCha20 crypto, 9 persistence layers, and... LAN mapping.

Successor to a Mirai fork, shares not much but the C2 server.

https://github.com/deepfield/public-research/blob/main/cecbot/report.md

#threatintel #DDoS

@jmeyer@infosec.exchange · Mar 04, 2025

@shadowserver @deepfield Thanks for the additional analysis, this is great. This lines up pretty well with what we’re seeing for bot counts (the deviation on Taiwan may be related to a slightly different device signature, looking into that now). Current count is approx 41k bots seen in attacks so far.