An Iranian-associated threat actor inadvertently exposed their operational infrastructure by leaving a directory open on a staging server. This oversight provided researchers with an invaluable glimpse into an active botnet operation.
Unveiling the Botnet Infrastructure
The incident came to light on February 24, 2026, when a server at IP 185.221.239[.]162, registered to Dade Samane Fanava Company (PJS), an Iranian ISP, was identified during a routine scan. The server hosted an extensive 15-node relay network, featuring a mass SSH deployment framework, DDoS tools, and a bot client with an active command-and-control (C2) address.
The directory contained 449 files in 59 subdirectories, including deployment scripts and DDoS binaries. A list of credentials, used to target victim systems over SSH, was also found.
Shared Infrastructure and Analysis
Researchers from Hunt.io discovered the exposed server using their AttackCapture™ feature, which indexes open directories globally. By examining a shared Let’s Encrypt TLS certificate associated with the domain *.server21[.]org, they found 14 more IP addresses presenting the same certificate fingerprint. These were hosted on Hetzner Online GmbH in Finland and at several Iranian ISPs.
The infrastructure was dual-purposed. A configuration file showed a KCP-based packet tunnel using Paquet, an open-source tool that circumvents Iran’s internet filters. Encrypted traffic was forwarded from the Iranian server to a Hetzner exit node in Finland, indicating a commercial VPN relay service running alongside the attack setup.
Botnet Operations and Defensive Measures
The botnet’s infection strategy centered on a Python script named ohhhh.py, which opened multiple SSH sessions to each target machine. Once connected, the bot client was compiled from source on the victim’s machine, a step that evades traditional detection methods. The newly compiled binary, named hex, was unlikely to raise alarms during system checks.
Defensive recommendations include blocking identified IP addresses, monitoring for specific filenames and hashes, and strengthening SSH access controls. Immediate actions such as enforcing key-based authentication and limiting concurrent sessions can mitigate credential-driven attacks.
Security teams should also watch for unexpected gcc compilation activity, as it indicates potential on-host construction of binaries, a tactic used to bypass standard detection mechanisms.
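As an added example (not from the Hunt.io report or the article), a small Python detector for the two behaviours the recommendations above describe, run over constructed log lines: a burst of password-authenticated SSH sessions from one source, followed shortly by a compiler invocation. The log format, thresholds, and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (sshd auth messages plus auditd-style EXECVE records);
# addresses are documentation ranges, not indicators from the report.
SAMPLE_LOG = """\
Feb 24 10:01:05 host sshd[1203]: Accepted password for root from 203.0.113.5 port 51002 ssh2
Feb 24 10:01:05 host sshd[1204]: Accepted password for root from 203.0.113.5 port 51003 ssh2
Feb 24 10:01:06 host sshd[1205]: Accepted password for root from 203.0.113.5 port 51004 ssh2
Feb 24 10:02:10 host audit: type=EXECVE uid=0 a0="gcc" a1="-o" a2="hex" a3="bot.c"
Feb 24 10:30:00 host sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Feb 24 10:31:00 host audit: type=EXECVE uid=1000 a0="gcc" a1="-o" a2="app" a3="app.c"
"""
SSH_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted (\w+) for \S+ from (\S+) port")
EXEC_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ audit: type=EXECVE .*a0="(gcc|cc|g\+\+)"')
YEAR = 2026                              # syslog timestamps carry no year (assumed)
SESSION_WINDOW = timedelta(seconds=30)   # password logins from one source inside this window
MAX_SESSIONS = 2                         # more than this many in the window is a burst
COMPILE_WINDOW = timedelta(minutes=5)    # a compiler run this soon after a burst is suspect

def _ts(stamp):
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")

def analyze(log_text):
    """Return (kind, detail) alerts: password-login bursts per source IP and
    compiler invocations that follow such a burst. Key-based logins are ignored."""
    logins = defaultdict(list)   # source ip -> timestamps of password logins
    compiles, alerts, bursts = [], [], []
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m and m.group(2) == "password":
            logins[m.group(3)].append(_ts(m.group(1)))
        m = EXEC_RE.match(line)
        if m:
            compiles.append((_ts(m.group(1)), m.group(2)))
    for src, times in logins.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= SESSION_WINDOW)
            if n > MAX_SESSIONS:          # report the first burst seen for this source
                alerts.append(("ssh_password_burst", f"{src}:{n}"))
                bursts.append(start)
                break
    for when, tool in compiles:
        if any(timedelta(0) <= when - b <= COMPILE_WINDOW for b in bursts):
            alerts.append(("compiler_after_ssh_burst", tool))
    return alerts
```

Running analyze(SAMPLE_LOG) flags the three-session password burst from 203.0.113.5 and the gcc run a minute later, while alice's key-based login and her later compile stay silent.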
