Severity
High
Analysis Summary
A threat actor with ties to Iran inadvertently exposed its working infrastructure by leaving an open directory on a staging server, giving researchers a rare look inside a live botnet operation. The leak, discovered on February 24, 2026, involved a server at IP 185.221.239[.]162, hosted by Dade Samane Fanava Company (PJS), an Iranian ISP. The exposed directory contained 449 files across 59 subdirectories, including tunnel configuration files, Python-based deployment scripts, compiled DDoS binaries, C-language denial-of-service source code, and a credential list for SSH-based attacks.
Researchers identified the server with the AttackCapture™ tool, which indexes open directories globally. A recovered bash history file laid out the operator's working session and the botnet build-out step by step, and inline comments in Farsi, together with Arabic-script typing errors, pointed to an Iranian operator.
Pivoting on a shared Let's Encrypt TLS certificate for the wildcard domain *.server21[.]org, researchers uncovered 14 additional IPs connected to the infrastructure, split between Hetzner Online in Finland and Iranian ISPs including Dade Samane Fanava and Sindad Network Technology PJSC. DNS was served through the Iranian CDN provider ArvanCloud. The infrastructure was dual-purpose: the directory held a configuration file for a KCP-based Paqet tunnel forwarding encrypted traffic from Iran to the Finnish nodes, and the presence of 3x-ui, a web-based proxy panel with user management and traffic quotas, indicated the operation may also have run as a commercial VPN relay service alongside its attack activity.
The botnet spread through SSH-driven mass deployment. A Python script, ohhhh.py, read credentials in host:port|username|password format and launched 500 concurrent SSH sessions against the listed targets. Once a session was open, the bot client source file cnc.c was transferred, compiled on the victim host with gcc -pthread, and launched in a detached screen session.
Compiling on the victim sidesteps hash-based detection of pre-built binaries, and the resulting binary was renamed "hex" to avoid obvious alerting. The bot client, labeled BOT CLIENT v1.0, registered each infected host with its IP, hostname, and process ID under "UnknownBOT ONLINE", and contained reconnection logic that kept it tied to the C2 server even if the staging host went offline.
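The deployment chain in the two paragraphs above can be expressed as a correlation rule. The following Python is an added example written for this page, not code from the report or from the actor's tooling: it parses constructed sshd syslog lines and a constructed JSON-lines process feed (the field names ts, host, user, comm and argv are assumptions; an auditd or EDR feed needs its own loader), flags a source address that password-authenticated to several hosts within a short window, and then checks whether a host that accepted such a login ran gcc -pthread followed by screen -dmS within minutes. Only the source IP is taken from the IOC list; the hosts, users and timestamps are made up.

```python
"""Correlate a password-spray login burst with on-host compilation.

Added example for this page, not code from the report or the actor's tooling.
Sample logs are constructed; only the source IP comes from the IOC list.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog lines as a central collector would see them from
# several hosts. syslog omits the year, so it is assumed to be 2026.
AUTH_LOG = """\
Feb 24 03:12:01 web1 sshd[2201]: Accepted password for root from 185.221.239.162 port 51822 ssh2
Feb 24 03:12:02 web2 sshd[1877]: Accepted password for root from 185.221.239.162 port 51830 ssh2
Feb 24 03:12:02 db1 sshd[4410]: Failed password for admin from 185.221.239.162 port 51841 ssh2
Feb 24 03:12:03 db1 sshd[4415]: Accepted password for ubuntu from 185.221.239.162 port 51850 ssh2
Feb 24 03:12:04 cache1 sshd[990]: Accepted password for root from 185.221.239.162 port 51861 ssh2
Feb 24 09:40:11 web1 sshd[3100]: Accepted publickey for ops from 10.0.0.5 port 40212 ssh2
"""

# Constructed JSON-lines process events. Field names (ts, host, user, comm,
# argv) are assumptions; adapt the loader to your auditd/EDR schema.
PROC_LOG = """\
{"ts": "2026-02-24T03:12:05", "host": "web1", "user": "root", "comm": "gcc", "argv": ["gcc", "-pthread", "cnc.c", "-o", "cnc"]}
{"ts": "2026-02-24T03:12:06", "host": "web1", "user": "root", "comm": "mv", "argv": ["mv", "cnc", "hex"]}
{"ts": "2026-02-24T03:12:06", "host": "web1", "user": "root", "comm": "screen", "argv": ["screen", "-dmS", "sys", "./hex"]}
{"ts": "2026-02-24T11:02:00", "host": "build1", "user": "jenkins", "comm": "gcc", "argv": ["gcc", "-O2", "-pthread", "-o", "app", "main.c"]}
"""

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>[\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>password|publickey) for (?P<user>\S+) from (?P<src>[\d.]+)"
)


def parse_auth(text, year=2026):
    """Successful sshd logins from syslog text; failed attempts are ignored here."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "user": m["user"],
                       "src": m["src"], "method": m["method"]})
    return events


def parse_proc(text):
    """Load the constructed JSON-lines process feed."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events


def mass_ssh_sources(auth_events, window=timedelta(seconds=60), min_hosts=3):
    """Source IPs that password-authenticated to >= min_hosts distinct hosts
    inside `window`. Key-based logins are not counted: the spray in the
    report used passwords, and keys are the remediation."""
    by_src = defaultdict(list)
    for e in auth_events:
        if e["method"] == "password":
            by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                flagged[src] = sorted(hosts)
                break
    return flagged


def onhost_build_chain(proc_events, auth_events, flagged_srcs,
                       window=timedelta(minutes=10)):
    """(host, src) pairs where, within `window` after a password login from a
    flagged source, the same host ran `gcc -pthread` and then started a
    detached screen session. gcc alone is noisy on build hosts; the chain
    following a spray login is the signal."""
    hits = []
    for login in auth_events:
        if login["method"] != "password" or login["src"] not in flagged_srcs:
            continue
        later = [e for e in proc_events
                 if e["host"] == login["host"]
                 and timedelta(0) <= e["ts"] - login["ts"] <= window]
        compiled = any(e["comm"] == "gcc" and "-pthread" in e["argv"] for e in later)
        screened = any(e["comm"] == "screen" and "-dmS" in e["argv"] for e in later)
        if compiled and screened:
            hits.append((login["host"], login["src"]))
    return hits


if __name__ == "__main__":
    auth = parse_auth(AUTH_LOG)
    sprayers = mass_ssh_sources(auth)
    print("spray sources:", sprayers)
    print("build chains :", onhost_build_chain(parse_proc(PROC_LOG), auth, set(sprayers)))
```

On the constructed data the build host build1 compiles with -pthread too but never fires, because no spray login preceded it; tune `min_hosts` and the two windows to your fleet size and log latency.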
The operation also developed and deployed DDoS tooling, targeting a FiveM GTA server and HTTP/HTTPS-facing hosts with custom C tools (syn.c, flood.c, au.c) and MHDDOS clones compiled on the staging server. A second Python script, yse.py, acted as a kill switch that terminated all running sessions remotely.
Mitigation centers on blocking the associated IP addresses, monitoring for the filenames and SHA-256 hashes of ohhhh.py, yse.py, and cnc.c, and hardening SSH access: enforce key-based authentication, disable root login, and restrict concurrent sessions. Teams should also flag unexpected gcc activity, since an on-host build produces a binary whose hash depends on the victim's compiler and libraries, which hash-based detection of the binary will not reliably match.
Impact
- Denial of Service
- Gain Access
Indicators of Compromise
Domain Name
- server21.org
- finland5.server21.org
- down.celltoocall.com
IP
- 185.221.239.162
- 65.109.214.203
- 65.109.209.147
- 65.109.187.102
- 194.147.222.183
- 212.74.39.128
Remediation
- Block all identified IP addresses linked to the exposed servers and relay nodes.
- Monitor DNS requests and network traffic for connections to *.server21[.]org and associated domains.
- Watch for the presence of the following scripts and binaries: ohhhh.py, yse.py, and cnc.c (compiled binary renamed as hex).
- Track the SHA-256 hashes of these files on endpoints. Only the source file cnc.c and the Python scripts have stable hashes; the hex binary is built on each victim, so its hash varies with the local compiler and libraries and it should be caught by behaviour rather than by hash.
- Enforce key-based authentication for all SSH accounts.
- Disable root login over SSH.
- Limit concurrent and unauthenticated SSH connections per host (MaxSessions and MaxStartups in sshd_config) to slow repeated attempts. This does not by itself stop a sprayer that opens one connection to each of hundreds of hosts; key-only authentication and removal of weak credentials do.
- Rotate and remove weak or default credentials from all servers.
- Monitor for unexpected gcc compilation activity, especially from scripts or unusual directories.
- Flag detached screen sessions or unknown processes performing compilation tasks.
- Inspect network traffic for KCP-based tunnels (Paqet), which run over UDP, and for other unexpected encrypted traffic routed through foreign exit nodes such as the Hetzner addresses listed above.
- Detect and block unauthorized VPN/proxy panel usage like 3x-ui on servers.
- Isolate compromised hosts immediately to prevent further botnet propagation.
- Terminate the bot process and its detached screen session across all infected hosts from central tooling (EDR or configuration management); the attacker's own yse.py shows the bots can be stopped in bulk.
- Review and clean affected systems, ensuring binaries and scripts are fully removed.
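The SSH items in the list above (key-based authentication, no root login, limited concurrent sessions) map onto specific sshd_config directives. The following Python is an added example for this page, not from the report: it reads a constructed, deliberately weak sshd_config, reports which directives are still at unsafe values (falling back to OpenSSH's defaults when a directive is absent, and treating ChallengeResponseAuthentication as the deprecated alias of KbdInteractiveAuthentication), and emits a corrected version. The numeric limits chosen for MaxSessions and MaxStartups are assumptions to tune per host.

```python
"""Audit and harden the SSH directives named in the remediation list.

Added example for this page, not from the report. WEAK_CONFIG is constructed.
Directive names and defaults are OpenSSH's; the numeric limits are assumptions.
"""
import re

# Constructed sshd_config resembling a stock install with passwords left on.
WEAK_CONFIG = """\
# constructed example, not from any real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
#MaxSessions 10
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# OpenSSH defaults used when the directive is absent from the file.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxsessions": "10",
    "maxstartups": "10:30:100",
}
# ChallengeResponseAuthentication is the deprecated alias of the keyboard-
# interactive directive; both must be off or PAM can still accept a password.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Target values. The MaxSessions/MaxStartups numbers are assumptions.
HARDENED = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "KbdInteractiveAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "MaxSessions": "2",
    "MaxStartups": "5:50:20",
}


def _key_val(raw):
    """Split one config line into (lower-cased key, value); (None, "") for blanks."""
    line = raw.split("#", 1)[0].strip()
    if not line:
        return None, ""
    parts = re.split(r"[ \t=]+", line, maxsplit=1)
    key = parts[0].lower()
    return ALIASES.get(key, key), (parts[1].strip() if len(parts) > 1 else "")


def parse_sshd_config(text):
    """Effective global directives. sshd keeps the first value it sees, and
    everything after a Match line is conditional, so the audit stops there."""
    eff = {}
    for raw in text.splitlines():
        key, val = _key_val(raw)
        if key is None:
            continue
        if key == "match":
            break
        eff.setdefault(key, val)
    return eff


def audit(text, max_sessions=2, max_startups_start=5):
    """Findings for each directive that is still at an unsafe value."""
    eff = parse_sshd_config(text)

    def get(k):
        return eff.get(k, DEFAULTS[k])

    findings = []
    if get("permitrootlogin") != "no":
        findings.append(f"PermitRootLogin {get('permitrootlogin')}: set to no")
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication yes: set to no, keys only")
    if get("kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication yes: passwords still reachable via PAM")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication no: enable before disabling passwords")
    if int(get("maxsessions")) > max_sessions:
        findings.append(f"MaxSessions {get('maxsessions')}: cap at {max_sessions}")
    if int(get("maxstartups").split(":")[0]) > max_startups_start:
        findings.append(f"MaxStartups {get('maxstartups')}: throttle unauthenticated connections")
    return findings


def hardened_config(text):
    """Drop the audited directives and prepend the hardened values. Prepending
    is sufficient because sshd honours the first occurrence of a directive."""
    audited = {k.lower() for k in HARDENED} | set(ALIASES)
    kept = [raw for raw in text.splitlines() if _key_val(raw)[0] not in audited]
    head = "\n".join(f"{k} {v}" for k, v in HARDENED.items())
    return head + "\n" + "\n".join(kept) + "\n"


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("WEAK:", finding)
    print(hardened_config(WEAK_CONFIG))
```

Validate the emitted file with `sshd -t -f <file>` before reloading, and keep an existing session open while the change is tested so a mistake in key setup does not lock out the host.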