<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Iot on Joshua's Notebook</title><link>https://burnett.sh/tags/iot/</link><description>Recent content in Iot on Joshua's Notebook</description><generator>Hugo</generator><language>en</language><lastBuildDate>Thu, 16 Jul 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://burnett.sh/tags/iot/index.xml" rel="self" type="application/rss+xml"/><item><title>Attack Observation: Catching 'titanjr' a Day Old</title><link>https://burnett.sh/posts/attack-observation020260717/</link><pubDate>Thu, 16 Jul 2026 00:00:00 +0000</pubDate><guid>https://burnett.sh/posts/attack-observation020260717/</guid><description>&lt;p&gt;&lt;strong&gt;Time and Date of Activity:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Primary window: 2026-07-11 16:52 UTC through 2026-07-12 06:11 UTC (the web exploitation from .64 and the SSH loader session from .230). Related activity from the same /24 continued on 2026-07-14 with the .243 Mirai Telnet sweep.&lt;/p&gt;
&lt;p&gt;This observation is a cluster rather than a single host. Four IPs in one /24 (94.154.43.0/24) worked in concert to stand up a fresh Mirai-variant IoT botnet, which I am calling &lt;strong&gt;titanjr&lt;/strong&gt; after its payload naming. Unlike the RedTail loader I wrote up previously, which uploaded its binaries over SFTP, this operation split the work across the block: 94.154.43.64 ran the web-facing exploitation, 94.154.43.230 handled SSH and pulled the payload set, 94.154.43.192 served the payloads from an open directory, and 94.154.43.243 ran a Mirai Telnet sweep two days later. What earns this the final observation is that the payloads were actually captured (real hashes, not the empty stubs I see on most sessions) and the campaign was brand new: every sample was first seen on VirusTotal on 2026-07-11, one day before my sensor caught them.&lt;/p&gt;</description></item></channel></rss>