Attack Observation: Catching 'titanjr' a Day Old
Time and Date of Activity: Primary window: 2026-07-11 16:52 UTC through 2026-07-12 06:11 UTC (the web exploitation from .64 and the SSH loader session from .230). Related activity from the same /24 continued on 2026-07-14 with the .243 Mirai Telnet sweep. This observation is a cluster rather than a single host. Four IPs in one /24 (94.154.43.0/24) worked in concert to stand up a fresh Mirai-variant IoT botnet, which I am calling titanjr after its payload naming. Unlike the RedTail loader I wrote up previously, which uploaded its binaries over SFTP, this operation split the work across the block: 94.154.43.64 ran the web-facing exploitation, 94.154.43.230 handled SSH and pulled the payload set, 94.154.43.192 served the payloads from an open directory, and 94.154.43.243 ran a Mirai Telnet sweep two days later. What earns this the final observation is that the payloads were actually captured (real hashes, not the empty stubs I see on most sessions) and the campaign was brand new: every sample was first seen on VirusTotal on 2026-07-11, one day before my sensor caught them. ...