Iran-Linked Botnet Exposed - Infrastructure Leaked Online
Basically, a botnet used by Iranian hackers was revealed because they left a directory open online.
A botnet linked to Iran was exposed due to an open directory leak. This incident revealed a 15-node relay network and DDoS tools. Organizations must strengthen their defenses against such sophisticated cyber threats.
The Threat
A recent incident has unveiled a botnet linked to Iranian threat actors. This infrastructure was exposed after an open directory was found on a staging server. Researchers discovered a 15-node relay network along with various malicious tools designed for DDoS attacks and mass SSH deployments. The leak occurred on February 24, 2026, when a server with the IP address 185.221.239[.]162 was flagged during routine scans.
The exposed server contained a treasure trove of information, including 449 files across 59 subdirectories. Among these were deployment scripts, compiled DDoS binaries, and a credential list for targeting victim systems via SSH. This incident provides a rare glimpse into the workings of a live botnet operation.
Who's Behind It
The botnet's infrastructure is linked to a company named Dade Samane Fanava, an Iranian ISP. Analysts from Hunt.io identified the server during a review of Iranian-hosted infrastructure. By analyzing a shared Let’s Encrypt TLS certificate, they uncovered 14 additional IP addresses associated with the same botnet. This suggests a well-coordinated cyber operation, likely aimed at both domestic and international targets.
The presence of Farsi comments in the code and the operational patterns indicate that the actors behind this botnet are likely Iran-based. The dual-use nature of the infrastructure also points to a commercially operated VPN relay service, suggesting a blend of cybercrime and potential state-sponsored activities.
Tactics & Techniques
The botnet uses a Python script named ohhhh.py to log in with the leaked SSH credential list and launch attacks. The script opens 500 concurrent SSH sessions against targeted machines. Once access is gained, it pulls the bot client's source code from the staging server and compiles it on the victim's machine. Because no pre-built executable is ever transferred, file-based defenses that look for a known binary never see a matching artifact, which makes the infection harder for traditional security measures to catch.
Additionally, the bot client registers infected hosts with a beacon that transmits the victim’s IP address and other details back to the command-and-control server. The botnet's architecture also includes a kill switch that allows the operator to wipe all running sessions remotely, showcasing the sophistication of this operation.
Defensive Measures
To counter this threat, organizations should take immediate action. Blocking all identified IP addresses linked to this botnet is crucial. It's also essential to monitor for the specific filenames (such as ohhhh.py) and hashes associated with the malicious scripts. Strengthening SSH access by enforcing key-based authentication, disabling root logins, and limiting concurrent sessions can significantly reduce the risk of similar attacks.
Moreover, teams should watch for any unexpected gcc compilation activity on their servers, particularly on hosts that have no build role. This behavior is a strong indicator of potential exploitation, since the botnet's on-host binary building is designed to evade detections that rely on known files. By implementing these defensive measures, organizations can better protect themselves against this evolving threat.
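The two behaviours the article describes, a burst of SSH sessions from a single source and a compiler being run on a server that should never compile anything, can both be surfaced from logs a Linux host already produces. The script below is an added example written for this page, not code from the report or from Hunt.io: it runs a sliding-window count of sshd authentication events per source IP, and it joins auditd SYSCALL and CWD records (as produced by an execve audit rule) to list every gcc/cc invocation together with the user, login session and working directory. All log lines, IP addresses (documentation ranges), process ids, uids and timestamps are constructed for the example; the year is assumed because syslog-style sshd lines carry none.

```python
"""Added example: detection helpers for SSH session bursts and on-host
compiler runs. All sample log lines below are constructed, not real IoCs."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in auth.log/journald style. 203.0.113.77 and
# 198.51.100.9 are documentation-range placeholders, not report indicators.
SSHD_LOG = """\
Feb 24 10:00:01 web1 sshd[2101]: Accepted password for deploy from 203.0.113.77 port 51001 ssh2
Feb 24 10:00:01 web1 sshd[2102]: Accepted password for deploy from 203.0.113.77 port 51002 ssh2
Feb 24 10:00:02 web1 sshd[2103]: Accepted password for deploy from 203.0.113.77 port 51003 ssh2
Feb 24 10:00:02 web1 sshd[2104]: Failed password for root from 203.0.113.77 port 51004 ssh2
Feb 24 10:00:03 web1 sshd[2105]: Accepted password for deploy from 203.0.113.77 port 51005 ssh2
Feb 24 10:00:03 web1 sshd[2106]: Accepted password for deploy from 203.0.113.77 port 51006 ssh2
Feb 24 10:00:04 web1 sshd[2107]: Accepted password for deploy from 203.0.113.77 port 51007 ssh2
Feb 24 10:15:00 web1 sshd[2300]: Accepted publickey for alice from 198.51.100.9 port 40022 ssh2
"""

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>[\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>[\d.]+) port")


def ssh_bursts(log, window_s=10, threshold=5, year=2026):
    """Return {src_ip: peak_count} for sources with at least `threshold`
    sshd auth events (accepted or failed) inside any `window_s`-second
    sliding window. `year` is assumed since syslog lines omit it."""
    per_src = defaultdict(list)
    for line in log.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        per_src[m["src"]].append(ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            n = end - start + 1
            if n >= threshold:
                flagged[src] = max(flagged.get(src, 0), n)
    return flagged


# Constructed lines in the shape of auditd SYSCALL/CWD records, such as an
# `-a always,exit -F arch=b64 -S execve -k compiler` rule would emit.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1771927210.101:4410): arch=c000003e syscall=59 success=yes exit=0 ppid=2101 pid=2190 auid=1001 uid=1001 gid=1001 tty=(none) ses=31 comm="gcc" exe="/usr/bin/gcc" key="compiler"
type=CWD msg=audit(1771927210.101:4410): cwd="/tmp/.build"
type=SYSCALL msg=audit(1771927400.555:4420): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=4294967295 uid=0 gid=0 tty=(none) ses=4294967295 comm="cc1" exe="/usr/lib/gcc/x86_64-linux-gnu/12/cc1" key="compiler"
"""

COMPILERS = ("gcc", "cc", "cc1", "g++", "clang", "tcc", "as", "ld")
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ID_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")


def compiler_runs(log):
    """Join audit records by event id and return one dict per compiler
    execution (exe, uid, auid, ses, cwd, scratch_dir). On a host with no
    build role every entry deserves a look; cwd under a scratch directory
    or a compile from an interactive login session (auid set) ranks higher."""
    events = defaultdict(dict)
    for line in log.splitlines():
        mid = ID_RE.search(line)
        if not mid:
            continue
        ev = events[mid.group(2)]
        ev["ts"] = float(mid.group(1))
        for key, val in KV_RE.findall(line):
            ev[key] = val.strip('"')
    out = []
    for eid, ev in sorted(events.items(), key=lambda kv: kv[1]["ts"]):
        exe = ev.get("exe", "")
        if exe.rsplit("/", 1)[-1] not in COMPILERS:
            continue
        cwd = ev.get("cwd", "")
        out.append({"id": eid, "exe": exe, "uid": ev.get("uid"),
                    "auid": ev.get("auid"), "ses": ev.get("ses"), "cwd": cwd,
                    "scratch_dir": cwd.startswith(SCRATCH_DIRS)})
    return out


if __name__ == "__main__":
    print("SSH bursts:", ssh_bursts(SSHD_LOG))
    for run in compiler_runs(AUDIT_LOG):
        print("compiler run:", run)
```

On the constructed input the first function flags 203.0.113.77 with seven events in a few seconds while the single key-based login from 198.51.100.9 stays quiet, and the second lists both compiler executions, marking the gcc run from /tmp/.build under login session 31 as the one in a scratch directory. Thresholds are deliberately parameters: a tuned value for a jump host differs from one for a web server, and the window should be widened if the actor paces connections.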
Cyber Security News