FreshRSS


I caught a Rust DDoS botnet on my honeypot, reverse engineered it, and now I'm monitoring its targets in real-time

During routine threat hunting on my Beelzebub honeypot, I caught something interesting: a Rust-based DDoS bot with 0 detections across 60+ AV engines at the time of capture.

TL;DR:

  • The malware exploits exposed Docker APIs on port 2375
  • Written in Rust using Tokio for async networking, bincode for the custom C2 protocol, and obfstr for string obfuscation
  • Same server (196.251.100.116) for malware distribution (port 80) and C2 (port 8080): a single point of failure.
  • I decoded the C2 protocol and found it surprisingly weak: no encryption, predictable nonce, hardcoded username ("client_user")
  • I built a honeypot that impersonates a bot to monitor DDoS attack targets 👀

In the post you'll find:

  • Full attack chain of the Docker API exploitation
  • Sandbox setup for dynamic analysis (Docker inside an isolated VM)
  • Complete C2 protocol decoding
  • YARA rule and Snort rule for detection
  • All IoCs

The fact that no AV detected it shows that Rust + string obfuscation is making life hard for traditional detection engines.

Questions? AMA!

submitted by /u/mario_candela

Next.js: 59k servers compromised in 48h - I breached the attackers' C2 and here's what I found

These aren't theoretical numbers. The attackers left their C2 wide open with a /stats endpoint showing real-time campaign metrics. Yes, really.

I've been monitoring attacks hitting my Beelzebub research honeypots and caught what I'm calling "Operation PCPcat" - a large-scale credential theft campaign targeting Next.js deployments.

TL;DR of the attack chain:

  • Exploits CVE-2025-29927 and CVE-2025-66478 for RCE
  • Extracts .env files, SSH keys, AWS/Docker/Git credentials
  • Installs persistent backdoor infrastructure
  • C2 is hilariously exposed: task assignment, exfil pipeline, stats - all publicly accessible

What I documented:

  • Full kill chain analysis
  • IoCs
  • Suricata/YARA detection rules
  • Threat actor's Telegram channels

If you're running Next.js in prod: patch immediately and rotate your credentials. Assume compromise if you were vulnerable during this window.

Happy to answer questions or share more technical details.

submitted by /u/mario_candela

🚨 FIRST PUBLIC EVIDENCE: RedTail Cryptominer Targets Docker APIs

So my honeypot just caught something interesting: RedTail malware hitting exposed Docker APIs on port 2375/tcp.

For context, RedTail is typically known for exploiting PHP vulnerabilities, PAN-OS, and Ivanti, but not a single vendor mentions Docker in their threat reports.

I did a pretty extensive research dive across:

  • Threat intel reports (Akamai, Forescout, Trend Micro, Kaspersky)
  • SANS ISC, VirusTotal, Malpedia
  • GitHub repos and academic papers
  • Various community discussions

What I confirmed:

  • C2 IP: 178[.]16[.]55[.]224 (AS214943)
  • User-Agent: "libredtail-http" (consistent with RedTail)
  • Absolutely zero public documentation of RedTail targeting Docker

Two theories:

  1. This is a blind spot in threat intelligence reporting
  2. We're seeing a new tactical evolution of RedTail (as of Nov 2025)

Has anyone else seen similar activity?

submitted by /u/mario_candela

New Research: RondoDox v2, a 650% Expansion in Exploits

Through our honeypot (https://github.com/mariocandela/beelzebub), I’ve identified a major evolution of the RondoDox botnet, first reported by FortiGuard Labs in 2024.

The newly discovered RondoDox v2 shows a dramatic leap in sophistication and scale:
🔺 +650% increase in exploit vectors (75+ CVEs observed)
🔺 New C&C infrastructure on compromised residential IPs
🔺 16 architecture variants
🔺 Open attacker signature: bang2013@atomicmail[.]io
🔺 Targets expanded from DVRs and routers to enterprise systems

The full report includes:
- In-depth technical analysis (dropper, ELF binaries, XOR decoding)
- Full IOC list
- YARA and Snort/Suricata detection rules
- Discovery timeline and attribution insights

submitted by /u/mario_candela

RondoDox v2: When an IoT Botnet Goes Enterprise-Ready

I've just published my analysis on RondoDox v2, and the numbers speak for themselves: +650% exploit vectors compared to v1 documented by FortiGuard Labs.

Key Findings:
- 15+ exploitation vectors (from 2 CVEs to enterprise-grade attacks)
- C&C on compromised residential IP (multiple AWS EC2)
- 16 architectures supported with XOR obfuscation (key: 0x21)
- Open attribution: bang2013@atomicmail.io

🚨 What concerns me:
The jump from consumer DVR/routers to enterprise targets demonstrates an aggressive expansion strategy.
We're no longer talking about a "simple" DDoS botnet.

🟢 IOCs and detection rules: YARA, Snort/Suricata and complete IOC list available in the full post.

submitted by /u/mario_candela