A threat actor with ties to Iran has had their entire working infrastructure exposed after carelessly leaving an open directory on their own staging server, giving researchers a rare look at a live botnet operation. The leak revealed a 15-node relay network, a mass SSH deployment framework, DDoS tools that were compiled on victim machines, and a bot client with a hardcoded command-and-control (C2) address that is still under development.
On February 24, 2026, a server at IP 185.221.239[. ]162, which was hosted on infrastructure owned by Dade Samane Fanava Company (PJS), an Iranian ISP, was flagged during routine scanning.
There were 449 files on the server, spread across 59 subdirectories. These included a tunnel configuration file, Python-based deployment scripts, compiled DDoS binaries, C-language denial-of-service source files, and a list of credentials used to target victim systems via SSH.
Open directory file manager in AttackCapture (Source – Hunt.io)
Hunt.io analysts found the exposed server while using their AttackCapture™ feature to look through Iranian-hosted infrastructure. This feature indexes open directories on the internet.
A second script, yse.py, acted as a kill switch. It let the operator wipe all running sessions remotely by running pkill -9 screen on every infected host.
Defenders should block all known IP addresses connected to this operation and watch for the specific filenames and SHA-256 hashes associated with ohhhh.py, yse.py, and the cnc binary.
Hardening SSH access by requiring key-based authentication, disabling root login, and limiting concurrent sessions directly counters the credential-driven method this actor used. Teams should also watch for unexpected gcc compilation activity on servers: because the actor builds its binaries on the compromised host itself, standard binary-level detections may not catch this threat, and on-host compilation is therefore a strong indicator of this type of activity.
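As an added example (not code from the article or from Hunt.io), the following POSIX shell script audits an sshd_config for the three hardening points above and prints auditd watch rules that record compiler executions on the host. The sample configs are constructed, the MaxSessions threshold of 3 is an assumed policy value, and the auditd rules assume auditd is installed and that gcc/cc live under /usr/bin.

```shell
#!/bin/sh
# Added example (not from the article): check sshd_config hardening and
# emit auditd rules that log on-host gcc/cc use. Sample configs constructed.

# Effective value of a directive: last occurrence wins, default applies when
# the directive is absent. Assumption: no Match block overrides it.
ssh_setting() {  # $1 config file, $2 directive, $3 default
  v=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | awk '{print $2}')
  if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Print one finding line per weak setting; empty output means all checks pass.
# Defaults mirror OpenSSH: password auth on, root login prohibit-password,
# MaxSessions 10. The "<=3" limit is an assumed policy value.
audit_sshd() {  # $1 config file
  pa=$(ssh_setting "$1" PasswordAuthentication yes)
  prl=$(ssh_setting "$1" PermitRootLogin prohibit-password)
  ms=$(ssh_setting "$1" MaxSessions 10)
  case "$pa" in [Nn][Oo]) ;; *) echo "PasswordAuthentication=$pa (want: no)";; esac
  case "$prl" in [Nn][Oo]) ;; *) echo "PermitRootLogin=$prl (want: no)";; esac
  [ "$ms" -le 3 ] 2>/dev/null || echo "MaxSessions=$ms (want: <=3)"
}

# auditd watch rules (assumes auditd is installed) logging every execution of
# the system compilers, so an unexpected compile on a server is visible.
gcc_audit_rules() {
  for bin in /usr/bin/gcc /usr/bin/cc; do
    printf '%s %s -p x -k onhost_compile\n' -w "$bin"
  done
}

# Constructed sample configs: common permissive defaults versus hardened.
WEAK=$(mktemp); HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxSessions 2
EOF

echo "== weak ==";     audit_sshd "$WEAK"      # three findings
echo "== hardened =="; audit_sshd "$HARD"      # no findings
gcc_audit_rules
```

Load the printed rules with auditctl -R (or drop them into /etc/audit/rules.d/) and alert on the onhost_compile key in the audit log.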