Sample May 7, 2026
Hilix.x86_64, Mirai-derivative IoT botnet (x86-64 build)
§ Hashes
- SHA256: ee51b236e57d96521da5fb820242c23996dcc691d3df8830655801b2a516bb72
- SHA1: f5fead3f45fb40912282f162bf5acc540c31dfbe
- MD5: 69c8f1c1e05262a84d3997576a8bbedf
- FILE NAME: x86_64
- REPORTER: nuclide
Mirai-derivative IoT botnet, x86-64 ELF build. Recovered 2026-05-06 from a Tencent Cloud Beijing victim host (101.34.81.166) compromised via unauthenticated Jupyter Notebook on port 8888.
The same campaign hit Universität Ulm Med Faculty (134.60.110.66, a Cortical Labs CL1 biological computer) two weeks earlier. NuClide intervened on the live reverse shell and preserved the binary as part of the forensic dump.
§ Indicators
- C2: 172.233.96.208:3053 (Akamai/Linode US, separately reported to abuse@akamai.com + abuse@linode.com)
- Distribution / wget-pull: 38.87.117.84 (Cogent / DATALIX, separately reported to abuse@cogentco.com)
- Foothold pattern: open Jupyter :8888 → kernel exec via WebSocket → socat reverse shell → wget multi-arch payloads from 38.87.117.84/bins/Hilix.<arch>
- Campaign argv to C2: huawei, realtek, jupiter (botnet identifies victim class)
§ Public availability
- MalwareBazaar: bazaar.abuse.ch/sample/ee51b236… (reporter: nuclide, auto-classified Mirai family by abuse.ch backend)
- VirusTotal: virustotal.com/gui/file/ee51b236…
- First public submission: 2026-05-07 (NuClide). Pre-submission lookups confirmed the sample was not previously known to VT, MB, AlienVault OTX, or GitHub-indexed code.
§ Source
Full incident: multi-hilix-jupyter-campaign-2026-05-06. Evidence pack with forensic dump, attacker notebooks, IOCs: evidence/hilix-uirusu-jupyter-campaign-2026-05-06.