{
	"id": "482b9137-509b-4f79-bac8-dc624f488782",
	"created_at": "2026-04-10T03:21:54.615869Z",
	"updated_at": "2026-04-10T03:22:19.453527Z",
	"deleted_at": null,
	"sha1_hash": "92b5c8456be92b6f43a41c16423d3e3426f68b35",
	"title": "Understanding the IoT Hacker — A Conversation With Owari/Sora IoT Botnet Author - New Sky Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2493024,
	"plain_text": "Understanding the IoT Hacker — A Conversation With Owari/Sora\r\nIoT Botnet Author - New Sky Security\r\nPublished: 2018-04-13 · Archived: 2026-04-10 03:04:47 UTC\r\nSince the outbreak of Mirai, IoT threat landscape has seen a lot of new threat actors as well as attack methods.\r\nAlthough people often treat IoT malware as just a malicious piece of code, behind IoT malware development there\r\nis human involvement with varying motives.\r\nFor building an effective approach to combat IoT threats, understanding the psychology and motivation behind\r\nthreats can be a useful asset.\r\nNewSky Security has been following an IoT threat actor, known better with his pseudo name “Wicked” in IoT\r\nmalware circles via forum monitoring and honeypot analysis. “Wicked” has been involved in two IoT botnets,\r\nwith one of them still evolving to be more effective. After collecting enough information about the credibility of\r\nthe attacker, we decided to contact him and get an insight into botnets from the attacker’s end. On few conditions\r\nof anonymity, the attacker agreed to give us an interview, sharing information about his botnets.\r\nInterview\r\nNewSky Security: Are you the author of SORA and OWARI IoT botnets? If yes, how can you prove it?\r\nWicked: Yes. I am the author, along with a close friend who I will call Karmaahof. I don’t know if you noticed the\r\ndomain linked in the previous builds. “hxxp://0day.life “ or “hxxp://wicked.rip “ I own both. If you did not notice\r\nhttps://blog.newskysecurity.com/understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863\r\nPage 1 of 4\n\nthe domains you can ask around in the community.\r\n(Notes from NewSky Security researchers: We observed the same twitter handle mentioned in C2 servers which\r\nwe used to communicate with the threat actor. 
So, we believe there is legitimacy in his claims).\r\nNewSky Security: What is the difference between SORA and OWARI botnets?\r\nWicked: OWARI was started around 6 months ago and SORA was more of a recent project. I have lately\r\nabandoned SORA and continued with OWARI. At first, these two botnets both used only default password attacks,\r\nbut as it progressed I added a few exploit scanners into OWARI.\r\nNewSky Security: A few days ago, our honeypots observed OWARI using the CVE-2017-17215 Huawei exploit.\r\nOwari did not have an exploit before, but now we see it in the latest variants. Have you added it recently?\r\nWhy did you add it?\r\nWicked: We decided to add the exploit scanner because telnet devices are being abused by everyone in the\r\ncommunity, so the default password attack was not doing well. And, yes, this was only added recently.\r\nCVE-2017-17215 deployed by Owari logged by Halo IoT Exploit Honeypot\r\nNewSky Security: Have you added any more exploits in SORA/OWARI? Are there any forthcoming\r\ndevelopments on your botnets you would like to discuss?\r\nWicked: Yes, OWARI has a few new exploits built into the bot (it’s not finished yet). I am sure your honeypots will\r\npick it up when we start. We are also playing around with a faster password attack method that could be up to 10x\r\nfaster than the old Mirai attack style even on bad devices.\r\nNewSky Security: I once saw Paras Jha’s photo on a SORA server. Why? Do you look up to him as\r\ninspiration?\r\nWicked: Besides me, there are a few others who had access to the servers (I won’t name them just in case). So, it\r\ncan be someone else’s work. I don’t exactly look up to him as an inspiration, I know he was a huge part in\r\npopularizing IoT botnets but there are other people I look up to other than him.\r\nNewSky Security: One of the SORA samples had a link which redirected to an IoT honeypot. As a botnet\r\nauthor, why did you install the honeypot? How does it help you? 
Do you use it to get more default\r\npasswords? What is your favorite honeypot?\r\nWicked: I installed the Telnet IoT honeypot to help me find ways to kill off existing malware. For example, I can\r\nanalyze the malware to find un-encrypted strings and kill them off. Also, I don’t really have a favorite honeypot as\r\nI only use the same one every time https://github.com/Phype/telnet-iot-honeypot .\r\nNewSky Security: How old are you?\r\nWicked: I don’t feel comfortable giving an exact age, so I’ll just tell you I am over 18.\r\nNewSky Security: What is your motivation to write SORA and OWARI botnets? If it is money, how are you\r\nearning by them? Do you have a stresser service?\r\nWicked: Money plays a big part in it, but it’s also fun to write these types of things. It’s a project I can work on and\r\nactually enjoy working on it with my friends. The monetary gain from this does come from web stressers that may\r\nrent the botnet out for a period.\r\nNewSky Security: What is the future of SORA and OWARI botnets? Are you going to improve and add\r\nnew stuff to them? Are you planning to stop these attacks or will we soon see third botnet from you?\r\nWicked: SORA is an abandoned project for now and I will continue to work on OWARI. You will not see a third\r\nproject from me anytime soon as I continue to expand my current ones.\r\nNewSky Security: What is your message for IoT owners who don’t want to get hacked by your botnets?\r\nWhat do you think about IoT cybersecurity?\r\nWicked: I don’t know what to tell people and IoT security is a joke.\r\nConclusion\r\nA few months ago, we mentioned that the default IoT password attack is almost near saturation, i.e. the devices\r\nwhich can be hacked easily via default passwords have already been hacked. 
Hence the attackers (in this case\r\nWicked) are forced to take an alternative option of exploits to have a stronger botnet army.\r\nThe IoT attack space is also getting crowded, and as discussed in the interview, attackers are also using techniques\r\nlike Botkiller modules to kill existing malware on the device, and then run a copy of their own. In this case, the\r\nattacker has gone to the extent of deploying a honeypot, which is usually a white hat researcher’s job, to find his\r\ncompetitors and to kill their botnets to run one of his own.\r\nThe attacker also discussed a clear revenue model which is one of the most prevalent ways by which IoT attackers\r\nare making money in 2018, i.e. Stresser as a Service.\r\nInstead of launching a DDoS attack for revenge or showing off, the attackers have matured enough to offer a\r\nstresser service, whose clients are black box users, using the botnet army to DDoS a victim of their choice.\r\nNewSky Security’s IoT Halo platform detects Sora, Owari Classic and the evolved CVE-2017-17215 Owari.\r\nAdditionally, our IoT exploit and malware honeypots are tracking and recording attacks of these and more IoT\r\nbotnets to provide effective coverage and intelligence.\r\nAnkit Anubhav, Principal Researcher, NewSky Security (NewSky Security)\r\nSource: https://blog.newskysecurity.com/understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.newskysecurity.com/understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863"
	],
	"report_names": [
		"understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863"
	],
	"threat_actors": [],
	"ts_created_at": 1775791314,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/92b5c8456be92b6f43a41c16423d3e3426f68b35.pdf",
		"text": "https://archive.orkl.eu/92b5c8456be92b6f43a41c16423d3e3426f68b35.txt",
		"img": "https://archive.orkl.eu/92b5c8456be92b6f43a41c16423d3e3426f68b35.jpg"
	}
}