Iranian Server Misconfiguration Exposes Censorship-Bypass Relay and SSH Botnet Operation
Researchers at Hunt.io uncovered a misconfigured open directory on an Iranian server, revealing a live censorship-bypass relay and SSH-based botnet infrastructure operated by a single actor. The discovery highlights how low-sophistication threat actors can repurpose techniques associated with Iranian advanced persistent threat (APT) groups for financial or personal gain.
The exposed server, hosted by Iranian ISP Dade Samane Fanava Company (PJS) at 185.221.239[.]162, contained 449 files across 59 subdirectories, including a .bash_history file, MHDDOS installer, C-based flood tools, and botnet components. A shared Let’s Encrypt TLS certificate for *.server21[.]org linked the server to 14 additional IPs, split between Hetzner (Finland) and Iranian ISPs, forming a purpose-built relay network.
The operation combined censorship circumvention with DDoS capabilities. A config-client.yaml file revealed a KCP-based Paqet tunnel, commonly used in Persian-language communities to bypass Iranian filtering, forwarding traffic to a Hetzner node (65.109.187[.]102). While appearing as a VPN relay, the server also hosted MHDDOS and custom SYN/UDP flood tools, targeting a FiveM GTA server (5.42.223[.]60:30120) and a web host (194.147.222[.]151:80/443).
The bash history allowed researchers to reconstruct the operation’s phases:
- Initial deployment of Paqet, GRE forwarders, and 3x-ui for censorship bypass.
- DDoS tooling, including compilation of syn.c and flood.c.
- Botnet build-out, with scripts (ohhhh.py, yse.py) automating SSH-based infections.
The ohhhh.py script opened 500 concurrent SSH sessions, uploaded and compiled cnc.c on each victim, and launched the resulting binary in a detached screen session so the bot kept running after the SSH session closed. The yse.py script acted as a kill switch, terminating the bot processes across infected hosts. While the cnc.c source was not recovered, strings in the compiled binary revealed a flood-focused botnet client ("BOT CLIENT v1.0") with reconnection logic and attack commands.
Attribution signals point to an Iran-based operator:
- Hosting on Iranian ISPs and ArvanCloud DNS for server21[.]org.
- Use of Paqet "kharej" configurations (Farsi for "abroad", the foreign-hosted end of a tunnel), a setup tailored to evading Iranian censorship.
- Farsi inline comments in scripts.
However, the opportunistic targeting of a game server and generic web infrastructure, along with basic tooling, suggests a profit- or personally motivated actor rather than a state-aligned group.
Indicators of compromise include the 15 IPs tied to the *.server21[.]org certificate (the open-directory host plus its 14 peers), with key nodes at 185.221.239[.]162 (open directory) and 65.109.187[.]102 (Hetzner relay). Defenders are advised to monitor for unusual gcc usage, anomalous detached screen sessions, and high-concurrency SSH activity from these IPs.
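The infection chain above (hundreds of parallel SSH logins, compile cnc.c on the victim, launch it under a detached screen) maps directly onto the two detections recommended here. The following Python is an added example, not code from Hunt.io or from the report, showing how those two signals can be checked over host logs. The log lines are constructed for the example (ISO timestamps, auditd-style "timestamp host user command" process records) and are not artifacts from the incident; the thresholds are illustrative assumptions to be tuned per environment.

```python
"""Detect the SSH-spray-then-compile-then-detach pattern.

Signal 1: many accepted SSH logins from one source IP inside a short window
          (the ohhhh.py behaviour, which opened hundreds of parallel sessions).
Signal 2: a compiler run followed shortly by a detached screen launch by the
          same user on the same host (compile cnc.c, then `screen -dmS ...`).
All sample lines below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd records (ISO timestamps chosen for simple parsing).
SSHD_LOG = [
    "2026-02-11T03:14:01Z web01 sshd[2201]: Accepted password for deploy from 198.51.100.7 port 50112 ssh2",
    "2026-02-11T03:14:01Z web01 sshd[2202]: Accepted password for deploy from 198.51.100.7 port 50113 ssh2",
    "2026-02-11T03:14:02Z web01 sshd[2203]: Accepted password for deploy from 198.51.100.7 port 50114 ssh2",
    "2026-02-11T03:14:02Z web01 sshd[2204]: Accepted password for deploy from 198.51.100.7 port 50115 ssh2",
    "2026-02-11T03:14:03Z web01 sshd[2205]: Accepted password for deploy from 198.51.100.7 port 50116 ssh2",
    "2026-02-11T03:14:04Z web01 sshd[2206]: Accepted password for deploy from 198.51.100.7 port 50117 ssh2",
    "2026-02-11T03:14:05Z web01 sshd[2210]: Failed password for root from 198.51.100.7 port 50118 ssh2",
    "2026-02-11T03:14:30Z web01 sshd[2230]: Accepted publickey for admin from 203.0.113.55 port 41000 ssh2",
    "2026-02-11T03:15:40Z web01 sshd[2300]: Accepted password for deploy from 198.51.100.7 port 50200 ssh2",
]

# Constructed process-execution records: "<ts> <host> <user> <command line>".
PROC_EVENTS = [
    "2026-02-11T03:14:05Z web01 deploy /usr/bin/gcc cnc.c -o /tmp/.x",
    "2026-02-11T03:14:07Z web01 deploy /usr/bin/screen -dmS x /tmp/.x",
    "2026-02-11T03:20:00Z web01 deploy /usr/bin/screen -r x",
    "2026-02-11T04:00:00Z build02 jenkins /usr/bin/gcc -O2 main.c -o app",
]

SSH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")
PROC_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")
COMPILERS = {"gcc", "cc", "g++", "clang", "tcc"}


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def ssh_login_bursts(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {src_ip: peak accepted logins within `window`} for IPs at/over threshold.

    Only 'Accepted' events count; failures are ignored so the signal is about
    successful fan-out, not password guessing.
    """
    per_ip = defaultdict(list)
    for line in lines:
        m = SSH_RE.match(line)
        if not m:
            continue
        ts, _host, _user, ip = m.groups()
        per_ip[ip].append(_parse_ts(ts))
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted logins
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def compile_then_detach(events, max_gap=timedelta(minutes=5)):
    """Pair each compiler run with a later detached `screen -dm...` by the same host+user."""
    pending = defaultdict(list)                # (host, user) -> [(ts, compile cmd)]
    hits = []
    for line in events:
        m = PROC_RE.match(line)
        if not m:
            continue
        ts_s, host, user, cmd = m.groups()
        ts, argv = _parse_ts(ts_s), cmd.split()
        prog = argv[0].rsplit("/", 1)[-1]
        key = (host, user)
        if prog in COMPILERS:
            pending[key].append((ts, cmd))
        elif prog == "screen" and any(
            t.startswith("-") and "d" in t and "m" in t for t in argv[1:]   # -dm / -dmS
        ):
            for cts, ccmd in pending[key]:
                if timedelta(0) <= ts - cts <= max_gap:
                    hits.append({"host": host, "user": user, "compile": ccmd, "detach": cmd})
    return hits


if __name__ == "__main__":
    print("SSH bursts:", ssh_login_bursts(SSHD_LOG))
    for h in compile_then_detach(PROC_EVENTS):
        print("compile+detach:", h)
```

In the sample data only 198.51.100.7 trips the burst detector (six logins in four seconds; the later single login falls outside the window), and only web01/deploy shows the compile-then-detach pairing, since the jenkins build never launches a detached screen. In production the second check is noisy on build hosts, so scope it to hosts where compilation is unexpected, and combine both signals with the certificate-linked IP list above.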
Source: https://gbhackers.com/iran-linked-botnet/
Hetzner Finland Oy cybersecurity rating report: https://www.rankiteo.com/company/hetzner-finland-oy
Dade Samane Fanava (داده سامانه فن آوا) cybersecurity rating report: https://www.rankiteo.com/company/fanavaidc
{
"id": "HETFAN1773908769",
"linkid": "hetzner-finland-oy, fanavaidc",
"type": "Cyber Attack",
"date": "2/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
}
{'affected_entities': [{'industry': 'Telecommunications',
'location': 'Iran',
'name': 'Dade Samane Fanava Company (PJS)',
'type': 'ISP'},
{'industry': 'Telecommunications',
'location': 'Finland',
'name': 'Hetzner',
'type': 'ISP'},
{'industry': 'Gaming',
'name': 'FiveM GTA server',
'type': 'Game Server'},
{'industry': 'Technology',
'name': 'Unnamed web host',
'type': 'Web Hosting'}],
'attack_vector': 'Misconfigured open directory',
'data_breach': {'file_types_exposed': ['.bash_history',
'MHDDOS installer',
'C-based flood tools',
'Botnet components']},
'description': 'Researchers at Hunt.io uncovered a misconfigured open '
'directory on an Iranian server, revealing a live '
'censorship-bypass relay and SSH-based botnet infrastructure '
'operated by a single actor. The discovery highlights how '
'low-sophistication threat actors can repurpose techniques '
'associated with Iranian advanced persistent threat (APT) '
'groups for financial or personal gain.',
'impact': {'operational_impact': 'DDoS attacks on targeted servers',
'systems_affected': ['Censorship-bypass relay',
'SSH botnet infrastructure']},
'investigation_status': 'Completed',
'lessons_learned': 'Low-sophistication threat actors can repurpose techniques '
'associated with APT groups for financial or personal '
'gain. Misconfigured servers can expose critical '
'infrastructure and operations.',
'motivation': ['Financial gain', 'Personal gain'],
'post_incident_analysis': {'corrective_actions': 'Implement proper server '
'configuration and access '
'controls to prevent '
'exposure of sensitive files '
'and infrastructure details',
'root_causes': 'Server misconfiguration exposing '
'open directory and operational '
'files'},
'recommendations': 'Monitor for unusual gcc usage, anomalous screen sessions, '
'and high-concurrency SSH activity from IOCs. Implement '
'proper server configuration and access controls.',
'references': [{'source': 'Hunt.io'}],
'response': {'enhanced_monitoring': 'Monitor for unusual gcc usage, anomalous '
'screen sessions, and high-concurrency '
'SSH activity from IOCs'},
'threat_actor': 'Iran-based operator (likely profit- or personally motivated)',
'title': 'Iranian Server Misconfiguration Exposes Censorship-Bypass Relay and '
'SSH Botnet Operation',
'type': ['Botnet', 'DDoS', 'Censorship Bypass'],
'vulnerability_exploited': 'Server misconfiguration'}