Katana: a Mirai variant that compiles its own rootkit on Android TV set-top boxes
WHITE PetrP.73 2026-03-20 Modified: 2026-04-19
The Katana botnet, identified as a variant of the Mirai malware, targets Android TV set-top boxes, which are typically low-cost and lack robust security measures such as Google Play Protect. Katana exploits ADB (Android Debug Bridge) vulnerabilities, gaining unauthorized access through residential proxy services. This technique has enabled mass exploitation of Android-based devices without sophisticated exploits: operators need only a subscription to these proxies to gain access to millions of vulnerable devices.
Indicators of Compromise (34)