Security Researcher

Isaac.

Threat intelligence & honeypot operations
Honeypot active
Work
SSH Honeypot Operation (Active)
Cowrie SSH honeypot deployed on a cloud VPS, exposed on port 22 with hardened firewall rules and passive OS fingerprinting via p0f. Paired with a fake phpMyAdmin web honeypot behind a reverse proxy. Logs forwarded to Splunk Cloud for correlation and triage. Real-time alerting on high-confidence events.
2024 – now
3 campaigns documented
Outlaw / mdrfckr Botnet Intel
Identified and tracked the Outlaw/mdrfckr botnet campaign through honeypot telemetry. Extracted C2 infrastructure indicators, submitted IOCs to ThreatFox, and filed abuse reports with relevant CERTs and hosting providers. Produced a formal threat intelligence report documenting TTPs.
2026
RedTail Cryptominer — Malware Analysis
Static analysis of UPX-packed RedTail samples (XMRig-based). Used Detect-It-Easy and string extraction to identify ANTIVM evasion logic. Submitted a novel SSH public key IOC — the first documented record of its kind on ThreatFox at time of submission.
2026
Novel IOC submitted
Mirai LZRD Variant Intel
Captured exploitation attempts from a Mirai LZRD variant via honeypot. Extracted behavioural indicators, mapped activity to known Mirai campaign patterns, and submitted IOCs to ThreatFox.
2026
Self-Hosted DNS Infrastructure
Dual-node authoritative DNS deployment using Technitium on cloud servers. Cloudflare Workers and D1 for edge logic. Self-hosted notification relay for infrastructure alerting. WireGuard-based VPN with obfuscation layer for secure remote access.
2025 – 2026
Tools & methods
Detection
  • Cowrie SSH honeypot
  • Splunk Cloud
  • p0f fingerprinting
  • ntfy alerting
Analysis
  • Detect-It-Easy
  • VirusTotal
  • String extraction
  • Sandbox analysis
Infrastructure
  • Linux / iptables
  • nginx
  • Cloudflare Workers
  • WireGuard