CRYPTOMINING
- [2026.05.06][Part 1/2] Prometei Goes Both Ways: Same C2, Both Operating Systems, Three Months Apart
A fresh Prometei v3/v4 ELF on a Linux honeypot, beaconing to the same C2 IP, Tor onion, and UPlugPlay disguise convention eSentire flagged on the Windows side three months earlier. The JSON-trailer schema yields a parent-peer back-pointer per bot. Postscript: four parallel binary-churn cadences in the same toolkit, including bit-identical zsvc unpacked code across drops.
- [2026.05.04] Turf Wars at Scale: Botnets Fighting for the Same Servers
42 post-auth payload deployments from 13 coordinated IPs on AS51396 over 58 hours. The eviction script that precedes each install maps the contested-infrastructure reality: Diicot self-eviction, XMRig, CNRig, Rete, and Kinsing artifacts competing on the same pools of exposed servers.