- [2026.05.14] Watcher-NetAI / skn: a Linux SSH botnet, with the scanner half-open [Part 1/2]
An SSH-delivered Linux kit observed on two honeypot sensors drops a non-root systemd-user persistence unit, then runs a 10 MB Go scanner with intact DWARF: source tree, module name skn, capability map (scanner, SOCKS5, password-change cascade with VyOS fallback, embedded HTTP listener) all visible. The loader is hardened; the scanner is not. Stage-2 C2 on connexionlost.{net,zip} → 194.5.97.46.
- [2026.05.14] Watcher-NetAI / skn - Detection Brief [Part 2/2]
Single-page SOC-facing summary of the Watcher-NetAI / skn cluster - top IOCs, four triage-priority hunts, links to the YARA / Sigma / IOC bundles, controlled-sharing contact. Full analysis in the main report.
- [2026.05.06] [Part 1/2] Prometei Goes Both Ways: Same C2, Both Operating Systems, Three Months Apart
A fresh Prometei v3/v4 ELF on a Linux honeypot, beaconing to the same C2 IP, Tor onion, and UPlugPlay disguise convention eSentire flagged on the Windows side three months earlier. The JSON-trailer schema yields a parent-peer back-pointer per bot. Postscript: four parallel binary-churn cadences in the same toolkit, including bit-identical zsvc unpacked code across drops.