CredBot Botnet Exposed: Full Worker Access and Root Passwords Left Unprotected

Emy Elsamnoudy
April 14, 2026

Key Takeaways

  • A credential stuffing botnet, named “Twitter Checker Master Panel – FULL FIX v2.3” and targeting Twitter/X accounts, was discovered operating completely exposed to the public internet.
  • The botnet’s command-and-control (C2) panel lacked any authentication, allowing anyone to access real-time attack data, control operations, and retrieve root SSH passwords for all 18 worker servers.
  • The operation had compromised 138 Twitter/X accounts lacking two-factor authentication (2FA) and was actively attempting to compromise more.
  • Analysts recommend blocking the identified IP addresses and resetting the compromised accounts; users are strongly advised to enable 2FA and to use a unique password for every service.

A sophisticated credential stuffing botnet, specifically engineered to breach Twitter/X accounts, was recently found to be entirely exposed online, offering unrestricted access to its operations. This critical security lapse meant anyone could access the botnet’s control panel, worker server credentials, and live attack data without requiring any form of authentication, according to a detailed report from Breakglass Intelligence.

The system, identified as “Twitter Checker Master Panel – FULL FIX v2.3,” inadvertently exposed root SSH passwords for all 18 of its worker servers. These credentials were readily available to anyone who could identify the correct IP address and port, enabling full compromise of the botnet’s infrastructure.

Botnet Infrastructure and Operation

The command-and-control (C2) panel for the botnet was hosted on a Windows Server 2019 machine by Hetzner Online GmbH in Falkenstein, Germany, at IP address 144[.]76[.]57[.]92 on port 5000. Built using Python Flask with Socket.IO for real-time log streaming, the panel conspicuously lacked any form of authentication. This omission meant no login page, no API keys, and no session checks were in place to secure access.

Consequently, any individual accessing the server could view comprehensive operational data, including live attack statistics, detailed information on worker servers, lists of active credentials, and a continuous log of successfully compromised accounts. Furthermore, other services like RDP, SMB, and WinRM were also exposed on the same server, amplifying the risk.

Discovery and Activity

Analysts at Breakglass Intelligence uncovered this unprotected panel on April 10, 2026, during routine scans. During a brief 12-minute observation period, the botnet was seen attempting 722,763 credential checks, resulting in 18 new account compromises.

Lifetime operational data observed during this session revealed that the botnet had already tested over 4.8 million accounts, leading to 138 confirmed compromises. Crucially, all these compromised accounts lacked two-factor authentication (2FA).

At the time of the report’s publication, neither the C2 server nor any of the worker server IP addresses registered any detections on major threat intelligence platforms, including VirusTotal (0/94), ThreatFox, URLhaus, or AbuseIPDB.

Geographic and Linguistic Indicators

All 18 worker servers were located within a single IP block (31[.]58[.]245[.]0/24) belonging to Komuta Savunma Yuksek Teknoloji Limited Sirketi, a hosting provider situated in Ankara, Turkey. Several indicators, such as server names containing the Turkish word “Sunucu,” a control panel entirely in Turkish, and root passwords ending with “kmt” (an abbreviation for Komuta), strongly suggest that the botnet’s operator is Turkish-speaking.

The botnet’s initial deployment commenced on December 25, 2025, with five servers coming online. This timing aligns with a common tactic by threat actors to launch operations during holiday periods when security teams are typically less active, potentially leading to slower response times.

The Critical Role of Two-Factor Authentication

The botnet’s internal data provided compelling evidence regarding the effectiveness of two-factor authentication. Out of 4,862,580 accounts targeted, 85.6% triggered a 2FA challenge, effectively thwarting the botnet’s attempts. The operation lacked any mechanism to bypass 2FA, simply flagging these accounts and moving on to target the 14.1% of accounts that relied solely on passwords. This data unequivocally demonstrates that enabling 2FA significantly mitigates the risk of this type of credential stuffing attack.

The Exposed API: A Botnet Anyone Could Control

Beyond the operational exposure, the most alarming aspect of this discovery was the complete absence of authentication on the botnet’s Flask panel API endpoints. This meant that anyone discovering the C2 server could gain full control over the botnet.

A simple GET request to the /api/servers endpoint would return every worker server’s IP address, its root SSH password, installation status, and health metrics, all in plain text. The operator’s decision to forgo any access controls, presuming that port 5000 on that specific IP address would remain undiscovered, proved to be a critical oversight.

The accessible API endpoints extended beyond mere data retrieval. Unauthorized parties could initiate or halt the entire botnet, upload their own lists of credentials, download the results of attacks, push new configurations to all 18 worker machines, and even reinstall the checking software. The /api/bulk/download endpoint, in particular, presented a severe vulnerability, allowing a third party to surreptitiously exfiltrate all compromised Twitter/X accounts without the original operator’s knowledge.
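The two failure modes described above, an endpoint reachable by anyone and a response that carries root credentials in plain text, are easiest to see side by side. The following is an added example, not code from the panel or from Breakglass Intelligence: a minimal WSGI application in the standard library (no Flask dependency, so it runs offline) that serves a `/api/servers` route once without any check and once behind an API-key check that also strips the password field. The worker records, the `X-Api-Key` header name, the `PANEL_API_KEY` variable and the placeholder passwords are all constructed for the illustration.

```python
"""Added example (not the panel's own code): an unauthenticated admin API
beside a hardened one, standard library only. Route name mirrors the one
named in the report; worker data, key name and key value are constructed."""
import hmac
import json
import os

# Constructed worker inventory; the passwords are placeholders, not real ones.
WORKERS = [
    {"ip": "192.0.2.10", "root_password": "PLACEHOLDER-1", "status": "ok"},
    {"ip": "192.0.2.11", "root_password": "PLACEHOLDER-2", "status": "degraded"},
]

# In a real deployment the key comes from a secrets store; the env var and
# the fallback value are assumptions for this demo only.
API_KEY = os.environ.get("PANEL_API_KEY", "demo-key-do-not-use")


def _json(start_response, status, body):
    """Serialise body as a JSON response through the WSGI callback."""
    payload = json.dumps(body).encode()
    start_response(status, [("Content-Type", "application/json"),
                            ("Content-Length", str(len(payload)))])
    return [payload]


def exposed_app(environ, start_response):
    """The weak pattern the report describes: whoever reaches the port gets
    every worker record, root password included."""
    if environ.get("PATH_INFO") == "/api/servers":
        return _json(start_response, "200 OK", WORKERS)
    return _json(start_response, "404 Not Found", {"error": "not found"})


def require_api_key(handler):
    """WSGI middleware: reject requests without a valid X-Api-Key header.
    compare_digest keeps the comparison constant-time."""
    def wrapped(environ, start_response):
        presented = environ.get("HTTP_X_API_KEY", "")
        if not hmac.compare_digest(presented.encode(), API_KEY.encode()):
            return _json(start_response, "401 Unauthorized",
                         {"error": "authentication required"})
        return handler(environ, start_response)
    return wrapped


@require_api_key
def hardened_app(environ, start_response):
    """Same route, behind the key check, and the response never carries
    credentials: callers get status and health, not root passwords."""
    if environ.get("PATH_INFO") == "/api/servers":
        redacted = [{k: v for k, v in w.items() if k != "root_password"}
                    for w in WORKERS]
        return _json(start_response, "200 OK", redacted)
    return _json(start_response, "404 Not Found", {"error": "not found"})


def call(app, path, api_key=None):
    """Drive a WSGI app in-process (no network); return (status, parsed body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if api_key is not None:
        environ["HTTP_X_API_KEY"] = api_key
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], json.loads(body)


if __name__ == "__main__":
    print(call(exposed_app, "/api/servers"))
    print(call(hardened_app, "/api/servers"))
    print(call(hardened_app, "/api/servers", api_key=API_KEY))
```

The point of the hardened version is that authentication and data minimisation are separate controls: even with the key check in place, a panel that returns SSH root passwords on a read-only endpoint would still be one leaked key away from the outcome the report describes, so the secret simply does not belong in the response.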

What You Should Do

  • For Twitter/X Users: Immediately enable two-factor authentication (2FA) on your Twitter/X account if you haven’t already. This measure has proven highly effective against such attacks. Also, ensure you use unique, strong passwords for all online services to prevent credential stuffing.
  • For Twitter/X Platform: Block the identified IP addresses (144[.]76[.]57[.]92 and the 31[.]58[.]245[.]0/24 block) and force-reset the passwords for all 138 compromised accounts.
  • For Hosting Providers (Hetzner Online GmbH and Komuta Savunma Yuksek Teknoloji Limited Sirketi): Urgently process abuse reports related to the infrastructure identified in this botnet operation.
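Two of the defensive actions above translate directly into log analysis: matching inbound sources against the published indicators, and spotting the pattern of the activity itself (hundreds of thousands of distinct accounts tried from a small set of sources in minutes). The following is an added example, not code from the report or from any platform's detection stack: it runs both checks over a constructed login log. The indicator values are the two the report lists, written without the defanging brackets so `ipaddress` can parse them; the log format, sample lines and thresholds are assumptions for the illustration.

```python
"""Added example, not from the report: match login sources against the
published indicators and flag credential-stuffing behaviour.
Log lines are constructed; indicators are the report's, un-defanged."""
from collections import defaultdict, deque
from datetime import datetime, timezone
import ipaddress

# Indicators from the report: the C2 host and the worker /24.
IOC_NETWORKS = [
    ipaddress.ip_network("144.76.57.92/32"),
    ipaddress.ip_network("31.58.245.0/24"),
]

# Constructed sample, one event per line: "<ISO timestamp> <src_ip> <username> <result>"
SAMPLE_LOG = """\
2026-04-10T12:00:00Z 31.58.245.17 alice FAIL
2026-04-10T12:00:01Z 31.58.245.17 bob FAIL
2026-04-10T12:00:01Z 31.58.245.17 carol 2FA_CHALLENGE
2026-04-10T12:00:02Z 31.58.245.17 dave FAIL
2026-04-10T12:00:02Z 31.58.245.17 erin SUCCESS
2026-04-10T12:00:03Z 31.58.245.17 frank FAIL
2026-04-10T12:00:05Z 198.51.100.7 alice FAIL
2026-04-10T12:00:09Z 198.51.100.7 alice FAIL
2026-04-10T12:00:20Z 198.51.100.7 alice SUCCESS
2026-04-10T12:01:00Z 203.0.113.5 grace SUCCESS
"""


def parse_line(line):
    """Parse one constructed-format event into a dict with typed fields."""
    ts, ip, user, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "ip": ipaddress.ip_address(ip),
        "user": user,
        "result": result,
    }


def ioc_hits(events):
    """Distinct source addresses that fall inside a published indicator network."""
    return sorted({str(e["ip"]) for e in events
                   if any(e["ip"] in net for net in IOC_NETWORKS)})


def stuffing_sources(events, window_seconds=60, min_distinct_users=5):
    """Sources that attempt >= min_distinct_users different accounts within
    any window of window_seconds. Many accounts from one source, whatever the
    outcomes, is the stuffing signature; one account failing repeatedly (a
    forgotten password) is not, so the count is over usernames, not results.
    Returns {source_ip: peak distinct users seen in a window}."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        window = deque()
        for e in evs:
            window.append(e)
            # Slide the window forward so it spans at most window_seconds.
            while (e["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            users = {w["user"] for w in window}
            if len(users) >= min_distinct_users:
                flagged[str(ip)] = max(flagged.get(str(ip), 0), len(users))
    return flagged


def analyze(text):
    """Run both checks over raw log text."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return {"ioc_hits": ioc_hits(events), "stuffing": stuffing_sources(events)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Indicator matching is the fast check but it only catches this operator's current hosting; the distinct-account rate per source is what still fires when the infrastructure moves, which is why the report's observation that none of the addresses were listed on VirusTotal, ThreatFox, URLhaus or AbuseIPDB matters for anyone relying on feeds alone. In a live system the sample log would be replaced by the platform's authentication events and the threshold tuned against normal traffic.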
