Hackers have left a live Twitter/X credential‑stuffing botnet effectively unlocked, exposing its full command‑and‑control stack, worker fleet, and root passwords to anyone who knows where to look.
The C2 runs on a Windows Server 2019 instance hosted by Hetzner in Falkenstein, Germany, with RDP, SMB, and WinRM all exposed alongside the Flask panel, indicating a largely unhardened build.
The application is a single‑page dashboard built with Python Flask, Socket.IO, and Chart.js, streaming live statistics from an active credential‑stuffing pipeline against Twitter/X login endpoints.
GHOST researchers found an exposed Flask-based control panel at 144[.]76[.]57[.]92:5000, branded “Twitter Checker Master Panel – FULL FIX v2.3,” with no authentication of any kind. There is no login route, no API key checks, and no session handling; every page and API call is accessible directly over HTTP on port 5000.
GHOST captured the full 98 KB panel source, confirming the absence of any authentication controls and the hard‑coded API layout that drives the operation.
Full C2 and worker exposure
Every operational function is mapped to unauthenticated REST endpoints, including server management, campaign control, configuration, and data exfiltration.
A single call to /api/servers returns the IP address, root SSH password, health status, and install state for each worker node in plaintext, effectively publishing the attacker’s own infrastructure credentials.
Bulk endpoints allow any visitor to start, stop, or restart checks across all workers, upload new combo lists, download hit results, push new proxy lists, or wipe result files, giving outsiders full control over the botnet.
Behind the C2, 18 Linux worker servers sit in the 31[.]58[.]245[.]0/24 network, all owned by Komuta Savunma Yuksek Teknoloji Limited Şirketi in Ankara, Turkey, and reachable via root SSH on port 22.
Server labels use the Turkish word “Sunucu” with numbering from Sunucu 8 to Sunucu 25, suggesting a previous generation of at least seven decommissioned nodes.
During a 12‑minute observation window on April 10, 2026, GHOST watched the panel test 722,763 Twitter/X credential pairs in real time and add 18 new compromised accounts to its hit list.
Lifetime counters showed 4,862,580 total accounts checked, with 138 successful takeovers, translating to an overall hit rate of roughly 0.0028 percent: small in percentage terms but meaningful when driven at millions of attempts per day.
The telemetry also exposes how much 2FA blocks this activity: 4,163,790 of the tested accounts (about 85.6 percent) returned a two‑factor challenge and were immediately discarded by the tool.
Only 211,662 accounts had valid passwords without 2FA, and just 138 of those were fully compromised, highlighting that the botnet is limited to basic password‑only takeovers rather than more advanced bypass techniques.
Turkish operator and password pattern
Attribution indicators strongly point to a Turkish‑speaking operator anchored in local infrastructure.
The entire web UI is in Turkish, using labels such as “Sunucu Ekle” (Add Server), “Toplu Baslat” (Bulk Start), and “Canli Istatistikler” (Live Statistics) to drive worker, file, and health management.
All 18 workers run on a relatively new /24 block registered to Komuta Savunma, whose RIPE entry dates to December 2024 and also hosts a mix of benign Turkish businesses, consistent with a small regional hosting provider rather than dedicated bulletproof hosting.
Root passwords follow an identical pattern: a 12‑character lowercase hexadecimal string immediately followed by “kmt.!,” likely a mnemonic for Komuta plus a static complexity suffix.
This uniform scheme suggests an automated build pipeline controlled by a single actor or tight team that provisions servers in waves, as seen in the three deployment bursts between December 25, 2025 and January 31, 2026, followed by a coordinated tool rollout in late February.
Despite operating at scale and advertising its own infrastructure, the botnet remains invisible across major public threat feeds: VirusTotal lists zero detections for the C2 and worker IPs, and there is no recorded coverage on ThreatFox, URLhaus, or AbuseIPDB at the time of reporting.
That blind spot, combined with a repurposed Hetzner server still carrying an expired Let’s Encrypt certificate for impact[.]gradientconnectedai[.]com, underlines how commodity credential‑stuffing can quietly persist on general‑purpose cloud hosts.
For defenders, the operation reinforces three core points: enable 2FA on Twitter/X wherever possible, since this campaign treats it as a hard stop; enforce strong rate limiting and anomaly detection on authentication endpoints to throttle high‑volume checking from shared IP blocks.
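The rate-limiting and anomaly-detection point above can be made concrete with a small detector that rolls authentication attempts up by source /24 block and flags the pattern this campaign shows: many distinct usernames tried from a handful of hosts in one range, at high volume, with almost every attempt failing or stopping at a 2FA challenge. The code below is an added example written for this article, not tooling from GHOST or from the operation described. The log format, the constructed sample lines, and the thresholds are all assumptions chosen for illustration; a real deployment would feed it from the authentication service's own logs and tune the thresholds to observed baselines.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not code from the original report. It aggregates login
attempts per source /24 block and flags blocks whose volume, rate and
username spread look like automated password checking from a shared IP
range rather than a single user mistyping a password. The log format and
the thresholds are assumptions chosen for illustration.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class BlockStats:
    """Per-/24 counters built from the log."""
    attempts: int = 0
    failures: int = 0
    challenges: int = 0   # attempts that stopped at a 2FA prompt
    successes: int = 0
    usernames: set[str] = field(default_factory=set)
    sources: set[str] = field(default_factory=set)
    first_seen: datetime | None = None
    last_seen: datetime | None = None


def build_sample_log() -> str:
    """Constructed sample lines, not real telemetry.

    Assumed format: "<iso-timestamp> <source_ip> <username> <result>",
    where result is one of fail, 2fa_challenge or success.
    """
    lines = [
        # One user retrying their own password from a single address.
        "2026-04-10T10:00:01Z 203.0.113.5 alice fail",
        "2026-04-10T10:00:09Z 203.0.113.5 alice fail",
        "2026-04-10T10:00:15Z 203.0.113.5 alice success",
    ]
    # Three hosts in one /24 cycling through many different usernames.
    results = ["fail"] * 17 + ["2fa_challenge"] * 6 + ["success"]
    for i, result in enumerate(results):
        host = 10 + i % 3
        lines.append(f"2026-04-10T10:01:{i:02d}Z 198.51.100.{host} user{i:02d} {result}")
    return "\n".join(lines)


def aggregate(log_text: str) -> dict[str, BlockStats]:
    """Roll each log line up into its source /24 block."""
    stats: dict[str, BlockStats] = defaultdict(BlockStats)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts_text, ip, user, result = line.split()
        ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
        block = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        s = stats[block]
        s.attempts += 1
        s.usernames.add(user)
        s.sources.add(ip)
        if result == "fail":
            s.failures += 1
        elif result == "2fa_challenge":
            s.challenges += 1
        elif result == "success":
            s.successes += 1
        s.first_seen = ts if s.first_seen is None else min(s.first_seen, ts)
        s.last_seen = ts if s.last_seen is None else max(s.last_seen, ts)
    return dict(stats)


def attempts_per_minute(s: BlockStats) -> float:
    """Attempts normalised to a one-minute floor so short bursts are not inflated."""
    window = (s.last_seen - s.first_seen).total_seconds()
    return s.attempts * 60 / max(window, 60)


def flag_blocks(stats, min_attempts=20, min_usernames=10,
                min_per_minute=10.0, max_success_ratio=0.05):
    """Return blocks that look like credential stuffing, with the evidence."""
    flagged = {}
    for block, s in stats.items():
        if s.attempts < min_attempts or len(s.usernames) < min_usernames:
            continue
        rate = attempts_per_minute(s)
        if rate < min_per_minute:
            continue
        if s.successes / s.attempts > max_success_ratio:
            continue  # mostly-successful traffic is not a password-checking pattern
        flagged[block] = {
            "attempts": s.attempts,
            "distinct_usernames": len(s.usernames),
            "source_hosts": len(s.sources),
            "per_minute": rate,
            "challenge_share": s.challenges / s.attempts,
            "successes": s.successes,
        }
    return flagged


if __name__ == "__main__":
    for block, evidence in flag_blocks(aggregate(build_sample_log())).items():
        print(block, evidence)
```

Grouping by /24 rather than by single address is the point of the example: the worker fleet described above spreads its checking across many hosts in one block, so a per-IP limiter sees modest volume from each while the range as a whole is clearly automated. The challenge share is kept as evidence because a high proportion of attempts ending at a 2FA prompt is exactly what an automated checker produces and what a legitimate user almost never does.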