ctipilot.ch

c2c / meow

tool · tool:c2c-meow-flooder single-source

Simpler standalone Golang DDoS flooder targeting SSH-exposed Linux hosts, paired with a separate SSH-scanner component; checks for passwordless sudo to self-escalate and persists as a fake systemd service masquerading as 'cpufreqd' / 'CPU Frequency Daemon' (Nozomi Networks Labs, 2026-07-06).

Aliases: c2c, meow, qwiklabs/c2c

Coverage timeline
1
first 2026-07-09 → last 2026-07-09
Entries
1
1 distinct days
Sources cited
2
2 hosts
Sections touched
1
active-threats
Co-occurring entities
1
see Related entities below

Story timeline

  1. 2026-07-09Nozomi documents two new Golang IoT/Linux DDoS botnets (Apex2, c2c/meow) built for speed and reuse over sophistication
    active-threatsTwo Golang DDoS botnets, Apex2 and c2c/meow, flood exposed Telnet/SSH Linux and IoT with fake-systemd persistence and passwordless-sudo escalation

Where this entity is cited

  • active-threats1

Source distribution

  • industrialcyber.co1 (50%)
  • nozominetworks.com1 (50%)

Related entities

Entries about c2c / meow (1)

2026-07-09 · view entry permalink →

NOTABLE

Nozomi documents two new Golang IoT/Linux DDoS botnets (Apex2, c2c/meow) built for speed and reuse over sophistication

Nozomi Networks Labs' AI-assisted honeypot triage flagged two Golang-based DDoS botnet samples this spring that stand out from the routine volume of Mirai-derived variants: Apex2 and c2c (distributed under the filename "meow") (Nozomi Networks Labs, 2026-07-06). Apex2 is a direct structural evolution of the earlier Apex botnet: infection begins with Telnet connections and credential brute-forcing, followed by download-and-execute of the Golang payload, which registers with its C2 over a plaintext protocol (host OS/architecture) and ships builds for Linux (arm, arm64, mipsle, ppc64) and Windows (386, amd64). Its named flood commands include cf (an HTTP(S) flood specifically tuned to bypass Cloudflare via randomized User-Agent lists and long keep-alive timeouts), udp/pps, discord/game UDP floods, and three TLS-flood variants (tls, tlsplus, tlsplusbypass). c2c/meow is architecturally simpler — a Golang flooder with no built-in propagation (a separate SSH scanner handles brute-forcing and delivery) that authenticates to a hardcoded C2 over plaintext JSON-over-TCP, checks for passwordless sudo (sudo -n true) to self-escalate, then persists by copying itself to /usr/local/bin/cpufreqd and registering a fake systemd unit masquerading as a "CPU Frequency Daemon" — supporting ten flood-module types (icmp, dnsudp, udp, http, directhttp, fasthttp, betterhttp, tcp, tcphandshake, dnstcp).

Nozomi's stated point for defenders is that neither family is sophisticated — both lean on commodity Golang tooling, weak/default credentials and exposed Telnet/SSH interfaces rather than novel exploitation — and that the lack of sophistication does not reduce the risk at scale, because the build-and-deploy cycle for such botnets is getting faster. ATT&CK mapping: T1110 Brute Force (Telnet/SSH), T1105 Ingress Tool Transfer, T1548.003 Abuse Elevation Control Mechanism: Sudo (c2c's passwordless-sudo self-escalation), T1543.002 Create or Modify System Process: Systemd Service with T1036.005 Masquerading (the fake cpufreqd unit), and T1498 Network Denial of Service for the flood modules.

It checks whether passwordless sudo is available by running sudo -n true and evaluating the return value. If successful, it relaunches itself with increased privileges, copies to /usr/local/bin/cpufreqd, and creates a fake systemd service named "CPU Frequency Daemon"

In both cases, the emphasis is not on sophistication, but on speed, reuse and scalability.

Nozomi Networks Labs 2026-07-06
threat09 Jul 12:33Zsingle-sourceOpen finding ↗