A Shodan hit on an Alibaba Cloud Singapore IP leads to a 9.1GB archive that turns out to be an attacker's working directory from inside a compromised Brazilian government server — containing a DirtyPipe exploit, fscan lateral movement results across the GDF internal network, 164 confirmed credential compromises, and 754MB of exfiltrated GitLab source code.
grep -rl "singapore" ./posts
#singapore
2 matches
A Shodan scan for Singapore open directories surfaces a TRUMVPS server that has been quietly hosting the same .NET credential stealer — under the same filename — since 2021. The current build has zero detections.