Posts

Showing posts from April, 2026

⚠️ WARNING: Fake OpenClaw Site Delivering ScreenConnect RAT — Discord Users Targeted

⚠️ SECURITY WARNING — ACTIVE THREAT A fake OpenClaw site is being shared in Discord servers. It installs a Remote Access Trojan (RAT) that gives attackers full control of your machine. Do not visit, download from, or run anything from the sites listed in this post. On 2026-04-26 I identified an active phishing and RAT delivery campaign impersonating OpenClaw — a legitimate AI assistant project. The campaign is being distributed through Discord, directing users to a convincing clone of the official OpenClaw website that silently delivers a ScreenConnect Remote Access Trojan. What Is OpenClaw? OpenClaw ( openclaw.ai ) is a real, legitimate open-source AI assistant project. The attackers chose it as their lure because it is a developer-friendly tool — its target audience is exactly the kind of person who would run a curl | bash installer without a second thought. The Fake Discord "bot" A Discord user impersonating the OpenClaw bot Krill DMs users offering help. Unfortuna...

Diagnosing PRTG UDP Errors on a Syslog Server: A Packet Capture Story with Claude Code and OpenClaw

Once again, I gave Claude Code an old PCAP from an issue I troubleshot a while ago, and gave it this prompt: Our SNMP PRTG tool is showing a large number of UDP errors on the syslog servers NIC, we took a traffic capture demo/net-dump-udp-errors.pcap, please analyze and report what could be the issue, add explanation of each command executed to obtain data for the analysis, and recommendations.  (BTW, the fix was a combination of the /etc/sysctl.conf settings and reducing noise from the sources) This is Claude Code with Sonnet 4.6 narrative (I asked it to tell the story): This is the story of that investigation — every command I ran, what the output told me, and where it led. The Setup The capture file was net-dump-udp-errors.pcap (57 MB). The syslog server's IP is 10.20.0.17 listening on UDP port 514. Step 1: Get the lay of the land — capinfos Before doing anything else, I always start with capinfos to understand what I'm dealing with: capinfos net-dump-udp-er...

Analyzing a Mirai Botnet PCAP with Claude Code

In a previous post I walked through analyzing a DoublePulsar/EternalBlue capture with Claude Code. This time the target is sample.pcap — a capture of an IoT device downloading what turns out to be a Mirai-variant botnet binary. The same single-prompt workflow, but with a very different payload at the end. The Prompt Analyse the sample.pcap file, extract any IOCs, if there are any files being transmitted please examine them. Report source and destination IP addresses and protocols, file types and content. Analysis Methodology Claude worked through the capture in layers — start wide, then drill down. Step 1 — Protocol Hierarchy tshark -r sample.pcap -q -z io,phs The -z io,phs flag prints a protocol hierarchy tree with frame and byte counts at each layer. Quick way to see what's in a capture without looking at individual frames. Result: pure TCP/HTTP — no DNS, no TLS, no lateral movement protocols. =================================================================== P...

Analyzing PCAPs with Claude Code

One of the most practical use cases for Claude Code in security work is rapid PCAP triage. In this post I'll walk through a live session where I asked Claude to analyze a DoublePulsar capture, extract IOCs, and summarize the activity — all from a single prompt. The Prompt analyse the /home/demo/7-DoublePulsar.pcap file, extract any IOCs, present a summary of the activity How Claude Approached It Claude Code located the file at /home/igor/demo/7-DoublePulsar.pcap and ran a series of tshark commands to build up a picture of the traffic: IP conversation summary — identified the two hosts and total frame counts Protocol hierarchy — discovered SMB, NBSS, DCE/RPC, LLMNR, and NBNS Frame-by-frame analysis — traced the full attack sequence from port scan to exploitation attempt SMB/445 filter — isolated the exploitation traffic and SMB command sequence MAC and hostname extraction — pulled NetBIOS names and ARP-derived MACs DoublePulsar fingerprint check ...