NorthSec 2025 - Amaury-Jacques Garçon - One certificate to rule them all

NorthSec


Let's dive into the domain of edge devices and botnets through our discovery of a vast cluster of ~70,000 compromised hosts. This story stemmed from a simple error - the repeated use of a self-signed certificate across multiple hosts. In this talk, we will demonstrate how this small SecOps oversight allowed us to unveil a whole network of Operational Relay Boxes and a multi-layered cyber attack infrastructure involving the GobRAT malware and a previously undocumented backdoor, which we named Bulbature. A unique attribute of this infrastructure is the fact that a majority of the C2s possess open directories. Altogether, over 5,000 varied types of files have been analysed, enabling us to effectively place ourselves in the operators’ shoes. This infrastructure is touching corners around the globe and hints at ties to China.
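The pivot the abstract describes, a self-signed certificate reused across many unrelated hosts, is something a defender can hunt for in their own scan data. The example below is added here and is not the speaker's code or tooling; it clusters constructed scan records by the SHA-256 fingerprint of the presented leaf certificate and reports fingerprints seen on several distinct hosts. The record layout, threshold and sample byte strings standing in for DER certificates are all assumptions made for the illustration.

```python
"""
Cluster scanned hosts by the SHA-256 fingerprint of the TLS certificate they
present. A self-signed certificate reused across many unrelated hosts is a
strong pivot for grouping infrastructure under one operator's control.

Every input below is constructed sample data, not material from the talk.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    """One observation from a TLS scan (assumed layout for this example)."""
    host: str           # IP or hostname that presented the certificate
    port: int
    cert_der: bytes     # DER-encoded leaf certificate as presented by the host
    self_signed: bool   # issuer == subject, as determined by the scanner


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the DER-encoded certificate as lowercase hex,
    the same value `openssl x509 -fingerprint -sha256` prints, without colons."""
    return hashlib.sha256(cert_der).hexdigest()


def cluster_by_certificate(records, min_hosts=3, self_signed_only=True):
    """Group distinct hosts by certificate fingerprint.

    Returns {fingerprint: sorted hosts} for fingerprints seen on at least
    min_hosts distinct hosts. CA-issued certificates are excluded by default
    because legitimate shared hosting and CDNs reuse them too, which would
    bury the interesting self-signed reuse in noise. Several ports on the
    same host count as one host.
    """
    hosts_by_fp = defaultdict(set)
    for r in records:
        if self_signed_only and not r.self_signed:
            continue
        hosts_by_fp[cert_fingerprint(r.cert_der)].add(r.host)
    return {fp: sorted(hosts)
            for fp, hosts in hosts_by_fp.items() if len(hosts) >= min_hosts}


# Constructed sample: these byte strings stand in for real DER certificates.
SHARED_SELF_SIGNED = b"CONSTRUCTED-DER-self-signed-reused-across-hosts"
UNIQUE_SELF_SIGNED = b"CONSTRUCTED-DER-self-signed-seen-once"
CA_ISSUED_SHARED = b"CONSTRUCTED-DER-ca-issued-cdn-certificate"

SAMPLE_RECORDS = [
    ScanRecord("192.0.2.10", 443, SHARED_SELF_SIGNED, True),
    ScanRecord("192.0.2.11", 443, SHARED_SELF_SIGNED, True),
    ScanRecord("198.51.100.7", 8443, SHARED_SELF_SIGNED, True),
    ScanRecord("198.51.100.7", 443, SHARED_SELF_SIGNED, True),   # same host, second port
    ScanRecord("203.0.113.5", 443, UNIQUE_SELF_SIGNED, True),
    ScanRecord("203.0.113.6", 443, CA_ISSUED_SHARED, False),
    ScanRecord("203.0.113.7", 443, CA_ISSUED_SHARED, False),
    ScanRecord("203.0.113.8", 443, CA_ISSUED_SHARED, False),
]

if __name__ == "__main__":
    for fp, hosts in cluster_by_certificate(SAMPLE_RECORDS).items():
        print(f"{fp[:16]}... reused on {len(hosts)} hosts: {', '.join(hosts)}")
```

On real data the records would come from a scanner export or passive TLS telemetry; the threshold and the self-signed filter are the two knobs that decide how much benign certificate sharing (load balancers, appliance defaults) shows up alongside the clusters worth investigating.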
