Security researcher Ankit Anubhav observed that their honeypot with default credentials attacked by OWARI bot and attempts to download payload form IP 80[.]211[.]232[.]43. The database contains the login credentials of users who controls the database and the time duration limit for users to utilize the bot for the DDoS attack. Both IPs are offline now, they know their IPs will be flagged soon due to the bad network traffic and to stay under the radar, they often voluntarily change attack IPs.”]
Source: https://gbhackers.com/iot-botnet-owari-weakest-credential/