Hunting Lazarus Part VII: The Server That Was Not Just FTP

2026-05-06 Red Asgard

https://redasgard.com/blog/hunting-lazarus-part7-server-not-just-ftp


Red Asgard ties the Hetzner host at 195.201.104.53 to more than BeaverTail FTP exfiltration, showing it also exposed six Express.js services on non-standard ports. Port 21 ran FileZilla Server 1.12.1 with TLS session resumption enforced and held seventy victim folders under team-numbered prefixes. Two Express services mapped to OtterCookie command-and-control, including one live node broadcasting macOS victim state and a silent predecessor still listening. Port 80 repeatedly leaked a Windows development path from a Linux deployment, indicating shared operational infrastructure across campaigns and malware families.

Indicators of Compromise

Type   Value            First Seen   Last Seen
IPv4   195.201.104.53   2026-02-28   2026-04-22
