Sevpirath--usa--nswtch--base--nsp--eshop--ziper... -

is the handler. Not a person—a daemon. Named after a forgotten build of a network switch emulator, NSwTcH listens on port 443 with a TLS certificate that says it belongs to a defunct medical billing clearinghouse in Ohio. No one checks expired certs from 2019. NSwTcH accepts only one command: a specific 128-byte payload that begins with 0x7E 0x45 0x50 . After that, it opens a raw tunnel to BASE .

The location: . Not just any node. The Federal eXchange Core, a hardened relay that handles cross-agency authentication for everything from NOAA weather feeds to Treasury settlement logs. A backdoor here is a skeleton key to the republic’s digital basement. SEVPIRATH--USA--NSwTcH--BASE--NSP--eShop--Ziper...

A sysadmin named Mara notices something odd. The eShop’s /images/ziper.php has a last-modified date of 2021, but its inode change timestamp updates every night at 03:14. She runs lsof on the web server. Nothing. She checks network connections. Nothing. She reboots the box. The daemon under BASE survives—it’s not in RAM, it’s in the SSD’s hidden sectors, loaded by a UEFI bootkit that re-instantiates NSwTcH before the kernel even starts. is the handler

For seventy-two hours, the logs show nothing. Then, from a compromised router in Tulsa, a single packet arrives at the Virginia relay. 0x7E 0x45 0x50 . No one checks expired certs from 2019