Overview
On April 2, 2026, my Cowrie SSH honeypot logged an unusual pattern — two source IPs attempting to use the honeypot as a proxy to reach ip-who.com, a service that returns the caller’s external IP address in JSON format. This is not attack behavior. This is operational security behavior — a compromised node checking what IP address it appears to be using. Investigation revealed both IPs are compromised MikroTik routers on Vietnamese residential ISP infrastructure. A third IP from the same session window — a Dutch scanner with 116,618 AbuseIPDB reports — attempted to tunnel to Cloudflare’s TURN server infrastructure, suggesting a separate actor testing WebRTC-based connectivity through the honeypot. ...
What's in Your CIP Sender Context? Fingerprinting Internet Scanners via EtherNet/IP
This is part of an ongoing series documenting observations from otpot, an OT-focused honeypot project. If you missed the intro, start there. otpot had been running for less than 24 hours before the first EtherNet/IP probes arrived. Censys and Shodan index everything, and a convincing Allen-Bradley 1756-L61 ControlLogix identity response is apparently interesting enough to attract regular visits. What I didn’t expect was that buried inside each of those requests was something useful: a consistent, scanner-specific value that makes it possible to identify who’s knocking purely from the protocol payload — no IP intelligence required. ...
Introducing otpot: A Modern OT/ICS Honeypot (And What We Caught in the First 90 Minutes)
First, Some Context: What Is a Honeypot and Why Does It Matter?
If you’ve spent your career on the OT side — programming PLCs, commissioning HMIs, integrating SCADA systems — cybersecurity might feel like someone else’s department. That’s changing fast, and if you’re reading this, you probably already know it. Here’s the simplest way I can explain a honeypot: it’s a trap. You set up a system that looks exactly like something an attacker would want to find — an exposed PLC, an unprotected SCADA gateway, an industrial device sitting on the internet. But it’s fake. Nothing real is connected to it. When an attacker finds it and starts probing, you’re watching everything they do. ...
Coordinated Egress Verification Campaign Using SSH direct-tcpip Tunneling
Summary
Two Vietnamese IP addresses recently conducted a coordinated SSH credential spray against a cloud-hosted honeypot. What makes this campaign notable is not the spray itself, but the post-authentication behavior: rather than deploying payloads or running recon commands, both actors used SSH direct-tcpip channel forwarding to tunnel HTTP requests to an IP geolocation API (ip-who.com/json/). Identical JA4H fingerprints across both source IPs confirm they were running the same tool simultaneously. Both IPs have nearly 500 prior abuse reports on AbuseIPDB, placing this activity in the context of a known, persistent threat. ...
Panchan Miner Delivered via Fake sshd Binary — Three-Year Campaign Still Active
Overview
Two days after my honeypot went live, a quieter and more patient actor arrived. While the mdrfckr/Outlaw Group SSH key persistence campaign documented in my previous post continued running in the background, this actor uploaded a malicious binary disguised as the system SSH daemon — a stealth-focused approach targeting hosts they expect to have long-term value. Sandbox analysis and YARA matching confirm this is Panchan — a peer-to-peer Go-compiled cryptominer with documented activity stretching back to at least June 2023 and still being actively deployed as of this writing. ...
First Documentation of BarkScan_1.0: A New Internet Scanner with an Identity Problem
On March 26, 2026, my Cowrie SSH honeypot logged an SSH client version string I’d never seen before and couldn’t find documented anywhere: SSH-2.0-BarkScan_1.0. What followed was a few hours of investigation that surfaced a new commercial internet scanner with a legitimate-looking website, an anonymous team, and a globally-flagged malicious IP – and no clean answer on which description was more accurate. This appears to be the first public documentation of the BarkScan_1.0 banner string. GreyNoise subsequently reviewed the IP and escalated it internally as high priority. ...
Polycom CX600 Default Credentials Observed in SSH Credential Spray
Overview
Buried in a day’s worth of SSH credential spray data from my Cowrie honeypot was a finding that stopped me mid-analysis: the username/password combination 345gs5662d34:345gs5662d34 — attempted 30 times in a single observation window. That string is the factory default administrative credential for the Polycom CX600 IP desk phone. This post documents the credential finding, the broader mdrfckr persistence campaign it arrived alongside, and an important observation about what this spray tells us about the attackers’ awareness of their targets — which is essentially zero. ...
Two Threat Actors, One Honeypot, 90 Minutes
Introduction
On the evening of March 24, 2026, I deployed a Cowrie SSH honeypot as part of a broader threat intelligence project. Within 90 minutes of going live, the honeypot captured two complete, distinct attack chains from two separate threat actors — arriving 20 minutes apart, with the second actor specifically evicting the first. Actor 1 — Redtail cryptominer — deployed a full multi-architecture mining toolkit at 03:00 UTC, including a clean.sh component that returned 0/62 detections on VirusTotal at time of analysis. ...