Coordinated Egress Verification Campaign Using SSH direct-tcpip Tunneling

Summary: Two Vietnamese IP addresses recently conducted a coordinated SSH credential spray against a cloud-hosted honeypot. What makes this campaign notable is not the spray itself but the post-authentication behavior: rather than deploying payloads or running reconnaissance commands, both actors used SSH direct-tcpip channel forwarding to tunnel HTTP requests through the compromised host to an IP geolocation API (ip-who.com/json/), an egress check that reveals the host's public address and whether it can reach the internet at all. Identical JA4H fingerprints from both source IPs indicate they were running the same HTTP client tooling at the same time. Both IPs have nearly 500 prior abuse reports on AbuseIPDB, placing this activity in the context of a known, persistent threat. ...
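As an added example (not code from the original post or its author), the following Python flags honeypot sessions that match the pattern described above: a successful login followed only by direct-tcpip forwarding to an HTTP port, with no commands or file transfers, and then clusters those sessions by JA4H fingerprint and timing to surface shared tooling across source IPs. The JSON-lines event schema, the IP addresses (RFC 5737 documentation ranges), the timestamps and the JA4H value are all constructed for this example and are not the campaign's data or any particular honeypot's log format.

```python
"""Spot SSH sessions used purely as an egress check (authenticate, open a
direct-tcpip channel to an HTTP service, never run a command) and correlate
them across source IPs by JA4H fingerprint and timing."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed honeypot events in JSON-lines form. Field names, IPs, timestamps
# and the JA4H value are assumptions for this example, not real campaign data
# or a specific honeypot's schema.
SAMPLE_EVENTS = """
{"ts": "2026-03-20T04:12:01Z", "session": "s1", "src_ip": "203.0.113.10", "event": "login.success", "username": "root"}
{"ts": "2026-03-20T04:12:02Z", "session": "s1", "src_ip": "203.0.113.10", "event": "direct-tcpip.request", "dst_host": "ip-who.com", "dst_port": 80}
{"ts": "2026-03-20T04:12:02Z", "session": "s1", "src_ip": "203.0.113.10", "event": "direct-tcpip.data", "dst_host": "ip-who.com", "dst_port": 80, "ja4h": "ge11nn040000_a1b2c3d4e5f6_000000000000_000000000000"}
{"ts": "2026-03-20T04:12:03Z", "session": "s2", "src_ip": "203.0.113.11", "event": "login.success", "username": "admin"}
{"ts": "2026-03-20T04:12:04Z", "session": "s2", "src_ip": "203.0.113.11", "event": "direct-tcpip.request", "dst_host": "ip-who.com", "dst_port": 80}
{"ts": "2026-03-20T04:12:04Z", "session": "s2", "src_ip": "203.0.113.11", "event": "direct-tcpip.data", "dst_host": "ip-who.com", "dst_port": 80, "ja4h": "ge11nn040000_a1b2c3d4e5f6_000000000000_000000000000"}
{"ts": "2026-03-20T05:00:00Z", "session": "s3", "src_ip": "198.51.100.7", "event": "login.success", "username": "root"}
{"ts": "2026-03-20T05:00:01Z", "session": "s3", "src_ip": "198.51.100.7", "event": "command.input", "input": "uname -a"}
{"ts": "2026-03-20T05:00:02Z", "session": "s3", "src_ip": "198.51.100.7", "event": "direct-tcpip.request", "dst_host": "ip-who.com", "dst_port": 80}
"""

HTTP_PORTS = {80, 443, 8080, 8443}
# Any of these means the actor did more than just forward a channel.
INTERACTIVE_EVENTS = {"command.input", "file.upload", "file.download"}


def parse_events(text):
    """Parse JSON lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def egress_only_sessions(events):
    """Return {session_id: info} for sessions that authenticated, opened at
    least one direct-tcpip channel to an HTTP port, and never ran a command
    or transferred a file."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    hits = {}
    for sid, evs in by_session.items():
        authed = any(e["event"] == "login.success" for e in evs)
        interactive = any(e["event"] in INTERACTIVE_EVENTS for e in evs)
        fwd = [e for e in evs
               if e["event"] == "direct-tcpip.request" and e.get("dst_port") in HTTP_PORTS]
        if authed and fwd and not interactive:
            hits[sid] = {
                "src_ip": evs[0]["src_ip"],
                "first_seen": min(_ts(e) for e in evs),
                "targets": sorted({f"{e['dst_host']}:{e['dst_port']}" for e in fwd}),
                "ja4h": sorted({e["ja4h"] for e in evs if e.get("ja4h")}),
            }
    return hits


def coordinated_by_ja4h(hits, window_seconds=300):
    """Group egress-only sessions by JA4H and report fingerprints seen from two
    or more source IPs whose first activity falls within window_seconds."""
    by_fp = defaultdict(list)
    for info in hits.values():
        for fp in info["ja4h"]:
            by_fp[fp].append(info)
    clusters = {}
    for fp, infos in by_fp.items():
        ips = sorted({i["src_ip"] for i in infos})
        times = [i["first_seen"] for i in infos]
        spread = (max(times) - min(times)).total_seconds()
        if len(ips) >= 2 and spread <= window_seconds:
            clusters[fp] = {"src_ips": ips, "spread_seconds": spread}
    return clusters


if __name__ == "__main__":
    hits = egress_only_sessions(parse_events(SAMPLE_EVENTS))
    for sid, info in hits.items():
        print(sid, info["src_ip"], info["targets"], info["ja4h"])
    for fp, cluster in coordinated_by_ja4h(hits).items():
        print("shared tooling:", fp, cluster)
```

Session s3 is deliberately excluded: it forwards to the same API but also runs a command, so it is ordinary post-exploitation recon rather than a pure egress check. The JA4H correlation only carries weight when the fingerprint is uncommon; a fingerprint shared by a stock library would cluster unrelated actors, so in practice compare against the baseline of fingerprints the honeypot sees from all sources.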

March 27, 2026 · 4 min · Ethan Thomason