Cowrie

Overview On April 2, 2026, my Cowrie SSH honeypot logged an unusual pattern — two source IPs attempting to use the honeypot as a proxy to reach ip-who.com, a service that returns the caller’s external IP address in JSON format. This is not attack behavior. This is operational security behavior — a compromised node checking what IP address it appears to be using. Investigation revealed both IPs are compromised MikroTik routers on Vietnamese residential ISP infrastructure. A third IP from the same session window — a Dutch scanner with 116,618 AbuseIPDB reports — attempted to tunnel to Cloudflare’s TURN server infrastructure, suggesting a separate actor testing WebRTC-based connectivity through the honeypot. ...

Overview Two days after my honeypot went live, a quieter and more patient actor arrived. While the mdrfckr/Outlaw Group SSH key persistence campaign documented in my previous post continued running in the background, this actor uploaded a malicious binary disguised as the system SSH daemon — a stealth-focused approach targeting hosts they expect to have long-term value. Sandbox analysis and YARA matching confirm this is Panchan — a peer-to-peer Go-compiled cryptominer with documented activity stretching back to at least June 2023 and still being actively deployed as of this writing. ...

Overview Buried in a day’s worth of SSH credential spray data from my Cowrie honeypot was a finding that stopped me mid-analysis: the username/password combination 345gs5662d34:345gs5662d34 — attempted 30 times in a single observation window. That string is the factory default administrative credential for the Polycom CX600 IP desk phone. This post documents the credential finding, the broader mdrfckr persistence campaign it arrived alongside, and an important observation about what this spray tells us about the attackers’ awareness of their targets — which is essentially zero. ...

Introduction On the evening of March 24, 2026, I deployed a Cowrie SSH honeypot as part of a broader threat intelligence project. Within 90 minutes of going live, the honeypot captured two complete, distinct attack chains from two separate threat actors — arriving 20 minutes apart, with the second actor specifically evicting the first. Actor 1 — Redtail cryptominer — deployed a full multi-architecture mining toolkit at 03:00 UTC, including a clean.sh component that returned 0/62 detections on VirusTotal at time of analysis. ...