Panchan Miner Delivered via Fake sshd Binary — Three-Year Campaign Still Active

Overview

Two days after my honeypot went live, a quieter and more patient actor arrived. While the mdrfckr/Outlaw Group SSH key persistence campaign documented in my previous post continued running in the background, this actor uploaded a malicious binary disguised as the system SSH daemon — a stealth-focused approach targeting hosts they expect to have long-term value. Sandbox analysis and YARA matching confirm this is Panchan — a peer-to-peer Go-compiled cryptominer with documented activity stretching back to at least June 2023 and still being actively deployed as of this writing. ...

March 27, 2026 · 5 min · Ethan Thomason