Polycom CX600 Default Credentials Observed in SSH Credential Spray

Overview

Buried in a day’s worth of SSH credential spray data from my Cowrie honeypot was a finding that stopped me mid-analysis: the username/password combination 345gs5662d34:345gs5662d34 — attempted 30 times in a single observation window. That string is the factory default administrative credential for the Polycom CX600 IP desk phone. This post documents the credential finding, the broader mdrfckr persistence campaign it arrived alongside, and an important observation about what this spray tells us about the attackers’ awareness of their targets — which is essentially zero. ...

March 26, 2026 · 6 min · Ethan Thomason

Two Threat Actors, One Honeypot, 90 Minutes

Introduction

On the evening of March 24, 2026, I deployed a Cowrie SSH honeypot as part of a broader threat intelligence project. Within 90 minutes of going live, the honeypot captured two complete, distinct attack chains from two separate threat actors — arriving 20 minutes apart, with the second actor specifically evicting the first. Actor 1 — Redtail cryptominer — deployed a full multi-architecture mining toolkit at 03:00 UTC, including a clean.sh component that returned 0/62 detections on VirusTotal at time of analysis. ...

March 25, 2026 · 6 min · Ethan Thomason