Overview Two days after my honeypot went live, a quieter and more patient actor arrived. While the mdrfckr/Outlaw Group SSH key persistence campaign documented in my previous post continued running in the background, this actor uploaded a malicious binary disguised as the system SSH daemon — a stealth-focused approach targeting hosts they expect to have long-term value. Sandbox analysis and YARA matching confirm this is Panchan — a peer-to-peer Go-compiled cryptominer with documented activity stretching back to at least June 2023 and still being actively deployed as of this writing. ...
Polycom CX600 Default Credentials Observed in SSH Credential Spray
Overview Buried in a day’s worth of SSH credential spray data from my Cowrie honeypot was a finding that stopped me mid-analysis: the username/password combination 345gs5662d34:345gs5662d34 — attempted 30 times in a single observation window. That string is the factory default administrative credential for the Polycom CX600 IP desk phone. This post documents the credential finding, the broader mdrfckr persistence campaign it arrived alongside, and an important observation about what this spray tells us about the attackers’ awareness of their targets — which is essentially zero. ...
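The counting step behind a finding like this, as an added example (not the post's own tooling): Cowrie writes one JSON object per line to its log, with `eventid` values such as `cowrie.login.failed` and `cowrie.login.success` carrying `username`, `password` and `src_ip`. The script below parses those lines, counts each username/password pair, flags pairs that match a small lookup of vendor defaults, and lists which source IPs tried a given pair (one IP or many is what separates a targeted probe from a blind spray). The sample log lines and the `KNOWN_DEFAULTS` table are constructed for illustration; only the Polycom CX600 pair comes from the post.

```python
"""Count credential pairs in Cowrie JSON logs and flag known vendor defaults."""
import json
from collections import Counter

# Constructed sample lines in Cowrie's JSON log format (not the post's real data).
# Includes a non-login event and a garbled line to show both are tolerated.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","session":"s1","timestamp":"2026-03-25T03:00:00.000000Z"}
{"eventid":"cowrie.login.failed","username":"345gs5662d34","password":"345gs5662d34","src_ip":"203.0.113.10","session":"s1","timestamp":"2026-03-25T03:00:01.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","src_ip":"203.0.113.10","session":"s1","timestamp":"2026-03-25T03:00:02.000000Z"}
{"eventid":"cowrie.login.failed","username":"345gs5662d34","password":"345gs5662d34","src_ip":"198.51.100.7","session":"s2","timestamp":"2026-03-25T03:05:01.000000Z"}
{"eventid":"cowrie.login.failed","username":"345gs5662d34","password":"345gs5662d34","src_ip":"198.51.100.7","session":"s2","timestamp":"2026-03-25T03:05:02.000000Z"}
{not valid json at all
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.10","session":"s1","timestamp":"2026-03-25T03:00:03.000000Z"}
"""

# Hypothetical default-credential lookup. The Polycom CX600 pair is the one
# named in the post; extend with other (username, password) -> device pairs.
KNOWN_DEFAULTS = {
    ("345gs5662d34", "345gs5662d34"): "Polycom CX600 IP phone",
}

LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")


def parse_cowrie(lines):
    """Parse Cowrie JSON log lines into dicts, skipping blank or garbled lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # truncated or corrupted line; do not abort the whole run
    return events


def credential_counts(events):
    """Count (username, password) pairs across all login attempts."""
    counts = Counter()
    for ev in events:
        if ev.get("eventid") in LOGIN_EVENTS:
            counts[(ev.get("username", ""), ev.get("password", ""))] += 1
    return counts


def flag_defaults(counts, known=KNOWN_DEFAULTS):
    """Return (username, password, attempts, device) for pairs matching a known default,
    most-attempted first."""
    return [
        (user, pw, n, known[(user, pw)])
        for (user, pw), n in counts.most_common()
        if (user, pw) in known
    ]


def source_ips_for(events, username, password):
    """Distinct source IPs that tried a specific credential pair."""
    return sorted(
        {
            ev["src_ip"]
            for ev in events
            if ev.get("eventid") in LOGIN_EVENTS
            and ev.get("username") == username
            and ev.get("password") == password
        }
    )


if __name__ == "__main__":
    evs = parse_cowrie(SAMPLE_LOG.splitlines())
    counts = credential_counts(evs)
    for user, pw, n, device in flag_defaults(counts):
        ips = source_ips_for(evs, user, pw)
        print(f"{user}:{pw} x{n} -> default for {device}; from {len(ips)} source IP(s): {ips}")
```

Run it against a real `cowrie.json` by replacing `SAMPLE_LOG.splitlines()` with the file's lines; the per-IP breakdown is what tells you whether a vendor default arrived in one attacker's wordlist or from a coordinated set of sources.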
Two Threat Actors, One Honeypot, 90 Minutes
Introduction On the evening of March 24, 2026, I deployed a Cowrie SSH honeypot as part of a broader threat intelligence project. Within 90 minutes of going live, the honeypot captured two complete, distinct attack chains from two separate threat actors — arriving 20 minutes apart, with the second actor specifically evicting the first. Actor 1 — Redtail cryptominer — deployed a full multi-architecture mining toolkit at 03:00 UTC, including a clean.sh component that returned 0/62 detections on VirusTotal at time of analysis. ...