Investigation March 2026 · Ongoing
98% of SSH Intrusions Come from One Worm
fingerprint: dota mdrfckr | dataset: 1,021+ sessions | spread: 605 IPs · 69 countries | nodes: DE · US · FR
Detection Brief March 30, 2026 · Updated April 2
Blockchain Validator Hunter
fingerprint: SSH-2.0-Go · HASSH 16443846... | targets: Firedancer · Jito MEV · Raydium · Solana | infra: AS47890 UNMANAGED LTD · RO | nodes: DE · FR
Detection Brief March 2026 · Updated April 3
Panchan P2P Botnet - Live Behavioral Capture
delivery: SFTP self-upload · single command | binary: Go · 29MB · panchansminingisland | payload: XMRig + NBMiner · P2P C2 | nodes: DE
Detection Brief March 29, 2026 · Updated April 3
The Solana Scanner - 31-IP Go Botnet Fingerprinting Crypto Infrastructure
fingerprint: SSH-2.0-Go · HASSH 16443846... | credential focus: solana · sol · solv · validator | behavior: uname fingerprint only · Stage 1 recon | nodes: DE · FR · SG
Detection Brief March 29, 2026 · Updated April 3
The Multi-Target Scanner: MikroTik Recon Meets Telegram Session Hunting
fingerprint: libssh2_1.11.1 · HASSH f45fb203 | targets: RouterOS · Telegram tdata · SMS gateways · XMR miners | scale: 135 sessions · 41 IPs · active since Mar 15 | nodes: DE · US · FR · SG
Investigation April 3, 2026
Rigid, Pooled, Industrial: The Behavioral Spectrum of SSH Attackers
dataset: 4,166 sessions · 3 families · 2 observed tiers | finding: Credential Carousel - 1,059 unique passwords across 1,060 Dota sessions | implication: Dota credential IOCs generalize poorly - detect the immutable core instead | nodes: DE · US · FR · SG
Investigation April 2026
What Failed Commands Reveal: Failed-Intent Analysis Across 81,000 SSH Sessions
dataset: 81,341 sessions · 2,457 with failures · 4 nodes | finding: lockr -ia .ssh - 2,277 sessions expected a tool that was never there | implication: Failed commands reveal implicit Stage 1-to-Stage 2 tool dependencies | nodes: DE · US · FR · SG
Open Dataset April 6, 2026

NullRoute Behavioral Atlas v0.1

152,728 post-authentication SSH sessions from 4 live honeypot nodes. Behavioral atoms, genome family classifications, complexity scores. No IPs, no credentials. CC BY 4.0.

sessions: 152,728 | atoms: 47,384 | families: 11 | nodes: DE · US · FR · SG
In Pipeline
Cross-Persona Asymmetry - Same Worm, Different Targets
Collecting
RF-001 · MDRFCKR · BEHAVIORAL ATLAS