Investigation 2026-04-03

Rigid, Pooled, Industrial:
The Behavioral Spectrum of SSH Attackers

Across 4,166 observed SSH intrusion and scanner sessions, three tool families cluster into distinct behavioral models - and the model determines whether credential blocking, sequence detection, or structural analysis is the right countermeasure. In this dataset, one family ran the exact same 9 commands across all 135 observed sessions on three continents. Another generated a unique backdoor password for each of the 2,274 sessions where it was captured.

4,166 sessions analyzed
3 tool families
2 observed tiers
35 dota wave variants

The Question

Detection engineering for SSH attacks often assumes a binary: behavior is either random (requiring machine learning) or fixed (requiring static signatures). Across the families in this dataset, that binary proves insufficient.

After capturing 4,166 sessions across three distinct tool families on four honeypot nodes, a more granular pattern emerges. Tool families don't just vary in what they do - they vary in how consistently they do it, and that consistency property determines which detection strategies are effective against the observed variants.

We define this property as behavioral rigidity: the degree to which a tool's command sequence, structure, and payload content are reproducible across independent sessions. Rigidity is not a quality judgment. In the observed cases, highly rigid tools appear operationally efficient - not primitive.

Note: Crystal, Industrial, and Adaptive are NullRoute analytical shorthand for behavioral patterns observed in this dataset. They are not peer-reviewed taxonomy or external standards.

The Spectrum

Tier I - Crystal sequence uniform across all observed sessions

A single command sequence observed in every captured session, with no branching detected in our telemetry. The tools appeared indifferent to what the target returned - execution completed identically regardless. For environments with full ordered command stream visibility, sequence-based detection is high-confidence against the observed variants.

Families observed: MikroTik Multi-Target Scanner (135/135), Solana Credential Scanner (1,757/1,757)

Tier II - Industrial structure rigid per wave, credentials unique per host

A fixed structural scaffold - command count, operation order, payload shape - that is stable within each deployment wave but generates unique credential content for every individual host. Structural detection is effective. Credential-based IOCs generalize poorly across the campaign.

Families observed: Dota mdrfckr worm (2,274 sessions, 35 waves)

Tier III - Adaptive hypothesized extension - not observed in this dataset

True behavioral branching: commands chosen based on what previous commands returned. Consistent with human operators or tightly supervised automation. This tier is a proposed extension of the framework, not an observed class. No fully automated family in our dataset has demonstrated confirmed adaptive behavior. Would require semantic detection rather than structural matching.

Families observed: None - theoretical based on dataset gaps and prior literature on human-operated intrusions.

Tier I in Detail: Crystal Rigidity

Two families in our dataset exhibit what we call Crystal rigidity - within the captured sessions, a single command sequence was observed with no variation and no detected branching.

Family Sessions Unique Sequences Rigidity Sequence Length
MikroTik Multi-Target Scanner 135 1 100% 9 commands
Solana Credential Scanner 1,757 1 100% 1 command

The MikroTik scanner runs its exact 9-command sequence - /ip cloud print, ifconfig, uname -a, CPU inspection, miner checks, Telegram session artifact discovery, locate D877F783D5D3EF8Cs, echo Hi | cat -n - identically across 135 sessions on four nodes spanning Germany, the US, France, and Singapore. The session captured on Node 1 on 2026-03-29 is byte-for-byte identical to the session captured on Node 4 (SG) five days later, from a different IP, on a different continent - three continents total.

The Solana scanner reduces this to the extreme: a single command, /bin/./uname -s -v -n -r -m, reproduced across 1,757 sessions from 31 confirmed source IPs. No branching was observed, no follow-up commands - the tool collects an OS fingerprint and exits, consistent with collection for offline triage, though downstream exfiltration is not directly observable in honeypot telemetry.

Detection implication - Crystal tools: For environments that capture ordered shell commands, a Sigma rule matching the complete sequence - or a distinctive subsequence - should be high-confidence against the observed variants with low false-positive risk. The sequence uniformity that makes these tools operationally efficient also makes them readily fingerprintable while their sequence remains unchanged. HASSH fingerprint, command sequence, and specific probe strings are all effective and complementary anchors.

Tier II in Detail: The Industrial Model

The Dota mdrfckr worm - responsible for the majority of authenticated post-login sessions in our dataset - operates under a fundamentally different model. It is not Crystal rigid, but it is also not random. It is industrialized.

Across 2,274 sessions where the mdrfckr key string was captured in a command input event, Dota's behavior breaks into three distinct layers, each with a different rigidity property. (Sessions where authentication succeeded but no commands were logged are excluded from this analysis; the total authenticated Dota session count in the full dataset exceeds this figure.)

Layer 1 - Immutable Core
100% identical

SSH key injection. Same mdrfckr public key in 2,274/2,274 sessions. Never changes. The persistent access mechanism.

Layer 2 - Wave Structure
stable per wave

Script shape (18, 19, 27, or 28 commands) and operation sequence. Stable within each deployment wave, rotates between waves. 35 distinct structures observed.

Layer 3 - Per-Session Credential
unique per host

Backdoor password generated uniquely for each target. 1,059 distinct passwords across 1,060 sessions in the largest single wave.

Layer 1: The Immutable Core

Every single Dota session begins with the same command - reproduced exactly, across all 2,274 captures, with zero variation: 

cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+h...mdrfckr" >> .ssh/authorized_keys && chmod -R go= ~/.ssh && cd /home/pi/.ssh/ && cat /proc/cpuinfo | grep name | wc -l

This is Dota's immutable atom: the mdrfckr SSH public key, planted in every host's authorized_keys to enable persistent re-access without credentials. Detecting this single string is sufficient to identify any Dota session regardless of which wave, which payload variant, or which operator campaign was running at the time of capture.

Layer 2: Wave Structure - 35 Deployment Variants

After the immutable key injection, Dota's script diverges into 35 structurally distinct variants, distinguished primarily by command count and payload type. The largest waves:

Wave Sessions Share Credential Method Payload
L1 310 13.6% none Key only - no payload deployed
L19 1,060 46.6% passwd - user password change Host enumeration (CPU, RAM, disk, OS)
L27 308 13.5% chpasswd - root password change Competition cleanup + Stage 3 payload
L28 162 7.1% passwd - jenkins123 user Host enumeration
L18 201 8.8% chpasswd - root password change Host enumeration

Wave L1 - 310 sessions - deploys only the SSH key and exits immediately. No credential change, no host enumeration, no payload. This is consistent with a first-pass "access plant" that a second stage will return to via the planted key, or with sessions where the tool confirmed access but the host was de-prioritized for full deployment.

Wave L27 - 308 sessions - is the most complete variant. It changes the root password, kills competing processes, checks a re-infection flag (/var/tmp/.systemcache436621), enumerates the host, and then drops a base64-encoded Stage 3 payload: 

# Wave L27, commands 4 and 26 (abridged):
rm -rf /tmp/secure.sh; rm -rf /tmp/auth.sh; pkill -9 secure.sh; pkill -9 auth.sh  # competitor eviction
echo > /etc/hosts.deny                                                               # clear access controls
cat /var/tmp/.systemcache436621                                                       # re-infection guard
sleep 15s && cd /var/tmp; echo "IyEvYmluL2Jhc2gKY2QgL3RtcAk..." | base64 -d | bash  # Stage 3 payload

Layer 3: The Credential Carousel

The most operationally significant property of the Industrial model is Layer 3: per-host credential uniqueness. Within Wave L19 - 1,060 sessions - Dota generates a unique backdoor password for each compromised host: 

# Five consecutive Wave L19 sessions - same structure, different credentials:
echo -e "123\n89B1NBbJ8lFH\n89B1NBbJ8lFH"|passwd|bash
echo -e "Under123\n7kJjkCroVfJ6\n7kJjkCroVfJ6"|passwd|bash
echo -e "spider@123456\nCqaFI8ELvtpk\nCqaFI8ELvtpk"|passwd|bash
echo -e "aa\n0R5DIVNLQmdx\n0R5DIVNLQmdx"|passwd|bash
echo -e "1234\nhoF2YCmHLyHW\nhoF2YCmHLyHW"|passwd|bash

The structure is invariant: the tool knows the target's current password (from the credential used to gain initial access), changes it to a freshly generated 12-character random string, and confirms the change. Across 1,060 sessions, we observed 1,059 distinct passwords - one accidental collision in over a thousand deployments.

The Carousel's operational effect: This behavior is not random noise. Generating a unique password per host means that a defender who discovers one backdoor credential - through log analysis, incident response, or threat intelligence sharing - gains access to exactly one compromised host. The credential is already stale on every other host in the fleet.

This is consistent with deliberate compartmentalization at scale, though the telemetry alone cannot distinguish intent from implementation choice - the same effect could follow from several designs. Regardless of origin, the result is that published credential IOCs for Dota (345gs5662d34, etc.) generalize poorly. They represent the credential observed on one specific host at one specific time, not a reusable campaign-level indicator.

Connects to Prior Research

This framework retrospectively explains two findings from earlier NullRoute investigations:

The Dota Erratum (ERR-1): Our earlier investigation reported that Dota does not use a hardcoded password, observing 37 distinct passwords across our dataset. The Industrial model explains why: each session generates a unique credential. 37 observed passwords is the sample size of a per-host generation process - the observed set does not behave like a small reusable list. The data is more consistent with per-session generation than with a bounded campaign-wide static credential pool.

The Two-Stage Kill Chain (INV-1): The L1 wave (key-only, 310 sessions) is consistent with Stage 1 of the Dota kill chain - access plant with no immediate payload. The L27 wave (credential + competition cleanup + Stage 3 payload) is consistent with Stage 2. The two-stage model is supported at the wave level: the same structural split between "plant and return" and "full deployment" is visible in the wave distribution.

Detection Implications

The rigidity tier of a tool family determines which detection strategy is effective:

Strategy Crystal (MikroTik, Solana) Industrial (Dota)
Credential IOC blocking Effective Low-value - poor campaign-level generalization
HASSH fingerprint Effective (subject to stack/version drift) Partially effective (bruteforce phase only)
Exact sequence / anchor match (Sigma) High-confidence for observed variants High-confidence on immutable core
Structural pattern (wave shape) Redundant but valid Effective - wave structure stable within campaign
Semantic / ML analysis Lower priority than sequence matching Lower priority - structure is sufficient
Telemetry prerequisite Ordered full-session command stream Command input events or process_creation with CommandLine

Common misapplication: Threat intelligence platforms frequently publish Dota-associated passwords as IOCs for blocking. Given the per-host credential variability observed in this dataset, these IOCs age poorly as campaign-level indicators - they represent the credential used on one specific host at one specific time. Blocking them is likely low-value against new Dota deployments and may create false confidence in credential-based defenses.

The durable detection anchor for Dota is the immutable Layer 1 atom: the mdrfckr SSH public key string, present in all 2,274 observed sessions regardless of wave, credential, or payload variant.

Detection Rules

Sigma Rule 1 - Dota Immutable Core (Layer 1)

Sigma 
title: SSH Session - Dota mdrfckr SSH Key Injection
id: nr-inv-rigidity-dota-core
status: stable
description: Detects the Dota mdrfckr worm's immutable Layer 1 key injection command.
  Present in 100% of observed Dota sessions regardless of wave or payload variant.
  This is the only detection anchor that is wave-independent and credential-independent.
author: NullRoute Research
date: 2026-04-03
logsource:
  category: network
  product: cowrie
detection:
  selection:
    eventid: cowrie.command.input
    input|contains: mdrfckr
  condition: selection
falsepositives:
  - None expected. This string has no legitimate operational use case.
level: critical

Sigma Rule 2 - Dota Industrial Credential Pattern (Layer 3)

Sigma 
title: SSH Session - Dota Per-Host Credential Generation Pattern
id: nr-inv-rigidity-dota-carousel
status: experimental
description: Detects Dota's per-session credential generation using passwd/chpasswd with
  a 12-character random password. The credential content varies per host; this
  rule matches the structural pattern, not the specific password value.
  Targets real host detection (process_creation), not honeypot logs.
author: NullRoute Research
date: 2026-04-03
logsource:
  category: process_creation
detection:
  sel_passwd:
    CommandLine|contains|all:
      - passwd
      - echo -e
  sel_chpasswd:
    CommandLine|contains|all:
      - chpasswd
      - echo "root:
  condition: sel_passwd or sel_chpasswd
falsepositives:
  - Legitimate automated provisioning scripts using passwd/chpasswd (correlate with mdrfckr key presence)
level: medium

Sigma Rule 3 - Crystal Tool: MikroTik Sequence

Sigma 
title: SSH Session - Crystal-Class Assessment Tool Sequence (MikroTik+Telegram+SMS)
id: nr-inv-rigidity-crystal-mikrotik
status: stable
description: Detects the MikroTik multi-target scanner by correlating three distinctive
  command anchors within a 5-minute window. This is not a full sequence match -
  it is a three-anchor correlation. All three anchors were present in 135/135
  observed sessions. Zero sequence variation recorded in the captured dataset.
author: NullRoute Research
date: 2026-04-03
logsource:
  category: network
  product: cowrie
detection:
  sel_mikrotik:
    eventid: cowrie.command.input
    input: /ip cloud print
  sel_telegram:
    eventid: cowrie.command.input
    input|contains: D877F783D5D3EF8Cs
  sel_beacon:
    eventid: cowrie.command.input
    input: echo Hi | cat -n
  condition: sel_mikrotik and sel_telegram and sel_beacon
  timeframe: 5m
falsepositives:
  - None expected. This combination has no legitimate operational context.
level: high

Dataset Notes

Data was collected on NullRoute's four-node Cowrie SSH honeypot infrastructure between 2026-03-15 and 2026-04-03. Dota sessions were collected on Node 1 (DE, T-Pot, accepts any credential). MikroTik sessions span all four nodes; full command execution occurs only on nodes that accept the tool's credentials. Solana scanner sessions span Nodes 1, 3, and 4.

The 35-wave Dota distribution reflects only sessions where the mdrfckr key string was captured in a command input event. Sessions where authentication succeeded but no commands were logged (e.g., connection drops before command execution) are excluded from the wave analysis. Total authenticated Dota sessions in the full dataset exceed this figure.

Wave L19 per-session uniqueness was verified by comparing the full command tuple (all 19 commands) across the 1,060 sessions in that wave. 1,059 distinct tuples were found; one pair of sessions shared an identical credential. This may reflect a random collision, a generator reuse artifact, or operator behavior - the telemetry alone does not distinguish between these explanations.

References