Erratum #1 March 2026

Dota SSH Worm: Corrected Credential Model

Correction to Investigation #1: 98% of SSH Intrusions Come from One Worm. We incorrectly reported 345gs5662d34 as the credential Dota sets and reuses on infected hosts.

re-analyzed: 243 worm sessions payloads decoded: 241 unique passwords: 165 sensor: Cowrie (Germany)

Three corrections

"Dota sets the password to 345gs5662d34 on infected hosts"

→

Dota sets a unique 12-character random password per infected host. We observed 165 distinct values consistent with per-host random password generation across the decoded payload set.

"345gs5662d34 is the worm's access credential"

→

345gs5662d34 appears to function as a hardcoded post-infection verification probe - consistent with a check performed after persistence steps, not an initial access credential.

"Dota Credential Lifecycle - proven"

→

Our original wording overstated confidence. The available evidence supported correlation, not the specific credential-setting mechanism we claimed.

Root cause of the error

Our SSH sensor runs in AuthRandom mode, which accepts arbitrary credentials after a small number of failures. A post-infection verification login using 345gs5662d34 was therefore recorded as a successful session - which we misread as evidence that the worm had set and reused that password.

In plain terms: the worm tried a fixed password to test whether its persistence had worked. Our honeypot accepted that test password. We interpreted the acceptance as real credential reuse.

What we got wrong

This erratum corrects a factual error in our original analysis: we incorrectly reported 345gs5662d34 as the credential Dota sets and later reuses on infected hosts.

In the original investigation we observed IPs that first appeared as TESTER sessions (using 345gs5662d34) and later returned as WORM sessions. We inferred that Dota used 345gs5662d34 as its infection credential. We relied on session-level correlation before completing payload-level re-analysis. That was a mistake.

Re-analysis of 241 decoded base64 payloads showed the earlier claim was incorrect. Dota never uses 345gs5662d34 for initial infection. Initial access is standard weak-password brute-force. The unique random password is set during the infection sequence. 345gs5662d34 appears only in a separate post-infection session.

Does this affect the 98% headline? No. The correction applies specifically to the credential mechanism, not to the behavioral clustering or session attribution on which the broader finding rests. We re-reviewed all claims that depended on credential semantics; this is the only one that required correction.

The evidence

Observation	Count	Interpretation
WORM sessions using `345gs5662d34` to log in	0 / 243	Never used for initial access
WORM sessions using standard wordlist credentials	243 / 243	All initial access via brute-force
Unique passwords set by `passwd` command	165	One unique password per infected host
TESTER sessions using `345gs5662d34`	55 / 377	Post-infection verification probe

The honeypot effect. Because our sensor uses AuthRandom (accepts any credential after enough attempts), both the unique random password and 345gs5662d34 appear to succeed. On a real infected host, 345gs5662d34 would fail - only the mdrfckr SSH key and the unique password would work.

Corrected kill chain

Reconstructed from 241 decoded base64 payloads across 243 WORM sessions:

Phase 1 - Brute Force

· Standard wordlist: 123456, password, 1234, 12345678, ...

· No use of 345gs5662d34 - that credential plays no role here

↓

Phase 2 - Infection (deterministic sequence)

1.chattr -ia .ssh - remove immutable flag observed in payload

2.rm -rf .ssh && mkdir .ssh - clean slate observed in payload

3.SSH key injection: mdrfckr RSA key → authorized_keys observed in payload

4.passwd → unique 12-char random password (165 distinct values observed) observed in payload

5.echo "user oldpass" > /tmp/up.txt - save original credential for propagation observed in payload

6.rm -rf .X13-unix .X17-unix .X19-unix - delete rival variants observed in payload

7.mkdir .X291-unix && tar xf dota3.tar.gz - deploy current variant observed in payload

8.kthreadadd -t 150 -p 22 /tmp/up.txt 192.168 - propagate internally, 150 threads observed in payload

9.sleep 8m → second wave on 172.16 observed in payload

10.sleep 20m → initall (full restart) observed in payload

↓

Phase 3 - Verification (separate inbound session, seconds later)

·A new SSH session arrives from the same source IP using 345gs5662d34 as the password observed in session

·On real hosts: password fails, mdrfckr key succeeds - confirms key injection worked inferred from payload + sequence

·On honeypot (AuthRandom): password appears to succeed - this created our false inference measurement artifact

Dual-credential system

Dota maintains two independent access mechanisms on each infected host. We misread the verification probe as a third mechanism:

SSH Key (persistent)

mdrfckr RSA

Hardcoded across all infections. Survives password changes. Primary persistent access channel.

Password (defensive)

12-char unique random

Generated per host. Immediately locks out competing worms that use shared wordlists. Not used for return access.

345gs5662d34 is neither of these. It is a hardcoded probe credential - the same value sent from all infected hosts in the verification phase. Its purpose appears to be confirming that the SSH key injection succeeded on the new host.

Credential recycling in propagation

Step 5 of the infection sequence saves the victim's original credential to /tmp/up.txt. This is then fed directly into the propagation scanner (kthreadadd). If one host was running demo/demo123!, all 192.168.x.x nodes get scanned with that same credential - a targeted reuse of known-working credentials rather than a full wordlist spray.

Variant housekeeping

The infection sequence explicitly deletes earlier variants:

Deleted: .X13-unix → .X17-unix → .X19-unix
Deployed: .X291-unix (current)

The directory names suggest an ongoing variant numbering scheme. X291 is the current dominant variant, but prior variants were still present on enough hosts that active cleanup remains part of the infection routine.

What this erratum does not change

This correction is narrow. The following findings from the original paper are unaffected:

→ Dota dominates the classified sessions in the original dataset (~98%)
→ Observed worm behavior is highly consistent across sessions
→ The mdrfckr RSA key is a core behavioral marker and persistence mechanism
→ The infection sequence (cleanup → persist → propagate) is confirmed by payload analysis
→ Credential recycling via /tmp/up.txt into internal propagation is confirmed

Methodology

Of the 1,021 sessions in the original paper, 243 were attributed to the Dota worm cluster and contained sufficient telemetry for payload-level re-analysis. "Worm session" here means sessions behaviorally attributed to the Dota cluster using the same family markers as the original paper. We successfully decoded 241 of 243 embedded payloads; 2 were truncated or incomplete in capture.

243

worm sessions re-analyzed

241

base64 payloads decoded

165

distinct password values in payloads

377

tester sessions cross-referenced

271

unique source IPs

~48h

observation window

Single sensor · Node 1, Germany · Cowrie SSH honeypot with AuthRandom

Limitations

The credential mechanics described here - unique random password, mdrfckr key injection, 345gs5662d34 verification probe - are derived from deterministic command sequences consistent across all 243 sessions. We have high confidence in the mechanism as observed on this sensor.

What we cannot confirm from this sensor alone: whether the verification probe always co-occurs with mdrfckr key injection, whether credential behavior differs across variants (.X13 through .X291), and whether the unique random password is ever reused for return access on real infrastructure. The honeypot accepts arbitrary credentials; we cannot observe what actually succeeds on real hosts.

Updated defender guidance

Host-level

→ Treat unauthorized authorized_keys entries containing mdrfckr-associated material as the strongest host-level signal
→ Audit recent passwd command executions alongside SSH persistence artifacts
→ Look for /tmp/up.txt, .X291-unix/, and kthreadadd processes

Network-level

→ SSH authentication attempts using 345gs5662d34 are a high-value behavioral indicator associated with post-compromise Dota activity - treat as evidence of a compromised host in your network running the verification phase
→ Do not treat 345gs5662d34 as the initial infection credential - blocking it will not address the actual brute-force access path, which uses standard weak passwords

What to stop assuming

→ Seeing 345gs5662d34 in logs does not mean an attacker set that password on a system
→ Successful authentication with 345gs5662d34 on a honeypot is a measurement artifact, not evidence of credential reuse

Broader lesson. This correction illustrates a common honeypot research risk: authentication modes that simplify data collection can distort attacker intent if "successful login" is interpreted too literally. A honeypot that accepts any credential is useful for capturing commands and payloads - but login success semantics require careful interpretation, particularly when distinguishing access credentials from post-infection probes.

← Original investigation

Update Brief - six more days, two nodes (March 23-29, 2026)

Two Bot Pools - coordinated timing, IP overlap (March 24-31, 2026)

Failed-Intent Analysis - what failed commands reveal across 81,000 sessions

← All investigations