Detection Brief #3 2026-03-29

The Solana Scanner:
31-IP Go Botnet Fingerprinting Crypto Infrastructure

A coordinated Go-compiled SSH scanner - 25 source IPs, six source-IP subnet blocks, a credential list dominated by Solana-ecosystem accounts - generated 1,757 sessions across three honeypot nodes on three continents in a single 17-hour initial window. Every successful login ran one command: uname -s -v -n -r -m. Then it left.

1,757 total sessions
31 source IPs
6 subnet blocks
0.6s avg session

How We Found It

It started with a P1 alert on Node 3: a single IP, 524 sessions, escalation from SILENT to TESTER. The credential that broke through: sol/123.

Pulling the HASSH fingerprint - 16443846184eafde36765c9bab2f4397, client string SSH-2.0-Go - and running it across all three nodes revealed the full scope. This was not one scanner. It was a coordinated fleet.

A second P1 alert arrived minutes later: 92.118.39.x, same credential family. That IP belongs to the same 92.118.39.0/24 block that contributes five nodes to the botnet. The alerts were the botnet revealing itself one subnet at a time.

Infrastructure

The Go HASSH fingerprint (16443846184eafde36765c9bab2f4397) confirmed 31 source IPs running the same compiled Go binary across all observation dates. The following six /24 subnet blocks contain the HASSH-confirmed IPs in groups - a pattern characteristic of bulk-purchased VPS infrastructure. Note: the geographic pool analysis (below) includes additional IPs identified by credential and behavioral pattern that are not all HASSH-confirmed; those populations should not be summed.

92.118.39.0/24
.x · .x · .x · .x · .x 5 IPs - largest block
80.94.92.0/24
.x · .x · .x · .x 4 IPs
64.89.163.0/24
.x · .x 2 IPs
2.57.122.0/24
.x · .x 2 IPs
185.247.137.0/24
.x · .x 2 IPs
193.32.162.0/24
.x 1 IP - first seen 2026-04-02

Nine IPs hit multiple nodes simultaneously - reaching DE + FR or DE + US within the same scan window. The entire campaign started at 00:00 UTC on 2026-03-29 and ran continuously through the observation window, with bursts reaching 539 sessions/hour during peak activity.

The Credential List

40 successful logins across 1,757 sessions. Of those 40, 23 used Solana-ecosystem usernames - 57.5% of all successful authentications:

solana/solana
12×
solv/solv
sol/123
sol/sol · solana/solana123
ubuntu/ubuntu
oracle/oracle123
weblogic · nagios · proxy · tomcat · admin

On credential targeting: solana, sol, and solv are not standard Linux system account names. Their concentration in this credential list is consistent with a set curated for environments associated with Solana-named infrastructure - but does not establish whether the list originated from a breach corpus, was derived from open-source documentation, or was hand-crafted by the operator.

solv is a Solana validator management tool (solv.epics.dev), providing one plausible explanation for its inclusion. Validator nodes run on Linux and are targets for key material theft. However, the specific operator intent cannot be confirmed from the credential list alone.

Behavior After Login

Across the successful sessions in the analyzed dataset, every post-auth interaction was limited to exactly one command: 

uname -s -v -n -r -m

This outputs kernel name, version, hostname, release, and machine architecture in a single parseable line. Median session duration from auth success to disconnect: approximately 0.6 seconds. The tool connects, authenticates, fires the command, captures output, disconnects. No downloads, no persistence, no lateral movement. This is pure Stage 1 reconnaissance - the output is collected centrally for offline triage.

A minority of sessions used the path-obfuscated variant /bin/./uname -s -v -n -r -m, which is functionally identical but evades naive string-match detection rules watching for the literal command name uname.

On post-login behavior: The observed post-auth activity is limited to a single host fingerprint command (uname) followed by immediate disconnect. This is consistent with lightweight environment validation - the scanner collects the fingerprint and exits. What, if any, downstream action follows from that data is not visible from this telemetry. A triage interpretation is plausible but cannot be confirmed from the observed session alone.

Cross-Node Correlation

Node Sessions Unique IPs Successful Logins
Node 1 - DE (Frankfurt) ~1,000 15 4 - AuthRandom accepted solana/solana, sol/sol
Node 2 - US (New York) ~156 6 0 - UserDB, no matching accounts
Node 3 - FR (Paris) ~600 initial + ongoing 14 140 total - AuthRandomNoRoot (through 2026-04-02); UserDB from 2026-04-03
Node 4 - SG (Singapore) added 2026-04-01 ~700 6 62 - UserDB, sol/1q2w3e and complex creds accepted

Node 2 (UserDB, four fixed accounts) remains the only node with zero successful logins. This is consistent with the scanner's credential list not matching those specific fixed accounts - it does not confirm that no generic Linux system accounts are present in the broader credential list. On Node 1 (AuthRandom) and Node 3 (AuthRandomNoRoot), Solana-themed credentials were accepted at the expected statistical rate.

On 2026-03-30, cross-node correlation identified 3 IPs hitting both Node 1 and Node 3 within the same observation window - the same command (/bin/./uname -s -v -n -r -m), different credential pairs per node. One IP (92.118.39.x) exhibited systematic credential rotation on Node 3: alternating between validator/validator and sol/sol across 8 sessions over 6 hours, then switching to solv/123456. The rotation pattern is consistent with a distributed credential list being partitioned across worker threads.

IP Node 1 - DE Node 3 - FR Interval
2.57.122.x solana/solana - 01:21 UTC solv/123456 - 12:30 UTC 11h 9m
92.118.39.x solana/solana - 01:42 UTC validator/validator - 01:46 UTC 4m
80.94.92.x sol/sol - 19:46 UTC sol/123 - 17:52 UTC 1h 54m (reversed order)

On credential partitioning: The same IP using different credentials on different nodes is consistent with a worker pool pulling from a shared credential queue. Each worker exhausts one credential pair before moving to the next, which is why 92.118.39.x hits Node 3 four minutes after Node 1 - it's the same worker, still scanning the same IP range with the next credential in its queue.

Update - 2026-04-01: Geographic Pool Structure

Addition of Node 4 (SG, Singapore) on 2026-03-28 - three days before this update - provided a fourth vantage point. The scanner found Node 4 within days of deployment. Correlating all four nodes reveals a structural pattern not visible from three nodes: the botnet's IPs are geographically specialized, not uniform.

Of the 11 IPs in this botnet observed across all four nodes, three clusters emerge with distinct geographic targeting behavior:

Pool IPs Nodes hit Sessions Notes
SG-exclusive 87.106.53.x
161.132.45.x
160.187.229.x		 Node 4 only 247 · 247 · 182 Found Node 4 within days of deployment; no prior cross-node activity
FR-exclusive 158.94.209.x
66.181.171.x
179.61.185.x
187.33.145.x		 Node 3 only 381 · 194 · 144 · 61 High-volume, FR-focused; not seen on DE, US, or SG
Cross-node 181.41.194.x
92.118.39.x		 DE + FR + SG 115+115+129
56+168+56		 92.118.39.x uses /bin/./uname evasion; 181.41.194.x hits DE+SG at near-identical count

Geographic specialization in a scanning botnet: The SG-exclusive and FR-exclusive pools suggest worker assignment by IP range or ASN geography - different machines in the botnet are tasked with different regions of the internet. The cross-node pool (scanning DE+FR+SG simultaneously) likely represents a separate campaign tier: higher-value workers covering broader IP ranges, with the path-obfuscated /bin/./uname variant used only by this tier, suggesting elevated operational consistent with (though not conclusively indicating) more cautious tooling in the cross-node tier. The near-equal session counts from 181.41.194.x across three continents (115/115/129) are consistent with structured scan assignment, though the small sample does not rule out coincidence.

Update - 2026-04-03: Campaign Continues

Five days after initial documentation, the scanner is still running. Node 3 (FR) accumulated 140 total Solana credential successes through April 3 - up from 40+ in the initial observation window. Activity by date on Node 3: 

2026-03-26: 20   2026-03-29: 17   2026-04-01: 10
2026-03-27:  8   2026-03-30: 14   2026-04-02: 34  ← spike
2026-03-28: 19                    2026-04-03: 18

The April 2 spike - 34 Solana logins in a single day, more than double any prior day - is consistent with a credential list refresh, increased worker allocation, or scheduled scan-cycle overlap - the cause is not determinable from session counts alone. Three new IPs in the 80.94.92.0/24 block appeared on April 2, and a previously unseen subnet (193.32.162.0/24) entered the rotation the same day, bringing the total Go HASSH IP count to 31 (from 25 at initial report).

Node 3 switched from AuthRandomNoRoot to UserDB authentication on 2026-04-03. Solana-themed credentials (solana, sol, validator, etc.) are not in the Node 3 userdb, so successful logins from this scanner will no longer be recorded there. Campaign activity continues to be monitored via the remaining nodes.

This is not a one-time scan. A scanner that runs continuously for 6+ days, adds infrastructure mid-campaign, and spikes activity on a specific day is operating on a recurring schedule - consistent with scanning a large, structured target set in recurring passes. The April 2 spike may correspond to a new subnet assignment or the scanner looping back to previously scanned ranges with a refreshed credential list.

Detection Rules

Sigma Rule 1 - HASSH Fingerprint

Sigma 
title: SSH Client HASSH - Go Solana Credential Scanner
id: nr-b003-hassh-go-tester
status: stable
description: >
  Detects the Go-compiled SSH scanner associated with the Solana credential
  spraying botnet (HASSH 16443846184eafde36765c9bab2f4397, SSH-2.0-Go).
  Observed across 3 continents, 31+ IPs, active campaign since 2026-03-26.
author: NullRoute Research
date: 2026-03-29
logsource:
  category: network
  product: cowrie
detection:
  selection:
    eventid: cowrie.client.kex
    hassh: 16443846184eafde36765c9bab2f4397
  condition: selection
falsepositives:
  - Other Go SSH tools with identical KEX negotiation order (possible but unlikely)
level: medium

Sigma Rule 2 - Solana Credential Authentication Attempt

Sigma 
title: SSH Login Attempt - Solana Ecosystem Credentials
id: nr-b003-solana-creds
status: stable
description: >
  Detects SSH authentication attempts using Solana-ecosystem usernames.
  High specificity - these account names have no standard Linux system use.
  Indicates targeting of Solana validator nodes, exchange infrastructure,
  or DeFi platform backend systems.
author: NullRoute Research
date: 2026-03-29
logsource:
  category: network
  product: cowrie
detection:
  selection:
    eventid:
      - cowrie.login.success
      - cowrie.login.failed
    username|contains:
      - solana
      - solv
      - sol
      - validator
      - raydium
      - phantom
      - jupiter
  condition: selection
falsepositives:
  - Legitimate Solana infrastructure with SSH accounts named after the ecosystem (low)
  - Any infrastructure using sol/solana/validator as legitimate service account prefixes
level: medium

Sigma Rule 3 - Single-Command OS Fingerprint Session

Sigma 
title: SSH Session - Stage 1 Recon uname Fingerprint (Direct + Obfuscated)
id: nr-b003-uname-fingerprint
status: stable
description: >
  Detects the characteristic single-command OS fingerprint pattern used by
  the Go Solana scanner. Covers both direct invocation and the /bin/./uname
  obfuscation variant used to evade naive string matching.
  This pattern alone is insufficient for high-confidence detection; combine with HASSH (Rule 1) and credential context for higher specificity.
author: NullRoute Research
date: 2026-03-29
logsource:
  category: network
  product: cowrie
detection:
  sel_direct:
    eventid: cowrie.command.input
    input: 'uname -s -v -n -r -m'
  sel_obfuscated:
    eventid: cowrie.command.input
    input: '/bin/./uname -s -v -n -r -m'
  condition: sel_direct or sel_obfuscated
falsepositives:
  - System administrators running identical uname flags (very low - the -s -v -n -r -m combination is non-standard)
level: low

Dataset Notes

Original data collected 2026-03-29 through 2026-03-30 across NullRoute's three-node Cowrie infrastructure: Node 1 (DE, Frankfurt - AuthRandom), Node 2 (US, New York - UserDB, healthcare persona), Node 3 (FR, Paris - AuthRandomNoRoot, AI/crypto persona). The botnet was first observed live on 2026-03-29 00:00 UTC and remained active through the following day. Cross-node IP correlation was added on 2026-03-30 after the NullRoute analysis framework identified 3 IPs appearing independently on two sensor nodes. HASSH correlation was used to identify all 25+ IPs as running the same compiled binary regardless of login success.

Geographic pool structure (2026-04-01 update) derived from Node 4 (SG, Singapore - UserDB, ops persona), deployed 2026-03-28 and added to correlation on 2026-04-01. Node 4 session data covers 2026-03-28 through 2026-04-01.

Campaign continuation data (2026-04-03 update) from Node 3 (FR) full log corpus, covering 2026-03-26 through 2026-04-03. Go HASSH count updated to 31 IPs across 6 subnets. Node 3 switched to UserDB authentication on 2026-04-03; future Solana credential successes on that node will be zero by design.

One IP in the dataset (192.168.160.x) is a Docker-internal network address and represents a data artifact, not an external attacker. It is excluded from the infrastructure analysis above.

References

Related research: Blockchain Validator Hunter - same HASSH fingerprint, same ASN 47890, overlapping target ecosystem