The Multi-Target Scanner: MikroTik Recon Meets Telegram Session Hunting
A 9-command SSH script that simultaneously probes for MikroTik RouterOS identifiers, enumerates SMS gateways, checks for active cryptominers, and hunts Telegram Desktop session files for session-artifact discovery - captured across four honeypot nodes on four continents. As of 2026-04-03: 135 HASSH-confirmed connections from 41 unique source IPs, active since at least 2026-03-15.
What We Captured
On 2026-03-29, our behavioral genome flagged a cluster of sessions with an unusual property: the command sequence was identical across every session, spanning four different source IPs, and did not match any known worm or miner family. We labeled it resource_assessment and set out to understand what it actually was.
The same HASSH fingerprint - f45fb203c31069bb280067b71ed92ccb - appeared on all three of our geographically distributed nodes within the same 16-hour window, including two nodes where authentication failed and the session disconnected without running any commands. The full 9-command execution only occurred on Node 1 (DE), where any credential is accepted. On Nodes 2 (US) and 3 (FR), the tool probed, failed authentication, and moved on immediately - consistent with an automated scanner that deprioritizes bruteforcing in favor of volume.
134 of 135 total sessions use HASSH f45fb203c31069bb280067b71ed92ccb (SSH-2.0-libssh2_1.11.1), confirming a single compiled binary across virtually all source IPs. One session - 5.187.97.x (NL) on Node 4 - shows a closely related HASSH 44ac1859818d6cacfb48ec9cb230b3f0 with libssh2_1.11.0, an identical 9-command playbook, and a slightly different KEX algorithm order (curve25519 preferred over ecdh-nistp). This is consistent with two compiled builds of the same tool from marginally different build environments; HASSH alone does not confirm a shared operator. The distributed source IPs - CN, KR, NL, VN, UA, RU, SE - are consistent with a compromised botnet running the scanner rather than VPN rotation.
The Script
The complete command sequence, captured verbatim from Cowrie session logs:
/ip cloud print
ifconfig
uname -a
cat /proc/cpuinfo
ps | grep '[Mm]iner'
ps -ef | grep '[Mm]iner'
ls -la ~/.local/share/TelegramDesktop/tdata \
/home/*/.local/share/TelegramDesktop/tdata \
/dev/ttyGSM* /dev/ttyUSB-mod* \
/var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* \
/usr/bin/qmuxd /var/qmux_connect_socket \
/etc/config/simman /dev/modem* /var/config/sms/*
locate D877F783D5D3EF8Cs
echo Hi | cat -n
Every session ran these commands in this exact order: no branching, no adaptation to the target environment, no retries on failed commands. /ip cloud print failed immediately on every Linux honeypot (RouterOS syntax on a Linux shell) and execution continued regardless. This is a one-shot assessment probe, not an interactive intruder.
Command-by-Command Analysis
| Command | Category | Analysis |
|---|---|---|
| `/ip cloud print` | Platform Identification | MikroTik RouterOS CLI syntax. Prints the DDNS cloud hostname assigned to the device. On Linux it fails with "command not found" and the tool doesn't care: this is a cross-platform script that runs against both RouterOS and Linux targets, and the response (or absence of one) is parsed downstream to classify the device. |
| `ifconfig` | Network Recon | Interface enumeration. Documents IP addressing, connected networks, and whether the host sits behind NAT or on a public IP. Informs target value and lateral movement options. |
| `uname -a` | OS Fingerprint | Kernel version, architecture, distro string. Used to select compatible payloads for follow-up deployment and to distinguish Linux from embedded RouterOS. |
| `cat /proc/cpuinfo` | Hardware Assessment | CPU model, core count, features. Primary indicator for cryptomining viability: a high core count ARM or x86_64 host is a candidate for XMRig deployment. |
| `ps \| grep '[Mm]iner'` then `ps -ef \| grep '[Mm]iner'` | Competition Check | Checks whether a cryptominer is already running. The two-pass approach (basic `ps`, then full `ps -ef`) ensures capture even in restricted process views. If a competitor miner is found, the session may be used for eviction rather than fresh installation. |
| `ls -la ~/.local/share/TelegramDesktop/tdata ... /dev/ttyGSM* ... /var/spool/sms/* ...` | Multi-Surface Probe | A single `ls -la` covering two completely different attack surfaces: Telegram Desktop session data (`tdata/`) for account hijacking, and GSM modem / SMS gateway infrastructure (`ttyGSM*`, `qmuxd`, `simman`, `smsd`) for SMS fraud or 2FA interception. Exit status is ignored; presence of any path reveals an exploitable surface. |
| `locate D877F783D5D3EF8Cs` | Telegram Session Hunt (evolved) | Searches the entire filesystem for a path consistent with the Telegram Desktop session blob. D877F783D5D3EF8C is the well-known deterministic name of the session directory within every Telegram Desktop `tdata/` installation; the `s` suffix targets the companion settings file. Running `locate` finds installations anywhere, not just in the default home path. A successful result would identify a candidate path for potential session-artifact collection; we did not observe downstream exfiltration in our captures. |
| `echo Hi \| cat -n` | Completion Beacon | Outputs `1 Hi`. The `cat -n` line-numbering serves as a parseable completion marker: the C2 or log parser confirms the session reached the end of the script by detecting the numbered output. This pattern was previously documented by Exylum Technical in a 2024 MikroTik recon report as a characteristic tool signature. |
Prior Art and What's New
This script is not novel in its entirety. Two prior reports document the MikroTik + SMS gateway reconnaissance sequence:
- malwaremily (Medium, 2024) - documents /ip cloud print → OS recon → miner check → GSM path enumeration as a botnet hunting for MikroTik routers and SMS infrastructure, with no Telegram component.
- Exylum Technical (Feb 2024) - independently captures the same sequence, specifically notes the echo Hi | cat -n completion beacon as a tool signature, and lists the same GSM paths.
What's new relative to the cited reports: Neither the malwaremily nor the Exylum Technical writeup includes locate D877F783D5D3EF8Cs or Telegram Desktop paths. The ls -la argument list in both prior reports covers GSM modem paths only. Our capture contains Telegram Desktop paths alongside the GSM paths in the same ls -la command, and adds the dedicated locate search for the Telegram session blob. We make no broader claim about ecosystem novelty.
This is consistent with an evolved variant of the same tool that has extended its assessment scope from IoT/SMS infrastructure into Telegram session-artifact discovery - a target class that became significantly more valuable to threat actors from 2024 onward as 2FA adoption grew.
Prior art acknowledgment: The individual components are well-understood. MikroTik SSH recon scripts are extensively documented (SANS ISC, multiple honeypot blogs). Telegram tdata session theft is documented in PupkinStealer, MINER Stealer, and PXA Stealer analyses. The D877F783D5D3EF8C directory name is public knowledge in Telegram Desktop's open source codebase. We do not claim novelty on any single component - only on the convergence captured here and the cross-node behavioral correlation.
Infrastructure Analysis
The HASSH f45fb203c31069bb280067b71ed92ccb is produced by SSH-2.0-libssh2_1.11.1. Unlike Paramiko-based Python scanners or Go-native SSH clients, libssh2 is a C library, indicating a compiled binary rather than a scripted tool. The specific HASSH for libssh2 1.11.1 (released mid-2024) does not appear in public HASSH databases - suggesting either a recently compiled tool that keeps its dependency current, or a tool that deliberately uses the latest version to avoid fingerprinting against older HASSH databases.
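The two builds above differ only in KEX algorithm order yet produce two different HASSH values. The following added example (not code from the post or from NullRoute) shows why, by implementing the HASSH computation itself: MD5 over the client's KEX_INIT lists, comma-joined within each list and the four lists (kex, encryption, mac, compression) separated by semicolons. The algorithm lists are constructed stand-ins, not the real libssh2 lists, so they will not reproduce the hashes quoted on the page; the point is that a fingerprint watchlist must carry every known build variant rather than one hash.

```python
import hashlib

# Constructed KEX_INIT lists standing in for the two libssh2 builds discussed
# above. Illustrative only: they do not reproduce the page's hashes.
BUILD_V1 = {
    "kex": ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "curve25519-sha256", "diffie-hellman-group14-sha256"],
    "enc": ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "mac": ["hmac-sha2-256", "hmac-sha2-512"],
    "comp": ["none"],
}
# Same algorithms, but curve25519 preferred over the ecdh-nistp curves.
BUILD_V2 = {
    **BUILD_V1,
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
            "ecdh-sha2-nistp521", "diffie-hellman-group14-sha256"],
}

LIST_ORDER = ("kex", "enc", "mac", "comp")


def hassh_material(profile):
    """Join the four client KEX_INIT lists the way HASSH does: algorithms
    comma-joined inside a list, lists separated by ';', fixed order
    kex, encryption, mac, compression."""
    return ";".join(",".join(profile[k]) for k in LIST_ORDER)


def hassh(profile):
    """HASSH = MD5 of the material string, as a 32-character hex digest."""
    return hashlib.md5(hassh_material(profile).encode("ascii")).hexdigest()


def same_algorithm_set(a, b):
    """True when two profiles offer identical algorithms in every list,
    ignoring order: the practical meaning of 'closely related HASSH'."""
    return all(sorted(a[k]) == sorted(b[k]) for k in LIST_ORDER)


def build_watchlist(profiles):
    """Collapse every known build variant into a sorted, de-duplicated set of
    HASSH strings for exact-match detection rules."""
    return sorted({hassh(p) for p in profiles})


if __name__ == "__main__":
    for name, prof in (("v1", BUILD_V1), ("v2", BUILD_V2)):
        print(name, hassh(prof), "<-", hassh_material(prof))
    print("same algorithm set:", same_algorithm_set(BUILD_V1, BUILD_V2))
    print("watchlist:", build_watchlist([BUILD_V1, BUILD_V2]))
```

Because only the client-to-server lists enter the hash, a reordering by the library (or a different libssh2 release) yields a new fingerprint while `same_algorithm_set` still reports the two profiles as equivalent; that is the relationship the post describes between the 1.11.1 and 1.11.0 builds.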
| Source IP | Country / ASN | Node(s) Hit | Result |
|---|---|---|---|
| 37.110.142.x | UA · Kyivstar | Node 1 (DE) | Full session · 174s |
| 61.182.2.x | CN · China Unicom | Node 3 (FR) | Auth failed · 72s |
| 222.114.185.x | CN · China Telecom | Node 1 (DE) ×2 | Full session × 2 |
| 45.15.225.x | NL · Serverius | Node 1 (DE) | Full session · 90s |
| 111.205.145.x | CN · China Unicom Beijing | Node 2 (US) | Auth failed · 23s |
| 14.241.100.x | VN · Viettel | Node 1 (DE) | Full session · HASSH f45fb203 |
| 58.249.128.x | CN · China Unicom | Node 4 (SG) | Full session · HASSH f45fb203 |
| 5.187.97.x | NL · Serverius | Node 4 (SG) | Full session · HASSH 44ac1859 (v2) |
Five of eight IPs are Chinese. The Vietnamese, Ukrainian, and Dutch IPs are likely VPS nodes or compromised hosts running the same binary. No IP hit more than one node geography, consistent with a distributed target list being partitioned across botnet nodes rather than worked sequentially by a single scanner.
Update - 2026-04-03
Full cross-node data collection through 2026-04-03 reveals a campaign significantly larger than the initial capture suggested. Total HASSH-confirmed connections: 135 sessions from 41 unique source IPs across all four nodes. The tool has been active since at least 2026-03-15, two weeks before the original brief was written - earliest capture is from Node 1 (DE) T-Pot data.
The most notable new pattern is parallel multi-session bursting: several source IPs open 10–13 simultaneous or near-simultaneous connections within a 3–7 minute window. Representative examples:
| Source IP | Node | Sessions | Window | Notes |
|---|---|---|---|---|
| 220.81.148.x | Node 1 (DE) | 12 | 7 min | KR · 2026-03-27 |
| 218.157.205.x | Node 2 (US) | 13 | 3 min | CN · 2026-04-01 |
| 112.163.119.x | Node 2 (US) | 11 | 7 min | KR · 2026-03-29 |
| 58.249.154.x | Node 4 (SG) | 12 | 4 min | CN · China Unicom · 2026-04-02 |
| 46.37.71.x | Node 4 (SG) | 11 | 3 min | NL · 2026-04-03 (most recent cluster) |
Parallel burst behavior observed: Session timestamps within these bursts overlap at the second level - not sequential but concurrent. This is consistent with a multi-threaded tool spawning parallel assessment workers from a single compromised host, though we cannot rule out coordinated separate processes. It provides a plausible explanation for why individual IPs account for disproportionately large session counts: a single botnet node likely runs 10–15 simultaneous SSH sessions against different targets.
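The burst pattern in the table is easy to surface from per-session connection records with a sliding window per source IP. The example below is added here and is not NullRoute's tooling; it uses constructed session records in Cowrie's timestamp format (documentation-range addresses, invented session ids), and takes its thresholds from the figures above: at least 10 sessions within a 7-minute window, plus a same-second count that captures the second-level overlap the post describes.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
BASE = datetime(2026, 3, 27, 10, 0, 0)


def iso_ts(offset_seconds):
    """Render BASE + offset in the ISO format the records use."""
    return (BASE + timedelta(seconds=offset_seconds)).strftime(TS_FMT)


# Constructed (timestamp, src_ip, session id) records, not the page's raw data:
#   198.51.100.7  - 12 sessions 30 s apart plus two more in the same second
#                   as the fourth one (burst with second-level overlap)
#   203.0.113.9   - two sessions an hour apart (no burst)
#   192.0.2.44    - five sessions two minutes apart (too few, too slow)
SESSIONS = (
    [(iso_ts(30 * i), "198.51.100.7", f"burst{i:02d}") for i in range(12)]
    + [(iso_ts(90), "198.51.100.7", "burst-dupA"),
       (iso_ts(90), "198.51.100.7", "burst-dupB")]
    + [(iso_ts(3600 * i), "203.0.113.9", f"slow{i}") for i in range(2)]
    + [(iso_ts(120 * i), "192.0.2.44", f"mid{i}") for i in range(5)]
)


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


def find_bursts(sessions, min_sessions=10, window=timedelta(minutes=7)):
    """Per source IP, slide a window over sorted session start times and
    report the densest window that holds at least `min_sessions` sessions.
    `max_same_second` is the largest number of sessions opened in one
    second inside that window (concurrency rather than sequential work)."""
    by_ip = defaultdict(list)
    for ts, ip, sid in sessions:
        by_ip[ip].append((parse_ts(ts), sid))

    bursts = []
    for ip, rows in sorted(by_ip.items()):
        rows.sort()
        start, best = 0, None
        for end in range(len(rows)):
            # Shrink the window from the left until it fits `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= min_sessions and (best is None or count > best["sessions"]):
                inside = rows[start:end + 1]
                best = {
                    "src_ip": ip,
                    "sessions": count,
                    "span_seconds": int((rows[end][0] - rows[start][0]).total_seconds()),
                    "max_same_second": max(Counter(t for t, _ in inside).values()),
                    "session_ids": [sid for _, sid in inside],
                }
        if best:
            bursts.append(best)
    return bursts


if __name__ == "__main__":
    for b in find_bursts(SESSIONS):
        print(f"{b['src_ip']}: {b['sessions']} sessions in {b['span_seconds']}s, "
              f"up to {b['max_same_second']} opened in the same second")
```

Feeding this real `cowrie.session.connect` events (timestamp and `src_ip`) is a one-line change in the record construction; the thresholds are deliberately parameters so they can be tuned per node.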
Geographic distribution of the 41 unique IPs: predominantly CN (≈50%), with KR, NL, VN, UA, RU, SE, and US each contributing smaller clusters. Korean and Chinese IPs dominate the high-volume burst clusters. For the most recent capture - 129.159.149.x on Node 2 (US) at 2026-04-03T17:02 UTC - third-party enrichment associated this range with cloud infrastructure (method-dependent; treat as indicative), suggesting cloud VPS nodes are also part of the execution fleet alongside consumer broadband and ISP-assigned addresses.
Threat Model
The operator running this tool is not an SSH worm. Worms propagate; this tool assesses. The 9-command sequence collects structured data about each target and transmits it (via the SSH channel's response capture or a C2 listener) for offline triage. Based on observed command structure, we assess the inferred workflow as:
- Credential acquisition phase - mass SSH bruteforce using libssh2_1.11.1, credential list not observed in our captures (Node 1 accepts all).
- Assessment phase - the 9-command script runs automatically post-login, collecting: device type, hardware specs, running processes, Telegram session-artifact presence, SMS gateway indicators.
- Triage phase (inferred) - results aggregated offline. Targets where Telegram tdata paths resolve would be candidates for follow-up exfiltration. Targets with GSM modems would be candidates for SMS pivot. High-CPU targets for miner deployment. We did not observe this downstream phase directly.
The operator is likely monetizing across multiple markets simultaneously - Telegram session sales, SMS OTP interception, cryptomining - though we can only observe the assessment phase. Downstream monetization is inferred from the target surface covered, not from observed exfiltration or follow-up sessions.
Behavioral signature: All 135 observed sessions preserved the identical 9-command order with zero adaptation. Interactive intruders adapt to what they find. This tool does not. Every session looks identical regardless of what Linux returns - the /ip cloud print failure is ignored, the empty ls results are ignored. The data collection goal is consistent output format for automated parsing, not interactive exploration.
Detection Rules
Sigma Rule 1 - HASSH Fingerprint
title: SSH Client HASSH - Multi-Target Assessment Tool (libssh2 variants)
id: nr-b002-hassh-multitarget
status: experimental
description: "Detects HASSH fingerprints associated with the multi-target MikroTik+Telegram+SMS assessment scanner. Two variants observed: libssh2_1.11.1 (primary, 8 sessions) and libssh2_1.11.0 (secondary, 1 session) - same tool family, marginally different build environments."
author: NullRoute Research
date: 2026-03-29
modified: 2026-04-03
logsource:
  category: network
  product: cowrie
detection:
  selection:
    eventid: cowrie.client.kex
    hassh|contains:
      - f45fb203c31069bb280067b71ed92ccb # libssh2_1.11.1 - primary variant
      - 44ac1859818d6cacfb48ec9cb230b3f0 # libssh2_1.11.0 - secondary variant
  condition: selection
falsepositives:
  - Other tools using libssh2_1.11.x with this exact KEX algorithm order (low probability)
level: medium
Sigma Rule 2 - Telegram Session Hunting via locate
title: Linux SSH - Telegram Desktop Session File Enumeration via locate
id: nr-b002-telegram-locate
status: stable
description: Detects use of `locate` to search for the Telegram Desktop session blob D877F783D5D3EF8Cs, indicating a Telegram session-artifact discovery attempt.
author: NullRoute Research
date: 2026-03-29
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - /locate
      - /mlocate
    CommandLine|contains: D877F783D5D3EF8Cs
  condition: selection
falsepositives:
  - None expected. This specific search string has no legitimate use case.
level: high
Sigma Rule 3 - Cross-Platform Assessment Script Sequence
title: SSH Session - MikroTik+Telegram+SMS Multi-Surface Assessment Script
id: nr-b002-multisurface-script
status: stable
description: Detects the 9-command assessment script that combines MikroTik platform detection, miner competition check, Telegram session-artifact discovery, and SMS gateway enumeration in a single SSH session. The `echo Hi | cat -n` completion beacon is the reliable session-level indicator.
author: NullRoute Research
date: 2026-03-29
logsource:
  category: network
  product: cowrie
detection:
  sel_mikrotik:
    eventid: cowrie.command.input
    input: /ip cloud print
  sel_telegram:
    eventid: cowrie.command.input
    input|contains: D877F783D5D3EF8Cs
  sel_beacon:
    eventid: cowrie.command.input
    input: echo Hi | cat -n
  condition: sel_mikrotik and sel_telegram and sel_beacon
  timeframe: 5m
falsepositives:
  - None expected. This specific combination has no legitimate operational context.
level: high
Sigma Rule 4 - SMS Gateway Infrastructure Probe
title: SSH Session - GSM Modem and SMS Gateway Enumeration
id: nr-b002-sms-gateway-probe
status: stable
description: Detects enumeration of GSM modem and SMS gateway paths, indicating an attacker hunting for SMS infrastructure for OTP interception or SMS fraud.
author: NullRoute Research
date: 2026-03-29
logsource:
  category: process_creation
detection:
  selection:
    CommandLine|contains|all:
      - ttyGSM
      - qmuxd
      - simman
  condition: selection
falsepositives:
  - Legitimate GSM gateway administration (narrow path enumeration without ttyGSM+qmuxd+simman combo)
level: high
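Sigma Rules 1 and 3 correlate two different Cowrie event types: a `cowrie.client.kex` HASSH match per session, and three `cowrie.command.input` matches that must all land inside one session within 5 minutes. The added example below (not NullRoute's code) implements both over Cowrie's JSON log format directly, so the logic can be checked against sample sessions before the rules are deployed. The log lines are constructed (documentation-range addresses, invented session ids, an all-zero placeholder HASSH for the benign session); the field names `eventid`, `timestamp`, `session`, `src_ip`, `input` and `hassh` are Cowrie's, and the HASSH values and command strings are the ones quoted in the post.

```python
import json
from datetime import datetime, timedelta

# Constructed Cowrie-style JSON events. Four sessions:
#   s-full     watchlisted HASSH, then the three Rule 3 commands within 2 min
#   s-authfail watchlisted HASSH, no commands (the Node 2/3 pattern)
#   s-admin    ordinary admin session, unrelated (placeholder) HASSH
#   s-slow     the three commands, but the beacon falls outside 5 min
LOG_LINES = [
    '{"eventid":"cowrie.client.kex","timestamp":"2026-03-29T14:05:00.000000Z","session":"s-full","src_ip":"198.51.100.7","hassh":"f45fb203c31069bb280067b71ed92ccb"}',
    '{"eventid":"cowrie.command.input","timestamp":"2026-03-29T14:05:02.100000Z","session":"s-full","src_ip":"198.51.100.7","input":"/ip cloud print"}',
    '{"eventid":"cowrie.command.input","timestamp":"2026-03-29T14:05:03.200000Z","session":"s-full","src_ip":"198.51.100.7","input":"uname -a"}',
    '{"eventid":"cowrie.command.input","timestamp":"2026-03-29T14:06:10.300000Z","session":"s-full","src_ip":"198.51.100.7","input":"locate D877F783D5D3EF8Cs"}',
    '{"eventid":"cowrie.command.input","timestamp":"2026-03-29T14:06:55.400000Z","session":"s-full","src_ip":"198.51.100.7","input":"echo Hi | cat -n"}',
    '{"eventid":"cowrie.client.kex","timestamp":"2026-03-29T15:00:00.000000Z","session":"s-authfail","src_ip":"203.0.113.9","hassh":"44ac1859818d6cacfb48ec9cb230b3f0"}',
    '{"eventid":"cowrie.client.kex","timestamp":"2026-03-29T16:00:00.000000Z","session":"s-admin","src_ip":"192.0.2.44","hassh":"00000000000000000000000000000000"}',
    '{"eventid":"cowrie.command.input","timestamp":"2026-03-29T16:00:05.000000Z","session":"s-admin","src_ip":"192.0.2.44","input":"uname -a"}',
    '{"eventid":"cowrie.command.input","timestamp":"2026-03-29T16:00:09.000000Z","session":"s-admin","src_ip":"192.0.2.44","input":"ls -la /var/log"}',
    '{"eventid":"cowrie.client.kex","timestamp":"2026-03-29T17:00:00.000000Z","session":"s-slow","src_ip":"192.0.2.99","hassh":"00000000000000000000000000000000"}',
    '{"eventid":"cowrie.command.input","timestamp":"2026-03-29T17:00:01.000000Z","session":"s-slow","src_ip":"192.0.2.99","input":"/ip cloud print"}',
    '{"eventid":"cowrie.command.input","timestamp":"2026-03-29T17:01:00.000000Z","session":"s-slow","src_ip":"192.0.2.99","input":"locate D877F783D5D3EF8Cs"}',
    '{"eventid":"cowrie.command.input","timestamp":"2026-03-29T17:07:00.000000Z","session":"s-slow","src_ip":"192.0.2.99","input":"echo Hi | cat -n"}',
]

# Rule 1: the two build variants quoted in the post.
HASSH_WATCHLIST = {
    "f45fb203c31069bb280067b71ed92ccb",  # libssh2_1.11.1, primary variant
    "44ac1859818d6cacfb48ec9cb230b3f0",  # libssh2_1.11.0, secondary variant
}
# Rule 3: the three selections and their 5-minute timeframe.
REQUIRED = {
    "sel_mikrotik": lambda cmd: cmd.strip() == "/ip cloud print",
    "sel_telegram": lambda cmd: "D877F783D5D3EF8Cs" in cmd,
    "sel_beacon": lambda cmd: cmd.strip() == "echo Hi | cat -n",
}
TIMEFRAME = timedelta(minutes=5)


def parse_ts(s):
    """Cowrie writes microsecond ISO timestamps with a literal trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")


def evaluate(lines):
    """Fold the event stream into per-session state, then score each session.
    Returns a list of {'session', 'src_ip', 'reasons'} for sessions that fire
    at least one rule; 'reasons' lists which rule(s) matched."""
    sessions = {}
    for line in lines:
        ev = json.loads(line)
        st = sessions.setdefault(ev["session"],
                                 {"src_ip": ev.get("src_ip"), "hassh": None, "hits": {}})
        if ev["eventid"] == "cowrie.client.kex":
            st["hassh"] = ev.get("hassh")
        elif ev["eventid"] == "cowrie.command.input":
            ts = parse_ts(ev["timestamp"])
            for name, matches in REQUIRED.items():
                # Keep the first time each selection matched within the session.
                if name not in st["hits"] and matches(ev["input"]):
                    st["hits"][name] = ts

    alerts = []
    for sid, st in sessions.items():
        reasons = []
        if st["hassh"] in HASSH_WATCHLIST:
            reasons.append("hassh_watchlist")
        hits = st["hits"]
        if set(REQUIRED) <= set(hits) and max(hits.values()) - min(hits.values()) <= TIMEFRAME:
            reasons.append("multisurface_script")
        if reasons:
            alerts.append({"session": sid, "src_ip": st["src_ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(LOG_LINES):
        print(json.dumps(alert))
```

The `s-authfail` case is the one worth noticing operationally: with no commands at all, only the HASSH rule fires, which is exactly what Nodes 2 and 3 would have produced for this scanner. Pipe `tail -f` of Cowrie's JSON log into `evaluate` to run it live.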
Dataset Notes
Data was collected on NullRoute's four-node Cowrie SSH honeypot infrastructure: Node 1 (DE, AuthRandom - accepts any credential), Node 2 (US, UserDB - healthcare persona), Node 3 (FR, AuthRandom no-root - AI/ML persona), Node 4 (SG, UserDB - ops persona, operational since 2026-03-28). Full command sequences are available from nodes where authentication succeeds. Node 4 was hit within its first 72 hours of operation, confirming the scanner's broad internet coverage and fast re-scan cadence.
Credential used on Node 1: root/root - the simplest possible credential, consistent with high-volume bruteforce that tries common pairs before dictionary entries. The short duration on auth-failure nodes (22–72s) indicates the tool does not retry credentials after initial rejection.
Raw session IDs from this investigation: 8bf1a61094cf (UA), 65d27bf32ef0 and d8d33eae24cc (CN, two sessions), cd5765ddbf73 (NL).
References
- malwaremily - Honeypot Logs: A Botnet's Search for MikroTik Routers (Medium, 2024) - prior report documenting the same MikroTik recon sequence without the Telegram component
- Exylum Technical - MikroTik Reconnaissance Attacks (Feb 2024) - independently documents the echo Hi | cat -n completion beacon
- SANS ISC - Fingerprinting SSH Identification Strings - libssh2 scanner prevalence data
- Picus Security - PupkinStealer: .NET Infostealer Using Telegram for Data Theft - Telegram tdata theft context
- Telegram Desktop source code - confirms D877F783D5D3EF8C as a session blob directory name in the tdata structure
- Ghiette et al. - Fingerprinting Tooling used for SSH Compromisation Attempts (RAID 2019) - HASSH methodology
Related research: Behavioral Rigidity Spectrum - classifies this scanner as Tier I Crystal Rigidity