Detection Engineering Brief March 2026

Panchan P2P Botnet - Live Behavioral Capture

During routine analysis of SSH honeypot telemetry, we captured a live deployment of the Panchan P2P botnet. The binary was uploaded via SFTP, executed with a curated target list, and contained a multi-component architecture including spreader, dual cryptominer, P2P command-and-control, and anti-competition logic.

Key Takeaways

What we observed:

→ Panchan deployment via authenticated SFTP upload rather than in-session remote fetch
→ Single-command execution model minimizes interaction footprint
→ A 51-IP command-line target list indicates preselected downstream targets
→ Static binary artifacts suggest a multi-component design (spreader, miner, P2P, killer-related functionality)
→ This deployment path can evade detections narrowly focused on remote-fetch utilities such as wget/curl

Observation Context

Parameter	Value
Sensor	Cowrie SSH honeypot (T-Pot), Germany
Observation date	2026-03-23 09:48–09:52 UTC
Source IP	Compromised host in Argentina (AbuseIPDB: 100%, 57 reports)
Credential used	root / linux
Session duration	221.9 seconds
Classification	SCANNER → reclassified as PROPAGATOR based on SFTP upload + execution pattern

Kill Chain (Observed)

The full attack sequence was captured across Cowrie event types:

Phase 1 - Access
  [cowrie.login.success]    root / linux (3 failed attempts, then success)

Phase 2 - Staging
  [cowrie.session.file_upload]  SFTP upload: "sshd" → hidden directory
  Filename: .5646804864006804813/sshd
  Method: SFTP (not wget, not curl, not scp)
  SHA256: 94f2e4d8d4436874785cd14e6e6d403507b8750852f7f2040352069a75da4c00

Phase 3 - Execution
  [cowrie.command.input]  Single command:
  chmod +x ./.5646804864006804813/sshd; nohup ./.5646804864006804813/sshd [51 IPs] &

Phase 4 - Propagation (attempted)
  Binary receives 51 target IPs as command-line arguments.
  Outbound activity consistent with SSH propagation was observed
  but blocked by nftables firewall controls.

Key behavioral signal: The interactive shell portion of the deployment - SFTP upload and a single typed command - appears to complete in under 4 seconds. The remaining ~218 seconds of session duration is consistent with the launched binary continuing execution, potentially including blocked outbound propagation attempts, but that activity was not directly instrumented in this capture.

ATT&CK Mapping

Tactic	Technique	ID	Observed
Initial Access	Remote Services: SSH	T1021.004	SSH brute-force (3 failed + 1 success)
Execution	Unix Shell	T1059.004	chmod + nohup execution
Defense Evasion	Masquerading	T1036.005	Binary named `sshd`
Credential Access	Brute Force	T1110.001	SSH brute-force of the exposed service (3 failed attempts before success); additional spreading via main.sshtry inferred from symbols
Lateral Movement	Remote Services: SSH	T1021.004	SFTP upload + preselected-target execution
Command and Control	Peer-to-Peer	T1090.003	`main.p2p`, peer exchange protocol (from symbols)
Impact	Resource Hijacking	T1496	XMRig + NBMiner dual config (from symbols)

Potential capabilities inferred from binary symbols (not behaviorally observed): The binary contains module-path strings suggesting a systemd startup manager (main.startupmanager, potentially T1543.002) and a rootkit module (rootkit.go, potentially T1014). These remain unverified; module names do not confirm active functionality.

Binary Attribution

Attribute	Value
Family	Panchan (P2P cryptomining botnet)
Language	Go (compiled, stripped, 29MB ELF x86-64)
Upload method	SFTP
VT detection	45/76 malicious - trojan.multiverze/genericrxss (snapshot at analysis time)
VT first seen	2026-03-15 (VT metadata snapshot)
Attribution confidence	HIGH - Go module path embedded

Attribution is based on source code module paths compiled into the binary by the Go build system:

panchansminingisland/main.go
panchansminingisland/spreader.go
panchansminingisland/miner.go
panchansminingisland/p2p.go
panchansminingisland/killer.go
panchansminingisland/protector.go
panchansminingisland/rootkit.go
panchansminingisland/updater.go
panchansminingisland/utils.go

Prior research. Panchan was first documented by Akamai Security Research (June 2022) as a Go-based P2P botnet targeting Linux servers via SSH. Updated analysis by Nozomi Networks (2024) documented sshd replacement behavior.

What is new in this observation:

→ Module named rootkit.go not found in the two prior-art sources reviewed (Akamai 2022, Nozomi 2024); functionality entirely unverified from this capture
→ SFTP upload to randomized numeric hidden directory - live behavioral capture
→ 51-IP target list passed as command-line arguments - not documented in prior sources reviewed
→ Dual-miner configuration (XMRig + NBMiner) with JSON-structured pool credentials
→ Observed active in March 2026 within NullRoute telemetry; VT metadata shows 10+ honeypot submissions since 2026-03-15
→ Static artifacts suggest multi-component design (spreader, miner, P2P, killer, protector)

Architecture (Reconstructed from Go Symbols)

┌─────────────────────────────────────────────────┐ │ PANCHAN BINARY │ │ │ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │ │ spreader │ │ miner │ │ p2p │ │ │ │ │ │ │ │ │ │ │ │ sshtry() │ │ xmrig │ │ peer │ │ │ │ sftp │ │ nbminer │ │ exchange │ │ │ │ upload │ │ dual-cfg │ │ │ │ │ └────┬─────┘ └────┬─────┘ └────┬─────┘ │ │ │ │ │ │ │ ┌────┴─────┐ ┌────┴─────┐ ┌────┴─────┐ │ │ │ killer │ │protector │ │ updater │ │ │ │ │ │ │ │ │ │ │ │ killxmrig│ │ antikill │ │ auto- │ │ │ │ killnb │ │ anti- │ │ update │ │ │ │ killdup │ │ taskman │ │ via p2p │ │ │ │ kill_port│ │ startup │ │ │ │ │ └──────────┘ └──────────┘ └──────────┘ │ │ │ │ ┌──────────┐ ┌──────────┐ │ │ │ rootkit │ │ utils │ │ │ │ │ │ │ │ │ │ (module │ │ randomIP │ │ │ │ name │ │ generate │ │ │ │ only) │ │ _seed │ │ │ └──────────┘ └──────────┘ │ └─────────────────────────────────────────────────┘

Module functions extracted via Go symbol analysis (strings). Architecture reflects code structure, not runtime behavior. Components marked "from symbols" were not directly observed executing during this capture.

Propagation Model: Panchan vs Dota

For context, NullRoute's first investigation documented the Dota SSH worm as the dominant SSH threat (98% of classified sessions). Panchan represents a fundamentally different operational approach.

Dimension	Dota SSH Worm	Panchan
Language	Shell scripts	Go (compiled)
Size	~50KB (tar.gz)	29MB (ELF)
Delivery	wget from C2 URL	SFTP upload (self-carry)
Scanning	Blind 192.168.x.x (private ranges)	Preselected 51-IP list passed as arguments (coverage unverified)
C2 model	Implicit (hardcoded URL)	P2P peer exchange
Persistence	SSH key injection (mdrfckr)	startupmanager (from symbols)
Competition	Kills rivals (kthreadadd)	Kills xmrig + nbminer + port-based kill
Mining	dota3.tar.gz (presumed miner)	XMRig + NBMiner (dual, config-driven)
Update	None observed	P2P auto-updater
Common ground	Both rely on opportunistic SSH credential access, automated execution, and resource hijacking for cryptomining

These observations suggest two distinct operational approaches to SSH-based propagation. Dota optimizes for volume and simplicity; Panchan optimizes for efficiency and resilience. Further data is required to confirm whether these represent stable evolutionary strategies or situational variation.

Confidence Assessment

Area	Confidence	Basis
Family identification (Panchan)	HIGH	Go module path `panchansminingisland` embedded in binary
Deployment behavior	HIGH	Full SFTP upload + execution captured in Cowrie logs
Binary architecture	MEDIUM	Reconstructed from Go symbols; not all components observed executing
Propagation model	MEDIUM	51 target IPs observed as arguments; outbound blocked by firewall
Rootkit capability	LOW	Module name only (`rootkit.go`); no observed rootkit behavior
PAM credential handling	LOW	Library references (`libpam.so.0`) in binary; not observed in session

Indicators of Compromise

File Indicators

Type	Value	Description
SHA256	`94f2e4d8d4436874785cd14e6e6d403507b8750852f7f2040352069a75da4c00`	Panchan binary (ELF, Go, 29MB)
Filename	`sshd`	Disguised as SSH daemon
Path pattern	`./.[0-9]{16,19}/sshd`	Randomized numeric hidden directory
Go module	`panchansminingisland`	Source code module identifier

Behavioral Indicators

Indicator	Detection Logic
SFTP upload to hidden numeric dir	`cowrie.session.file_upload` + filename matches `./.[0-9]+/`
Single-command execution with IP list	`chmod +x` + `nohup` + multiple IP addresses as arguments
Binary disguised as system service	Uploaded filename = `sshd` but SHA256 ≠ legitimate OpenSSH

Detection Rules (Sigma)

Note: These rules are designed for SSH honeypot environments (Cowrie, Kippo). They detect behavioral patterns observed in real attacker sessions. Rules marked experimental are based on limited observations and may require tuning.

Rule 1: Panchan SFTP Deployment

title: Panchan Botnet - SFTP Upload to Hidden Numeric Directory
id: nr-2026-001
status: experimental
description: |
  Detects SFTP file uploads where the target filename is 'sshd'
  placed in a hidden directory with a long numeric name,
  characteristic of Panchan P2P botnet deployment.
references:
  - https://nullroute.live/research/panchan-p2p-botnet
  - https://www.akamai.com/blog/security-research/new-p2p-botnet-panchan
author: NullRoute Research
date: 2026/03/24
tags:
  - attack.lateral_movement
  - attack.t1021.004
  - attack.defense_evasion
  - attack.t1036.005
logsource:
  product: cowrie
  service: ssh
detection:
  selection_upload:
    eventid: 'cowrie.session.file_upload'
  selection_filename:
    filename|endswith: '/sshd'
  filter_hidden_numeric_dir:
    filename|re: '^\.\d{10,}/sshd$'
  condition: selection_upload and selection_filename and filter_hidden_numeric_dir
falsepositives:
  - Legitimate SFTP uploads to numeric hidden directories (unlikely in honeypot)
level: high

Rule 2: SSH Propagator with Target List

title: SSH Worm Propagator - Single Command with Multiple Target IPs
id: nr-2026-002
status: experimental
description: |
  Detects execution of a binary via chmod+nohup with multiple IP
  addresses passed as command-line arguments, characteristic of
  SSH worm propagation with pre-collected target lists.
references:
  - https://nullroute.live/research/panchan-p2p-botnet
author: NullRoute Research
date: 2026/03/24
tags:
  - attack.execution
  - attack.t1059.004
  - attack.lateral_movement
  - attack.t1021.004
logsource:
  product: cowrie
  service: ssh
detection:
  selection_exec:
    eventid: 'cowrie.command.input'
  filter_exec_pattern:
    input|contains|all:
      - 'chmod +x'
      - 'nohup'
  filter_multi_ip:
    input|re: '(\b\d{1,3}(\.\d{1,3}){3}\b.*){5,}'
  condition: selection_exec and filter_exec_pattern and filter_multi_ip
falsepositives:
  - Legitimate batch SSH operations with IP lists (rare on honeypots)
level: high

Note: Rule 3 below is a generic Linux botnet dropper pattern observed in adjacent activity; it is not Panchan-specific.

Rule 3: IoT Shell Dropper Multi-Fallback

title: IoT Botnet Dropper - Multi-Method Download Fallback Chain
id: nr-2026-003
status: experimental
description: |
  Detects the characteristic fallback pattern of IoT botnet droppers
  that attempt multiple download methods in rapid succession:
  wget, nohup wget, busybox wget, busybox wget -O.
  Often preceded by tool availability checks (wget, tftp, ifconfig).
references:
  - https://nullroute.live/research/panchan-p2p-botnet
author: NullRoute Research
date: 2026/03/24
tags:
  - attack.execution
  - attack.t1059.004
  - attack.command_and_control
  - attack.t1105
logsource:
  product: cowrie
  service: ssh
detection:
  selection:
    eventid: 'cowrie.command.input'
  filter_busybox_wget:
    input|contains: 'busybox wget'
  filter_fallback_dirs:
    input|contains|all:
      - 'cd /tmp'
      - '||cd '
  condition: selection and (filter_busybox_wget or filter_fallback_dirs)
falsepositives:
  - Legitimate busybox usage on embedded systems
level: high

Detection Concept (not a deployable Sigma rule): Authenticated Session with Zero Commands

title: Credential Validator - Authenticated Session with Zero Commands
id: nr-2026-004
status: unsupported
description: |
  Detects SSH sessions where authentication succeeds but no commands
  are executed and the session remains open for an extended period.
  Consistent with credential validation networks and access brokers.

  NOTE: This detection requires session-level correlation that is not
  implementable as a standalone Sigma rule. Provided as a detection
  concept for custom SIEM implementation.
references:
  - https://nullroute.live/research/panchan-p2p-botnet
author: NullRoute Research
date: 2026/03/24
tags:
  - attack.credential_access
  - attack.t1110.001
  - attack.resource_development
  - attack.t1589.001
logsource:
  product: cowrie
  service: ssh
detection:
  # CONCEPT: requires correlation engine
  # login_success WHERE session has 0 command events
  # AND session_duration >= 120 seconds
  selection_login:
    eventid: 'cowrie.login.success'
  condition: selection_login
  # Additional logic must be implemented in SIEM correlation layer
falsepositives:
  - Legitimate SSH sessions interrupted before command entry
  - Port scanners completing SSH handshake
level: medium

Rule 5: Panchan Binary - Go Module Identifier

title: Panchan Botnet - Binary Contains Module Identifier
id: nr-2026-005
status: experimental
description: |
  Detects Panchan botnet binaries by the presence of the Go module
  path "panchansminingisland" in captured file content. This identifier
  is compiled into the binary by the Go module system.
references:
  - https://nullroute.live/research/panchan-p2p-botnet
  - https://www.akamai.com/blog/security-research/new-p2p-botnet-panchan
author: NullRoute Research
date: 2026/03/24
tags:
  - attack.execution
  - attack.impact
  - attack.t1496
logsource:
  category: file_analysis
detection:
  selection:
    strings|contains: 'panchansminingisland'
  condition: selection
falsepositives:
  - Unknown Go binaries containing similar module paths (low probability)
level: critical

Rule 6: SFTP Upload Followed by Immediate Execution

title: SSH Malware Deployment - Upload Followed by Immediate Execution
id: nr-2026-006
status: experimental
description: |
  Detects a pattern where an SFTP file upload is immediately followed
  by a chmod+execute command within the same session. This is the
  primary behavioral signature of SFTP-based malware deployment
  including Panchan and similar operator-delivered payloads.
  NOTE: The timeframe/followed_by semantics are backend-dependent
  and not universally supported across Sigma implementations.
references:
  - https://nullroute.live/research/panchan-p2p-botnet
author: NullRoute Research
date: 2026/03/24
tags:
  - attack.execution
  - attack.t1059.004
  - attack.lateral_movement
  - attack.t1021.004
logsource:
  product: cowrie
  service: ssh
detection:
  upload:
    eventid: 'cowrie.session.file_upload'
  exec:
    eventid: 'cowrie.command.input'
    input|contains: 'chmod +x'
  timeframe: 60s
  condition: upload | followed_by exec
falsepositives:
  - Legitimate SFTP deployments followed by execution (unlikely in honeypot)
level: high

Detection Context

These rules are designed for and tested against SSH honeypot environments:

Most applicable to:

→ SSH honeypots (Cowrie, Kippo, custom)
→ Linux servers with SSH audit logging
→ Environments monitoring SFTP subsystem activity

Less applicable to:

→ Windows environments
→ Network-only telemetry without command-level visibility
→ Environments without SFTP logging enabled

Occurrence Context

This specific Panchan deployment was observed once across a single sensor within a 38-hour analysis window. No repeated instances of this exact behavioral pattern were detected during the observation period. However, VirusTotal data shows 10+ independent honeypot submissions of the same binary since 2026-03-15, confirming an active campaign across multiple sensors.

Update 2026-04-03: No additional Panchan deployments were observed across any NullRoute node (DE, US, FR, SG) through April 3. The single-capture profile contrasts sharply with the Solana scanner and Dota worm, which hit all nodes repeatedly. This is consistent with Panchan's curated-target model: it is not spraying randomly - it arrived because the source IP already had our address.

Methodology

Sensor: Single Cowrie SSH honeypot on T-Pot 24.04, Germany.

Analysis pipeline: Automated session classification (session_analyzer.py) → manual behavioral review → binary extraction from Cowrie download archive → static analysis (strings, Go symbol extraction) → VirusTotal and AbuseIPDB enrichment.

Limitations.

→ Single vantage point (one honeypot, one country)
→ Binary analysis limited to static strings (no dynamic/sandbox execution)
→ P2P protocol not captured (outbound blocked by nftables)
→ Mining pool addresses not extracted (likely loaded at runtime via P2P config)
→ Rootkit module functionality unverified (name only)

Binary attribution confirmed via VirusTotal (45/76 detections). Prior research: Akamai Security Research (2022), Nozomi Networks (2024). Analysis assisted by Claude (Anthropic) and ChatGPT (OpenAI) as complementary review tools.

This is the second publication from NullRoute.
The first investigation documented the SSH monoculture:
98% of SSH Intrusions Come from One Worm.

Panchan is part of the remaining 2%.