MDRFCKR (aka Dota) · .X291-unix · dota-worm · First obs. 2026-02 · 3 / 4 nodes · DE · US · FR
SSH Self-Propagating Worm · Miner-Deploying
SSH KEY PERSISTENCE ESTABLISHED IN <1S.
2.9S PAUSE
SURVEYS HOST. 18–26 COMMANDS.
CLEANS RIVALS. SPREADS.
RECONSTRUCTED SESSION · RF-001 · MDRFCKR / DOTA · sensor-de
> session: rf-001-mdrfckr · 2026-03-14 03:47:21 UTC
> source: 185.220.xxx.xxx:54892 → sensor-de:22 · 24 commands · 23.4s total
> indexed: DE / US / FR cross-node match confirmed
01 /// ACCESS / PERSIST · T+0.0s · UNDER 1 SECOND
02 /// RECON / SURVEY · T+2.9s · VARIABLE DURATION
03 /// DEPLOY / DOMINATE · terminal
✓ RECONSTRUCTION COMPLETE · representative stage order displayed · competitor cleanup observed · payload deployed
COVERAGE
1,021 sessions · 8-day window
605 source IPs · 69 countries
141 IP pairs · stage-1 / stage-2 source linkage
3 / 4 nodes · DE · US · FR
TRADECRAFT
Entry: wordlist-based SSH brute force
Persist: SSH key injection · authorized_keys · <1s · SSH key comment: "mdrfckr"
Recon: 18–26 commands · hardware survey · 10 session variants observed
Payload: .X291-unix (85% of deploy sessions) · likely cryptominer · 37 credential variants
Cleanup: competitor cleanup commonly precedes payload deployment · dota* + .X13/.X17/.X19
Spread: observed post-deploy propagation behavior
EVIDENCE
Stage 01 - Access / Persist - cross-node fingerprint
rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAA[...]mdrfckr" >> .ssh/authorized_keys && chmod -R go= ~/.ssh
Observed verbatim · DE / US / FR · SSH key comment "mdrfckr" stable across all variants
Stage 03 - Competitor Cleanup - commonly precedes payload deployment
rm -rf /var/tmp/dota3* /var/tmp/dota2* /tmp/.X19-unix /tmp/.X13-unix /tmp/.X17-unix /tmp/.X15-unix
Competitor artifact removal · 85% of deploy sessions · rival processes and artifacts eliminated before own payload execution
METHOD
Source: SSH honeypot telemetry · 4 nodes · 8-day observation window · 2026-03
Sessions: Cowrie session records · command sequences normalized and clustered by behavioral fingerprint
IP Pairs: 141 source IPs with confirmed stage-1 and stage-2 activity within observation window · cross-node correlation by command fingerprint
Confidence: High · consistent cross-node behavior · 1,021 sessions · stable SSH key comment across all variants
Replay: Representative reconstruction · stage order and inter-stage timing based on observed medians · not raw terminal capture
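Added example, not code from the NULLROUTE report: a Python pass over Cowrie-style JSON events that groups commands by session and flags the two fingerprints quoted in the evidence above (authorized_keys injection carrying the "mdrfckr" key comment, and dota* / .X*-unix competitor cleanup), while measuring time-to-persist and the longest inter-command idle gap. Field names follow Cowrie's cowrie.command.input JSON event; the sample events, timestamps and IPs are constructed, not captures.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

KEY_COMMENT = "mdrfckr"  # stable SSH key comment from Stage 01 (page evidence)
CLEANUP_RE = re.compile(r"rm -rf .*(/var/tmp/dota|/tmp/\.X\d+-unix)")  # Stage 03

# Constructed Cowrie-style events, not real captures; timestamps/IPs are made up.
SAMPLE_LOG = r'''
{"eventid":"cowrie.command.input","session":"s1","src_ip":"203.0.113.5","timestamp":"2026-03-14T03:47:21.400000Z","input":"rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAA[...]mdrfckr\" >> .ssh/authorized_keys && chmod -R go= ~/.ssh"}
{"eventid":"cowrie.command.input","session":"s1","src_ip":"203.0.113.5","timestamp":"2026-03-14T03:47:24.300000Z","input":"uname -a"}
{"eventid":"cowrie.command.input","session":"s1","src_ip":"203.0.113.5","timestamp":"2026-03-14T03:47:40.000000Z","input":"rm -rf /var/tmp/dota3* /var/tmp/dota2* /tmp/.X19-unix /tmp/.X13-unix"}
{"eventid":"cowrie.command.input","session":"s2","src_ip":"198.51.100.9","timestamp":"2026-03-14T04:00:00.000000Z","input":"uname -a"}
{"eventid":"cowrie.session.closed","session":"s2","src_ip":"198.51.100.9","timestamp":"2026-03-14T04:00:05.000000Z"}
'''

def parse_sessions(log_text):
    """Group cowrie.command.input events by session id, ordered by timestamp."""
    sessions = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("eventid") != "cowrie.command.input":
            continue  # connect/closed/login events carry no command
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        sessions[ev["session"]].append((ts, ev["src_ip"], ev["input"]))
    return {sid: sorted(cmds) for sid, cmds in sessions.items()}

def fingerprint(commands):
    """Flag persist/cleanup stages; measure time-to-persist and longest idle gap."""
    stages, persist_after, max_idle = set(), None, 0.0
    first_ts = commands[0][0]
    for i, (ts, _src, cmd) in enumerate(commands):
        if "authorized_keys" in cmd and KEY_COMMENT in cmd:
            stages.add("persist")
            if persist_after is None:
                persist_after = (ts - first_ts).total_seconds()
        if CLEANUP_RE.search(cmd):
            stages.add("cleanup")
        if i:
            max_idle = max(max_idle, (ts - commands[i - 1][0]).total_seconds())
    return {"stages": stages, "persist_after_s": persist_after, "max_idle_s": max_idle, "commands": len(commands)}

def classify(log_text):
    """Per-session report; the verdict keys on the key comment, the one constant."""
    report = {}
    for sid, cmds in parse_sessions(log_text).items():
        fp = fingerprint(cmds)
        fp["verdict"] = "mdrfckr-dota" if "persist" in fp["stages"] else "unmatched"
        report[sid] = fp
    return report
```

Sessions that only survey the host (s2 above) stay unmatched, which is the intended behaviour: the key comment, not the recon commands, is what the report identifies as stable across variants.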
RF-001 · MDRFCKR · 2026-03 · 1,021 SESSIONS · NULLROUTE ATLAS