Research & Threat Intel

Intelligence from the front line

Analysis of attack techniques and threat trends based on the intrusion attempts captured by our honeypot in production.

PDF · ES / EN
Full report · Intelligence series
Anatomy of an SSH attack
4 chapters · Echo → GPU Hunter → Dropper → root escalation
Available in Spanish and English
Download PDF (ES) → Download PDF (EN) →
Real session · Human factor · curl | bash

Logs in as root and the first thing it does is show off the specs with neofetch

Not everyone who knocks at the door is a bot. This session was driven by a person: a desktop SSH client, hand-typed credentials and a very human obsession — installing neofetch to see what machine they had taken over. They tried five different ways.

Credential Stuffing · Campaigns · OPSEC

Silent probing: when the attacker only checks that your password works

Of the 143,337 sessions the honeypot logged over eight days, 3,399 —2.4%— authenticated and disconnected without running a single command. Few in number, but revealing: they're not after the machine, they're only checking whether the credential works.

Malware Botnet Cryptomining

XMRig in stealth mode: how miners avoid detection in 2026

Unauthorized cryptomining arrives in two phases. First a silent GPU hunter checks whether the machine has a GPU. Only then does it install the miner. 18,276 sessions documented.

Credential Stuffing

The most common passwords in SSH attacks: a dataset from our honeypot

26,345 real credentials captured in three days. The finding: they're not generic weak passwords — it's Solana node terminology. sol, firedancer, validator in every dictionary.

Campaigns Infrastructure

Coordinated campaign: 53 IPs, one Go client, one target

99.5% of the connections use SSH-2.0-Go — the fingerprint of a custom scanner. Analysis of the infrastructure, load distribution and observed botnet architecture.

APT Anti-forensics Espionage

SSH anti-forensics: the session that tried to erase its tracks

A session with FinalShell (a JSch client) ran exactly 7 commands — all to wipe logs. journalctl --vacuum-size=1K, history -c, wtmp, btmp, lastlog. What it failed to erase.

Campaigns Live

Overview: SSH attack statistics captured by our honeypot

SSH sessions, unique IPs, commands and credentials updated in real time. With a time-window selector to explore any date range.

Malware Dropper Campaigns

Dropper in production: analysis of loader.sh and the payload that didn't run

3 payload URLs, 6 downloads, 259 execution attempts, 0 bytes executed. Analysis of the dropper infrastructure and the GPU hunter → payload chain.

Persistence Escalation Campaigns

Account escalation: 21 attempts to change the root password

21 sessions ran passwd after authenticating. No binaries, no crontab, no artifacts. Changing the password is the quietest persistence there is.

Automation Campaigns Reconnaissance

The scanner's first command: why every SSH attack starts with echo

12,358 echo commands in three days. It's not noise — it's the universal protocol scanners use to verify there's a working shell before launching the real attack.

Research in your inbox

Subscribe to the monthly threat intelligence newsletter. No spam, just data.

We publish analysis based on real honeypot data. No spam, no made-up cadence.