Key figures: 53 coordinated IPs · 99.5% SSH-2.0-Go · 996 exec without shell · 26,584 total sessions

The fingerprint that gives it all away

The first sign that this campaign is different is the client_version field of the SSH handshake. This identifier is set by the client on connect — it's the "client signature" the server sees before any authentication. In legitimate traffic, you'd see a mix of OpenSSH_9.x, PuTTY_Release_X.XX, paramiko and the like.

In our honeypot, over the three days of observation, 99.5% of the connections presented exactly the same identifier:

Dominant fingerprint

SSH-2.0-Go — 26,225 connections out of 26,353 total (99.5%)

This identifier corresponds to Go's native SSH library (golang.org/x/crypto/ssh). It is not an SSH client for human use. It's the footprint of a scanner or custom bot written in Go.

The remaining 359 legitimate clients: paramiko 2.12 (44), PuTTY 0.83 (44), paramiko 5.0 (21), libssh2 (9).

Load distribution across IPs

The 53 IPs don't act independently. The distribution of attempts per IP reveals a campaign architecture with differentiated roles:

IP                    | Attempts | Observed pattern
45.148.[REDACTED].183 | 5,173    | High frequency, small dictionary (51 unique creds)
2.57.[REDACTED].177   | 4,403    | High frequency, small dictionary (37 unique creds)
45.148.[REDACTED].240 | 3,402    | High frequency, medium dictionary (101 unique creds)
83.168.[REDACTED].99  | 1,524    | Medium frequency, broad dictionary (379 unique creds)
91.92.[REDACTED].61   | 1,522    | Medium frequency, broad dictionary (761 unique creds)
192.109.[REDACTED].78 | 1,520    | Medium frequency
92.118.[REDACTED].62  | 1,407    | Medium frequency
195.178.[REDACTED].30 | 1,365    | Medium frequency

The tactical read: the top three IPs act as "battering rams" — they try the most likely credentials (123456, solana, root/sol) at maximum speed. The medium-frequency IPs do a broader sweep of the credential space. Classic botnet division of labor.

Exec sessions: 996 attempts without opening a shell

Part of the campaign uses SSH's exec channel instead of the interactive shell channel. This lets commands be run directly without opening a terminal session — faster and potentially harder to detect for tools that only log interactive shells.

Exec channel (no interactive shell)

996 exec attempts blocked by the honeypot. The most frequent exec commands are identical to the GPU hunter pattern: uname -s -v -n -r -m, lspci | grep VGA, uptime -p.

Using exec instead of shell is consistent with a scanner that only needs to detect whether the machine has a GPU — it doesn't need a full interactive session.

Why the Go client matters

Legitimate SSH clients (OpenSSH, PuTTY, WinSCP) are tools designed for human use. Go's SSH library is exactly the opposite: a low-level API that lets you write programmatic SSH clients with full control over the handshake, the channels and error handling.

Using golang.org/x/crypto/ssh directly has concrete implications for the attacker:

What to add to your blocklist

The IPs observed in this campaign during the analysis period. Any IP-based blocklist is short-lived — attackers rotate infrastructure — but it can buy time.

# IPs with the highest attack volume (2026-06-11 to 2026-06-13)
45.148.[REDACTED].183
45.148.[REDACTED].240
2.57.[REDACTED].177
83.168.[REDACTED].99
91.92.[REDACTED].61
192.109.[REDACTED].78
92.118.[REDACTED].62
195.178.[REDACTED].30
45.156.[REDACTED].166
45.156.[REDACTED].253
45.156.[REDACTED].254
80.94.[REDACTED].168
# Detection rule: block SSH-2.0-Go unless it is a known internal client
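Added example, not code from the article or from CipherSentry: the fingerprint rule from the comment above (flag SSH-2.0-Go from anything that is not a known internal client) together with the exec-channel recon pattern from the "Exec sessions" section, run over constructed honeypot log lines. The log format, the internal allowlist and the IPs are assumptions; the three commands are the ones the article reports.

```python
import re
from collections import defaultdict

# Constructed sample honeypot log lines (not taken from the article's dataset).
# Assumed line format: "<timestamp> <src_ip> <event> [<detail>]".
SAMPLE_LOG = """\
2026-06-11T10:00:01Z 198.51.100.7 connect client_version=SSH-2.0-Go
2026-06-11T10:00:02Z 198.51.100.7 exec uname -s -v -n -r -m
2026-06-11T10:00:03Z 192.0.2.4 connect client_version=SSH-2.0-Go
2026-06-11T10:00:04Z 192.0.2.4 exec lspci | grep VGA
2026-06-11T10:00:05Z 10.0.0.5 connect client_version=SSH-2.0-Go
2026-06-11T10:00:06Z 10.0.0.5 exec uptime -p
2026-06-11T10:00:07Z 203.0.113.9 connect client_version=SSH-2.0-OpenSSH_9.6
2026-06-11T10:00:08Z 203.0.113.9 shell
2026-06-11T10:00:09Z 198.51.100.7 connect client_version=SSH-2.0-Go
"""
# Assumed allowlist: internal automation that legitimately uses Go's ssh library.
INTERNAL_GO_CLIENTS = {"10.0.0.5"}
# The three recon commands the article reports on the exec channel.
GPU_HUNTER_CMDS = {"uname -s -v -n -r -m", "lspci | grep VGA", "uptime -p"}
LINE_RE = re.compile(r"^(\S+) (\S+) (connect|exec|shell)(?: (.*))?$")

def analyse(log_text):
    """Count per source IP: SSH-2.0-Go connects, exec requests, shell requests, recon hits."""
    per_ip = defaultdict(lambda: {"go_connects": 0, "exec": 0, "shell": 0, "gpu_hunter": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        _ts, ip, event, detail = m.groups()
        stats = per_ip[ip]
        if event == "connect" and detail == "client_version=SSH-2.0-Go":
            stats["go_connects"] += 1
        elif event == "exec":
            stats["exec"] += 1
            if detail in GPU_HUNTER_CMDS:
                stats["gpu_hunter"] += 1
        elif event == "shell":
            stats["shell"] += 1
    return dict(per_ip)

def flagged_ips(per_ip, internal=INTERNAL_GO_CLIENTS):
    """The article's rule: SSH-2.0-Go from anything that is not a known internal client."""
    return sorted(ip for ip, s in per_ip.items() if s["go_connects"] and ip not in internal)

def exec_only_recon(per_ip, internal=INTERNAL_GO_CLIENTS):
    """Stronger signal: non-internal Go client that ran GPU-hunter commands over exec, no shell."""
    return sorted(ip for ip, s in per_ip.items()
                  if ip not in internal and s["go_connects"] and s["gpu_hunter"] and s["shell"] == 0)
```

Feed `analyse()` your own honeypot or sshd log after adapting `LINE_RE`; `flagged_ips()` gives the blocklist candidates and `exec_only_recon()` the subset showing the GPU-hunter behaviour.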

Data collected for cybersecurity research purposes. All information comes from unsolicited activity recorded on our own infrastructure.

Data source
honeypot CipherSentry · 2026-06-11 to 2026-06-13