90,596 total SSH sessions · 431 attacking IPs · 12,358 echo commands · 14% of all commands

The automated liveness test

Authenticating is easy: the attacker has dictionaries and time. What it doesn't have is certainty about what's on the other side. The session could be a real shell, a honeypot, a server that accepts connections but blocks commands, or an environment with output disabled. The scanner resolves that uncertainty before sending its real instructions, and it does so with the simplest command that exists.

# Three echo variants observed in sessions from the campaign
$ echo test
$ echo 1
$ echo -e '\x41\x42\x43'   # \x41\x42\x43 = "ABC" — capability probe, not obfuscation
# Expected output: the same text. If it comes back → working shell → next phase

The third variant is the most revealing. echo -e '\x41\x42\x43' prints "ABC", but it does so via hex escape sequences, not literal text. The purpose isn't to hide the content (ABC doesn't need hiding) but to verify that the shell interprets -e and the \xNN escapes. That's tactical information: a bash or busybox shell returns "ABC"; a shell whose builtin echo doesn't take -e (dash, the default /bin/sh on Debian-based systems) prints the option literally as "-e ABC"; a honeypot with a simplistic echo emulation may return the raw '\x41\x42\x43'. One command tells the attacker what kind of environment it's working with.

The gate that filters sessions

If the echo returns the expected text, the scanner moves to the next phase, in this campaign the GPU hunter. If there's no response or the output is unexpected, the session is discarded. This explains why a significant share of sessions ends without any further command: the echo didn't come back the way the script expected, and the automation moved on to the next target.

Echo as the first link in the chain

In the analyzed sessions, the echo always precedes the hardware reconnaissance block. The full sequence, in sessions that reached phase 2:

echo test
lspci | grep VGA
nvidia-smi -q
uname -s -v -n -r -m

The echo acts as a traffic light: green, continue; no response, discard. It's the lowest possible cost to avoid wasting the rest of the script on a useless environment. The full pattern of the GPU hunter that comes next is analyzed in detail in the previous article in this series.

Why this signature matters

The echo as a liveness check isn't exclusive to this campaign; it's a universal pattern in automated SSH tooling. Any script that needs to verify it has a working shell before continuing uses it. That makes it a more reliable behavioral signature than the source IP or the SSH client version string the scanner presents in its banner. A burned IP is replaceable in minutes; the script's behavioral protocol changes much more slowly.

What sets this campaign apart from a generic scanner is the sequence that follows. The echo only has value if what comes after is deliberate, and in this case it is: a GPU hunter targeting infrastructure with graphics accelerators. The echo is the first line of the script; the rest of the script reveals the intent.

Detection — and its limits

The echo itself isn't an alarm signal; it's a legitimate command. The signature is the context: an echo issued immediately after authentication, with no prior command in the session, is script behavior, not human behavior. A human runs ls, cd or a status command first; nobody logs in to check whether their own shell works.

Important limitation

The echo -e '\x41\x42\x43' variant is detectable on content alone because the hex escape sequences are unusual in interactive use. The simple variant, echo 1, is indistinguishable from legitimate use by content. No alerting rule on the command text catches it without massive false positives; only the position in the session (first command after login) separates it.

What does cover both variants is session behavior rather than command content. A server that delays its reply to the first command by a couple of hundred milliseconds, or returns output that differs slightly from what the script expects (an extra prompt or banner line, for instance), can make the scanner discard the target without knowing why. That passive friction only works against automation with tight timeouts and exact-match checks; a patient operator simply retries. Passive defense covers where active detection fails.
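The context rule described above (echo as the first post-authentication command, then a check for whether the hardware reconnaissance block followed) is straightforward to run over honeypot session logs. The triage script below is an added example, not code from the original article or from CipherSentry; the log format (one "session<TAB>command" line per command, in arrival order), the session records and the recon regex are constructed for the illustration. It classifies each session as a probe that reached phase 2, a probe that was discarded after the echo, or a session with no probe at all, and decodes the hex variant to confirm it is a capability probe rather than obfuscation.

```python
import re
from collections import Counter

# Constructed sample data, NOT real honeypot records: one command per line,
# "session<TAB>command", in the order the honeypot received them.
SAMPLE_LOG = """\
s1\techo test
s1\tlspci | grep VGA
s1\tnvidia-smi -q
s1\tuname -s -v -n -r -m
s2\techo -e '\\x41\\x42\\x43'
s3\techo 1
s4\tls -la
s4\techo hello
s5\tuname -a
"""

ECHO_RE = re.compile(r"^\s*echo\b")
HEX_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
# Hardware reconnaissance commands from phase 2 of the campaign (assumed set).
GPU_RECON_RE = re.compile(r"^\s*(lspci\b|nvidia-smi\b|uname\b)")


def parse_sessions(log_text):
    """Group commands by session id, preserving arrival order."""
    sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sid, cmd = line.split("\t", 1)
        sessions.setdefault(sid, []).append(cmd)
    return sessions


def decode_hex_escapes(arg):
    """Resolve \\xNN sequences the way `echo -e` would: '\\x41\\x42\\x43' -> 'ABC'."""
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), arg.strip("'\""))


def classify_echo(cmd):
    """Return 'hex_probe', 'plain_probe' or None for a single command."""
    if not ECHO_RE.match(cmd):
        return None
    if HEX_ESCAPE_RE.search(cmd):
        return "hex_probe"
    return "plain_probe"


def analyze_session(commands):
    """Context rule: echo as the very first post-auth command is script behaviour.

    An echo appearing later in the session (after ls, cd, ...) is not flagged.
    """
    variant = classify_echo(commands[0])
    if variant is None:
        return {"verdict": "no_probe", "variant": None, "phase2": False}
    # Did the scanner consider the echo reply acceptable and send phase 2?
    phase2 = any(GPU_RECON_RE.match(c) for c in commands[1:])
    return {
        "verdict": "probe_then_recon" if phase2 else "probe_only",
        "variant": variant,
        "phase2": phase2,
    }


def analyze_log(log_text):
    """Per-session verdicts plus a count of how many sessions fell at the gate."""
    sessions = parse_sessions(log_text)
    results = {sid: analyze_session(cmds) for sid, cmds in sessions.items()}
    summary = Counter(r["verdict"] for r in results.values())
    return results, summary


if __name__ == "__main__":
    results, summary = analyze_log(SAMPLE_LOG)
    for sid, r in results.items():
        print(sid, r)
    print(dict(summary))
```

The "probe_only" bucket is the one the article describes as sessions that end without any further command: the scanner asked its question and did not like the answer. Note that this is triage over recorded sessions, not a real-time alert rule; the plain variant still cannot be alerted on by content, only positioned in context after the fact.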

The echo has no secrets. It exfiltrates no data, installs nothing, opens no ports. It's just a question: is anyone there? The answer it gets determines whether your server is going to receive the rest of the attack. The signal is worth its weight in gold precisely because it's so cheap to send: if the attacker bothers to ask the question, it's because what comes next matters.

Data collected for cybersecurity research purposes. All information comes from unsolicited activity recorded on our own infrastructure.

About the author
Pablo Cortés
Head of Research · CipherSentry. Analyzes real attack patterns captured by the SSH honeypot. Specialized in coordinated campaigns, persistence TTPs and malware classification.
Data source
CipherSentry SSH honeypot · 2026-06-26 to 2026-06-28