Key figures
18,276 GPU hunter sessions · 10,915 attempts with "sol" · 2,555 /bin/./uname evasions · 3 payload URLs

The anatomy of the GPU hunter

Before installing any miner, the attacker needs to know whether the investment is worthwhile. A server without a GPU mines Monero at a fraction of the hashrate of one with a GPU. The first objective, therefore, is hardware reconnaissance — and doing it without raising alerts.

The sequence we observed in 18,276 sessions is identical across all of them — the signature of an automated script:

# Phase 1: is there a PCI GPU attached?
$ lspci | grep VGA | cut -f5- -d ' '
$ lspci | grep VGA -c
$ lspci | grep "3D controller" | cut -f5- -d ' '
# Phase 2: is it NVIDIA? how much VRAM?
$ nvidia-smi -q | grep "Product Name" | head -n 1 | awk '{print $4, $5, $6, $7, $8}'
# Phase 3: OS fingerprint (with evasion)
$ /bin/./uname -s -v -n -r -m
$ uptime -p
$ nproc

Evasion technique: path obfuscation of uname

The use of /bin/./uname instead of uname is a technical detail with a clear purpose. The dot (.) in the middle of an absolute path is a path component that refers to the current directory, so the kernel resolves /bin/./uname to /bin/uname during path lookup. The result is exactly the same as running uname.

The value to the attacker lies in the string signature: a detection rule that matches the exact command name or path (uname, /bin/uname) in command logs can miss /bin/./uname if it does not normalize paths before comparing.

Observed frequency

2,555 executions of /bin/./uname versus 33,548 of uname directly. The technique is used in specific sessions — it is not universal across the campaign, which suggests different tools or different configurations of the same scanner.

The link to crypto credentials

The GPU hunter campaign and the Solana-oriented credential dictionary are not a coincidence. Solana node operators frequently use servers with GPUs to accelerate validation operations. A compromised server belonging to a Solana validator offers double value:

The payload attempt

On six occasions during the observation period, the sessions attempted to download an external script, spread across three distinct destinations. None managed to execute:

Captured payload URLs

Defanged URLs (hxxp). Forensic artifacts — do not access or reconstruct.

hxxp://151.242.[REDACTED].40/loader.sh — direct IP with no DNS resolution. 684 bytes captured in the honeypot's isolated environment; execution was blocked.

hxxp://197.255.[REDACTED].88:1987/favico.ico — a high port and a decoy name (a fake favicon). Exactly 684 bytes, the same size as the previous one: the same payload served from a second host.

hxxp://31.172.[REDACTED].45/mot — 2 attempts, 0 bytes received. The download failed or was blocked at the source.

How to detect GPU hunters in your infrastructure

The detection signals are clear and inexpensive to implement:
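The two observations above, the path normalization needed to catch /bin/./uname and the fixed recon sequence that marks a GPU-hunter session, can be turned into one piece of detection logic. The following Python is an added example, not code from the original article or the CipherSentry honeypot; the tab-separated session/command log format and the log lines themselves are constructed.

```python
# Added example (not from the original article): normalize command paths before
# signature matching, then score honeypot sessions for the GPU-hunter recon sequence.
import posixpath
import shlex
from collections import defaultdict

# Constructed sample log in an assumed "session<TAB>command" format; only s1
# runs the full GPU-hunter sequence, s3 only obfuscates the uname path.
SAMPLE_LOG = """\
s1\tlspci | grep VGA -c
s1\tnvidia-smi -q | grep "Product Name" | head -n 1
s1\t/bin/./uname -s -v -n -r -m
s1\tnproc
s2\tcat /etc/passwd
s3\t/usr/bin//uname -a
"""

# Each signature is a set of tokens that must all appear in the normalized command.
RECON_SIGNATURES = {
    "gpu_pci_probe": {"lspci", "VGA"},
    "nvidia_probe": {"nvidia-smi"},
    "os_fingerprint": {"uname"},
    "cpu_count": {"nproc"},
}

def normalize_command(cmd: str) -> list[str]:
    """Tokenize, collapse '.', '..' and '//' in path-like tokens and keep only the
    basename, so /bin/./uname, /usr/bin//uname and uname all become 'uname'."""
    return [posixpath.basename(posixpath.normpath(t)) if "/" in t else t
            for t in shlex.split(cmd, posix=True)]

def has_path_obfuscation(cmd: str) -> bool:
    """True when any path token changes under normalization (the /bin/./uname signal)."""
    return any("/" in t and posixpath.normpath(t) != t
               for t in shlex.split(cmd, posix=True))

def matched_signatures(cmd: str) -> set[str]:
    tokens = set(normalize_command(cmd))
    return {name for name, needles in RECON_SIGNATURES.items() if needles <= tokens}

def analyse_log(log: str) -> dict[str, dict]:
    """Aggregate per session: flag a GPU hunter when a GPU probe and an OS
    fingerprint both occur, and count commands that use obfuscated paths."""
    sessions = defaultdict(lambda: {"signatures": set(), "obfuscated_paths": 0})
    for line in log.splitlines():
        sid, cmd = line.split("\t", 1)
        sessions[sid]["signatures"] |= matched_signatures(cmd)
        sessions[sid]["obfuscated_paths"] += has_path_obfuscation(cmd)
    for rec in sessions.values():
        sigs = rec["signatures"]
        rec["gpu_hunter"] = bool(sigs & {"gpu_pci_probe", "nvidia_probe"}) and "os_fingerprint" in sigs
    return dict(sessions)
```

On the constructed log, s1 is flagged as a GPU hunter with one obfuscated path, s2 matches nothing, and s3 shows the uname evasion without the GPU probes that define the campaign.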

Data collected for cybersecurity research purposes. All information comes from unsolicited activity recorded on our own infrastructure.

Data source
CipherSentry SSH honeypot · 2026-06-26 to 2026-06-28