Tracking a credential scanner

The Alert

At 10:23 on June 5th, ElastAlert fired a Pushover notification:

MISP Hit: Known Threat Actor
IP: 130.12.180.51 | Canada
Feed: Maltrail IOC for 2026-06-01 | Level: Medium

What followed was a two-day investigation that started with a medium-severity feed match on a Canadian IP and ended with confirmed cryptominer deployment, SSH key persistence, and a second infrastructure node that the feed had never seen.

This is a writeup of that hunt, in two parts.

Part I: The Credential Validator (130.12.180.51)

What is HASSH?

HASSH is a network fingerprinting method for SSH clients, analogous to JA3 for TLS. During the SSH key exchange, the client advertises its supported algorithms, KEX algorithms, encryption ciphers, MACs, compression methods, in a specific order that reflects the library and version used to build the client. HASSH takes that ordered list and produces an MD5 hash.

The result is a stable, tool-specific identifier that persists across IP changes, VPN rotations, and infrastructure churn. The same tool running from a different exit node produces the same HASSH. Cowrie captures the full client.kex event and our Logstash pipeline indexes it under ssh.client.

The Evidence

Pulling the session history for 130.12.180.51 reveals a clean, repetitive pattern across 13 sessions spanning 98 days:

No commands. No file transfers. No post-login activity. The session opens, authenticates, and terminates within half a second. Every time.

This is a credential validator, not an intrusion attempt, but a verification pass. The tool logs working credentials and moves on. The wordlist rotation after three months (root/P → admin/admin) confirms active maintenance of the scanning campaign.

HASSH as a Pivot

The HASSH fingerprint for this IP is 5f904648ee8964bef0e8834012e26003.

This is the default profile of a modern OpenSSH client, not a purpose-built scanner. Standard OpenSSH, scripted automation.

Querying the HASSH across all indexed sessions:

213.209.159.158 was not in any feed. Two sessions, both recent. Same HASSH, same tool, different address. The fingerprint gave us attribution the IP feed missed entirely.

Both IPs were added to MISP, cross-referenced to Event 2058.

Part II: The Attack (213.209.159.158)

The second IP didn’t stay in credential validation mode for long.

The Session

On June 5th at 19:10 UTC, 213.209.159.158 returned — this time with a different intent. The session lasted 43 seconds and contained the complete redtail deployment chain.

Phase 1: Credential access

The credential root/ts3server worked. The honeypot logged two login.success events in rapid succession, the first a validation pass, the second the actual intrusion session.

Phase 2: Command execution

chmod +x setup.sh; sh setup.sh; rm -rf setup.sh;
mkdir -p ~/.ssh;
chattr -ia ~/.ssh/authorized_keys;
echo "ssh-rsa AAAAB3NzaC1yc2E[...]" > ~/.ssh/authorized_keys;
chattr +ai ~/.ssh/authorized_keys;
uname -a

Three things happening simultaneously: deploying the malware, establishing SSH key persistence, and checking the system architecture. The chattr +ai on authorized_keys is particularly deliberate — it sets the immutable flag, preventing the key from being removed even by root without first running chattr -i.

Phase 3: File upload

Five files uploaded via SFTP in under a second:

Malware Analysis

setup.sh — the dropper

The dropper detects system architecture, finds a writable non-noexec directory, copies the appropriate redtail.$ARCH binary to a hidden file with a randomly generated name, executes it with the ssh argument, then removes all redtail.* files to cover tracks.

clean.sh — the competition remover

VirusTotal’s AI analysis is direct: the script disables and stops c3pool_miner, removes crontab entries containing download commands or reverse shells, and wipes /tmp, /var/tmp, and /dev/shm. This is standard practice in cryptominer campaigns, eliminate competing miners before deploying your own. The VT name history shows this script has been uploaded to honeypots across the world daily since at least February 2026.

redtail.arm7 — the miner

ELF32 ARM binary, UPX-packed, 1.3MB. 36/75 detections on VT. Kaspersky calls it not-a-virus:HEUR:RiskTool.Linux.BitCoinMiner.n, Rising identifies it as HackTool.XMRMiner. The VT name history shows it being uploaded from cowrie honeypots globally since January 2026 under consistent timestamps: 20260605-203421_sftp__root_redtail_arm7. This naming pattern is generated by cowrie itself, meaning this campaign has been hitting honeypots continuously for months.

Infrastructure Assessment

Both nodes share HASSH 5f904648ee8964bef0e8834012e26003. The operational pattern suggests a two-phase campaign: Phase 1 uses the Canadian node to validate credentials across a large target pool. Phase 2 uses the German node (Alexhost, known bulletproof hoster) for actual deployment against validated targets.

The credential root/ts3server is specific, not a generic default. It suggests the target pool was pre-filtered for systems running TeamSpeak 3 server installations, which commonly run as root with default credentials.

Conclusions

What started as a Medium-severity MISP alert on a single IP became a full picture of an active cryptominer campaign:

• A credential validation infrastructure operating since at least February 2026
• A deployment node on bulletproof hosting that the feed had missed entirely
• A complete malware package (dropper, miner binaries for 4 architectures, competition cleaner)
• SSH key persistence designed to survive credential rotation
• Evidence of global honeypot hits going back months in VT submission history

The HASSH pivot was the key move. Without it, 213.209.159.158 stays invisible, no feed match, no alert, no investigation. The tool fingerprint connected two infrastructure nodes that IP intelligence had treated as unrelated.

The redtail campaign is not sophisticated. The tooling is commodity, the credentials are weak, the infrastructure is rented. But it is persistent, actively maintained, and targeting a specific software stack. For any operator running internet-facing Linux systems with default credentials, this campaign is scanning for you right now.

Indicators of Compromise