{"id":3132,"date":"2026-05-15T07:04:38","date_gmt":"2026-05-15T07:04:38","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/"},"modified":"2026-05-15T07:04:38","modified_gmt":"2026-05-15T07:04:38","slug":"guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/","title":{"rendered":"[Guest Diary]  New Malware Libraries means New Signatures, (Fri, May 15th)"},"content":{"rendered":"<div><meta charset=\"UTF-8\"><meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\"><br \/>\n<title><\/title><\/p>\n<style type=\"text\/css\">:root {\n    --isc-maroon: #7a1f1f;\n    --isc-maroon-dark: #5e1717;\n    --isc-link: #0066cc;\n    --isc-text: #1a1a1a;\n    --isc-muted: #555;\n    --isc-rule: #d0d0d0;\n    --isc-code-bg: #f4f4f4;\n    --isc-code-text: #c0392b;\n    --isc-block-bg: #1e1e1e;\n    --isc-block-text: #e6e6e6;\n    --isc-callout-bg: #fafafa;\n    --isc-table-header: #ececec;\n  }<\/p>\n<p>  * { box-sizing: border-box; }<\/p>\n<p>  html, body {\n    margin: 0;\n    padding: 0;\n    background: #ffffff;\n    color: var(--isc-text);\n    font-family: \"Open Sans\", \"Source Sans Pro\", -apple-system, BlinkMacSystemFont, \"Segoe UI\", Roboto, Helvetica, Arial, sans-serif;\n    font-size: 15px;\n    line-height: 1.6;\n  }<\/p>\n<p>  .isc-header {\n    background: var(--isc-maroon);\n    color: #ffffff;\n    padding: 14px 24px;\n    border-bottom: 4px solid var(--isc-maroon-dark);\n  }\n  .isc-header .brand {\n    font-family: Arial, Helvetica, sans-serif;\n    font-size: 22px;\n    font-weight: bold;\n    letter-spacing: 0.3px;\n  }\n  .isc-header .brand a { color: #ffffff; text-decoration: none; }\n  .isc-header .tagline {\n    font-family: Arial, Helvetica, sans-serif;\n    font-size: 12px;\n    
color: #f3d6d6;\n    margin-top: 2px;\n  }<\/p>\n<p>  main {\n    max-width: 920px;\n    margin: 0 auto;\n    padding: 28px 32px 48px;\n  }<\/p>\n<p>  h1.diary-title {\n    font-family: Arial, Helvetica, sans-serif;\n    font-size: 26px;\n    line-height: 1.25;\n    color: var(--isc-maroon);\n    margin: 8px 0 10px 0;\n    border-bottom: 1px solid var(--isc-rule);\n    padding-bottom: 12px;\n  }<\/p>\n<p>  .meta {\n    font-family: Arial, Helvetica, sans-serif;\n    font-size: 13px;\n    color: var(--isc-muted);\n    margin-bottom: 24px;\n  }\n  .meta strong { color: var(--isc-text); }\n  .meta a { color: var(--isc-link); text-decoration: none; }\n  .meta a:hover { text-decoration: underline; }<\/p>\n<p>  h2 {\n    font-family: Arial, Helvetica, sans-serif;\n    font-size: 19px;\n    color: var(--isc-maroon);\n    margin-top: 32px;\n    margin-bottom: 10px;\n    padding-bottom: 4px;\n    border-bottom: 1px solid var(--isc-rule);\n  }<\/p>\n<p>  h3 {\n    font-family: Arial, Helvetica, sans-serif;\n    font-size: 16px;\n    color: var(--isc-text);\n    margin-top: 22px;\n    margin-bottom: 8px;\n  }<\/p>\n<p>  p { margin: 10px 0; }<\/p>\n<p>  a { color: var(--isc-link); }\n  a:hover { text-decoration: underline; }<\/p>\n<p>  code, .inline-code {\n    font-family: \"SFMono-Regular\", Consolas, \"Liberation Mono\", Menlo, Courier, monospace;\n    font-size: 13px;\n    background: var(--isc-code-bg);\n    color: var(--isc-code-text);\n    padding: 1px 5px;\n    border-radius: 3px;\n    word-break: break-all;\n  }<\/p>\n<p>  .callout {\n    background: var(--isc-callout-bg);\n    border-left: 3px solid var(--isc-maroon);\n    padding: 10px 16px;\n    margin: 14px 0;\n    font-family: \"SFMono-Regular\", Consolas, \"Liberation Mono\", Menlo, Courier, monospace;\n    font-size: 13px;\n    color: var(--isc-text);\n  }<\/p>\n<p>  figure {\n    margin: 22px 0;\n    text-align: center;\n  }\n  figure img {\n    max-width: 100%;\n    height: auto;\n    border: 1px solid 
#cccccc;\n    display: block;\n    margin: 0 auto;\n  }\n  figcaption {\n    font-family: Arial, Helvetica, sans-serif;\n    font-size: 13px;\n    color: var(--isc-muted);\n    margin-top: 8px;\n    font-style: italic;\n  }\n  figcaption strong { color: var(--isc-text); font-style: normal; }<\/p>\n<p>  table.diary-table {\n    border-collapse: collapse;\n    width: 100%;\n    margin: 16px 0;\n    font-family: Arial, Helvetica, sans-serif;\n    font-size: 13.5px;\n  }\n  table.diary-table th,\n  table.diary-table td {\n    border: 1px solid #b8b8b8;\n    padding: 8px 12px;\n    text-align: left;\n    vertical-align: top;\n  }\n  table.diary-table th {\n    background: var(--isc-table-header);\n    font-weight: bold;\n  }\n  table.diary-table code {\n    font-size: 12.5px;\n  }<\/p>\n<p>  ul.ioc-list {\n    list-style: disc;\n    padding-left: 28px;\n    margin: 12px 0;\n  }\n  ul.ioc-list li { margin: 6px 0; }<\/p>\n<p>  ol.references {\n    padding-left: 28px;\n    font-family: Arial, Helvetica, sans-serif;\n    font-size: 13.5px;\n    line-height: 1.55;\n  }\n  ol.references li {\n    margin: 6px 0;\n    word-break: break-word;\n  }\n  ol.references a { color: var(--isc-link); }<\/p>\n<p>  table.appendix-ip-table {\n    border-collapse: collapse;\n    margin: 14px 0;\n    font-family: \"SFMono-Regular\", Consolas, \"Liberation Mono\", Menlo, Courier, monospace;\n    font-size: 13px;\n  }\n  table.appendix-ip-table td {\n    border: 1px solid #b8b8b8;\n    padding: 8px 14px;\n    text-align: center;\n    background: #fcfcfc;\n  }<\/p>\n<p>  .byline-banner {\n    background: var(--isc-callout-bg);\n    border: 1px solid var(--isc-rule);\n    border-left: 3px solid var(--isc-maroon);\n    padding: 10px 14px;\n    margin: 6px 0 22px 0;\n    font-family: Arial, Helvetica, sans-serif;\n    font-size: 13.5px;\n    font-style: italic;\n    color: var(--isc-text);\n  }<\/p>\n<p>  .isc-footer {\n    border-top: 1px solid var(--isc-rule);\n    margin-top: 40px;\n    
padding-top: 14px;\n    font-family: Arial, Helvetica, sans-serif;\n    font-size: 12px;\n    color: var(--isc-muted);\n    text-align: center;\n  }<\/p>\n<p>  @media (max-width: 640px) {\n    main { padding: 20px 16px 40px; }\n    h1.diary-title { font-size: 22px; }\n    table.appendix-ip-table td { padding: 6px 8px; font-size: 12px; }\n  }\n<\/style>\n<p><main><\/p>\n<div class=\"meta\">This is a Guest Diary by Gokul Prema Thangavel, an ISC intern as part of the SANS.edu Bachelor Degree Program.<\/div>\n<h2>Introduction<\/h2>\n<p>The SHA-256 <code>a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2<\/code> is one of the most-observed Outlaw \/ Shellbot artifacts on the public internet. <strong>VirusTotal<\/strong> first ingested it on 5 July 2018 [2]. It is the SHA-256 of the <code>authorized_keys<\/code> file written by the campaign whose persistence comment string is <strong>mdrfckr<\/strong>, a campaign documented in handler diaries, vendor reports, and independent honeypot research for nearly seven years.<\/p>\n<p>This diary <strong>does not announce<\/strong> a new campaign. The file hash, the public key, the <code>mdrfckr<\/code> comment string, the <code>chattr -ia .ssh<\/code> defensive disarm, the <code>chpasswd<\/code> account hijack, and the <code>\/tmp\/secure.sh<\/code> competitor cleanup are all well-described in prior reporting [3][4][5][6][7]. What this diary does add is one new data point in an existing lineage: between 14 and 21 April 2026, my DShield sensor [8] observed the <code>mdrfckr<\/code> campaign using a <strong>third libssh client version<\/strong> that has not, to my knowledge, been published as part of this campaign\u2019s hassh chronology. The botnet\u2019s <code>authorized_keys<\/code> file is unchanged across four years. Its SSH client library is on its third documented major version. 
Detection rules pinned to the older hasshes will miss the current generation.<\/p>\n<p>The point of this diary is to put the prior reports side by side with my April 2026 observation, document the new hassh, and offer detection-engineering guidance for handlers maintaining <code>mdrfckr<\/code>-aware rules.<\/p>\n<h2>What is already known<\/h2>\n<p>I want to be careful to credit the prior work this diary builds on, because the new contribution is small relative to it.<\/p>\n<p>The <code>mdrfckr<\/code> persistence key was first associated with the Outlaw \/ Dota family by <strong>Trend Micro<\/strong> in 2018 [3], with subsequent updates in 2019 and follow-up reporting from <strong>Anomali<\/strong>, <strong>Yoroi<\/strong> [9], <strong>Juniper<\/strong> [10], <strong>CounterCraft<\/strong> [11], <strong>Cybereason<\/strong>, and <strong>Kaspersky<\/strong>. The recon command sequence and the competitor-cleanup playbook are described across that body of work. None of the file or behaviour signatures discussed in this diary are novel.<\/p>\n<p>In late 2022 and early 2023, the <code>port22.dk<\/code> blog [4][7] published a two-part deep dive on the campaign. Part one (data from October\u2013November 2022) observed 12,913 unique IPs writing the <code>mdrfckr<\/code> key from a network of 10 honeypots. Crucially, the post introduced hassh-based clustering as a defender\u2019s tool: 99.1% of the observed <code>mdrfckr<\/code>-key writes shared the hassh <code>51cba57125523ce4b9db67714a90bf6e<\/code>, which corresponds to the SSH client banner <code>SSH-2.0-libssh-0.6.0<\/code> \/ <code>SSH-2.0-libssh-0.6.3<\/code>. Part two (data from December 2022 onward) documented the campaign migrating to a second hassh <code>f555226df1963d1d3c09daf865abdc9a<\/code>, corresponding to <code>SSH-2.0-libssh_0.9.5<\/code> \/ <code>SSH-2.0-libssh_0.9.6<\/code>, with ~30,000 unique IPs across the new fingerprint and a 94.5% confidence link. 
Part two also documented two new related command variants: <code>chattr -ia .ssh; lockr -ia .ssh<\/code> as a separate command, and <code>lockr -ia .ssh<\/code> run on its own, executed alongside the original key-write command.<\/p>\n<p>In May 2023, a SANS ISC diary by Jesse La Grew [5] presented two example sessions writing the same SHA-256, captured via a cowrie-log enrichment script. One session originated from a DigitalOcean datacentre IP; the other from a VPN-fronted Tencent IP. Both sessions executed the post-December-2022 split-command variant.<\/p>\n<p>In May \/ June 2023, Guy Bruneau\u2019s monthly DShield diary [6] noted the same key-write playbook in honeypot data and attributed it explicitly to the Outlaw group via the original Trend Micro reporting.<\/p>\n<p>That is the public chronology this observation extends.<\/p>\n<h2>What the April 2026 sensor saw<\/h2>\n<p>Between <strong>2026-04-14 01:23:41 UTC<\/strong> and <strong>2026-04-21 02:22:56 UTC<\/strong>, my DShield sensor logged 24 unique source IPs writing the SHA-256 <code>a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2<\/code> to <code>\/root\/.ssh\/authorized_keys<\/code> (and to other compromised account paths). The cluster wrote <strong>229<\/strong> <code>authorized_keys<\/code> modifications across <strong>1,230 SSH sessions<\/strong> and executed <strong>4,133 post-authentication commands<\/strong>.<\/p>\n<p>The peak burst occurred on <strong>19 April 2026<\/strong>: 20 of the 24 IPs first connected to the sensor between <strong>06:05:19 UTC<\/strong> and <strong>06:07:30 UTC<\/strong>, a 131-second window. 
The remaining four IPs appeared on neighbouring days but executed the same playbook with the same key.<\/p>\n<p>The defensive-disarm and key-write command observed across every successful session is the post-December-2022 split variant documented by port22 part two:<\/p>\n<figure><figcaption>\n<p><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/figure1_cowrie_session.png\" style=\"width: 936px; height: 767px;\"><\/p>\n<p>\u00a0<\/p>\n<p><strong>Figure 1:<\/strong> Cowrie session capture of one cluster IP executing the post-December-2022 split variant (defensive disarm, key write, recon).<\/p>\n<\/figcaption><\/figure>\n<div class=\"callout\">The recon, password-change, and competitor-cleanup commands match the prior published playbook exactly.<\/div>\n<p>The new data point is the SSH client.<\/p>\n<h2>The new hassh: libssh 0.11.x<\/h2>\n<p>Every one of the 24 IPs in the April 2026 cluster advertised the SSH client banner <code>SSH-2.0-libssh_0.11.1<\/code> and produced the hassh fingerprint <code>03a80b21afa810682a776a7d42e5e6fb<\/code>.<\/p>\n<figure><figcaption>\n<p><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/figure2_hassh_per_ip.png\" style=\"width: 706px; height: 699px;\"><\/p>\n<p><strong>Figure 2:<\/strong> Per-IP hassh fingerprint listing &#8211; all 24 cluster IPs share <code>03a80b21afa810682a776a7d42e5e6fb<\/code>.<\/p>\n<\/figcaption><\/figure>\n<figure><figcaption>\n<p><img decoding=\"async\" alt=\"\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/figure3_client_version_per_ip.png\" style=\"width: 806px; height: 767px;\"><\/p>\n<p><strong>Figure 3:<\/strong> Per-IP SSH client banner listing &#8211; <code>SSH-2.0-libssh_0.11.1<\/code> across the cluster.<\/p>\n<\/figcaption><\/figure>\n<p>This hassh does not match the hasshes documented in port22 parts one and two, nor in the May 2023 ISC diary.<\/p>\n<table class=\"diary-table\">\n<thead>\n<tr>\n<th>Reporting 
period<\/th>\n<th>Hassh fingerprint<\/th>\n<th>Client banner<\/th>\n<th>Source<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Oct\u2013Nov 2022<\/td>\n<td><code>51cba57125523ce4b9db67714a90bf6e<\/code><\/td>\n<td><code>libssh-0.6.0<\/code> \/ <code>libssh-0.6.3<\/code><\/td>\n<td>port22 part one [4]<\/td>\n<\/tr>\n<tr>\n<td>Dec 2022 \u2192 2023<\/td>\n<td><code>f555226df1963d1d3c09daf865abdc9a<\/code><\/td>\n<td><code>libssh_0.9.5<\/code> \/ <code>libssh_0.9.6<\/code><\/td>\n<td>port22 part two [7]<\/td>\n<\/tr>\n<tr>\n<td><strong>Apr 2026<\/strong><\/td>\n<td><strong><code>03a80b21afa810682a776a7d42e5e6fb<\/code><\/strong><\/td>\n<td><strong><code>libssh_0.11.1<\/code><\/strong><\/td>\n<td><strong>This sensor<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>A hassh is a hash of the SSH client\u2019s advertised cipher, MAC, key-exchange, and compression algorithm lists [12]. Different libssh major versions ship with different default algorithm preferences, so each new libssh version a campaign adopts produces a new hassh. The 2026 hassh <code>03a80b21afa810682a776a7d42e5e6fb<\/code> is the third documented entry in this campaign\u2019s libssh version walk, separated from port22\u2019s last published value by approximately three years and one major libssh version (0.9 \u2192 0.10 \u2192 0.11).<\/p>\n<p>I do not have a baseline of how prevalent this hassh is across the full DShield sensor population &#8211; that is the question I would most like other handlers and DShield operators to help answer. On my single sensor, this hassh accounted for <strong>3,473 SSH log lines<\/strong> across the eight-day window, making it the most active SSH attacker-tooling fingerprint observed during the period.<\/p>\n<h2>The 24-IP burst: small confirmation of an existing observation<\/h2>\n<p>Twenty of the 24 cluster IPs first connected within a 131-second window. 
This is consistent with the coordination behaviour documented at much larger scale by port22, and does not represent a new claim. I mention it only for completeness, and because it has one practical implication for detection: per-source-IP rate limits (fail2ban, sshguard) will not trigger on this pattern because each IP performs only ~10 login attempts. Detection rules useful against this campaign should aggregate by <em>target account<\/em> rather than by source IP &#8211; ten distinct IPs attempting <code>steam:Steam29!<\/code> against the same host within five minutes is a stronger signature than any individual IP\u2019s behaviour.<\/p>\n<p>The cluster IPs and the credential dictionary are listed in the indicators section. None of the credential pairs are new: <code>steam:Steam29!<\/code>, <code>postgres:q1<\/code>, <code>dev:dev5<\/code>, <code>sammy:sammy26<\/code>, <code>root:AAAaaa111<\/code>, <code>root:root000@<\/code>, <code>sysadmin:test123<\/code>, <code>test1:passwd<\/code>, <code>tester:testerpass<\/code>, <code>sammy:12345<\/code>. This is the existing Outlaw target list.<\/p>\n<h2>Why this matters for defenders<\/h2>\n<p>The detection-engineering implication of the libssh version walk is straightforward: hassh-based detection rules written in 2022 or 2023 against <code>51cba57125523ce4b9db67714a90bf6e<\/code> or <code>f555226df1963d1d3c09daf865abdc9a<\/code> will silently miss the 2026 generation of the same campaign. 
The SHA-256 of the <code>authorized_keys<\/code> file remains the most reliable single indicator (it has not changed in four years), but operators relying on hassh enrichment as a leading indicator &#8211; for example, alerting on hassh values <em>before<\/em> a successful authentication occurs &#8211; should add <code>03a80b21afa810682a776a7d42e5e6fb<\/code> to their watch lists.<\/p>\n<p>More broadly, the four-year libssh version walk suggests the campaign operator (or operators &#8211; the persistence model has always been consistent with shared infrastructure rather than self-propagation in the strict sense) keeps the targeting infrastructure stable while letting the underlying client library age forward. A defender writing a detection rule against this campaign should expect the hassh to change again on a roughly multi-year cadence as libssh ships new defaults, and should pin alerting to the SHA-256, the public key blob, the <code>mdrfckr<\/code> comment string, and the recon command sequence &#8211; none of which have changed since 2018 &#8211; rather than to any single hassh value.<\/p>\n<h2>What I am <em>not<\/em> claiming<\/h2>\n<p>The 24-IP April 2026 cluster is much smaller than the populations port22 worked with. I cannot meaningfully extend port22\u2019s hassh-confidence statistics from one sensor\u2019s eight-day window. 
The 99.1% \/ 94.5% figures published in 2022 and 2023 should not be extrapolated to the 2026 hassh from this data alone &#8211; that calculation requires a multi-sensor population study, which is exactly the kind of analysis ISC handlers and the DShield operator community are positioned to do better than any of my sensors.<\/p>\n<h2>Indicators<\/h2>\n<ul class=\"ioc-list\">\n<li><strong><code>authorized_keys<\/code> SHA-256 (unchanged since 2018):<\/strong> <code>a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2<\/code><\/li>\n<li><strong>Public key comment string:<\/strong> <code>mdrfckr<\/code><\/li>\n<li><strong>April 2026 hassh:<\/strong> <code>03a80b21afa810682a776a7d42e5e6fb<\/code><\/li>\n<li><strong>April 2026 SSH client banner:<\/strong> <code>SSH-2.0-libssh_0.11.1<\/code><\/li>\n<li><strong>Burst window:<\/strong> 19 April 2026, 06:05:19 \u2192 06:07:30 UTC<\/li>\n<li><strong>Credential dictionary:<\/strong> <code>steam:Steam29!<\/code>, <code>postgres:q1<\/code>, <code>dev:dev5<\/code>, <code>sammy:sammy26<\/code>, <code>root:AAAaaa111<\/code>, <code>root:root000@<\/code>, <code>sysadmin:test123<\/code>, <code>test1:passwd<\/code>, <code>tester:testerpass<\/code>, <code>sammy:12345<\/code><\/li>\n<li><strong>24 source IPs from the April 2026 cluster (Appendix A)<\/strong><\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>The <code>mdrfckr<\/code> campaign is older than many of the SSH honeypots currently watching it. Its <code>authorized_keys<\/code> file is approaching its <strong>eighth anniversary<\/strong> on VirusTotal and has not been rotated. Its target dictionary, recon sequence, and competitor-cleanup playbook have all remained stable across the four years that public researchers have been tracking the libssh version walk. 
What changes is the client.<\/p>\n<p>The April 2026 hassh <code>03a80b21afa810682a776a7d42e5e6fb<\/code> joins <code>51cba57125523ce4b9db67714a90bf6e<\/code> and <code>f555226df1963d1d3c09daf865abdc9a<\/code> as the third documented entry in this campaign\u2019s lineage. Detection rules pinned to either earlier hassh will miss it. I would be very interested to hear from any other DShield operator or ISC handler who has independently observed the 0.11.x hassh writing the SHA-256 above &#8211; particularly with population data that would let the community update the hassh-to-<code>mdrfckr<\/code> confidence figures published by port22 in 2022 and 2023.<\/p>\n<h2>Acknowledgments<\/h2>\n<p>Drafting assistance from Claude (Anthropic) [13]. All log review, the hassh and SHA-256 verification, the credential and IP enumeration, and the comparison against prior reporting were done from the sensor\u2019s own logs and the cited public sources.<\/p>\n<h2>References<\/h2>\n<div class=\"references\">\n<p>[1] <a href=\"https:\/\/www.sans.edu\/cyber-security-programs\/bachelors-degree\/\">https:\/\/www.sans.edu\/cyber-security-programs\/bachelors-degree\/<\/a><\/p>\n<p>[2] <a href=\"https:\/\/www.virustotal.com\/gui\/file\/a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2\/details\">https:\/\/www.virustotal.com\/gui\/file\/a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2\/details<\/a><\/p>\n<p>[3] <strong>Trend Micro<\/strong>, <a href=\"https:\/\/www.trendmicro.com\/en\/research\/20\/b\/outlaw-updates-kit-to-kill-older-miner-versions-targets-more-systems.html\">https:\/\/www.trendmicro.com\/en\/research\/20\/b\/outlaw-updates-kit-to-kill-older-miner-versions-targets-more-systems.html<\/a><\/p>\n<p>[4] <strong>port22.dk<\/strong>, \u201cmdrfckrs \u2013 part one,\u201d March 2023. 
<a href=\"https:\/\/blog.port22.dk\/mdrfckrs-part-one\/\">https:\/\/blog.port22.dk\/mdrfckrs-part-one\/<\/a><\/p>\n<p>[5] <strong>Jesse La Grew<\/strong>, \u201cMore Data Enrichment for Cowrie Logs,\u201d SANS Internet Storm Center, 24 May 2023. <a href=\"https:\/\/isc.sans.edu\/diary\/29878\">https:\/\/isc.sans.edu\/diary\/29878<\/a><\/p>\n<p>[6] <strong>Guy Bruneau<\/strong>, \u201cDShield Honeypot Activity for May 2023,\u201d SANS Internet Storm Center, 11 June 2023. <a href=\"https:\/\/isc.sans.edu\/diary\/29932\">https:\/\/isc.sans.edu\/diary\/29932<\/a><\/p>\n<p>[7] <strong>port22.dk<\/strong>, \u201cmdrfckrs \u2013 part two,\u201d July 2023. <a href=\"https:\/\/blog.port22.dk\/mdrfckrs-part-two\/\">https:\/\/blog.port22.dk\/mdrfckrs-part-two\/<\/a><\/p>\n<p>[8] <a href=\"https:\/\/isc.sans.edu\/honeypot.html\">https:\/\/isc.sans.edu\/honeypot.html<\/a><\/p>\n<p>[9] <strong>Yoroi<\/strong>, \u201cOutlaw is Back: A New Crypto-Botnet Targets European Organizations.\u201d <a href=\"https:\/\/yoroi.company\/research\/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations\/\">https:\/\/yoroi.company\/research\/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations\/<\/a><\/p>\n<p>[10] <strong>Juniper Threat Research<\/strong>, \u201cDota3: Is your Internet of Things device moonlighting?\u201d <a href=\"https:\/\/blogs.juniper.net\/en-us\/threat-research\/dota3-is-your-internet-of-things-device-moonlighting\">https:\/\/blogs.juniper.net\/en-us\/threat-research\/dota3-is-your-internet-of-things-device-moonlighting<\/a><\/p>\n<p>[11] <strong>CounterCraft<\/strong>, \u201cDota3 malware again and again.\u201d <a href=\"https:\/\/www.countercraftsec.com\/blog\/dota3-malware-again-and-again\/\">https:\/\/www.countercraftsec.com\/blog\/dota3-malware-again-and-again\/<\/a><\/p>\n<p>[12] <a href=\"https:\/\/github.com\/salesforce\/hassh\">https:\/\/github.com\/salesforce\/hassh<\/a><\/p>\n<p>[13] <a 
href=\"https:\/\/www.anthropic.com\/claude\">https:\/\/www.anthropic.com\/claude<\/a><\/p>\n<\/div>\n<h2>Appendix A: Source IPs (24)<\/h2>\n<table class=\"appendix-ip-table\">\n<tbody>\n<tr>\n<td><strong>2.59.183.94<\/strong><\/td>\n<td><strong>4.210.91.174<\/strong><\/td>\n<td><strong>5.99.196.202<\/strong><\/td>\n<td><strong>35.210.61.208<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>41.128.181.199<\/strong><\/td>\n<td><strong>46.253.45.10<\/strong><\/td>\n<td><strong>62.193.106.227<\/strong><\/td>\n<td><strong>77.105.132.10<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>77.237.238.1<\/strong><\/td>\n<td><strong>80.102.218.187<\/strong><\/td>\n<td><strong>81.57.15.243<\/strong><\/td>\n<td><strong>86.110.51.47<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>89.46.131.162<\/strong><\/td>\n<td><strong>89.116.31.97<\/strong><\/td>\n<td><strong>146.59.32.130<\/strong><\/td>\n<td><strong>147.45.50.81<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>148.113.222.4<\/strong><\/td>\n<td><strong>157.173.126.206<\/strong><\/td>\n<td><strong>173.249.41.171<\/strong><\/td>\n<td><strong>173.249.50.59<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>176.147.144.172<\/strong><\/td>\n<td><strong>191.101.59.252<\/strong><\/td>\n<td><strong>194.104.94.20<\/strong><\/td>\n<td><strong>213.225.14.165<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<div class=\"isc-footer\">\u00a9 SANS Internet Storm Center \u00a0|\u00a0 Guest Diary Submission<\/div>\n<p><\/main><\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>This is a Guest Diary by Gokul Prema Thangavel, an ISC intern as part of the SANS.edu Bachelor Degree Program. Introduction The SHA-256 a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 is one of the most-observed Outlaw \/ Shellbot artifacts on the public internet. VirusTotal first ingested it on 5 July 2018 [2]. 
It is the SHA-256 of the authorized_keys file written [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90],"tags":[91],"class_list":["post-3132","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>[Guest Diary] New Malware Libraries means New Signatures, (Fri, May 15th) - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"[Guest Diary] New Malware Libraries means New Signatures, (Fri, May 15th) - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"This is a Guest Diary by Gokul Prema Thangavel, an ISC intern as part of the SANS.edu Bachelor Degree Program. Introduction The SHA-256 a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 is one of the most-observed Outlaw \/ Shellbot artifacts on the public internet. VirusTotal first ingested it on 5 July 2018 [2]. 
It is the SHA-256 of the authorized_keys file written [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-15T07:04:38+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/isc.sans.edu\/diaryimages\/images\/figure1_cowrie_session.png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"[Guest Diary] New Malware Libraries means New Signatures, (Fri, May 
15th)\",\"datePublished\":\"2026-05-15T07:04:38+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/\"},\"wordCount\":1642,\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/figure1_cowrie_session.png\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/\",\"name\":\"[Guest Diary] New Malware Libraries means New Signatures, (Fri, May 15th) - Imperative Business Ventures Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/figure1_cowrie_session.png\",\"datePublished\":\"2026-05-15T07:04:38+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/\"]}]},{\"@type\":\"Ima
geObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/#primaryimage\",\"url\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/figure1_cowrie_session.png\",\"contentUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/figure1_cowrie_session.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"[Guest Diary] New Malware Libraries means New Signatures, (Fri, May 15th)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"[Guest Diary] New Malware Libraries means New Signatures, (Fri, May 15th) - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/","og_locale":"en_US","og_type":"article","og_title":"[Guest Diary] New Malware Libraries means New Signatures, (Fri, May 15th) - Imperative Business Ventures Limited","og_description":"This is a Guest Diary by Gokul Prema Thangavel, an ISC intern as part of the SANS.edu Bachelor Degree Program. Introduction The SHA-256 a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 is one of the most-observed Outlaw \/ Shellbot artifacts on the public internet. VirusTotal first ingested it on 5 July 2018 [2]. It is the SHA-256 of the authorized_keys file written [&hellip;]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-05-15T07:04:38+00:00","og_image":[{"url":"https:\/\/isc.sans.edu\/diaryimages\/images\/figure1_cowrie_session.png","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. 
reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"[Guest Diary] New Malware Libraries means New Signatures, (Fri, May 15th)","datePublished":"2026-05-15T07:04:38+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/"},"wordCount":1642,"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/figure1_cowrie_session.png","keywords":["Cybersecurity"],"articleSection":["Cybersecurity"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/","name":"[Guest Diary] New Malware Libraries means New Signatures, (Fri, May 15th) - Imperative Business Ventures 
Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/#primaryimage"},"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/figure1_cowrie_session.png","datePublished":"2026-05-15T07:04:38+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/#primaryimage","url":"https:\/\/isc.sans.edu\/diaryimages\/images\/figure1_cowrie_session.png","contentUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/figure1_cowrie_session.png"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/15\/guest-diary-new-malware-libraries-means-new-signatures-fri-may-15th\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"[Guest Diary] New Malware Libraries means New Signatures, (Fri, May 15th)"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures 
Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/3132","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=3132"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/3132\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=3132"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=3132"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=3132"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}