Threat Ecosystem Insight: September 2025
EXECUTIVE SUMMARY

Between the monitored collection periods, multiple honeypot sensors recorded coordinated malicious activity including SSH intrusions, credential harvesting, system reconnaissance, and cryptominer resource-competition checks. Cowrie SSH honeypots captured full interactive shells (root and guest) and attacker commands related to environment discovery, messaging-credential theft, and process enumeration. Simultaneously, web honeypots revealed supporting infrastructure such as 37.187.136.61 and 200.6.48.125, which hosted SonicPanel-style phishing kits sharing JA3S fingerprints and TLS certificate serials, suggesting centralized kit reuse. The combined evidence points to a distributed but coordinated actor ecosystem that uses commodity kits and basic automation for reconnaissance, credential theft, and resource exploitation.
METADATA

Host Country: Singapore
Honeypot: T-Pot
Storage: 80 GB
Hosting: AWS
SCOPE & COLLECTION DETAILS

- Cowrie: SSH honeypot capturing full ttyrec sessions and interactive shell logs.
- Web Nodes: 10 hosts captured via Shodan/urlscan exports (html_hash, JA3S, cert data).
- Artifacts: shell transcripts, binary hashes, internal IPs, phishing templates, JA3S signatures.
- Objective: identify attacker behavior, shared infrastructure, and pivot points for future hunts.
Attack Flow

Step 1: Initial Access
What: Gain entry via SSH using valid or brute-forced credentials.
Indicators / artifacts: shell prompt such as root@ubuntu:~# or guest@ubuntu:~$
Example commands / evidence:
- ssh root@<host>
- ssh guest@<host>
MITRE: T1078 (Valid Accounts); T1210 (Exploitation of Remote Services)
Quick detection / hunt tips: review SSH auth logs (/var/log/auth.log, /var/log/secure) for unusual successful logins, repeated failed attempts, and new authorized_keys entries.

Step 2: Discovery
What: Enumerate the system and network to profile host, hardware, and services.
Example commands / evidence:
- uname -a
- cat /proc/cpuinfo
- ifconfig or ip addr
MITRE: T1082 (System Information Discovery); T1046 (Network Service Discovery)
Quick detection / hunt tips: look for unusual commands in shell histories (~/.bash_history), spikes in process activity tied to discovery tools (nmap, netcat), or unusual outbound connections to reconnaissance infrastructure.

Step 3: Credential Access
What: Search for stored credentials, chat/SMS data, and session tokens in local files and application data.
Example commands / evidence:
- locate D877F783D5D3EF8C
- ls ~/.local/share/TelegramDesktop/tdata
- inspection of /var/spool/sms or other local message stores
MITRE: T1081 (Credentials in Files); T1539 (Steal Web Session Cookie)
Quick detection / hunt tips: monitor for reads of credential files, unexpected file copies, suspicious locate queries, or new archive files (tar, zip) containing application data.

Step 4: Resource Hijacking
What: Detect and remove competing miners, or deploy the attacker's own miner (cryptomining).
Example commands / evidence:
- ps | grep miner
- ps -ef (looking for miner binaries/processes)
- checks of crontab or systemd timers for miner-related persistence
MITRE: T1496 (Resource Hijacking: Cryptomining)
Quick detection / hunt tips: high CPU/GPU utilization by unknown processes, unusual forked processes, connections to mining pools, and miner file names or suspicious binaries in /tmp, /var/tmp, /usr/bin.

Step 5: Phishing Infrastructure (post-compromise use)
What: Host SonicPanel-style phishing templates / web kits to harvest credentials or scale campaign infrastructure.
Example commands / evidence:
- hosted files observed on IPs such as 37.187.136.61 and 200.6.48.125
- presence of web kit files, admin panels, or phishing templates in webroot directories
MITRE: T1566 (Phishing); T1583 (Acquire Infrastructure)
Quick detection / hunt tips: web server content changes, new virtual hosts, unknown admin panels, outgoing DNS/HTTP to suspicious hosters, and scanning for phishing pages on exposed IPs.
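The detection tips above can be turned into a single pass over Cowrie's JSON log. The following is an added example, not part of the report or of Cowrie: it assumes Cowrie's JSON output format (eventid "cowrie.login.success" / "cowrie.command.input" with "session", "src_ip" and "input" fields), maps each command to the attack-flow step and technique id the report uses, and flags sessions that completed both discovery and credential access. The log lines are constructed and the source IPs are RFC 5737 documentation addresses.

```python
# Added example (not from the report): classify Cowrie JSON events into the
# attack-flow steps. Assumes Cowrie's JSON log format; the sample log lines
# below are constructed and use RFC 5737 documentation IPs.
import json
import re
from collections import defaultdict

# command pattern -> (attack-flow step, MITRE technique as the report maps it)
RULES = [
    (re.compile(r"\b(uname|cat /proc/cpuinfo|ifconfig|ip addr)\b"), ("Discovery", "T1082")),
    (re.compile(r"TelegramDesktop/tdata|/var/spool/sms|\blocate\b"), ("Credential Access", "T1081")),
    (re.compile(r"\bps\b.*\bgrep\b.*miner|\bcrontab\b|list-timers"), ("Resource Hijacking", "T1496")),
]

SAMPLE_LOG = """\
{"eventid":"cowrie.login.success","session":"1c2d05aa","src_ip":"203.0.113.10","username":"root","password":"123456","timestamp":"2025-09-03T02:11:04Z"}
{"eventid":"cowrie.command.input","session":"1c2d05aa","src_ip":"203.0.113.10","input":"uname -a","timestamp":"2025-09-03T02:11:05Z"}
{"eventid":"cowrie.command.input","session":"1c2d05aa","src_ip":"203.0.113.10","input":"cat /proc/cpuinfo","timestamp":"2025-09-03T02:11:06Z"}
{"eventid":"cowrie.command.input","session":"1c2d05aa","src_ip":"203.0.113.10","input":"locate D877F783D5D3EF8C","timestamp":"2025-09-03T02:11:09Z"}
{"eventid":"cowrie.command.input","session":"1c2d05aa","src_ip":"203.0.113.10","input":"ls ~/.local/share/TelegramDesktop/tdata","timestamp":"2025-09-03T02:11:12Z"}
{"eventid":"cowrie.command.input","session":"1c2d05aa","src_ip":"203.0.113.10","input":"ps | grep miner","timestamp":"2025-09-03T02:11:20Z"}
{"eventid":"cowrie.command.input","session":"c281c5cc","src_ip":"198.51.100.7","input":"ls -la","timestamp":"2025-09-03T04:40:01Z"}
"""

def classify(command):
    """Return (step, technique) for a shell command, or None if no rule matches."""
    return next((label for pattern, label in RULES if pattern.search(command)), None)

def summarize_sessions(log_text):
    """Group events by Cowrie session id and record which attack-flow steps each session reached."""
    sessions = defaultdict(lambda: {"src_ip": None, "steps": set(), "techniques": set()})
    for line in log_text.splitlines():
        event = json.loads(line)
        s = sessions[event["session"]]
        s["src_ip"] = event.get("src_ip")
        if event["eventid"] == "cowrie.login.success":  # Step 1: a credential was accepted
            s["steps"].add("Initial Access")
            s["techniques"].add("T1078")
        elif event["eventid"] == "cowrie.command.input":
            hit = classify(event["input"])
            if hit:
                s["steps"].add(hit[0])
                s["techniques"].add(hit[1])
    return dict(sessions)

def stage1_ready(summary):
    """Sessions that completed both discovery and credential access (the report's Stage 1 readiness)."""
    return sorted(sid for sid, s in summary.items() if {"Discovery", "Credential Access"} <= s["steps"])
```

Feeding the output of stage1_ready into a SIEM alert gives the "credential search and miner check" detection the Recommendations section calls for, keyed on session rather than on individual commands.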
IPs

High Confidence (Still Active)
High confidence means the activity can be judged malicious with 90–100% certainty because it is supported by multiple independent sources of evidence, for example:
- observed activity in honeypot logs;
- the same IP or fingerprint appearing in open-source threat feeds;
- reuse of a JA3S, TLS certificate, or favicon hash linked to other known phishing servers.

Both the honeypot and the Shodan scan show the same JA3S fingerprint on 200.6.48.125, which also redirects to credential-harvesting pages, giving a high-confidence match.
"Still active" means the server is currently online and responding, not an old or dead system. It is part of an active campaign (still serving pages, accepting SSH, etc.) and is likely still being used by attackers right now.
37.187.136.61 hosted an active SonicPanel phishing login page. That is confirmed malicious behavior, not speculation: during our analysis, requests to 37.187.136.61 still returned a live phishing panel response, which marks it as active infrastructure.
Medium Confidence (Supporting / Misconfigured Nodes)

Misconfigured nodes: these are servers that are not necessarily intentionally malicious but are poorly secured or reused by threat actors. They can be:
- abandoned VPS instances that still host old content;
- test or demo servers accidentally left public;
- infrastructure compromised and repurposed by attackers.

Here is one way I reached this conclusion: 139.59.135.166 exposes multiple management ports (IMAP, POP3, MySQL, SIP) and an expired TLS certificate, classic signs of misconfiguration. Attackers might exploit or rent such a server for staging, file storage, or scanning.

Supporting nodes: these are secondary servers that appear to assist or host parts of the attacker operation but are not necessarily the main command-and-control or phishing landing pages. They might:
- host copied versions of templates or assets (e.g., images, scripts);
- proxy traffic for the main server;
- provide infrastructure redundancy (backup domains/IPs);
- belong to VPS ranges often used by the same operator.

Here is one way I reached this conclusion: 198.23.140.222 and 107.170.20.186 show changing content and TLS fingerprints similar to those of known malicious hosts. That suggests they are supporting infrastructure, not front-end phishing pages, but still part of the same cluster.
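The confidence tiers described in this section (high when honeypot evidence, feed listings and fingerprint reuse agree; medium for fingerprint-linked supporting nodes or misconfigured exposure) can be applied mechanically to the Shodan/urlscan export. The following is an added example, not the report's own tooling: field names, JA3S/cert/page-hash values and port lists are constructed placeholders, and only the IPs are taken from the report.

```python
# Added example (not from the report): cluster web-node export rows by shared
# fingerprint (ja3s, cert_serial, html_hash) and assign the confidence tiers
# described in the report. Fingerprint values and ports are constructed
# placeholders; only the IPs come from the report.
from collections import defaultdict

FINGERPRINT_FIELDS = ("ja3s", "cert_serial", "html_hash")
MGMT_PORTS = {110, 143, 3306, 5060}  # POP3, IMAP, MySQL, SIP: the exposure signs cited for 139.59.135.166

NODES = [  # constructed sample rows in the shape of a Shodan/urlscan export
    {"ip": "37.187.136.61", "ja3s": "ja3s-A", "cert_serial": "SER-1", "html_hash": "H-sonic",
     "honeypot_hit": True, "feeds": ["osint-feed-x"], "ports": [443], "cert_expired": False},
    {"ip": "200.6.48.125", "ja3s": "ja3s-A", "cert_serial": "SER-1", "html_hash": "H-sonic",
     "honeypot_hit": True, "feeds": [], "ports": [443], "cert_expired": False},
    {"ip": "139.59.135.166", "ja3s": "ja3s-B", "cert_serial": "SER-2", "html_hash": "H-default",
     "honeypot_hit": False, "feeds": [], "ports": [143, 110, 3306, 5060], "cert_expired": True},
    {"ip": "198.23.140.222", "ja3s": "ja3s-A", "cert_serial": "SER-3", "html_hash": "H-assets",
     "honeypot_hit": False, "feeds": [], "ports": [443], "cert_expired": False},
]

def fingerprint_clusters(nodes):
    """Map each (field, value) fingerprint shared by more than one host to the set of IPs presenting it."""
    index = defaultdict(set)
    for n in nodes:
        for field in FINGERPRINT_FIELDS:
            index[(field, n[field])].add(n["ip"])
    return {key: ips for key, ips in index.items() if len(ips) > 1}

def confidence(node, shared):
    """High: two or more independent sources agree (honeypot hit, feed listing, shared fingerprint).
    Medium: linked only by fingerprint (supporting node) or showing misconfiguration (expired cert, management ports).
    Low: nothing beyond a single sighting."""
    linked = any(node[field] == value for field, value in shared)
    sources = sum([node["honeypot_hit"], bool(node["feeds"]), linked])
    if sources >= 2:
        return "high"
    if linked or node["cert_expired"] or MGMT_PORTS & set(node["ports"]):
        return "medium"
    return "low"

def triage(nodes):
    """Return {ip: tier} for every node, using fingerprints shared across the whole export."""
    shared = fingerprint_clusters(nodes)
    return {n["ip"]: confidence(n, shared) for n in nodes}
```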
​​
Summarized Behavior
- Phishing Infrastructure: 37.187.136.61, 200.6.48.125, 177.11.49.188
- Rotating/Clustered Nodes: 185.243.5.63, 185.243.5.109
- Staging/Exposure: 139.59.135.166, 198.23.140.222, 107.170.20.186, 107.170.20.51
- Scanning/Recon: 63.143.118.34
Cowrie Session Insights
Observed Shells:
- 1c2d05aa...: root shell (initial access)
- c281c5cc...: guest shell
- e3b0c442...: additional root session
Reconnaissance:
- 28ba533b...: uname -a
- 52a53233...: cat /proc/cpuinfo
- 1d6f385d...: ifconfig
Credential Search:
- 3fabfde4...: locate D877F783D5D3EF8C
- 72207911...: ls ~/.local/share/TelegramDesktop/tdata, /var/spool/sms
Resource Competition:
- 4e9fdfe2..., e5cefcb1...: miner detection commands

Internal IPs Found:
127.0.0.1, 192.168.112.2, 192.168.112.255
Network masks: 255.255.255.0, 255.0.0.0
(No public attacker IPs visible in session captures.)
Indicators of Compromise (IOCs)

Impact Assessment
Attackers gained shell-level access, enumerated host environments, and performed credential and miner scans.
Parallel phishing infrastructure increases the threat of credential theft and lateral pivoting.
While no C2 or persistence was captured, reconnaissance and credential access phases were completed, indicating Stage 1 compromise readiness.

Recommendations
Immediate (0–24 hrs):
- Block all high-confidence malicious IPs.
- Add JA3S, cert serial, and command indicators to SIEM/IDS.
- Alert on credential search and miner check commands within SSH logs.
Short Term (1–7 days):
- Enforce key-based SSH; disable password and root login.
- Correlate /var/log/auth.log and Cowrie timestamps.
- Hunt for Telegram/SMS credential queries in endpoint telemetry.
Medium Term (7–30 days):
- Integrate Cowrie telemetry into ELK/MISP for automatic IOC ingestion.
- Deploy Suricata/Sigma detections for miner and phishing behaviors.
- Periodically rotate honeypot credentials and improve deception realism.

Timeline (First Sighting and Last Beacon)

Evidence & Artifacts
- Commands Executed: uname -a, cat /proc/cpuinfo, locate D877F…, ps | grep miner.
- Binaries / Scripts: none downloaded within sessions (but detected on web nodes as phishing assets).
- PCAPs: correlate HTTP traffic to 37.187.136.61 and 200.6.48.125 (SonicPanel templates).
- Artifacts stored: /malrepo/honeypot/2025-10-Cowrie/ (subdirectory per IP).

Attack Analysis & TTP Mapping (MITRE ATT&CK)

Attribution Notes & Confidence
- Actor Assessment: behavior resembles commodity botnet operators / a malware-as-a-service ecosystem leveraging shared phishing templates and SSH brute-force modules.
- Confidence: Moderate-High for phishing infrastructure linkage; Low for actor identity.
- Overlap: page hash and JA3S values found in open-source feeds linked to IcedID and AgentTesla delivery chains.

Impact Assessment
- Risk to production: if similar SSH credentials exist, attackers can pivot into internal systems.
- Business impact: potential credential theft → account takeover → fraud / resource abuse.
- Operational impact: miner processes can consume CPU, inflate cloud bills, and trigger DoS.
- Detection gaps: minimal C2 signatures found, so emphasis should be on behavioral detections.
Conclusion
The campaign reflects a modular attacker ecosystem that combines automated reconnaissance, credential theft, and phishing kit distribution.
Cowrie honeypots captured clear behavioral signatures of early intrusion and information gathering.
Proactive blocking, credential hardening, and continuous IOC ingestion are key to mitigating recurrence.

Detection Rules
Can be found on the GitHub Repo.