A coordinated botnet campaign active since 2026-05-26 flooding SSH honeypots with three targeted usernames — claude, nvidia, and onkar — to manipulate automated credential-tuning pipelines into accepting accounts that don't exist on real infrastructure. The campaign is a honeypot-fingerprinting and userdb-injection attack, not a credential breach attempt.
Source-IP overlap between the three usernames (claude↔nvidia: 81%, claude↔onkar: 86%, nvidia↔onkar: 82%) proves a single coordinated botnet. These are not independent scanning campaigns — they share the same controller and wordlist infrastructure.
Beginning 2026-05-26, a botnet distributed across seven /24 subnets began flooding all 36
cowrAI honeypots with login attempts for three usernames: claude (AI assistant brand),
nvidia (GPU/AI hardware brand), and onkar (personal name used as padding).
Volume escalated 5–6× on 2026-06-02 and has sustained ~700–1,100 claude-username attempts per day
through June 24.
The attack goal is userdb injection: force automated honeypot tuning systems to add
these accounts by exceeding the minimum distinct-IP threshold. A honeypot that subsequently accepts
claude:claude can be fingerprinted as honeypot infrastructure. The same usernames pushed
into real SSH targets serve as a reconnaissance signal — if a server accepts them, it may be running
AI workloads with service accounts matching current tech-brand keywords.
cowrAI's AI sanity check on tuning report #24 flagged the additions. Manual review confirmed poisoning;
a partial apply on 2026-06-25 accepted the three legitimate co-additions
(openvpn, gpadmin, rancher) and excluded the poisoned entries.
Zero logins to claude, nvidia, or onkar were accepted across the fleet.
Automated honeypot platforms that learn from observed traffic periodically update their accepted credential list (userdb). A common tuning heuristic: if a username:password pair is seen from N distinct source IPs within a window, it likely represents real-world credential usage and is added to the accepted list.
Attackers exploit this by coordinating botnets to generate synthetic-but-convincing traffic against a target username. Once the account is accepted by the honeypot, two outcomes are possible:

1. Honeypot fingerprinting: an attacker trying claude:claude now logs in successfully and infers the target is a dynamic-userdb honeypot, not a real server.
2. Reconnaissance signal: the same botnet pushes claude and nvidia credentials at real SSH targets; a server that accepts them may be running AI workloads with matching service accounts.

| Username | Category | Rationale | Real-world service? |
|---|---|---|---|
| claude | AI brand | Anthropic's AI assistant — plausible service account on AI inference infrastructure; tests for orgs running Claude API workloads | No standard Linux service |
| nvidia | AI hardware brand | NVIDIA GPU management tools; plausible on GPU server farms running CUDA workloads | No standard Linux service |
| onkar | Personal name | Padding entry — adds lexical diversity to avoid pattern detection; single-password format (onkar123) consistent with credential-list padding | No — personal name only |
The three usernames use distinct password approaches, likely from different tooling configurations running under the same botnet controller:
| Username | Distinct Passwords | Strategy | Top Credentials |
|---|---|---|---|
| claude | 54 | Two-tier: brand-specific wordlist (claude123, claude2026, Claude2026!) + generic spray (123456, password, root) | claude:claude (231 IPs), claude:claude123 (133 IPs), claude:12345678 (131 IPs) |
| nvidia | 29 | Brand-specific wordlist only (nvidia123, nvidia@1234, nvidia2025!) | nvidia:nvidia (99 IPs), nvidia:nvidia123 (8 IPs) |
| onkar | 1 | Single entry: onkar:onkar123 — minimal-effort padding | onkar:onkar123 (100 IPs) |
The onkar campaign, using exactly one password from exactly 100 IPs (a distinct-IP spread of exactly 100), suggests an automated tool configured to hit the threshold ceiling and stop. The claude campaign, using 54 passwords from 615 IPs, suggests a longer-running general-purpose brute-forcer with the poisoning username added to its wordlist.
The core high-volume IPs (45.153.34.x, 45.156.87.x,
176.65.132.x, 176.65.139.x) are not single-purpose poisoning bots.
Across the same 30-day window they generated 106,616 successful logins and
83,140 failed logins against all other cowrAI-monitored usernames — standard SSH brute-force
activity. The poisoning usernames are an added layer in an existing botnet's wordlist, not
dedicated attack infrastructure.
Timeline:

- claude username first observed from 192.109.200.78. nvidia and onkar follow within 4 hours. All three launch the same day — coordinated start.
- claude, nvidia, onkar.
- claude/nvidia/onkar.
- Applied userdb #52 deployed.
- Fleet-wide; zero successful logins accepted for poisoning accounts throughout the campaign.

| Date | claude | nvidia | onkar | Distinct IPs |
|---|---|---|---|---|
| 2026-05-26 | 40 | 2 | 5 | 36 |
| 2026-05-27 | 76 | 12 | 4 | 33 |
| 2026-05-28 | 44 | 7 | 11 | 28 |
| 2026-05-29 | 66 | 12 | 10 | 40 |
| 2026-05-30 | 79 | 8 | 10 | 42 |
| 2026-05-31 | 54 | 19 | 8 | 32 |
| 2026-06-01 | 65 | 20 | 10 | 46 |
| 2026-06-02 | 433 | 113 | 64 | 76 |
| 2026-06-03 | 333 | 83 | 51 | 55 |
| 2026-06-04 | 544 | 121 | 72 | 59 |
| 2026-06-05 | 371 | 78 | 50 | 63 |
| 2026-06-06 | 467 | 109 | 56 | 49 |
| 2026-06-07 | 567 | 115 | 59 | 69 |
| 2026-06-08 | 766 | 133 | 97 | 74 |
| 2026-06-09 | 584 | 109 | 69 | 75 |
| 2026-06-10 | 451 | 78 | 50 | 42 |
| 2026-06-11 | 274 | 43 | 33 | 43 |
| 2026-06-12 | 325 | 41 | 38 | 46 |
| 2026-06-13 | 359 | 37 | 39 | 60 |
| 2026-06-14 | 249 | 36 | 30 | 45 |
| 2026-06-15 | 353 | 32 | 38 | 45 |
| 2026-06-16 | 392 | 45 | 39 | 52 |
| 2026-06-17 | 633 | 65 | 66 | 66 |
| 2026-06-18 | 477 | 59 | 55 | 68 |
| 2026-06-19 | 567 | 62 | 62 | 63 |
| 2026-06-20 | 752 | 143 | 75 | 69 |
| 2026-06-21 | 872 | 69 | 73 | 77 |
| 2026-06-22 | 1,114 | 81 | 69 | 68 |
| 2026-06-23 | 762 | 83 | 84 | 85 |
| 2026-06-24 | 784 | 83 | 77 | 68 |
The 176.65.0.0/16 and 45.153/45.156 ranges account for the highest-volume nodes. All core IPs are general-purpose SSH brute-force bots with the poisoning usernames layered into their existing wordlists.
| Subnet (/24) | Distinct IPs | Total Hits | Notes |
|---|---|---|---|
| 176.65.139.0/24 | 30 | 2,739 | Highest IP count; general-purpose fleet |
| 91.92.40.0/24 | 25 | 1,200 | Mid-tier volume |
| 91.92.42.0/24 | 10 | 1,321 | Same /22 as 91.92.40/24 |
| 45.156.87.0/24 | 9 | 3,485 | Highest per-IP volume; long-running nodes |
| 45.153.34.0/24 | 7 | 2,857 | Long-running; active since May 26 |
| 176.65.132.0/24 | 5 | 2,003 | Same /16 as 176.65.139/24 |
| 192.109.200.0/24 | 2 | 844 | Earliest observed IPs in campaign |
| Source IP | claude | nvidia | onkar | Total | First Seen |
|---|---|---|---|---|---|
| 176.65.139.181 | — | — | — | 678 | 2026-05-26 |
| 45.153.34.112 | 534 | 81 | 51 | 666 | 2026-05-27 |
| 45.153.34.235 | 512 | 74 | 54 | 640 | 2026-05-26 |
| 45.156.87.254 | 509 | 78 | 50 | 637 | 2026-05-27 |
| 176.65.132.24 | 461 | 74 | 47 | 582 | 2026-05-27 |
| 45.156.87.204 | 459 | 72 | 45 | 576 | 2026-05-27 |
| 192.109.200.78 | 459 | 66 | 39 | 564 | 2026-05-26 |
| 176.65.132.129 | 400 | 62 | 41 | 503 | 2026-05-27 |
| 45.153.34.71 | 373 | 59 | 37 | 469 | 2026-05-27 |
| 45.156.87.253 | 317 | 53 | 35 | 405 | 2026-05-27 |
| Pair | Shared IPs | Overlap % | Interpretation |
|---|---|---|---|
| claude ↔ nvidia | 81 of 100 | 81% | Same botnet |
| claude ↔ onkar | 86 of 100 | 86% | Same botnet |
| nvidia ↔ onkar | 82 of 100 | 82% | Same botnet |
All observed traffic is SSH login attempts — no command execution, no dropper activity. Full credential lists observed during the 30-day campaign window:

```
claude:claude         (231 IPs)
claude:claude123      (133 IPs)
claude:12345678       (131 IPs)
claude:123            (116 IPs)
claude:1234           (112 IPs)
claude:123456         (107 IPs)
claude:password       (104 IPs)
claude:1              (88 IPs)
claude:root           (87 IPs)
claude:abc123         (85 IPs)
claude:Claude2026!    (35 IPs)
claude:claude2025     (30 IPs)
claude:claude!        (30 IPs)
claude:Claude2025!    (20 IPs)
claude:claude2026     (19 IPs)
# ... 39 additional low-spread passwords (claude12345, claude@123, Claude11!, etc.)

nvidia:nvidia         (99 IPs)
nvidia:nvidia123      (8 IPs)
nvidia:nvidia@1234    (1 IP)
# ... 26 additional brand-variation passwords (nvidia2025!, nvidia#2024, etc.)

onkar:onkar123        (100 IPs)   ← single-password campaign
```
| Technique ID | Name | Evidence |
|---|---|---|
| T1110.001 | Brute Force: Password Guessing | Brand-specific wordlists (claude123, nvidia2026!) targeting potential AI service accounts |
| T1110.003 | Brute Force: Password Spraying | Generic passwords (123456, password, root) sprayed from 100+ IPs against claude username |
| T1595 | Active Scanning | Fleet-wide systematic probing; same IPs also conduct general SSH brute-force (106K+ other-username logins in same period) |
| T1592 | Gather Victim Host Information | AI-branded username targeting (claude, nvidia) to identify AI infrastructure — servers that accept these accounts likely run inference workloads |
| T1205 | Traffic Signaling | Honeypot fingerprinting: a server accepting claude:claude after 600 attempts signals it's a dynamic-userdb honeypot, not production infrastructure — allows attacker to filter honeypots from real targets |
| T1584 | Compromise Infrastructure | Attempting to manipulate honeypot userdb to accept attacker-chosen accounts — once accepted, honeynet data is partially poisoned and fingerprinted |
| Username | Classification | Action |
|---|---|---|
| claude | Poisoning — AI brand | Block; never add to userdb |
| nvidia | Poisoning — AI hardware brand | Block; never add to userdb |
| onkar | Poisoning — personal-name padding | Block; never add to userdb |
| CIDR | Observed IPs | Total Hits |
|---|---|---|
| 176.65.139.0/24 | 30 | 2,739 |
| 91.92.40.0/24 | 25 | 1,200 |
| 91.92.42.0/24 | 10 | 1,321 |
| 45.156.87.0/24 | 9 | 3,485 |
| 45.153.34.0/24 | 7 | 2,857 |
| 176.65.132.0/24 | 5 | 2,003 |
| 192.109.200.0/24 | 2 | 844 |
| Pattern | Target Username | Spread |
|---|---|---|
| claude | claude | 231 IPs |
| claude123 | claude | 133 IPs |
| claude2025 / claude2026 | claude | Multi-IP |
| Claude2025! / Claude2026! | claude | 35 IPs combined |
| nvidia | nvidia | 99 IPs |
| nvidia123 | nvidia | 8 IPs |
| onkar123 | onkar | 100 IPs — single-password campaign |
Three controls that stopped this campaign:
success=0, count <= distinct_ips × 1.5 heuristic. Note: this filter did not catch this campaign because count > distinct_ips × 1.5 for all three usernames. A stronger heuristic: flag usernames with no prior appearances in any tuning report that appear from >50 IPs simultaneously.

Suricata rules:

```
# Known poisoning-botnet subnets; 91.92.40.0/22 covers both the 91.92.40/24 and 91.92.42/24 nodes.
alert ssh [45.153.34.0/24,45.156.87.0/24,176.65.132.0/24,176.65.139.0/24,91.92.40.0/22,192.109.200.0/24] any -> $SSH_SERVERS any (msg:"SSH brute-force from AI-username poisoning botnet subnet"; flow:to_server,established; threshold:type both,track by_src,count 5,seconds 60; sid:9100001; rev:1;)

# Caveat: the SSH username is carried inside the encrypted transport after key exchange, so the two
# content matches below only fire where the username appears in plaintext on the wire; host-side
# sshd auth-log matching is the reliable detection path for these usernames.
alert ssh any any -> $SSH_SERVERS any (msg:"SSH login attempt with AI-brand username claude"; flow:to_server; content:"claude"; nocase; threshold:type both,track by_src,count 3,seconds 300; sid:9100002; rev:1;)
alert ssh any any -> $SSH_SERVERS any (msg:"SSH login attempt with AI-brand username nvidia"; flow:to_server; content:"nvidia"; nocase; threshold:type both,track by_src,count 3,seconds 300; sid:9100003; rev:1;)
```
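The userdb tuning gate described above (distinct-IP acceptance threshold, the success=0 / count <= distinct_ips × 1.5 filter, the stronger new-username-from->50-IPs check, and the permanent exclusion list) as an added Python example; this is not cowrAI's or honey-tune's own code. The login records, the min_ips=20 threshold and the prior-report username set are constructed assumptions shaped after the campaign's statistics.

```python
from collections import defaultdict

# Constructed login-attempt records (source_ip, username, password, success) shaped
# after the campaign's statistics; not real honeypot captures.
EVENTS = (
    # poisoning: one password, exactly 100 IPs, two attempts each (count > ips*1.5)
    [("203.0.113.%d" % i, "onkar", "onkar123", 0) for i in range(1, 101)] * 2
    # one attempt per IP from 25 IPs: the original count <= ips*1.5 filter catches it
    + [("198.51.100.%d" % i, "nvidia", "nvidia", 0) for i in range(1, 26)]
    # 30 IPs, two attempts each: slips both heuristics, stopped by the exclusion list
    + [("198.51.100.%d" % i, "claude", "claude", 0) for i in range(101, 131)] * 2
    # legitimate co-addition already seen in earlier reports: 60 IPs, three attempts each
    + [("192.0.2.%d" % i, "rancher", "rancher", 0) for i in range(1, 61)] * 3
    # below the distinct-IP threshold: never becomes a candidate
    + [("192.0.2.%d" % i, "gpadmin", "gpadmin", 0) for i in range(200, 203)]
)
EXCLUDE = {"claude", "nvidia", "onkar"}                 # permanent exclusion list
PRIOR_REPORT_USERNAMES = {"rancher", "openvpn", "root"}  # assumed tuning-report history

def aggregate(events):
    """Per credential pair: distinct source IPs, attempt count, accepted logins."""
    stats = defaultdict(lambda: {"ips": set(), "count": 0, "success": 0})
    for ip, user, pw, ok in events:
        s = stats[(user, pw)]
        s["ips"].add(ip)
        s["count"] += 1
        s["success"] += ok
    return stats

def tune(events, exclude=EXCLUDE, prior=PRIOR_REPORT_USERNAMES, min_ips=20):
    """Gate userdb additions. Returns (accepted pairs, {rejected pair: reason}).
    min_ips is the assumed tuning threshold; the >50-IP cutoff is from the report."""
    accepted, rejected = set(), {}
    for (user, pw), s in aggregate(events).items():
        n_ips = len(s["ips"])
        if n_ips < min_ips:
            continue
        # original filter: zero successes and roughly one attempt per IP looks synthetic
        if s["success"] == 0 and s["count"] <= n_ips * 1.5:
            rejected[(user, pw)] = "success=0 and count <= ips*1.5"
        # stronger heuristic: a username never seen in any prior report, from >50 IPs
        elif user not in prior and n_ips > 50:
            rejected[(user, pw)] = "new username from >50 IPs"
        # permanent exclusions; checked last only so the heuristics above are exercised
        elif user in exclude:
            rejected[(user, pw)] = "permanent exclusion list"
        else:
            accepted.add((user, pw))
    return accepted, rejected
```

Running `tune(EVENTS)` accepts only rancher:rancher; onkar:onkar123 passes the original filter exactly as in the campaign and is stopped by the new-username check instead.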
Operators running adaptive honeypot userdb tuning should add claude,
nvidia, and onkar to a permanent exclusion list — these
should never be auto-added regardless of observation count. The subnets listed above
are suitable for SSH blocklist or rate-limit application.
The campaign uses AI-brand names (claude, nvidia) as SSH brute-force usernames at scale. As AI inference infrastructure proliferates, attackers are pre-staging credential wordlists for accounts that may exist on GPU servers, LLM hosting platforms, and AI API gateway infrastructure. Operators of AI workloads should audit for claude, nvidia, openai, gemini, llama, ollama, anthropic, and similar AI-brand service accounts in their SSH authentication systems.
All data collected via a distributed SSH/Telnet honeypot fleet spanning multiple cloud providers and geographic regions. Login attempts are captured in near-real-time with source IP, username, password, and timestamp fields preserved for analysis.
Tuning analysis via honey-tune cron worker (daily, 02:17 UTC): aggregates top credential pairs by distinct-IP count over 7-day window, diffs against current applied userdb, runs AI sanity check, and gates auto-apply on sanity approval. Report #24 was the first to surface this campaign at sufficient volume for recommendation; the AI gate blocked auto-apply and triggered operator review.
IP-overlap analysis (Jaccard similarity) computed directly against the events table partitioned by timestamp. No external enrichment (ASN/geo) applied — userdb poisoning classification is based solely on observed traffic patterns and username semantics.