TLP:CLEAR MEDIUM

Telnet Exploit + ed25519 SSH Key Persistence

Published 2026-06-24 · Source: distributed honeypot fleet · Confidence: HIGH

266 exploit attempts · 37 successful exploits · 86% success rate (top actor) · 30d active window

Executive Summary

Over a 30-day window, sensors observed a series of telnet exploitation attempts achieving unauthenticated remote code execution. The primary actor (195.86.56.10) achieved 31 successful exploits in a 73-minute burst — an 86% success rate — and established persistence by injecting an ed25519 SSH key with the comment chaos@kali-57ca9a, indicating the attacker operates from a Kali Linux environment. A second actor (107.141.222.62) achieved 3 successful exploits with simpler post-exploitation (reconnaissance only).

This campaign is distinct from credential-based attacks: the actors exploit a telnet service vulnerability to gain unauthenticated shell access, then use that access to install persistent SSH key backdoors. The SSH key comment provides a direct attribution indicator — the attacker is using a default Kali hostname pattern (kali-57ca9a).

Threat Actor Profile

Attribute           Primary Actor                      Secondary Actor
IP                  195.86.56.10                       107.141.222.62
Attempts            36                                 3
Successes           31 (86%)                           3 (100%)
Burst window        73 min (17:41 → 18:57 UTC)         87 min (13:26 → 14:53 UTC)
Post-exploit goal   SSH key persistence                System reconnaissance
Key comment         chaos@kali-57ca9a                  (none)
Tooling             Automated (1 exploit / 2.4 min)    Manual or semi-automated

Exploit Activity Summary

IP               Attempts  Successes  Success rate  First seen        Last seen         Notes
195.86.56.10           36         31           86%  2026-06-10 17:41  2026-06-10 18:57  SSH key injection
2.26.252.153          103          2            2%  2026-05-26        2026-06-24        Persistent scanner (29 days)
107.141.222.62          3          3          100%  2026-06-10 13:26  2026-06-10 14:53  Recon only
178.62.39.8            15          1            7%  2026-06-08 08:29  2026-06-08 12:53
176.65.139.46          72          0            0%  2026-06-20        2026-06-24        High volume, no success
176.65.148.183         15          0            0%  2026-05-31        2026-06-01
185.192.125.141        12          0            0%  2026-06-23        2026-06-23

Post-Exploitation Analysis — Primary Actor (195.86.56.10)

After achieving RCE via the telnet exploit, 195.86.56.10 executed a systematic SSH key injection sequence. The attacker verifies each step — checking file existence, size, and line count after writing the key:

# 1. Create SSH directory with correct permissions
mkdir -p /root/.ssh && chmod 700 /root/.ssh

# 2. Inject ed25519 key (variable-based approach)
A='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfv8guaSsyXbOvI7nVcj19fWzpPN9pq9MkpduxxYver chaos@kali-57ca9a'
echo $A > /root/.ssh/authorized_keys

# 2b. Alternative: direct echo (used 4 times)
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfv8guaSsyXbOvI7nVcj19fWzpPN9pq9MkpduxxYver chaos@kali-57ca9a" \
  >> /root/.ssh/authorized_keys

# 3. Set restrictive permissions
chmod 600 /root/.ssh/authorized_keys

# 4. Verify injection (attacker checks the result)
wc -c /root/.ssh/authorized_keys       # 7 times — check file size
cat /root/.ssh/authorized_keys | wc -l  # 6 times — check line count

# 5. Lightweight recon
hostname; id; uname -a | cut -d\  -f1-3

The verification steps (wc -c and wc -l) are unusual — most automated attack tools fire the injection and move on. The presence of verification commands suggests either a semi-automated tool with feedback loops or a human operator checking their work in real time.

Post-Exploitation — Secondary Actor (107.141.222.62)

# Minimal recon — no persistence established
uname -a
hostname
cat /etc/passwd | head -5
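The two post-exploitation sequences above, and the Command Pattern IOC list later in this report, can be turned into a per-session stage detector. The following is an added example, not part of the report or the honeypot's own tooling: it assumes a constructed log format ("<ts> <src_ip> CMD: <command>"), derives one regex per stage from the quoted commands, and still attributes the key comment to a session when the key is staged in a shell variable on one line and written to authorized_keys on the next.

```python
import re
from collections import defaultdict

# Constructed log format (not the honeypot's own): "<ts> <src_ip> CMD: <command line>".
LOG_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+CMD:\s*(.*)$")
KEY_RE = re.compile(r"ssh-ed25519\s+[A-Za-z0-9+/=]+\s*(\S*)")  # captures the key comment

STAGES = [  # distilled from the command sequence quoted in the report
    ("prep",   re.compile(r"mkdir\s+-p\s+\S*/\.ssh")),
    ("assign", re.compile(r"^\s*\w+=['\"]?ssh-ed25519\s")),      # key staged in a shell variable
    ("write",  re.compile(r"echo\b.*>>?\s*\S*authorized_keys")),  # covers echo "..." >> and echo $A >
    ("perms",  re.compile(r"chmod\s+[67]00\s+\S*(\.ssh|authorized_keys)")),
    ("verify", re.compile(r"wc\s+-[cl]\b.*authorized_keys|authorized_keys\s*\|\s*wc\b")),
    ("recon",  re.compile(r"\b(uname -a|hostname|id|cat /etc/passwd)\b")),
]

def analyze(log_text):
    """Group commands by source IP; record the stages each session reached, in order."""
    sessions = defaultdict(lambda: {"stages": [], "key_comments": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        s, cmd = sessions[m.group(2)], m.group(3)
        for name, pat in STAGES:
            if pat.search(cmd) and name not in s["stages"]:
                s["stages"].append(name)
        s["key_comments"] += [c.strip("'\"") for c in KEY_RE.findall(cmd)]
    return dict(sessions)

def verdict(session):
    """A write to authorized_keys is persistence however the key got there (literal or
    variable); prep or assign without a write is staging; otherwise recon or nothing."""
    st = set(session["stages"])
    if "write" in st:
        return "ssh_key_persistence"
    if st & {"prep", "assign"}:
        return "persistence_staging"
    return "recon_only" if "recon" in st else "none"

# Constructed session log in the format above, built from the commands quoted in the report.
SAMPLE_LOG = """\
2026-06-10T17:41:03Z 195.86.56.10 CMD: mkdir -p /root/.ssh && chmod 700 /root/.ssh
2026-06-10T17:41:04Z 195.86.56.10 CMD: A='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfv8guaSsyXbOvI7nVcj19fWzpPN9pq9MkpduxxYver chaos@kali-57ca9a'
2026-06-10T17:41:04Z 195.86.56.10 CMD: echo $A > /root/.ssh/authorized_keys
2026-06-10T17:41:05Z 195.86.56.10 CMD: cat /root/.ssh/authorized_keys | wc -l
2026-06-10T17:41:06Z 195.86.56.10 CMD: hostname; id; uname -a | cut -d\\  -f1-3
2026-06-10T13:26:10Z 107.141.222.62 CMD: uname -a
2026-06-10T13:26:12Z 107.141.222.62 CMD: cat /etc/passwd | head -5
"""
```

The "verify" stage is worth surfacing on its own in a SOC dashboard: as the analysis above notes, a session that checks its own work after the write is a hint of a feedback loop or a hands-on operator rather than fire-and-forget tooling.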

The ed25519 Key as an Attribution IOC

The SSH key comment chaos@kali-57ca9a provides two attribution signals:

This key is a strong, persistent IOC. If this key appears in any authorized_keys file, it indicates this specific attacker has compromised the system. The key should be searched for across all managed hosts.

MITRE ATT&CK Mapping

ID         Technique                          Evidence
T1190      Exploit Public-Facing Application  Telnet service exploitation — unauthenticated RCE
T1098.004  SSH Authorized Keys                ed25519 key injection into /root/.ssh/authorized_keys
T1098      Account Manipulation               Modifying root's SSH configuration for persistent access
T1087      Account Discovery                  id, hostname, cat /etc/passwd
T1082      System Information Discovery       uname -a

Campaign Timeline

Date (UTC)        Event
2026-05-26        First telnet exploit attempt observed (2.26.252.153). Persistent scanner begins 29-day campaign.
2026-05-31        2.26.252.153 achieves first successful exploit.
2026-06-08        178.62.39.8 attempts 15 exploits, 1 success.
2026-06-10 13:26  107.141.222.62 achieves 3/3 successful exploits. Reconnaissance only (uname, hostname, passwd).
2026-06-10 17:41  Primary event: 195.86.56.10 begins 73-minute burst. 36 attempts, 31 successes. SSH key injection with chaos@kali-57ca9a key.
2026-06-10 18:57  195.86.56.10 stops after 31 successful exploits. No further activity from this IP.
2026-06-20 → 24   176.65.139.46 attempts 72 exploits with 0 successes — possibly different exploit variant or patched targets.

Indicators of Compromise

SSH ed25519 Key

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfv8guaSsyXbOvI7nVcj19fWzpPN9pq9MkpduxxYver
Key comment: chaos@kali-57ca9a

Network — Exploit Source IPs

195.86.56.10 — primary actor (31 successful exploits, SSH key injection)
107.141.222.62 — secondary actor (3 successful exploits, recon only)
2.26.252.153 — persistent scanner (103 attempts, 2 successes, 29-day window)
176.65.139.46 — high-volume scanner (72 attempts, 0 successes)
178.62.39.8 — opportunistic (15 attempts, 1 success)
176.65.148.183 — scanner (15 attempts, 0 successes)
185.192.125.141 — scanner (12 attempts, 0 successes)
8.210.187.32 · 64.190.113.196 · 195.18.27.10 · 91.92.40.63 · 80.66.72.105 · 80.253.251.72 — low-volume scanners

Host — Persistence Artifacts

/root/.ssh/authorized_keys — ed25519 key with comment "chaos@kali-57ca9a"
/root/.ssh/ — directory created with chmod 700

Command Pattern IOC

echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfv8guaSsyXbOvI7nVcj19fWzpPN9pq9MkpduxxYver chaos@kali-57ca9a" >> /root/.ssh/authorized_keys
wc -c /root/.ssh/authorized_keys (post-injection verification)
A='ssh-ed25519 ...'; echo $A > /root/.ssh/authorized_keys (variable-based injection)

Detection Signatures

Suricata — ed25519 Key String in Traffic

alert tcp $EXTERNAL_NET any -> $HOME_NET any (
  msg:"cowrAI ed25519 SSH key injection (chaos@kali-57ca9a)";
  flow:to_server,established;
  content:"AAAAIKfv8guaSsyXbOvI7nVcj19fWzpPN9pq9MkpduxxYver";
  content:"chaos@kali"; distance:0;
  classtype:trojan-activity; sid:9003040001; rev:1;
)

Suricata — authorized_keys Manipulation Pattern

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (
  msg:"cowrAI Telnet post-exploit authorized_keys injection";
  flow:to_server,established;
  content:"authorized_keys";
  content:"chmod 600"; distance:0;
  threshold:type both, track by_src, count 2, seconds 60;
  classtype:trojan-activity; sid:9003040002; rev:1;
)

OSSEC / Wazuh — authorized_keys Key Detection

<rule id="100304" level="14">
  <if_sid>530</if_sid>
  <match>AAAAIKfv8guaSsyXbOvI7nVcj19fWzpPN9pq9MkpduxxYver</match>
  <description>chaos@kali-57ca9a SSH key injected into authorized_keys</description>
</rule>

SSH Key Sweep — Find Compromised Hosts

# Search for the chaos@kali-57ca9a key across all managed hosts
grep -r "AAAAIKfv8guaSsyXbOvI7nVcj19fWzpPN9pq9MkpduxxYver" \
  /root/.ssh/ /home/*/.ssh/ 2>/dev/null

# Or via Ansible
ansible all -m shell -a \
  'grep -l "kali-57ca9a" ~/.ssh/authorized_keys /root/.ssh/authorized_keys 2>/dev/null'
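The grep and Ansible sweeps above match on the literal key or comment string. As an added example (not part of the report or the honeypot's tooling), the following Python sweep parses authorized_keys content properly: it matches the IOC by key fingerprint, so a renamed comment or a prepended options field (command="...",no-pty) does not hide it, and reports comment-only hits separately as the weaker signal described in the attribution section. The sample file content is constructed; the IOC blob is the one published above.

```python
import base64
import hashlib
import re

# IOC from the report: the key blob exactly as it appears in authorized_keys.
IOC_BLOB_B64 = "AAAAC3NzaC1lZDI1NTE5AAAAIKfv8guaSsyXbOvI7nVcj19fWzpPN9pq9MkpduxxYver"
IOC_COMMENT_RE = re.compile(r"chaos@kali-[0-9a-f]{6}$")  # weak signal: a comment is trivially edited

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob, as printed by ssh-keygen -lf."""
    raw = base64.b64decode(blob_b64, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

def parse_line(line):
    """Return (options, keytype, blob, comment), or None. A leading options field such as
    command="...",no-pty may contain spaces, so the key is located by its blob, not by position."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i in range(1, len(tokens)):
        if tokens[i].startswith("AAAA"):  # every SSH key blob starts with a 4-byte length prefix
            try:
                base64.b64decode(tokens[i], validate=True)
            except ValueError:
                continue
            return " ".join(tokens[:i - 1]), tokens[i - 1], tokens[i], " ".join(tokens[i + 1:])
    return None

def scan(text, source="authorized_keys"):
    """Findings as (source, lineno, kind, fingerprint, comment). kind 'ioc_key' means the blob
    itself matched (strong); 'ioc_comment' means only the comment pattern matched (weak)."""
    ioc_fp, findings = fingerprint(IOC_BLOB_B64), []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        fp, comment = fingerprint(parsed[2]), parsed[3]
        if fp == ioc_fp:
            findings.append((source, lineno, "ioc_key", fp, comment))
        elif IOC_COMMENT_RE.search(comment):
            findings.append((source, lineno, "ioc_comment", fp, comment))
    return findings

# Constructed sample: the IOC as injected; the same key behind an options prefix with a renamed
# comment; and a zero-filled placeholder key that only matches the comment pattern.
SAMPLE = "\n".join([
    "ssh-ed25519 " + IOC_BLOB_B64 + " chaos@kali-57ca9a",
    'command="/usr/bin/uptime -p",no-pty ssh-ed25519 ' + IOC_BLOB_B64 + " backup",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43 + " chaos@kali-0a1b2c",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43 + " admin@ops",
])
```

Feed scan() the contents of each /root/.ssh/authorized_keys and /home/*/.ssh/authorized_keys collected by your configuration-management tool, passing the host and path as source; the fingerprint in each finding is what ssh-keygen -lf prints, so it can be cross-checked against sshd "Accepted publickey" log lines.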

Collection Methodology

Data collected by a distributed honeypot fleet running SSH and Telnet protocol lures. The Telnet lure emulates a vulnerable telnet service that accepts unauthenticated connections. All post-exploitation commands were captured at the application layer, including SSH key injection sequences and reconnaissance commands. Source IP addresses and timing were correlated to distinguish automated scanning from targeted exploitation bursts.