Interesting Message Stored in Cowrie Logs, (Wed, Mar 18th)
This activity was found and reported by BACS student Adam Thorman as part of one of his assignments; I posted his final paper [1] last week. The activity appears to have occurred only on 19 Feb 2026, when at least two DShield sensors recorded in their Cowrie logs, on the same day, an echo command that included: "MAGIC_PAYLOAD_KILLER_HERE_OR_LEAVE_EMPTY_iranbot_was_here". My DShield sensor captured activity from source IP 64.89.161.198 between 30 Jan and 22 Feb 2026 that included port scans, a successful login via Telnet (TCP/23) and web access; all of the activity listed below was captured by the DShield sensor (cowrie, webhoneypot & iptables logs).
AI Analysis
Technical Summary
This entry covers a short-lived, automated (botnet-style) campaign observed on 19 February 2026 against Telnet-exposed hosts, most plausibly IoT devices, since TCP/23 with default credentials is where such bots concentrate. At least two DShield sensors running Cowrie logged, on the same day, an echo command containing the string "MAGIC_PAYLOAD_KILLER_HERE_OR_LEAVE_EMPTY_iranbot_was_here". The string reads like an unfilled template placeholder (MAGIC_PAYLOAD_KILLER_HERE_OR_LEAVE_EMPTY) followed by a tag (iranbot_was_here); echoing a fixed marker right after login is a common way for a bot to confirm it has an interactive shell before sending its real payload, so the observation is consistent with a probing stage rather than a completed infection. The reporting sensor saw source IP 64.89.161.198 between 30 Jan and 22 Feb 2026 performing port scans, logging in successfully over Telnet, and making web requests to the honeypot (cowrie, webhoneypot and iptables logs). Access relied on weak or default Telnet credentials, not on a software vulnerability, and no widespread exploitation or specific exploit has been reported. The activity was discovered and analyzed by a BACS student as part of an academic assignment and reported through the SANS Internet Storm Center. Severity is currently low, but the campaign is another reminder of the risk carried by Telnet services that remain reachable from the Internet, especially on unpatched IoT devices.
Potential Impact
The potential impact of this activity is unauthorized remote access to IoT and Linux-based devices with weak Telnet credentials, leading to device compromise, enrolment in a botnet, data exfiltration, or use as a pivot point for further attacks inside the network. A successful login could degrade device availability or integrity and feed large-scale distributed denial-of-service (DDoS) attacks or other malicious activity. Organizations with exposed Telnet services or poorly secured IoT devices risk infiltration, operational disruption, reputational damage and increased incident response costs. The limited scope and the absence of any known exploit reduce the immediate risk, but the activity highlights the persistent weakness of IoT ecosystems and the importance of securing remote access protocols. Left unmitigated, such campaigns tend to escalate as operators replace placeholder payloads with real ones or combine them with other attack vectors.
Mitigation Recommendations
1. Disable Telnet on all devices unless absolutely necessary; replace it with SSH using key-based authentication.
2. Enforce strong, unique credentials on all IoT and Linux devices to defeat brute-force and credential-stuffing attacks; default credentials are what this campaign relies on.
3. Implement network segmentation to isolate IoT devices from critical infrastructure and limit lateral movement.
4. Deploy intrusion detection/prevention systems (IDS/IPS) to alert on port scanning, Telnet login attempts, and known payload markers such as the "MAGIC_PAYLOAD_KILLER_HERE" string, bearing in mind that a fixed string is trivial for the operator to change and should supplement, not replace, behavioural detection (successful Telnet login followed by command input).
5. Regularly update and patch IoT firmware and Linux operating systems to remediate known vulnerabilities.
6. Use honeypots and centralized logging to detect early signs of compromise and gather threat intelligence.
7. Restrict inbound access to management interfaces with firewall rules and VPNs.
8. Conduct regular security audits and penetration tests focused on IoT and remote access services.
9. Monitor threat intelligence feeds and community reports for variants or follow-on campaigns related to this activity.
10. Educate staff and administrators on the risks of exposed Telnet services and the importance of secure configurations.
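The marker string and the Telnet login that precedes it both land in Cowrie's JSON log, so the detection in item 4 can be done by correlating events per session rather than by grepping one line. The following is an added example written for this page, not code from the ISC diary or the DShield project. The log lines it parses are constructed to imitate Cowrie's JSON event format (cowrie.session.connect, cowrie.login.success, cowrie.command.input) with RFC 5737 documentation addresses; they are not the sensor's real capture.

```python
"""Correlate Cowrie JSON events per session and flag the 'iranbot' marker.

Added example for this page; the sample log below is constructed, not a real capture.
"""
import json

# Substrings worth alerting on. A fixed marker is cheap for the bot operator to
# change, so this list is a supplement to the behavioural check in flag_sessions().
MARKERS = ("MAGIC_PAYLOAD_KILLER_HERE", "iranbot_was_here")

# Constructed Cowrie-style JSON lines (RFC 5737 test addresses, made-up session ids).
SAMPLE_LOG = """
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","session":"a1b2c3d4e5f6","protocol":"telnet","timestamp":"2026-02-19T03:14:07.000000Z"}
{"eventid":"cowrie.login.success","username":"root","password":"admin","src_ip":"203.0.113.10","session":"a1b2c3d4e5f6","timestamp":"2026-02-19T03:14:09.000000Z"}
{"eventid":"cowrie.command.input","input":"echo MAGIC_PAYLOAD_KILLER_HERE_OR_LEAVE_EMPTY_iranbot_was_here","src_ip":"203.0.113.10","session":"a1b2c3d4e5f6","timestamp":"2026-02-19T03:14:10.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"0f9e8d7c6b5a","protocol":"ssh","timestamp":"2026-02-19T04:00:00.000000Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"1234","src_ip":"198.51.100.7","session":"0f9e8d7c6b5a","timestamp":"2026-02-19T04:00:02.000000Z"}
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.55","session":"1122334455aa","protocol":"telnet","timestamp":"2026-02-19T05:00:00.000000Z"}
{"eventid":"cowrie.login.success","username":"admin","password":"admin","src_ip":"192.0.2.55","session":"1122334455aa","timestamp":"2026-02-19T05:00:01.000000Z"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"192.0.2.55","session":"1122334455aa","timestamp":"2026-02-19T05:00:02.000000Z"}
this line is deliberately not JSON
"""


def parse_cowrie(lines):
    """Parse JSON-lines output, skipping blank and malformed lines (real logs have both)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and "eventid" in ev:
            events.append(ev)
    return events


def build_sessions(events):
    """Group events by Cowrie session id and keep the fields triage needs."""
    sessions = {}
    for ev in events:
        sid = ev.get("session")
        if not sid:
            continue
        s = sessions.setdefault(sid, {
            "src_ip": ev.get("src_ip"), "protocol": None, "credentials": None,
            "commands": [], "first_seen": ev.get("timestamp"),
        })
        eid = ev["eventid"]
        if eid == "cowrie.session.connect":
            s["protocol"] = ev.get("protocol")          # "telnet" or "ssh"
        elif eid == "cowrie.login.success":
            s["credentials"] = (ev.get("username"), ev.get("password"))
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
    return sessions


def flag_sessions(events, markers=MARKERS):
    """Return sessions with a successful login followed by command input.

    Each hit records whether any command carried one of the known markers, so the
    behavioural signal (login + commands over Telnet) is kept even if the operator
    renames the marker string.
    """
    hits = []
    for sid, s in build_sessions(events).items():
        if s["credentials"] is None or not s["commands"]:
            continue
        matched = [c for c in s["commands"] if any(m in c for m in markers)]
        hits.append({
            "session": sid, "src_ip": s["src_ip"], "protocol": s["protocol"],
            "credentials": s["credentials"], "first_seen": s["first_seen"],
            "marker_hit": bool(matched), "matched_commands": matched,
        })
    return hits


if __name__ == "__main__":
    for hit in flag_sessions(parse_cowrie(SAMPLE_LOG.splitlines())):
        tag = "MARKER" if hit["marker_hit"] else "post-login-cmd"
        print(f'{hit["first_seen"]} {hit["src_ip"]} {hit["protocol"]} '
              f'{hit["credentials"]} {tag} {hit["matched_commands"]}')
```

Run it against a real sensor with `python3 detect.py < /var/log/cowrie/cowrie.json` after swapping SAMPLE_LOG for `sys.stdin`; the Telnet session that echoes the marker is reported as MARKER, the session that only ran `uname -a` is still reported as post-login activity, and the SSH session with a failed login is ignored.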
Affected Countries
United States, Germany, Iran, Russia, China, India, Brazil, United Kingdom, France, Netherlands
Technical Details
- Article source: https://isc.sans.edu/diary/rss/32810 (fetched 2026-03-19, 385 words)
Threat ID: 69bb4676771bdb1749e386d3
Added to database: 3/19/2026, 12:42:30 AM
Last enriched: 3/19/2026, 12:42:48 AM
Last updated: 3/19/2026, 2:49:01 AM