Nation-State Attack or Compromised Government? [Guest Diary], (Thu, Dec 4th)
[This is a Guest Diary by Jackie Nguyen, an ISC intern as part of the SANS.edu BACS program]
AI Analysis
Technical Summary
On November 10, 2025, a honeypot operated by an ISC intern recorded a successful SSH brute-force login from 103.148.195.161, an address associated with a government network but most likely compromised infrastructure. The attacker authenticated as root with the password 'linux' and held the session for nearly two minutes without running a single command; the only activity was the upload of a malicious ELF binary named 'sshd', chosen so that it blends in with the legitimate OpenSSH daemon in process listings.

Looking up the file hash on VirusTotal and Hybrid-Analysis confirmed it as a trojan and mapped its behaviour to MITRE ATT&CK: credential dumping from /etc/passwd and /etc/shadow (T1003.008), obfuscated files or information (T1027), sandbox evasion (T1497), execution guardrails (T1480), setuid/setgid abuse (T1548.001), and masquerading under a legitimate name or location (T1036.005). The chain starts with password guessing against a valid account (T1110.001, T1078) and ends with a persistent backdoor for long-term access.

The government source address is better explained by compromised infrastructure than by a nation-state operator, a reminder that the owner of an IP address is weak evidence for attribution. What makes the intrusion notable is not the initial access, which relied on a trivial password, but the absence of the usual red flags afterwards: no interactive commands, just a quiet session and a file drop. The diary therefore argues for proactive threat hunting for brief, quiet sessions, and recommends disabling password authentication in favour of SSH keys, IP allowlisting, IDS/IPS and EDR coverage, continuous hunting, and multi-factor authentication (MFA).
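The hunt for brute-force-then-success logins followed by brief sessions, as an added example that is not code from the diary: a Python pass over standard OpenSSH and pam_unix lines as they appear in auth.log or journalctl. The log lines are constructed to mirror the session described above (the source IP and the roughly two-minute duration follow the summary; the hostname, timestamps, ports and the benign admin session are assumptions). auth.log does not record what a user typed, so on hosts without a honeypot or EDR the available signals are the burst of failures before the accept, a root password login, and the session length.

```python
"""Hunt sshd auth logs for brute-force-then-success logins and short, quiet sessions."""
import re
from collections import defaultdict
from datetime import datetime

# Standard OpenSSH / pam_unix message formats as written to auth.log via syslog.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)
SESSION_RE = re.compile(r"session (?P<state>opened|closed) for user (?P<user>[^\s(]+)")

# Constructed sample: three guesses, a root password accept, a 111-second session
# with no further log activity, then a normal key-based admin session for contrast.
SAMPLE_AUTH_LOG = """\
Nov 10 14:02:11 sensor sshd[1412]: Failed password for root from 103.148.195.161 port 51122 ssh2
Nov 10 14:02:13 sensor sshd[1412]: Failed password for root from 103.148.195.161 port 51122 ssh2
Nov 10 14:02:15 sensor sshd[1412]: Failed password for root from 103.148.195.161 port 51122 ssh2
Nov 10 14:02:18 sensor sshd[1412]: Accepted password for root from 103.148.195.161 port 51122 ssh2
Nov 10 14:02:18 sensor sshd[1412]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 10 14:04:09 sensor sshd[1412]: pam_unix(sshd:session): session closed for user root
Nov 10 15:30:00 sensor sshd[2200]: Accepted publickey for alice from 10.0.0.5 port 40210 ssh2: ED25519 SHA256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Nov 10 15:30:00 sensor sshd[2200]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Nov 10 16:12:45 sensor sshd[2200]: pam_unix(sshd:session): session closed for user alice
Nov 10 16:20:02 sensor sshd[2310]: Failed password for invalid user admin from 198.51.100.7 port 6001 ssh2
""".splitlines()


def _ts(raw, year=2025):
    # auth.log timestamps carry no year; the year is assumed here.
    return datetime.strptime(f"{year} {raw}", "%Y %b %d %H:%M:%S")


def hunt(lines, fail_threshold=3, short_session_s=180):
    """Return one record per completed session, each with a list of hunt flags."""
    failures = defaultdict(int)  # (ip, user) -> failed attempts seen so far
    logins = {}                  # sshd pid -> context of the accepted login
    opened = {}                  # sshd pid -> time the PAM session opened
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, pid, msg = _ts(m["ts"]), m["pid"], m["msg"]
        a = AUTH_RE.match(msg)
        if a:
            key = (a["ip"], a["user"])
            if a["result"] == "Failed":
                failures[key] += 1
            else:
                # Failures counted so far for this ip/user are attributed to this login.
                logins[pid] = {
                    "ip": a["ip"], "user": a["user"], "method": a["method"],
                    "failures_before": failures.pop(key, 0), "login_at": ts,
                }
            continue
        s = SESSION_RE.search(msg)
        if not s or pid not in logins:
            continue
        if s["state"] == "opened":
            opened[pid] = ts
        elif pid in opened:
            ctx = logins.pop(pid)
            duration = int((ts - opened.pop(pid)).total_seconds())
            flags = []
            if ctx["method"] == "password" and ctx["failures_before"] >= fail_threshold:
                flags.append("brute_force_then_success")
            if ctx["user"] == "root" and ctx["method"] == "password":
                flags.append("root_password_login")
            if duration <= short_session_s:
                flags.append("short_session")
            findings.append({**ctx, "duration_s": duration, "flags": flags})
    return findings


def suspicious(lines, **kw):
    """A short session alone is noisy (scp, config pushes); treat it as corroboration."""
    return [f for f in hunt(lines, **kw)
            if "brute_force_then_success" in f["flags"] or len(f["flags"]) >= 2]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_AUTH_LOG):
        print(f["ip"], f["user"], f["method"], f["duration_s"], f["flags"])
```

Feed it `journalctl -u ssh -o short --no-pager` or the raw auth.log; the thresholds are starting points to tune against your own baseline of admin session lengths. Hosts running newer OpenSSH log the PAM line as `session opened for user root(uid=0) by ...`, which the session regex also accepts.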
Potential Impact
For European organizations the exposure is concentrated in critical infrastructure, government agencies, and any enterprise that administers Linux hosts over SSH. A trojan that passes as sshd in process listings can sit undetected for a long time, which raises the likelihood of credential theft, lateral movement, and data exfiltration before anyone notices. Initial access by brute force shows that weak or default credentials, especially on the root account, remain a critical weakness. Because the session leaves few of the usual traces, detection and response are harder, and with them the risk of espionage or sabotage grows. The government-owned source address adds a political dimension: misattribution could cause diplomatic friction or misdirected defensive action. Entities in energy, defense, and finance, or holding other high-value assets, are the most exposed. The case also underlines the value of robust identity and access management in preventing unauthorized access and persistence.
Mitigation Recommendations
1. Disable password-based SSH authentication entirely (PasswordAuthentication no, and KbdInteractiveAuthentication no so PAM-backed password prompts do not reappear) and require SSH keys with strong passphrases; deny direct root login with PermitRootLogin no, or prohibit-password where a root key is unavoidable.
2. Implement strict IP allowlisting for SSH access at the firewall and in sshd (Match Address, AllowUsers), limiting connections to known, trusted networks and VPNs.
3. Deploy and tune IDS/IPS and Endpoint Detection and Response (EDR) to surface anomalous SSH sessions, especially a file transfer with no command execution.
4. Conduct regular threat hunting focused on brief or quiet SSH sessions and on processes named sshd that run from unexpected paths.
5. Enforce multi-factor authentication (MFA) for all remote access, including SSH gateways and jump hosts.
6. Monitor and audit SSH logs for unusual login patterns, including logins from government or cloud IP ranges not normally associated with your organization.
7. Maintain an up-to-date inventory of authorized SSH keys and remove stale or unused keys promptly.
8. Use file integrity monitoring to detect unauthorized changes to critical binaries such as /usr/sbin/sshd; package verification (dpkg -V openssh-server, rpm -V openssh-server) is a quick first check.
9. Educate security teams on the risks of misattribution and the importance of contextual threat intelligence.
10. Collaborate with national Computer Emergency Response Teams (CERTs) to share intelligence on suspicious IPs and malware hashes.
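Mitigations 4 and 8, as an added example that is not code from the diary: a Python check that walks a process snapshot, selects every process claiming to be sshd, and flags the ones whose executable lives outside the packaged path, sits in a temp or home directory, has been unlinked from disk, or no longer matches a known-good SHA-256. The snapshot and the baseline hash are constructed; the expected daemon paths are an assumption for Debian/RHEL-style layouts, and the trojan bytes stand in for the real sample, whose hash the page does not reproduce.

```python
"""Spot a trojan masquerading as sshd: wrong path, deleted or temp binary, or hash drift."""
import hashlib
import os

# Assumption: where distro packages install the real daemon (Debian/Ubuntu, RHEL).
EXPECTED_SSHD_PATHS = {"/usr/sbin/sshd", "/usr/bin/sshd"}
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
DELETED = " (deleted)"  # suffix the kernel appends to /proc/<pid>/exe once the file is unlinked


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def claims_to_be_sshd(proc) -> bool:
    """True if comm, argv[0] or the exe name says 'sshd' (T1036.005-style masquerading)."""
    names = [proc["comm"], os.path.basename(proc["exe"].replace(DELETED, ""))]
    if proc["cmdline"]:
        # sshd rewrites argv[0] to titles like "sshd: alice [priv]"; keep the part before the colon.
        names.append(os.path.basename(proc["cmdline"][0].split(":")[0]))
    return "sshd" in names


def audit(procs, baseline):
    """procs: dicts {pid, comm, exe, cmdline, exe_sha256}; baseline: path -> known-good sha256."""
    findings = []
    for p in procs:
        if not claims_to_be_sshd(p):
            continue
        exe, flags = p["exe"], []
        if exe.endswith(DELETED):
            flags.append("binary_deleted_on_disk")
            exe = exe[: -len(DELETED)]
        if exe in EXPECTED_SSHD_PATHS:
            if baseline.get(exe) != p["exe_sha256"]:
                flags.append("hash_mismatch")  # packaged path, but the image is not the packaged one
        else:
            flags.append("unexpected_path")
            if exe.startswith(UNTRUSTED_PREFIXES):
                flags.append("untrusted_location")
        if flags:
            findings.append({"pid": p["pid"], "exe": p["exe"], "flags": flags})
    return findings


def snapshot_proc():
    """Collect the same fields from a live Linux host (root needed to read other users' entries)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
            exe = os.readlink(f"/proc/{pid}/exe")
            # Reading through /proc/<pid>/exe hashes the mapped image even after the file was unlinked.
            with open(f"/proc/{pid}/exe", "rb") as f:
                digest = sha256(f.read())
        except OSError:
            continue  # kernel threads, processes that exited, or permission denied
        procs.append({"pid": int(pid), "comm": comm, "exe": exe, "cmdline": cmdline, "exe_sha256": digest})
    return procs


# Constructed stand-ins: the packaged daemon and the uploaded 'sshd' trojan.
REAL_SSHD = b"\x7fELF constructed stand-in for the packaged /usr/sbin/sshd"
TROJAN = b"\x7fELF constructed stand-in for the uploaded 'sshd' trojan"
BASELINE = {"/usr/sbin/sshd": sha256(REAL_SSHD)}  # from package checksums or a golden image

SAMPLE_PROCS = [
    {"pid": 812, "comm": "sshd", "exe": "/usr/sbin/sshd",
     "cmdline": ["sshd: /usr/sbin/sshd -D [listener]"], "exe_sha256": sha256(REAL_SSHD)},
    {"pid": 4417, "comm": "sshd", "exe": "/root/sshd", "cmdline": ["./sshd"], "exe_sha256": sha256(TROJAN)},
    {"pid": 4490, "comm": "sshd", "exe": "/tmp/.x/sshd" + DELETED, "cmdline": ["sshd"],
     "exe_sha256": sha256(TROJAN)},
    {"pid": 4501, "comm": "sshd", "exe": "/usr/sbin/sshd", "cmdline": ["/usr/sbin/sshd", "-D"],
     "exe_sha256": sha256(TROJAN)},  # the real binary replaced in place
    {"pid": 1, "comm": "systemd", "exe": "/usr/lib/systemd/systemd", "cmdline": ["/sbin/init"],
     "exe_sha256": "0" * 64},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_PROCS, BASELINE):
        print(f["pid"], f["exe"], f["flags"])
```

On a real host run `audit(snapshot_proc(), baseline)` as root, with the baseline taken from package checksums or a known-good image rather than from the host under investigation. A process whose comm is sshd but whose exe is not the packaged daemon is the cheapest indicator for this case; the hash comparison catches the in-place replacement that a path check alone would miss.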
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Italy, Poland, Spain, Sweden, Finland
Technical Details
- Article Source: https://isc.sans.edu/diary/rss/32536 (fetched 2025-12-04, 836 words)