What made this case unusual was the attackers' operational security—or lack thereof. Their C2 server exposed a /stats endpoint with no authentication, giving me real-time visibility into their campaign metrics: 91,505 IPs scanned, 59,128 successful compromises, 64.6% success rate. The writeup covers:
- Full attack chain (reconnaissance → exploitation → data exfiltration → persistence)
- C2 API architecture (4 endpoints, all unauthenticated)
- Data exfiltration pipeline (.env files, SSH keys, cloud credentials)
- Persistence mechanisms (systemd services, FRP tunnels, GOST proxies)
- Detection signatures (Suricata/Snort rules, YARA)
The attackers are harvesting credentials at industrial scale—roughly 300K credential sets per day at current pace. Their targeting appears indiscriminate (mode: random_ips), which suggests they're going for volume over precision.

For those interested in the tooling: the honeypot that captured this is Beelzebub [0], an open-source project I've been maintaining for 3+ years. It uses LLMs to generate dynamic responses that keep attackers engaged longer, which helps capture more complete attack chains like this one.

Happy to discuss the technical details, methodology, or anything about running deception infrastructure.

[0] https://github.com/mariocandela/beelzebub
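The post names systemd services wrapping FRP tunnels and GOST proxies as the persistence mechanism. Below is an added example of the host-side check a responder would run for that: it is not code from the post, from the writeup or from Beelzebub. It parses systemd unit files (handling backslash continuations and repeated ExecStart keys, which an INI parser would mangle) and flags any Exec* directive whose program is one of the tools' default binary names. The binary names (frpc, frps, gost), the unit directories and the sample units are assumptions constructed for the example, not indicators taken from the campaign.

```python
"""Flag systemd unit files whose Exec* lines launch FRP or GOST binaries.

Added example, not part of the original post or of Beelzebub. The binary
names, unit directories and sample units below are assumptions.
"""
import glob
import os
import shlex

# Assumed default binary names: frp ships frpc/frps, gost ships gost.
TUNNEL_BINARIES = {"frpc", "frps", "gost"}

# Assumed places a unit could be dropped (system and per-user).
UNIT_DIRS = (
    "/etc/systemd/system",
    "/usr/lib/systemd/system",
    "/lib/systemd/system",
    "/run/systemd/system",
    "~/.config/systemd/user",
)


def exec_lines(unit_text):
    """Yield (key, value) for every Exec* directive in the [Service] section.

    Joins backslash-continued lines and keeps repeated ExecStart keys,
    both of which configparser would lose.
    """
    section = None
    buf = ""
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if buf:
            line = buf + " " + line
            buf = ""
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("Exec"):
            yield key, value.strip()


def program_of(exec_value):
    """Return the basename of the program an Exec* value runs, or None.

    systemd allows the prefixes -, @, +, !, !! and : before the path.
    """
    try:
        argv = shlex.split(exec_value)
    except ValueError:
        return None
    if not argv:
        return None
    return os.path.basename(argv[0].lstrip("-@+!:"))


def find_tunnel_units(units):
    """units: {unit path: unit text}. Return [(unit, key, program)] hits."""
    hits = []
    for name, text in units.items():
        for key, value in exec_lines(text):
            prog = program_of(value)
            if prog in TUNNEL_BINARIES:
                hits.append((name, key, prog))
    return hits


def load_units(dirs=UNIT_DIRS):
    """Read every *.service file under the assumed unit directories."""
    units = {}
    for d in dirs:
        for path in glob.glob(os.path.join(os.path.expanduser(d), "*.service")):
            try:
                with open(path, errors="replace") as f:
                    units[path] = f.read()
            except OSError:
                continue
    return units


# Constructed sample units so the check runs offline.
SAMPLE_UNITS = {
    "/etc/systemd/system/sshd-keepalive.service": """
[Unit]
Description=OpenSSH keepalive
After=network.target

[Service]
ExecStart=/usr/local/bin/frpc \\
    -c /etc/ssh/.frpc.ini
Restart=always

[Install]
WantedBy=multi-user.target
""",
    "/etc/systemd/system/proxy.service": """
[Service]
ExecStartPre=-/bin/true
ExecStart=-/opt/gost -L socks5://:1080
""",
    "/etc/systemd/system/nginx.service": """
[Service]
ExecStart=/usr/sbin/nginx -g 'daemon off;'
""",
}

if __name__ == "__main__":
    for unit, key, prog in find_tunnel_units(SAMPLE_UNITS):
        print(f"{unit}: {key} runs {prog}")
    for unit, key, prog in find_tunnel_units(load_units()):
        print(f"LIVE {unit}: {key} runs {prog}")
```

Matching on the program basename is deliberately narrow: a renamed binary evades it, so in practice this is a first pass to pair with hashing the ExecStart target and looking for the tools' config files (frpc.ini/frpc.toml, gost's -L/-F flags) rather than a complete detection.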