MDRFCKR - a (almost) decade old botnet
Between May 3 and June 3, 2026, a threat actor operating under the handle "mdrfckr" conducted a sustained SSH credential-stuffing campaign against my internet-facing SSH honeypots. The campaign deployed 3,929 successful authentication events from 1,702 unique source IPs across 32+ countries. Upon gaining access, the attacker deployed a persistent SSH public key bearing the "mdrfckr" comment - a classic botnet recruitment / persistence mechanism.
Campaign Overview
| Metric | Value |
|---|---|
| Campaign duration | May 3 - June 3, 2026 (32 days) |
| Total successful auth events | 3,929 |
| Unique attacker IPs | 1,702 |
| Countries observed | 32+ |
| ASNs observed | 100+ |
| Unique credential pairs tried | 102+ |
| Peak daily volume | 350 events (May 27) |
| Honeypot type | Cowrie (SSH) |
| SSH key fingerprint | SHA256:MkYY9qiVsFGBC5WkjoClCkwEFW5iSjcGQF7m4n4H7Cw |
| SSH key comment | mdrfckr |
Threat Actor Background
The "mdrfckr" handle is not new. The same RSA public key - identical byte-for-byte to the one deployed in this campaign - was first observed on July 5, 2018, making this one of the longest-running persistent SSH backdoor keys known to the security community.1
Attribution: Outlaw (Dota)
The mdrfckr key is a confirmed indicator of the Outlaw threat group, also tracked as "Dota". First documented by Trend Micro in 2018, Outlaw is a financially motivated threat actor primarily targeting Linux servers via SSH brute-force attacks. Their end goal is Monero (XMR) cryptomining and building a persistent botnet for hire.2
Outlaw is believed to operate from or have strong ties to Asia, based on infrastructure overlap and tooling patterns.
Post-Exploitation Kill Chain
After gaining SSH access, the Outlaw kill chain follows a consistent pattern:
- Reconnaissance - collects CPU info, memory, running processes (
w,top) - Persistence via SSH key injection - overwrites
authorized_keyswith the mdrfckr key - Defense removal - clears
/etc/hosts.deny, kills defensive scripts (/tmp/secure.sh,/tmp/auth.sh), and removes file immutability flags (chattr -ia .ssh,lockr -ia .ssh) to prevent defenders from locking the backdoor out - Payload download - fetches a tarball via
wget/curlfrom attacker-controlled infrastructure - Malware deployment - extracts components into a hidden directory (
.configrc5)
Deployed Malware Components
| Component | Description |
|---|---|
| IRC botnet client (Perl) | Disguises as rsync; connects over port 443 to hardcoded C2 servers; supports command execution, DDoS attacks, port scanning, and HTTP file transfers |
| kswapd0 | UPX-packed modified XMRig 6.19.0; CPU-only Monero miner; named to mimic a kernel memory management process |
| Port scanner | Scans for additional SSH targets to expand the botnet |
The Perl botnet client is obfuscated via perlobfuscator.com and kills any high-CPU processes except its own whitelist (kswapd0, tsm, rsync, tor, httpd) to avoid resource contention.
The Monero wallet receiving mined funds:
Scale and Reach
According to port22.dk's analysis over a two-month observation window, the mdrfckr botnet was linked to approximately 13,000 unique compromised hosts across 152 countries.1 Later analysis of variant waves identified 28,000+ unique source IPs in a single campaign variant.3 The botnet's top victim countries are the United States (~21%), Singapore (~9%), India, and Germany.
Network Fingerprint
The scanner consistently identifies itself with:
- SSH client string:
SSH-2.0-libssh-0.6.3(evolved tolibssh-0.9.xin later variants) - HASSH:
51cba57125523ce4b9db67714a90bf6e(99.1% correlation with mdrfckr activity)
Activity Timeline
| Period | Notes |
|---|---|
| July 2018 | mdrfckr SSH key first observed in the wild |
| 2018-2022 | Sustained low-level operations; key deployed across ~13,000 hosts |
| Dec 2022 | New command chain variant detected; evolution to libssh 0.9.x |
| Dec 2024-Feb 2025 | Apparent dormancy period |
| March 2025 | Significant resurgence documented by Kaspersky2 |
| May-Jun 2026 | This campaign - 3,929 events against my Watchtower honeypots |
Attack Timeline
The campaign ran in distinct waves with notable gaps, suggesting operator-controlled scheduling rather than an automated worm:
| Phase | Days | Total Events | Intensity |
|---|---|---|---|
| Phase 1 (initial probing) | May 3 - 5 | 184 | Low |
| Phase 2 (escalation) | May 6 - 14 | 872 | Medium |
| Phase 3 (peak volume) | May 15 - 19 | 1,160 | High |
| Pause | May 20 - 25 | 0 | - |
| Phase 4 (resurgence) | May 27 - Jun 3 | 1,713 | Very High |
A 6-day pause between May 20-25 suggests the operator temporarily halted the campaign, possibly to rotate infrastructure or avoid detection.
Geographic Distribution
Attack infrastructure was heavily concentrated in China and United States, together accounting for ~32% of all events:
| Country | Events | % of Total |
|---|---|---|
| China | 647 | 16.5% |
| United States | 606 | 15.4% |
| Hong Kong | 323 | 8.2% |
| South Korea | 179 | 4.6% |
| Vietnam | 172 | 4.4% |
| Indonesia | 137 | 3.5% |
| Brazil | 137 | 3.5% |
| India | 135 | 3.4% |
| Russia | 108 | 2.7% |
| Singapore | 108 | 2.7% |
The heavy presence of Chinese and Hong Kong ASNs in the top 10 (Tencent Cloud, UCloud, Byteplus, Volcano Engine) suggests the operator may be based in or have strong operational ties to the Greater China region.
Hosting Infrastructure / ASN Distribution
The attacker primarily used cloud hosting providers and bulletproof hosting services, not residential IPs:
| ASN | Organization | Events | Cloud Type |
|---|---|---|---|
| AS132203 | Tencent Cloud (CN) | 457 | Public Cloud |
| AS135377 | UCloud HK (HK) | 191 | Public Cloud |
| AS8075 | Microsoft Corp | 181 | Public Cloud |
| AS4766 | Korea Telecom | 122 | ISP |
| AS14061 | DigitalOcean | 117 | Public Cloud |
| AS16276 | OVH (FR) | 61 | Public Cloud |
| AS150436 | Byteplus (SG) | 48 | Public Cloud |
| AS137718 | Volcano Engine (CN) | 45 | Public Cloud |
| AS31898 | Oracle Cloud | 41 | Public Cloud |
| AS53667 | PonyNet (US) | 38 | VPS / Low-cost |
The mix of major cloud providers (Tencent, Microsoft Azure, DigitalOcean, Oracle, OVH) with smaller Asian providers (UCloud, Byteplus, Volcano Engine) suggests the attacker is likely operating compromised cloud instances or using fraudulently acquired accounts rather than their own bare-metal infrastructure.
Technical Analysis
SSH Key
All successful authentications deployed the same SSH RSA-2048 public key for persistent backdoor access:
The key operation executed on each compromised host:
cd ~ && \
rm -rf .ssh && \
mkdir .ssh && \
echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr" >> .ssh/authorized_keys && \
chmod -R go= ~/.ssh && \
cd ~
This overwrites any existing .ssh/authorized_keys, granting the attacker exclusive SSH key‑based access.
Credential Targeting (Top 15)
| Username | Password | Attempts |
|---|---|---|
admin |
fjbdfdjkdsfs541544 |
157 |
systemd |
Voidsetdownload.so |
58 |
root |
warnightkardesim |
51 |
ubuntu |
fjbdfdjkdsfs541544AA@@ |
44 |
linux |
linux123 |
36 |
zhxnephu |
zXXUKpvydMqzp1quBItn |
33 |
pakchoi |
Kermit123@ |
30 |
root |
linux123 |
27 |
root |
20192019 |
24 |
The attacker used both common weak passwords (linux123, 20192019) and unique, likely pre‑compromised credentials (fjbdfdjkdsfs541544, warnightkardesim), suggesting a hybrid approach: brute‑force dictionary attacks combined with credential stuffing from prior breaches.
MITRE ATT&CK Mapping
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | SSH Brute Force / Credential Stuffing | T1110.001 |
| Persistence | SSH Authorized Keys | T1098.004 |
| Command and Control | Remote Access via SSH | T1021.004 |
| Discovery | System Information Discovery | T1082 |
Indicators of Compromise (IOCs)
SSH Key
- Fingerprint:
SHA256:MkYY9qiVsFGBC5WkjoClCkwEFW5iSjcGQF7m4n4H7Cw - Comment:
mdrfckr - Key type: RSA 2048
Network
- 1,702 unique source IPs across 32 countries
- Predominantly cloud-hosted (Tencent Cloud AS132203, UCloud AS135377, Microsoft AS8075)
Personal Take-Aways
The most terrifying thing was that within 1 minute of opening port 22, the first brute-force attacks hit my honeypots. Not hours, not days - one minute. There's something out there, constantly scanning, waiting for any open SSH port. When working on firewalls or opening new ports, I first try it out on a non-internet facing server or Linux box so I can test things without the worry of misconfiguring a firewall or ssh configuration to allow everyone on my machines.
What I'm unsure about is the 6-day pause between May 20 and May 25. Watching the graph flatline was almost more unsettling than the activity. Did one of their infrastructure providers get shut down? Was law enforcement involved? Or is there actually a human somewhere in this automated scan, deciding when to lie low and when to press go?
The mdrfckr key has been in the wild since 2018. Almost a decade, same key, same playbook, and it's still working.
For this reason, I use only SSH key pairs (private/public) for authentication - both on my servers in the cloud and at home in my homelab.
-
mdrfckrs - part one - port22.dk ↩↩
-
Outlaw botnet detected in an incident contained by Kaspersky - Securelist ↩↩
-
mdrfckrs - part two - port22.dk ↩