Threat Intelligence Report — TLP:CLEAR (Public)
Reporting Period: 21 June 2026 – 17 July 2026
Published: 17 July 2026
Author: Threat Intelligence & Incident Response Team
Executive Summary
Between 21 June and 17 July 2026, a single internet facing honeypot sensor operated by our research team recorded sustained, structured malicious activity from four IP addresses geolocated to Iran. The activity spanned three distinct behavioral patterns; long-running low and slow beaconing, broad-spectrum port reconnaissance, and a full SSH intrusion culminating in the deployment of the RedTail cryptomining malware family.
This reporting window overlaps the ongoing 2026 Iran conflict, which began on 28 February 2026 and has been accompanied by a marked escalation in cyber activity from both Iranian state-aligned actors and independent pro-Iranian operators. U.S. and allied agencies, including CISA, the FBI, and the Canadian Centre for Cyber Security, have issued repeated advisories warning that Iran will very likely use its cyber program to respond to the joint U.S. and Israel combat operations against Iran.
Against that backdrop, it is important to be precise about attribution. The activity documented here is commodity, “financially motivated”, and opportunistic, not a targeted state operation. The value of this report is as a snapshot of the baseline noise emanating from Iranian network space during a period of heightened tension, and as a set of concrete, defender usable indicators. Two of the four source IPs were already flagged as “known attacker” by threat intelligence reputation feeds at the time of collection.
Why This Matters Right Now
The 2026 conflict has changed the risk calculus for anyone operating internet-facing infrastructure. Beyond the nation state operations that dominate headlines, defenders are seeing a rising tide of “lower sophistication” activity from the region. As one industry advisory noted during this period, Iranian and Iran aligned actors have historically relied on low sophistication methods that exploit basic vulnerabilities in internet connected systems, and the FBI has specifically reminded operators that these actors seek to exploit common vulnerabilities and default passwords as well as internet connected operational technology.
That is exactly the pattern this honeypot captured: weak-credential SSH brute forcing, opportunistic port sweeps, and automated malware staging. None of it is novel. All of it is dangerous to an unhardened, exposed host, and volume, not sophistication, is what makes it a threat during a period when scanning from the region is elevated.
Collection Environment
The data was collected by a multi-sensor honeypot deployed on a public cloud host, emulating a range of exposed services. Relevant sensors for this report:
| Sensor Type | Role |
|---|---|
| SSH/Telnet emulator | Captures credential attempts, session commands, and uploaded files |
| Generic TCP catch-all | Records connection attempts to arbitrary ports |
| Network IDS | Generates signature-based alerts on session traffic |
All destination addressing, hostnames, and internal identifiers have been removed for public release. Timestamps are UTC.
Threat Actor Activity Overview
Four Iranian origin IP addresses were observed. Three originate from the same autonomous system (AS213790, “Limited Network LTD”); the fourth from AS212607 (“Saeid Shahrokhi”). The shared ASN and complementary behaviors suggest these are related nodes in a broader opportunistic campaign rather than four unrelated actors.
| Source IP | ASN | Reputation | Behavior | Events |
|---|---|---|---|---|
77.90.185.20 |
AS213790 | Known attacker | SSH intrusion → RedTail deployment | 119 |
185.93.89.79 |
AS213790 | (unflagged) | Persistent low-and-slow beaconing to :4444 | 164 |
192.253.248.180 |
AS213790 | Known attacker | Broad-spectrum port reconnaissance | 56 |
5.10.249.25 |
AS212607 | Known attacker | Rapid sequential port sweep (5901–6000) | 75 |
Actor 1 — 77.90.185.20: SSH Intrusion and RedTail Cryptominer Deployment
This is the most significant actor in the dataset. It executed a complete attack chain: credential brute-force, successful login, malware staging over SFTP, and persistence via a rogue SSH key. Activity occurred across three sessions (8 July, 13 July, and 17 July).
Credential Attack
The actor connected using an SSH client identifying itself as SSH-2.0-Go (a Go-based scanner, not a standard OpenSSH client), fingerprinted by two distinct HASSH values:
0a07365cc01fa9fc82608ba4019af4995f904648ee8964bef0e8834012e26003
It cycled through weak and default credentials. Failed attempts included ansible/ansible, root/1234qwer, rema/123456, student/student, root/Admin123!, and root/1qaz2wsx!. The honeypot accepted several by design, logging successful logins for:
| Username | Password | First Success |
|---|---|---|
root |
123123123 |
2026-07-08 22:20 UTC |
root |
asdfg |
2026-07-13 09:58 UTC |
root |
asd123123 |
2026-07-17 06:30 UTC |
The rotation of passwords across sessions, a different weak root password each day, is characteristic of an automated dictionary tool working through a shared credential list, not a human operator.
Malware Staging
Immediately after authenticating, the actor uploaded six files over SFTP:
clean.sh
setup.sh
redtail.arm7
redtail.arm8
redtail.i686
redtail.x86_64
This is the textbook RedTail deployment package. RedTail is a well documented Monero (XMR) cryptomining malware family, first identified in late 2023/early 2024. The multi architecture binary set (ARM7, ARM8, i686, x86_64) lets a single automated payload compromise anything from an IoT device to a cloud server. Public research describes exactly this file sequence, noting that attack sessions followed the same sequence, beginning with the upload of clean.sh, followed by the placement of multiple RedTail binaries, and concluding with setup.sh. The setup.sh script evaluates the system architecture to determine the appropriate file version using the command uname -mp, copies the correct binary to a hidden .redtail file, cleans up the staging files, and installs a cron job for persistence.
Persistence
The captured command input reveals the persistence mechanism in full. The actor executed the payload, then wrote its own SSH public key into authorized_keys and locked the file with the immutable attribute:
chmod +x setup.sh; sh setup.sh; rm -rf setup.sh;
mkdir -p ~/.ssh;
chattr -ia ~/.ssh/authorized_keys;
echo "ssh-rsa AAAAB3NzaC1yc2E...rsa-key-20230629" > ~/.ssh/authorized_keys;
chattr +ai ~/.ssh/authorized_keys;
uname -a
The chattr +ai step is a signature persistence trick: it makes authorized_keys append-only and immutable, so a defender cannot simply overwrite or delete the attacker’s key without first removing the attribute. This matches RedTail’s documented behavior of creating backdoors via SSH keys. The embedded key comment (rsa-key-20230629) indicates a PuTTYgen-generated key reused across the campaign.
Assessment
Attribution: RedTail cryptomining botnet, commodity, financially motivated. High confidence, based on the exact filename set, the canonical clean.sh/setup.sh/multi-arch sequence, and the immutable key persistence, all of which match extensively documented RedTail tradecraft. There is no indication of state sponsorship; the Iranian geolocation reflects the origin of a commodity botnet node, not a targeted operation.
Actor 2 — 185.93.89.79: Persistent Low-and-Slow Beaconing
This IP exhibited the most disciplined and long-running behavior: near daily connections to TCP/4444 over the full 26-day window, hitting the sensor on 23 separate days. Each day it connected once or twice, almost always within the same one-to-two-second burst, plus occasional touches on ports 9000 and 9001.
Port 4444 is a well-known default for Metasploit/Meterpreter reverse shells and a common C2/handler port. The IDS flagged the traffic with two signatures:
ET SCAN Zmap User-Agent (Inbound)indicating the connection originated from the ZMap internet-wide scannerSURICATA Applayer Detect protocol only one directionconsistent with a one-way probe that never completes an application handshake
Assessment
This is automated reconnaissance / C2-port validation, not an active exploit attempt. The extreme regularity (same port, same short daily burst, ZMap user-agent) points to an “inventory style” scanner cataloguing hosts that respond on 4444, likely feeding a target list for later exploitation. The persistence over nearly four weeks is the notable feature: this host has our sensor on a recurring scan schedule.
Actor 3 — 192.253.248.180: Broad-Spectrum Port Reconnaissance
Flagged as a known attacker, this IP conducted wide, sparse port reconnaissance touching 55 unique high-numbered ports across 56 events, spread intermittently over the reporting period. Ports ranged from 1119 up to 65530, with visible clustering in the 33000–33999 range (33033, 33096, 33100, 33390, 33391, 33392, 33777, 33801, 33880, 33893).
Assessment
This is service-discovery scanning. Unlike Actor 2’s single-port focus, this actor sweeps a broad spread of non-standard ports, fishing for exposed services, proxies, or previously planted backdoors listening on unusual ports. The “known attacker” reputation flag and the “near one event per port” ratio (no repeated hammering) indicate a mapping pass rather than a brute-force or exploit attempt.
Actor 4 — 5.10.249.25: Rapid Sequential Port Sweep
Also flagged as a known attacker, and the only actor on a different ASN (AS212607). Its behavior was a tight, fast burst: 75 connections in roughly 87 minutes on 17 July, walking almost sequentially through the port range 5901–6000.
Ports 5900–5999 are the standard range for VNC (Virtual Network Computing) remote-desktop services (5900 = display :0, 5901 = display :1, and so on). Exposed, weakly authenticated VNC is a perennial target for both cryptomining crews and hands-on-keyboard intruders.
Assessment
This is a targeted VNC discovery sweep. The actor is enumerating which VNC display ports are open, almost certainly as the precursor to a VNC brute force or exploitation campaign. The compressed timeframe and sequential port walk are hallmarks of a purpose-built scanning script rather than a broad internet crawler.
Correlated Assessment
Taken together, the four actors represent the full opportunistic attack lifecycle as seen from a single sensor during a three-week window:
- Discovery (
192.253.248.180,5.10.249.25): broad and targeted port mapping to find exposed services. - Validation / C2 inventory (
185.93.89.79): persistent checking of a known handler port. - Exploitation & monetization (
77.90.185.20): SSH credential attack, malware staging, and cryptominer deployment for persistence.
Three of the four share AS213790, and the two “known attacker” flags plus the RedTail intrusion suggest this ASN is currently hosting active, financially motivated botnet infrastructure.
Relationship to the 2026 conflict: This activity is best understood as elevated background noise rather than conflict driven targeting. It is commodity cybercrime originating from Iranian network space; the kind of volume that rises whenever a region’s infrastructure is mobilized, but which carries no signature of the destructive, infrastructure-focused state operations that agencies have warned about during this period. Defenders should treat it accordingly: block the indicators, harden the basics, and reserve heightened alerting for the TTPs described in official state-actor advisories.
Indicators of Compromise (IOCs)
Source IP Addresses
| Indicator | Type | Context |
|---|---|---|
77.90.185.20 |
IPv4 | RedTail SSH intrusion; AS213790 |
185.93.89.79 |
IPv4 | Persistent :4444 beaconing (ZMap); AS213790 |
192.253.248.180 |
IPv4 | Broad port recon; AS213790; known attacker |
5.10.249.25 |
IPv4 | VNC sweep (5901–6000); AS212607; known attacker |
Malware Artifacts (RedTail)
| Filename | SHA-256 |
|---|---|
clean.sh |
197c74408e15bd1168105f564f96aace4fd4819961b724630bf5a6be4878daf8 |
setup.sh |
783adb7ad6b16fe9818f3e6d48b937c3ca1994ef24e50865282eeedeab7e0d59 |
redtail.arm7 |
3625d068896953595e75df328676a08bc071977ac1ff95d44b745bbcb7018c6f |
redtail.arm8 |
dbb7ebb960dc0d5a480f97ddde3a227a2d83fcaca7d37ae672e6a0a6785631e9 |
redtail.i686 |
048e374baac36d8cf68dd32e48313ef8eb517d647548b1bf5f26d2d0e2e3cdc7 |
redtail.x86_64 |
59c29436755b0778e968d49feeae20ed65f5fa5e35f9f7965b8ed93420db91e5 |
SSH Client Fingerprints (HASSH)
0a07365cc01fa9fc82608ba4019af4995f904648ee8964bef0e8834012e26003- Client version string:
SSH-2.0-Go
Attacker SSH Key Comment
rsa-key-20230629(embedded inauthorized_keyspersistence)
Behavioral / Network Indicators
- Repeated inbound connections to TCP/4444 with a ZMap user-agent
- Sequential connection sweep across TCP/5901–5999 (VNC discovery)
- SFTP upload of the six-file RedTail package following SSH login
chattr +ai ~/.ssh/authorized_keyscommand in session logs
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Observed Behavior |
|---|---|---|---|
| Reconnaissance | Active Scanning: Scanning IP Blocks | T1595.001 | Port sweeps by 192.253.248.180, 5.10.249.25, 185.93.89.79 |
| Reconnaissance | Active Scanning: Vuln Scanning | T1595.002 | VNC port range enumeration |
| Initial Access | Valid Accounts | T1078 | Weak root credential logins |
| Credential Access | Brute Force: Password Guessing | T1110.001 | SSH dictionary attack |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 | sh setup.sh execution |
| Persistence | Account Manipulation: SSH Authorized Keys | T1098.004 | Rogue key written to authorized_keys |
| Defense Evasion | File and Directory Permissions Modification | T1222.002 | chattr +ai immutable flag |
| Defense Evasion | Indicator Removal: File Deletion | T1070.004 | rm -rf setup.sh cleanup |
| Impact | Resource Hijacking | T1496 | RedTail Monero cryptominer deployment |
Recommendations
For any organization operating internet facing hosts during the current threat environment:
Immediate
- Block the four source IPs and the AS213790 / AS212607 ranges at the perimeter where operationally feasible.
- Alert on any of the RedTail file hashes and on the creation of .redtail files.
- Hunt for chattr +ai against authorized_keys and for unexpected append-only/immutable attributes on SSH config files.
Hardening (addresses the root cause seen here)
- Enforce key-based SSH authentication and disable password login entirely; disable direct root login. Every successful intrusion in this dataset relied on a weak root password.
- Restrict SSH and VNC exposure behind a VPN or IP allow-list; never expose VNC (5900–5999) directly to the internet.
- Monitor for outbound connections to cryptomining pools and for unexplained CPU load.
- Audit authorized_keys on all hosts for unrecognized keys, especially any with the immutable attribute set.
Strategic
- Follow the current CISA, FBI, and allied advisories on Iranian-affiliated activity and prioritize detections for the destructive, OT/ICS-focused TTPs they describe — a different and higher-severity threat than the commodity activity in this report.
Analyst Note on Confidence and Scope
This report is derived from a single honeypot sensor over a 26-day window. It documents what was observed, not the full extent of any actor’s operations. The RedTail attribution is high confidence and based on well established public tradecraft. The characterization of all four actors as commodity/opportunistic is deliberate: nothing in the data supports a stronger claim of state direction, and analysts should resist the pull to over-attribute routine cybercrime to nation state activity simply because of its geographic origin during a conflict. Indicators are provided for defensive use and should be validated against your own environment before blocking.
TLP:CLEAR: Approved for public release. All internal infrastructure identifiers have been redacted.