Skip to content

Inside the Honeypot: "Iranian Origin" Reconnaissance and Cryptomining Against a Public Facing Sensor

A public facing honeypot recorded four Iranian origin IPs over 21 June to 17 July 2026, together forming the full opportunistic attack lifecycle.

J
Jonathan Williams
July 17, 2026
Inside the Honeypot: "Iranian Origin" Reconnaissance and Cryptomining Against a Public Facing Sensor

Threat Intelligence Report — TLP:CLEAR (Public)
Reporting Period: 21 June 2026 – 17 July 2026
Published: 17 July 2026
Author: Threat Intelligence & Incident Response Team


Executive Summary

Between 21 June and 17 July 2026, a single internet facing honeypot sensor operated by our research team recorded sustained, structured malicious activity from four IP addresses geolocated to Iran. The activity spanned three distinct behavioral patterns; long-running low and slow beaconing, broad-spectrum port reconnaissance, and a full SSH intrusion culminating in the deployment of the RedTail cryptomining malware family.

This reporting window overlaps the ongoing 2026 Iran conflict, which began on 28 February 2026 and has been accompanied by a marked escalation in cyber activity from both Iranian state-aligned actors and independent pro-Iranian operators. U.S. and allied agencies, including CISA, the FBI, and the Canadian Centre for Cyber Security, have issued repeated advisories warning that Iran will very likely use its cyber program to respond to the joint U.S. and Israel combat operations against Iran.

Against that backdrop, it is important to be precise about attribution. The activity documented here is commodity, “financially motivated”, and opportunistic, not a targeted state operation. The value of this report is as a snapshot of the baseline noise emanating from Iranian network space during a period of heightened tension, and as a set of concrete, defender usable indicators. Two of the four source IPs were already flagged as “known attacker” by threat intelligence reputation feeds at the time of collection.


Why This Matters Right Now

The 2026 conflict has changed the risk calculus for anyone operating internet-facing infrastructure. Beyond the nation state operations that dominate headlines, defenders are seeing a rising tide of “lower sophistication” activity from the region. As one industry advisory noted during this period, Iranian and Iran aligned actors have historically relied on low sophistication methods that exploit basic vulnerabilities in internet connected systems, and the FBI has specifically reminded operators that these actors seek to exploit common vulnerabilities and default passwords as well as internet connected operational technology.

That is exactly the pattern this honeypot captured: weak-credential SSH brute forcing, opportunistic port sweeps, and automated malware staging. None of it is novel. All of it is dangerous to an unhardened, exposed host, and volume, not sophistication, is what makes it a threat during a period when scanning from the region is elevated.


Collection Environment

The data was collected by a multi-sensor honeypot deployed on a public cloud host, emulating a range of exposed services. Relevant sensors for this report:

Sensor Type Role
SSH/Telnet emulator Captures credential attempts, session commands, and uploaded files
Generic TCP catch-all Records connection attempts to arbitrary ports
Network IDS Generates signature-based alerts on session traffic

All destination addressing, hostnames, and internal identifiers have been removed for public release. Timestamps are UTC.


Threat Actor Activity Overview

Four Iranian origin IP addresses were observed. Three originate from the same autonomous system (AS213790, “Limited Network LTD”); the fourth from AS212607 (“Saeid Shahrokhi”). The shared ASN and complementary behaviors suggest these are related nodes in a broader opportunistic campaign rather than four unrelated actors.

Source IP ASN Reputation Behavior Events
77.90.185.20 AS213790 Known attacker SSH intrusion → RedTail deployment 119
185.93.89.79 AS213790 (unflagged) Persistent low-and-slow beaconing to :4444 164
192.253.248.180 AS213790 Known attacker Broad-spectrum port reconnaissance 56
5.10.249.25 AS212607 Known attacker Rapid sequential port sweep (5901–6000) 75

Actor 1 — 77.90.185.20: SSH Intrusion and RedTail Cryptominer Deployment

This is the most significant actor in the dataset. It executed a complete attack chain: credential brute-force, successful login, malware staging over SFTP, and persistence via a rogue SSH key. Activity occurred across three sessions (8 July, 13 July, and 17 July).

Credential Attack

The actor connected using an SSH client identifying itself as SSH-2.0-Go (a Go-based scanner, not a standard OpenSSH client), fingerprinted by two distinct HASSH values:

  • 0a07365cc01fa9fc82608ba4019af499
  • 5f904648ee8964bef0e8834012e26003

It cycled through weak and default credentials. Failed attempts included ansible/ansible, root/1234qwer, rema/123456, student/student, root/Admin123!, and root/1qaz2wsx!. The honeypot accepted several by design, logging successful logins for:

Username Password First Success
root 123123123 2026-07-08 22:20 UTC
root asdfg 2026-07-13 09:58 UTC
root asd123123 2026-07-17 06:30 UTC

The rotation of passwords across sessions, a different weak root password each day, is characteristic of an automated dictionary tool working through a shared credential list, not a human operator.

Malware Staging

Immediately after authenticating, the actor uploaded six files over SFTP:

clean.sh
setup.sh
redtail.arm7
redtail.arm8
redtail.i686
redtail.x86_64

This is the textbook RedTail deployment package. RedTail is a well documented Monero (XMR) cryptomining malware family, first identified in late 2023/early 2024. The multi architecture binary set (ARM7, ARM8, i686, x86_64) lets a single automated payload compromise anything from an IoT device to a cloud server. Public research describes exactly this file sequence, noting that attack sessions followed the same sequence, beginning with the upload of clean.sh, followed by the placement of multiple RedTail binaries, and concluding with setup.sh. The setup.sh script evaluates the system architecture to determine the appropriate file version using the command uname -mp, copies the correct binary to a hidden .redtail file, cleans up the staging files, and installs a cron job for persistence.

Persistence

The captured command input reveals the persistence mechanism in full. The actor executed the payload, then wrote its own SSH public key into authorized_keys and locked the file with the immutable attribute:

chmod +x setup.sh; sh setup.sh; rm -rf setup.sh;
mkdir -p ~/.ssh;
chattr -ia ~/.ssh/authorized_keys;
echo "ssh-rsa AAAAB3NzaC1yc2E...rsa-key-20230629" > ~/.ssh/authorized_keys;
chattr +ai ~/.ssh/authorized_keys;
uname -a

The chattr +ai step is a signature persistence trick: it makes authorized_keys append-only and immutable, so a defender cannot simply overwrite or delete the attacker’s key without first removing the attribute. This matches RedTail’s documented behavior of creating backdoors via SSH keys. The embedded key comment (rsa-key-20230629) indicates a PuTTYgen-generated key reused across the campaign.

Assessment

Attribution: RedTail cryptomining botnet, commodity, financially motivated. High confidence, based on the exact filename set, the canonical clean.sh/setup.sh/multi-arch sequence, and the immutable key persistence, all of which match extensively documented RedTail tradecraft. There is no indication of state sponsorship; the Iranian geolocation reflects the origin of a commodity botnet node, not a targeted operation.


Actor 2 — 185.93.89.79: Persistent Low-and-Slow Beaconing

This IP exhibited the most disciplined and long-running behavior: near daily connections to TCP/4444 over the full 26-day window, hitting the sensor on 23 separate days. Each day it connected once or twice, almost always within the same one-to-two-second burst, plus occasional touches on ports 9000 and 9001.

Port 4444 is a well-known default for Metasploit/Meterpreter reverse shells and a common C2/handler port. The IDS flagged the traffic with two signatures:

  • ET SCAN Zmap User-Agent (Inbound) indicating the connection originated from the ZMap internet-wide scanner
  • SURICATA Applayer Detect protocol only one direction consistent with a one-way probe that never completes an application handshake

Assessment

This is automated reconnaissance / C2-port validation, not an active exploit attempt. The extreme regularity (same port, same short daily burst, ZMap user-agent) points to an “inventory style” scanner cataloguing hosts that respond on 4444, likely feeding a target list for later exploitation. The persistence over nearly four weeks is the notable feature: this host has our sensor on a recurring scan schedule.


Actor 3 — 192.253.248.180: Broad-Spectrum Port Reconnaissance

Flagged as a known attacker, this IP conducted wide, sparse port reconnaissance touching 55 unique high-numbered ports across 56 events, spread intermittently over the reporting period. Ports ranged from 1119 up to 65530, with visible clustering in the 33000–33999 range (33033, 33096, 33100, 33390, 33391, 33392, 33777, 33801, 33880, 33893).

Assessment

This is service-discovery scanning. Unlike Actor 2’s single-port focus, this actor sweeps a broad spread of non-standard ports, fishing for exposed services, proxies, or previously planted backdoors listening on unusual ports. The “known attacker” reputation flag and the “near one event per port” ratio (no repeated hammering) indicate a mapping pass rather than a brute-force or exploit attempt.


Actor 4 — 5.10.249.25: Rapid Sequential Port Sweep

Also flagged as a known attacker, and the only actor on a different ASN (AS212607). Its behavior was a tight, fast burst: 75 connections in roughly 87 minutes on 17 July, walking almost sequentially through the port range 5901–6000.

Ports 5900–5999 are the standard range for VNC (Virtual Network Computing) remote-desktop services (5900 = display :0, 5901 = display :1, and so on). Exposed, weakly authenticated VNC is a perennial target for both cryptomining crews and hands-on-keyboard intruders.

Assessment

This is a targeted VNC discovery sweep. The actor is enumerating which VNC display ports are open, almost certainly as the precursor to a VNC brute force or exploitation campaign. The compressed timeframe and sequential port walk are hallmarks of a purpose-built scanning script rather than a broad internet crawler.


Correlated Assessment

Taken together, the four actors represent the full opportunistic attack lifecycle as seen from a single sensor during a three-week window:

  1. Discovery (192.253.248.180, 5.10.249.25): broad and targeted port mapping to find exposed services.
  2. Validation / C2 inventory (185.93.89.79): persistent checking of a known handler port.
  3. Exploitation & monetization (77.90.185.20): SSH credential attack, malware staging, and cryptominer deployment for persistence.

Three of the four share AS213790, and the two “known attacker” flags plus the RedTail intrusion suggest this ASN is currently hosting active, financially motivated botnet infrastructure.

Relationship to the 2026 conflict: This activity is best understood as elevated background noise rather than conflict driven targeting. It is commodity cybercrime originating from Iranian network space; the kind of volume that rises whenever a region’s infrastructure is mobilized, but which carries no signature of the destructive, infrastructure-focused state operations that agencies have warned about during this period. Defenders should treat it accordingly: block the indicators, harden the basics, and reserve heightened alerting for the TTPs described in official state-actor advisories.


Indicators of Compromise (IOCs)

Source IP Addresses

Indicator Type Context
77.90.185.20 IPv4 RedTail SSH intrusion; AS213790
185.93.89.79 IPv4 Persistent :4444 beaconing (ZMap); AS213790
192.253.248.180 IPv4 Broad port recon; AS213790; known attacker
5.10.249.25 IPv4 VNC sweep (5901–6000); AS212607; known attacker

Malware Artifacts (RedTail)

Filename SHA-256
clean.sh 197c74408e15bd1168105f564f96aace4fd4819961b724630bf5a6be4878daf8
setup.sh 783adb7ad6b16fe9818f3e6d48b937c3ca1994ef24e50865282eeedeab7e0d59
redtail.arm7 3625d068896953595e75df328676a08bc071977ac1ff95d44b745bbcb7018c6f
redtail.arm8 dbb7ebb960dc0d5a480f97ddde3a227a2d83fcaca7d37ae672e6a0a6785631e9
redtail.i686 048e374baac36d8cf68dd32e48313ef8eb517d647548b1bf5f26d2d0e2e3cdc7
redtail.x86_64 59c29436755b0778e968d49feeae20ed65f5fa5e35f9f7965b8ed93420db91e5

SSH Client Fingerprints (HASSH)

  • 0a07365cc01fa9fc82608ba4019af499
  • 5f904648ee8964bef0e8834012e26003
  • Client version string: SSH-2.0-Go

Attacker SSH Key Comment

  • rsa-key-20230629 (embedded in authorized_keys persistence)

Behavioral / Network Indicators

  • Repeated inbound connections to TCP/4444 with a ZMap user-agent
  • Sequential connection sweep across TCP/5901–5999 (VNC discovery)
  • SFTP upload of the six-file RedTail package following SSH login
  • chattr +ai ~/.ssh/authorized_keys command in session logs

MITRE ATT&CK Mapping

Tactic Technique ID Observed Behavior
Reconnaissance Active Scanning: Scanning IP Blocks T1595.001 Port sweeps by 192.253.248.180, 5.10.249.25, 185.93.89.79
Reconnaissance Active Scanning: Vuln Scanning T1595.002 VNC port range enumeration
Initial Access Valid Accounts T1078 Weak root credential logins
Credential Access Brute Force: Password Guessing T1110.001 SSH dictionary attack
Execution Command and Scripting Interpreter: Unix Shell T1059.004 sh setup.sh execution
Persistence Account Manipulation: SSH Authorized Keys T1098.004 Rogue key written to authorized_keys
Defense Evasion File and Directory Permissions Modification T1222.002 chattr +ai immutable flag
Defense Evasion Indicator Removal: File Deletion T1070.004 rm -rf setup.sh cleanup
Impact Resource Hijacking T1496 RedTail Monero cryptominer deployment

Recommendations

For any organization operating internet facing hosts during the current threat environment:

Immediate
- Block the four source IPs and the AS213790 / AS212607 ranges at the perimeter where operationally feasible.
- Alert on any of the RedTail file hashes and on the creation of .redtail files.
- Hunt for chattr +ai against authorized_keys and for unexpected append-only/immutable attributes on SSH config files.

Hardening (addresses the root cause seen here)
- Enforce key-based SSH authentication and disable password login entirely; disable direct root login. Every successful intrusion in this dataset relied on a weak root password.
- Restrict SSH and VNC exposure behind a VPN or IP allow-list; never expose VNC (5900–5999) directly to the internet.
- Monitor for outbound connections to cryptomining pools and for unexplained CPU load.
- Audit authorized_keys on all hosts for unrecognized keys, especially any with the immutable attribute set.

Strategic
- Follow the current CISA, FBI, and allied advisories on Iranian-affiliated activity and prioritize detections for the destructive, OT/ICS-focused TTPs they describe — a different and higher-severity threat than the commodity activity in this report.


Analyst Note on Confidence and Scope

This report is derived from a single honeypot sensor over a 26-day window. It documents what was observed, not the full extent of any actor’s operations. The RedTail attribution is high confidence and based on well established public tradecraft. The characterization of all four actors as commodity/opportunistic is deliberate: nothing in the data supports a stronger claim of state direction, and analysts should resist the pull to over-attribute routine cybercrime to nation state activity simply because of its geographic origin during a conflict. Indicators are provided for defensive use and should be validated against your own environment before blocking.

TLP:CLEAR: Approved for public release. All internal infrastructure identifiers have been redacted.