IntrusionLabs / threat intelligence

Sign in

← Back to feed

14.103.118.120

TAGGED MALICIOUS how we decide →

Threat Confidence

37%

Location

🇨🇳 CN

ASN

AS4811 · China Telecom Group

Cloud Provider

—

Total Events

25

Average by volume

Agent Count

1

First / Last Seen

2026-04-02 06:05 — 2026-04-18 23:03

Attack Types

ssh:bruteforce

MITRE ATT&CK Techniques

Reconnaissance

T1595 T1595.002

Initial Access

T1078

Defense Evasion

T1070.004

Credential Access

T1110 T1110.001

Discovery

T1046 T1082

Command and Control

T1105

External Corroboration

Not flagged by any external feeds

Campaigns

HASSH 03a80b21afa8… — SSH-2.0-libssh_0.11.1 (110 IPs, 26 countries) HASSH Active high 🇨🇳 CN

110 IPs 30918 events

2026-02-27 — ongoing · 110 IPs are running an identical SSH client (HASSH fingerprint 03a80b21afa8…). Top network: Chinanet (AS4134). Geographic and ASN …

Session Forensics

scanner ×1 malware_dropper ×2 credential_probe ×1 opportunistic_bruter ×1

Sessions

5 (3 with login)

Avg Depth Score

0.57

Commands Executed

9

Files Downloaded

3

Notable Commands

cd ~; chattr -ia .ssh; lockr -ia .ssh
lockr -ia .ssh
cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
cat /proc/cpuinfo | grep name | wc -l
echo "root:sHvV3kWwGasv"|chpasswd|bash
rm -rf /tmp/secure.sh; rm -rf /tmp/auth.sh; pkill -9 secure.sh; pkill -9 auth.sh; echo > /etc/hosts.deny; pkill -9 sleep;

Fingerprints

HASSH

03a80b21afa810682a776a7d42e5e6fb

SSH Client

SSH-2.0-libssh_0.11.1

Evidence Timeline

Malware Dropper 9c3049b8f761 w4m_seattle_01 · 2026-05-15 18:54

6 2 1 100%

Loading events...

Scanner bb1aa2e39e6e w4m_singapore_01 · 2026-04-18 23:01

15%

Loading events...

Opportunistic Bruter 25d4a9ecaafe w4m_singapore_01 · 2026-04-02 06:05

1 50%

Loading events...

Credential Probe cd22fac01ec3 w4m_singapore_01 · 2026-04-02 06:05

1 20%

Loading events...

Malware Dropper 3c1e1f000df4 w4m_singapore_01 · 2026-04-02 06:05

3 1 1 100%

Loading events...