Essential Insights
- The persistent “mdrfckr” SSH campaign has maintained a stable authorized_keys file for nearly eight years, with recent activity showcasing a new client library version (libssh 0.11.1) that bypasses existing detection rules.
- Attackers are coordinating rapid, clustered SSH brute-force attempts (notably on April 19, 2026) using a consistent set of compromised credentials, targeting multiple IPs within a tight timeframe.
- The campaign’s evolving SSH client signature (hassh) underscores the importance of multi-faceted detection—relying solely on previously identified hashes or signatures could result in blind spots.
Threat, Attack Techniques, and Targets
The campaign discussed is the long-running SSH campaign known as “mdrfckr,” linked to Outlaw or Shellbot activity. The attackers breach target systems over SSH and deliver their payload by writing a specific authorized_keys file whose SHA-256 hash has remained unchanged since 2018. They target a range of systems, primarily those with SSH-accessible accounts, and run a fixed sequence of commands for reconnaissance, password changes, and cleanup of competing malware. Between April 14 and April 21, 2026, multiple IPs coordinated to inject the same SSH key into target systems. In these sessions they used a new SSH client version, libssh 0.11.1, which differs from previously documented versions and indicates that the tooling is evolving. The attack is recognizable by consistent behavior: the same commands and the same public key inserted across many sessions. Because the SSH client software changes between campaign stages, detection should not depend on a single indicator, and defenders should monitor several of them together.
Impact, Security Implications, and Remediation Guidance
The impact of this threat is unauthorized access through persistent SSH keys, which lets attackers run commands, gather reconnaissance, and potentially maintain long-term control over compromised systems. The change in SSH client version, visible as a different hassh fingerprint, highlights the need for updated detection strategies: organizations relying solely on hassh or older signatures may miss the current stage of the campaign. The unchanged SHA-256 hash of the SSH key remains a reliable indicator. Security teams should prioritize monitoring for this hash, the comment string “mdrfckr,” and the command sequences associated with this campaign, and should also watch for the new hassh value associated with libssh 0.11.1. For remediation, review and remove unauthorized SSH keys, reset compromised accounts, and update detection rules. Since specific guidance is not included here, organizations should consult their security vendors or relevant authorities for detailed response steps.
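The following script is an added example illustrating the defensive checks described in the two sections above; it is not code from the original report. It scans authorized_keys content for the “mdrfckr” comment marker, computes the file's SHA-256 for comparison against a known-bad hash (the real hash is not reproduced on this page, so KNOWN_BAD_SHA256 holds a placeholder that must be replaced with the value from the report), and runs two checks over sshd log lines that match the clustered, multi-source brute-force behavior: bursts of failures from one source inside a short window, and usernames tried from several sources. The authorized_keys lines, the log lines, the hostnames and the IPs (TEST-NET ranges) are all constructed sample data.

```python
"""Defensive checks for the mdrfckr SSH campaign (added example, not the report's code).

All sample data below is constructed. KNOWN_BAD_SHA256 is a placeholder: replace it
with the SHA-256 of the authorized_keys file published in the original report.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Placeholder value; the real hash is in the original report, not on this page.
KNOWN_BAD_SHA256 = {"<sha256-of-mdrfckr-authorized_keys-from-report>"}
# Comment markers the campaign has used on its injected key.
BAD_COMMENTS = ("mdrfckr",)


def file_sha256(content: str) -> str:
    """SHA-256 of the whole authorized_keys content, for comparison with KNOWN_BAD_SHA256."""
    return hashlib.sha256(content.encode()).hexdigest()


def scan_authorized_keys(content: str) -> list[dict]:
    """Flag key lines whose comment contains a campaign marker.

    authorized_keys lines look like: [options] key-type base64-key [comment].
    Options with quoted spaces are not handled by the naive split; good enough for a scan.
    """
    findings = []
    for lineno, raw in enumerate(content.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # The key-type token marks where the options field (if any) ends.
        idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or len(parts) < idx + 2:
            continue
        comment = " ".join(parts[idx + 2:])
        if any(marker in comment for marker in BAD_COMMENTS):
            findings.append({"line": lineno, "key_type": parts[idx], "comment": comment})
    return findings


# Standard sshd failure line in syslog format (year is not logged, so it is supplied).
_FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)


def parse_failed_logins(lines, year=2026):
    """Yield (timestamp, user, ip) for each sshd 'Failed password' line."""
    for line in lines:
        m = _FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def burst_sources(events, window_seconds=60, threshold=5):
    """Return {ip: attempts} for sources with >= threshold failures inside any sliding window."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


def shared_credentials(events, min_sources=2):
    """Return {user: sorted ips} for usernames guessed from several sources (coordinated attempts)."""
    ips = defaultdict(set)
    for _ts, user, ip in events:
        ips[user].add(ip)
    return {u: sorted(s) for u, s in ips.items() if len(s) >= min_sources}


# Constructed sample data: key material is not real, IPs are TEST-NET addresses.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample file
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotRealxxxxxxxxxxxxxxxx admin@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyMaterialNotRealxxxxxxxxxxxxxxxxxxxxx mdrfckr
"""

SAMPLE_AUTH_LOG = [
    "Apr 19 03:14:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 51201 ssh2",
    "Apr 19 03:14:05 host sshd[2102]: Failed password for root from 203.0.113.5 port 51202 ssh2",
    "Apr 19 03:14:09 host sshd[2103]: Failed password for root from 203.0.113.5 port 51203 ssh2",
    "Apr 19 03:14:13 host sshd[2104]: Failed password for root from 203.0.113.5 port 51204 ssh2",
    "Apr 19 03:14:17 host sshd[2105]: Failed password for root from 203.0.113.5 port 51205 ssh2",
    "Apr 19 03:14:20 host sshd[2106]: Failed password for root from 198.51.100.7 port 40110 ssh2",
    "Apr 19 03:15:02 host sshd[2107]: Failed password for invalid user admin from 198.51.100.7 port 40111 ssh2",
]

if __name__ == "__main__":
    print("flagged keys:", scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS))
    print("known-bad file:", file_sha256(SAMPLE_AUTHORIZED_KEYS) in KNOWN_BAD_SHA256)
    ev = list(parse_failed_logins(SAMPLE_AUTH_LOG))
    print("burst sources:", burst_sources(ev))
    print("shared credentials:", shared_credentials(ev))
```

In production the hash check is the strongest single signal because the file content has not changed since 2018, while the comment and log checks catch variants and the coordinated guessing phase; run all three rather than relying on the hassh fingerprint alone.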
