This ISC diary notes that the April 2026 activity relates to the existing mdrfckr Outlaw/Dota campaign rather than a new campaign, with a new libssh client version observed between 14 and 21 April 2026.
Between 2026-04-14 01:23:41 UTC and 2026-04-21 02:22:56 UTC, my DShield sensor logged 24 unique source IPs writing the SHA-256 a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 to /root/.ssh/authorized_keys and other paths, amounting to 229 authorized_keys modifications across 1,230 SSH sessions and 4,133 post-authentication commands. The cluster’s peak burst occurred on 19 April 2026, when 20 of the 24 IPs connected within a 131‑second window between 06:05:19 UTC and 06:07:30 UTC.
All 24 IPs presented the SSH client banner SSH-2.0-libssh_0.11.1 and the hassh fingerprint 03a80b21afa810682a776a7d42e5e6fb, making this the third documented libssh version in the campaign’s lineage, according to port22 part two. The SHA-256 of the authorized_keys file remains unchanged since 2018. Detection guidance remains to pin on the SHA-256, the public key blob, the mdrfckr comment string, and the recon sequence rather than on a single hassh value, and to watch for future libssh updates.
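The sketch below is an added example, not code from the diary. It treats the file SHA-256, the key blob and the mdrfckr comment as strong indicators and the hassh as a weak one, so a libssh upgrade does not silence the alert. The function names, the empty `KNOWN_KEY_BLOBS` placeholder (the page does not reproduce the blob) and the sample input are assumptions; the recon sequence is left out because the page does not list its commands.

```python
import hashlib

# Indicators quoted in the text above.
KNOWN_FILE_SHA256 = "a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2"
KNOWN_HASSH = "03a80b21afa810682a776a7d42e5e6fb"
KEY_COMMENT = "mdrfckr"
# Placeholder: fill with the base64 key blob from your own telemetry.
KNOWN_KEY_BLOBS = set()

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")

def parse_keys(data):
    """Yield (key_type, blob, comment) per authorized_keys entry.
    Leading options are skipped; options containing quoted spaces are not handled."""
    for raw in data.decode("utf-8", "replace").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok.startswith(KEY_TYPES):
                yield tok, tokens[i + 1], " ".join(tokens[i + 2:])
                break

def assess(file_bytes, hassh=None):
    """Alert on file/key indicators; report hassh only as supporting context."""
    strong, weak = set(), []
    if hashlib.sha256(file_bytes).hexdigest() == KNOWN_FILE_SHA256:
        strong.add("file_sha256")
    for _key_type, blob, comment in parse_keys(file_bytes):
        if blob in KNOWN_KEY_BLOBS:
            strong.add("key_blob")
        if KEY_COMMENT in comment:
            strong.add("key_comment")
    if hassh == KNOWN_HASSH:
        weak.append("hassh")
    return {"alert": bool(strong), "strong": sorted(strong), "weak": weak}

if __name__ == "__main__":
    # Constructed sample: an existing admin key plus an appended entry with the
    # campaign comment, seen from a client whose hassh is NOT the known one.
    sample = (b"ssh-ed25519 AAAAC3CONSTRUCTEDADMINKEY admin@example\n"
              b"ssh-rsa AAAAB3CONSTRUCTEDBLOB mdrfckr\n")
    print(assess(sample, hassh="0" * 32))
    # A benign file from a client that happens to share the hassh: no alert.
    print(assess(b"ssh-ed25519 AAAAC3CONSTRUCTEDADMINKEY admin@example\n", KNOWN_HASSH))
```

Because the whole-file hash changes as soon as the key is appended to an existing file, the per-entry comment and blob checks carry the detection in that case.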