Iranian‑Linked Botnet Activity Detected in Cowrie Honeypot Logs (Feb 2026)
What Happened – On 19 Feb 2026, two SANS ISC‑monitored Cowrie honeypots recorded an echo command containing the string “MAGIC_PAYLOAD_KILLER_HERE_OR_LEAVE_EMPTY_iranbot_was_here”. The same source IP, 64.89.161.198, was observed from 30 Jan to 22 Feb 2026 conducting port scans, one successful Telnet login (TCP/23), and interactions with a web honeypot.
Why It Matters for TPRM –
- Indicates active reconnaissance and credential‑spraying against internet‑exposed services that third‑party vendors may host.
- Demonstrates a possible Iran‑state‑linked botnet (“iranbot”) whose activity was observed across multiple sensors.
- Early‑stage activity that could evolve into credential‑theft, ransomware deployment, or supply‑chain compromise.
Who Is Affected –
- Any organization exposing Telnet, SSH, or web services to the internet (e.g., MSPs, cloud‑hosted SaaS, IoT device manufacturers).
Recommended Actions –
- Verify that all remote‑access services enforce strong, MFA‑protected authentication; disable plain‑text Telnet where possible.
- Review firewall and IDS/IPS rules for outbound connections to known malicious IPs (including 64.89.161.198).
- Conduct threat‑intel enrichment on the “iranbot” indicator set and update blocklists.
Technical Notes – The payload string appears to be a marker used by the botnet to confirm successful compromise. Activity was captured via Cowrie (SSH/Telnet honeypot), a web honeypot, and iptables logs. No CVE is associated; the vector is likely credential‑spraying or brute‑force on Telnet.
Source: SANS ISC Diary – Interesting Message Stored in Cowrie Logs (Mar 18 2026)
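The following is an added example, not code from the SANS ISC diary or from the Cowrie project, showing how a defender could turn the indicators above (the “iranbot_was_here” marker in a shell command and the 64.89.161.198 source IP) into a detection over Cowrie’s JSON event log and derive a blocklist candidate set. The log lines are constructed for the example; the field names (eventid, src_ip, input, session, timestamp) follow Cowrie’s cowrie.json output format. Adapting it to a real deployment means reading cowrie.json from disk and feeding the findings to whatever ticketing or blocklist workflow the TPRM team uses.

```python
import json
from typing import Iterator

# Indicators taken from the summary above.
MARKER_SUBSTRING = "iranbot_was_here"
KNOWN_SOURCE_IPS = {"64.89.161.198"}

# Constructed sample of Cowrie JSON log lines (not real honeypot data).
# Field names follow Cowrie's cowrie.json format; one malformed line is
# included to show that the parser tolerates it.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"64.89.161.198","dst_port":23,"session":"a1b2c3d4","timestamp":"2026-02-19T03:14:07.000000Z"}
{"eventid":"cowrie.login.success","src_ip":"64.89.161.198","username":"root","password":"admin","session":"a1b2c3d4","timestamp":"2026-02-19T03:14:09.000000Z"}
{"eventid":"cowrie.command.input","src_ip":"64.89.161.198","input":"echo MAGIC_PAYLOAD_KILLER_HERE_OR_LEAVE_EMPTY_iranbot_was_here","session":"a1b2c3d4","timestamp":"2026-02-19T03:14:11.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"admin","password":"123456","session":"e5f6a7b8","timestamp":"2026-02-19T04:00:00.000000Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.9","input":"uname -a","session":"c9d0e1f2","timestamp":"2026-02-19T05:30:00.000000Z"}
this line is not JSON and must not abort the scan
"""


def parse_cowrie_lines(text: str) -> Iterator[dict]:
    """Yield one dict per well-formed JSON line; skip blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            # A corrupt line should not stop processing of the rest of the log.
            continue


def classify_event(event: dict) -> list[str]:
    """Return the list of detection reasons that apply to a single Cowrie event."""
    reasons = []
    if event.get("src_ip") in KNOWN_SOURCE_IPS:
        reasons.append("known_source_ip")
    if event.get("eventid") == "cowrie.command.input" and MARKER_SUBSTRING in event.get("input", ""):
        reasons.append("iranbot_marker")
    if event.get("eventid") == "cowrie.login.success":
        # Any successful honeypot login is noteworthy on its own: the
        # credentials used were accepted by a service nobody should reach.
        reasons.append("honeypot_login_success")
    return reasons


def scan_cowrie_log(text: str) -> list[dict]:
    """Scan a Cowrie JSON log and return one finding per event that matched."""
    findings = []
    for event in parse_cowrie_lines(text):
        reasons = classify_event(event)
        if reasons:
            findings.append({
                "timestamp": event.get("timestamp"),
                "src_ip": event.get("src_ip"),
                "session": event.get("session"),
                "eventid": event.get("eventid"),
                "reasons": reasons,
            })
    return findings


def blocklist_candidates(findings: list[dict]) -> set[str]:
    """Source IPs that either planted the marker or achieved a login.

    Matching solely on the known-IP list is excluded here so that the output
    can also surface *new* addresses exhibiting the same behaviour.
    """
    behavioural = {"iranbot_marker", "honeypot_login_success"}
    return {
        f["src_ip"] for f in findings
        if f["src_ip"] and behavioural.intersection(f["reasons"])
    }


if __name__ == "__main__":
    results = scan_cowrie_log(SAMPLE_LOG)
    for finding in results:
        print(json.dumps(finding))
    print("blocklist candidates:", sorted(blocklist_candidates(results)))
```

The marker match is a substring test on the command input rather than an exact string match, so variants that change the prefix but keep the “iranbot_was_here” tag still fire; the known-IP match is kept separate from the behavioural matches so that a review can distinguish “we already knew this address” from “a new address is doing the same thing”.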