HomeIntelligenceBrief
BREACH BRIEF🟡 Medium ThreatIntel

Iranian‑Linked Botnet Activity Detected in Cowrie Honeypot Logs (Feb 2026)

SANS ISC observed a unique payload marker and successful Telnet login from IP 64.89.161.198 across multiple sensors, suggesting an Iran‑state‑linked botnet probing internet‑exposed services. TPRM teams should verify remote‑access controls and block malicious indicators.

LiveThreat™ Intelligence · 📅 March 19, 2026· 📰 isc.sans.edu
🟡
Severity
Medium
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
3 recommended
📰
Source
isc.sans.edu

Iranian‑Linked Botnet Activity Detected in Cowrie Honeypot Logs (Feb 2026)

What Happened – On 19 Feb 2026, two SANS ISC‑monitored Cowrie honeypots recorded an echo command containing the string “MAGIC_PAYLOAD_KILLER_HERE_OR_LEAVE_EMPTY_iranbot_was_here”. The same source IP 64.89.161.198 was seen from 30 Jan to 22 Feb 2026 conducting port‑scans, a successful Telnet login (TCP/23) and web‑honeypot interactions.

Why It Matters for TPRM

  • Indicates active reconnaissance and credential‑spraying against internet‑exposed services that third‑party vendors may host.
  • Demonstrates a possible Iran‑state‑linked botnet (“iranbot”) capable of persisting across multiple sensors.
  • Early‑stage activity that could evolve into credential‑theft, ransomware deployment, or supply‑chain compromise.

Who Is Affected

  • Any organization exposing Telnet, SSH, or web services to the internet (e.g., MSPs, cloud‑hosted SaaS, IoT device manufacturers).

Recommended Actions

  • Verify that all remote‑access services enforce strong, MFA‑protected authentication; disable plain‑text Telnet where possible.
  • Review firewall and IDS/IPS rules for outbound connections to known malicious IPs (including 64.89.161.198).
  • Conduct threat‑intel enrichment on the “iranbot” indicator set and update blocklists.

Technical Notes – The payload string appears to be a marker used by the botnet to confirm successful compromise. Activity was captured via Cowrie (SSH/Telnet honeypot), a web‑honeypot, and iptables logs. No CVE is associated; the vector is likely credential‑spraying or brute‑force on Telnet. Source: SANS ISC Diary – Interesting Message Stored in Cowrie Logs (Mar 18 2026)

📰 Original Source
https://isc.sans.edu/diary/rss/32810

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →