Blog · 2026-05-31
Mapping operations by how concentrated their fingerprint is
A client fingerprint is reused even as an operation rotates its IPs. Measuring how concentrated each fingerprint is across networks and ports turns a manual hunt into a live page. Among the thirteen it surfaces is the Viettel SSH botnet we mapped by hand earlier.
A client fingerprint is a property of the software, not of the address it arrives from, so an operation that rents fresh hosts keeps presenting the same JA4, JA4H, or HASSH while its IPs rotate underneath it. How that one fingerprint is spread across networks and ports is what separates a coordinated operation from a broad scanner. We built a page that measures it for every fingerprint our sensors see and surfaces the concentrated ones. Of 112 client fingerprints over the last thirty days, thirteen are concentrated the way a single operation is, including the Viettel SSH botnet we tracked down by hand earlier.
We have spent a few posts now pulling single operations out of honeypot noise, once by correlating the back ends that droppers fetch from, once by chasing a single SSH client pinned to one Vietnamese carrier. Both hunts ended in the same place. The thing that gives an operation away is the part the operator reuses, and the client fingerprint is one of the cheapest of those to reuse, because rebuilding the tool is more effort than burning an address. Each of those investigations took an afternoon of querying. The obvious next question is whether the same shape can be measured on a schedule, so the interesting fingerprints surface on their own instead of waiting for someone to go looking.
the shape of an operation
Group thirty days of traffic by client fingerprint and ask three things of each one: how many source IPs carry it, how many separate networks those IPs sit on, and how many destination ports they touch. A popular library answers the first question with a big number and the second with another big number, because common tooling runs from everywhere. libssh and the Go SSH client turn up on hundreds of addresses scattered over a hundred or more autonomous systems. A scanner answers the third question with a big number too, since sweeping a wide range of ports is the whole job of scanning.
An operation answers all three differently. It carries one fingerprint across many addresses, the way a botnet does, while those addresses stay penned inside one or two networks and aim at a single service. That combination of many IPs, few networks, and few ports is the signature we sort for. The port count does most of the work, because it draws the cleanest line between a focused operation and a crawler that touches everything.
Plotting source IPs against networks lays the whole population out at once. The grey dots to the right are the ordinary internet, fingerprints smeared across tens or hundreds of networks, with the widest in this view reaching 267 of them. The cyan dots inside the shaded box are the ones that stay narrow while still carrying a real population: at least twenty source IPs, no more than four networks, no more than six ports. Thirteen fingerprints land there at the moment.
what floats to the top
Ranking the concentrated set by how tight it is puts a few recognisable shapes near the top. Two of the leaders are HTTP fingerprints carried by Google-hosted addresses, one across 170 IPs and one across 80, each confined to a single network and one or two high ports, 5984 and 5986. The third is the SSH botnet from the earlier writeup, the HASSH fda360... value, 132 Viettel addresses across two networks, all of them speaking to port 22 and nothing else. It surfaced on its own, without anyone telling the page to look for it, which was the whole reason for building this.
where the IPs live
A concentrated fingerprint on its own will not tell you whether you are looking at compromised home routers or a rack of rented cloud instances, and those two mean very different things. We tag each candidate with the kind of network its addresses sit on, drawn from a public classification of autonomous systems. Consumer broadband concentration is the classic botnet shape, a population of small devices behind a single carrier, which is exactly what the Viettel cluster is. Concentration on content or hosting networks points instead at rented infrastructure or at a provider's own automation. Of the thirteen candidates today, one sits on consumer broadband, six on content networks, one on an education network, and the rest fall in unclassified space. The tag decides nothing for you. It tells you which question to ask first.
where it can mislead you
These are candidates, and the page says so in plain words. A high concentration score is a reason to open a fingerprint and read its population, never a verdict that the operation behind it is hostile. A good deal of tight traffic on cloud networks is a security vendor scanning from a small block, which is why we drop fingerprints that classify as known research or commercial scanners, the Censys and Onyphe and Shodan of the world, before anything reaches the list. Some of what survives on hosting networks will still be ordinary automation we have not catalogued. The thresholds are set conservatively, so the page would sooner miss a real operation than fill itself with noise, and the judgement stays with whoever opens the population behind a dot.
checking it for yourself
The page is live at /campaigns, recomputed every hour over a rolling thirty-day window, and every dot links straight to the population behind its fingerprint so you can read the IPs, networks, and ports yourself. If you keep your own honeypot or proxy logs, the measurement is easy to reproduce. Compute a client fingerprint for each connection, group a month of traffic by it, and count the distinct source IPs, networks, and destination ports for each fingerprint. Sort for the ones where the IP count runs high while the network and port counts stay low. The concentrated operations come out of that sort on their own.
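To reproduce the measurement on your own logs, here is an added Python example (not the page's own code) that groups constructed connection records by fingerprint, counts distinct IPs, networks and ports, applies the thresholds quoted above, drops a hypothetical list of known scanners and tags the network kind from a hypothetical classification table. The tightness score used for ranking is an assumption of this example, not the page's formula.

```python
from collections import defaultdict

# Thresholds quoted in the post: at least 20 IPs, at most 4 networks, at most 6 ports.
MIN_IPS, MAX_NETWORKS, MAX_PORTS = 20, 4, 6

# Hypothetical tables standing in for the post's scanner filter and AS classification.
KNOWN_SCANNERS = {"ja4_scanner_example"}
NETWORK_KIND = {"AS-BROADBAND-1": "consumer", "AS-BROADBAND-2": "consumer",
                "AS-CLOUD-1": "content"}


def summarise(records):
    """Group (fingerprint, src_ip, network, dst_port) rows by fingerprint."""
    seen = defaultdict(lambda: (set(), set(), set()))
    for fp, ip, net, port in records:
        ips, nets, ports = seen[fp]
        ips.add(ip)
        nets.add(net)
        ports.add(port)
    return seen


def concentrated(records):
    """Candidates with many IPs, few networks, few ports, tightest first.
    Score = IPs per (network, port) pair is our own tightness measure (assumption)."""
    out = []
    for fp, (ips, nets, ports) in summarise(records).items():
        if fp in KNOWN_SCANNERS:
            continue  # drop catalogued research and commercial scanners first
        if len(ips) >= MIN_IPS and len(nets) <= MAX_NETWORKS and len(ports) <= MAX_PORTS:
            out.append({"fp": fp, "ips": len(ips), "networks": len(nets), "ports": len(ports),
                        "kinds": sorted({NETWORK_KIND.get(n, "unclassified") for n in nets}),
                        "score": len(ips) / (len(nets) * len(ports))})
    return sorted(out, key=lambda c: c["score"], reverse=True)


def constructed_records():
    """Constructed sample traffic: one botnet shape, one library, one sweeper, one vendor."""
    recs = []
    for i in range(25):  # botnet: 25 IPs on two broadband networks, port 22 only
        recs.append(("hassh_botnet", f"10.0.0.{i}", f"AS-BROADBAND-{i % 2 + 1}", 22))
    for i in range(30):  # popular library: 30 IPs spread over 30 networks
        recs.append(("hassh_library", f"10.1.0.{i}", f"AS-MIXED-{i}", 22))
    for i in range(25):  # port sweeper: 25 IPs in one network, but 40 ports
        recs.extend(("ja4_sweeper", f"10.2.0.{i}", "AS-CLOUD-1", 1000 + p) for p in range(40))
    for i in range(25):  # known scanner vendor: concentrated, but filtered out
        recs.append(("ja4_scanner_example", f"10.3.0.{i}", "AS-CLOUD-1", 443))
    return recs
```

Running `concentrated(constructed_records())` returns only the botnet-shaped fingerprint; the library fails the network cap, the sweeper fails the port cap, and the vendor is filtered before scoring.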
The AsyncSSH botnet took an afternoon of querying to pin down the first time. The same shape now appears on a page that refreshes itself, next to twelve others we had never gone looking for. None of them are proven campaigns yet, and turning a candidate into a confirmed operation is still manual work. The difference is that the looking happens on its own now, and the fingerprints worth a second glance no longer have to wait for someone to come find them.