root@rebel:~$ cd /news/threats/analysis-of-iranbot-message-in-cowrie-honeypot-logs_
[TIMESTAMP: 2026-03-19 04:43 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: INFO]

Analysis of 'iranbot' Message in Cowrie Honeypot Logs

INFO | Threat Intel | #Cowrie #honeypot #Telnet
AI-Assisted Analysis
READ_TIME: 5 min read
// executive briefing tl;dr
  • [01] Honeypot logs show potential reconnaissance, successful Telnet login, and a unique 'iranbot' payload string.
  • [02] Cowrie honeypots and DShield sensors recorded suspicious activity on February 19, 2026.
  • [03] Monitor honeypot activity for patterns and ensure production systems are secured against insecure protocols like Telnet.

A recent observation within Cowrie honeypot logs has revealed an intriguing string, "MAGIC_PAYLOAD_KILLER_HERE_OR_LEAVE_EMPTY_iranbot_was_here", alongside other indicators of reconnaissance and attempted access. This activity, initially identified and reported by BACS student Adam Thorman, offers a glimpse into potential adversary TTPs and the value of honeypot deployments in threat intelligence gathering, as detailed by the SANS Internet Storm Center (ISC) Handler's Diary.

The recorded events suggest a methodical approach by an unknown entity, probing exposed services and leaving behind a unique marker. While the activity occurred on simulated environments, it provides valuable insights for defenders seeking to understand initial access vectors and reconnaissance tactics used by adversaries.

Technical Details of Observed Honeypot Activity

The primary indicator of compromise (IoC) from this incident is the specific echo command payload containing the iranbot_was_here string, logged on February 19, 2026. This message was detected by at least two DShield sensors configured with Cowrie honeypots. The use of a distinct string suggests either an attempt at self-attribution, a calling card, or perhaps a test by a specific group to confirm successful execution within a target environment.

Beyond this peculiar message, the source IP 64.89.161.198 exhibited a broader range of activities against the DShield sensor between January 30 and February 22, 2026. These activities included:

  • Portscans: General network scanning to identify open ports and services, a common preliminary step in reconnaissance. This aligns with MITRE ATT&CK technique T1046 (Network Service Discovery).
  • Successful Telnet Login (TCP/23): A successful authentication attempt was observed against the honeypot’s Telnet service. While this occurred on a honeypot, it highlights the continued risk associated with legacy, unencrypted protocols like Telnet. Adversaries frequently target such services for initial access, often leveraging weak or default credentials, or even credential stuffing. This could be mapped to T1078 (Valid Accounts) for initial access.
  • Web Access: General web requests were also observed, indicating further exploration of accessible services.

The Cowrie honeypot, designed to emulate SSH and Telnet services, successfully captured these interactions, providing forensic data on the commands executed post-login. This capability is crucial for understanding an attacker’s immediate actions following initial compromise, even in a simulated environment.

Detecting and Analyzing ‘iranbot’ Activity in Honeypots

Security professionals looking to detect the iranbot marker, or similar custom payloads, in honeypot logs need robust logging and regular review of what the honeypot captures. The iranbot_was_here string serves as a clear IoC for this specific campaign. Organizations leveraging honeypots should configure their SIEM or logging solutions to alert on this particular string or similar patterns indicative of unique adversary markings.

The successful Telnet login, even to a honeypot, underscores the persistent danger of unencrypted access methods. Monitoring for attempts to connect to or authenticate against Telnet (or other insecure protocols like FTP, Rlogin, etc.) on any network segment is critical, regardless of whether a full compromise is expected.

Implications and Recommendations for Defenders

While the observed activity was confined to honeypot environments, it offers practical insights into potential threats. Adversaries, including those using the iranbot string, are actively conducting reconnaissance and attempting initial access. Defenders should prioritize hardening perimeter defenses and continuously monitoring for similar TTPs.

Cowrie Honeypot Security Monitoring Best Practices

To monitor a Cowrie honeypot effectively, organizations should:

  • Regularly Analyze Logs: Beyond automated alerts, conduct periodic manual analysis of honeypot logs to identify novel attack patterns, new IoCs, or previously unknown attacker behaviors.
  • Integrate with SIEM: Forward honeypot logs to a central SIEM for correlation with other security event data, allowing for a broader understanding of attack campaigns and potential pivots to production environments.
  • Custom Signatures: Develop custom signatures or rules based on unique strings like iranbot_was_here to immediately flag future occurrences.
  • Geolocation and IP Reputation: Incorporate geolocation data and IP reputation services to contextualize incoming connections to honeypots.

Telnet Successful Login Detection and Prevention

Preventing and detecting successful Telnet logins on production systems is paramount. Even though this incident involved a honeypot, it serves as a stark reminder. Key actions include:

  • Disable Telnet: Completely disable Telnet on all production systems. Replace it with secure, encrypted alternatives like SSH for remote access.
  • Strong Authentication: Implement multi-factor authentication (MFA) and strong, unique passwords for all administrative interfaces and services that require remote access.
  • Network Segmentation: Utilize network segmentation to isolate critical assets and restrict management interfaces to specific administrative networks.
  • Monitor Authentication Logs: Continuously monitor authentication logs for unusual login attempts, brute-force attacks, or successful logins from suspicious IP addresses. Implement alerts for failed login attempts (e.g., three failed attempts within a minute) to detect potential brute-force activities. Solutions like EDR or SIEM can greatly assist here.
  • Least Privilege and Zero Trust: Apply the principle of least privilege to user accounts and adopt a Zero Trust architecture, ensuring that every access request is verified regardless of its origin.
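As an added example (not code from the ISC diary or the Cowrie project), the following Python script covers both the marker-string alert discussed under detection above and the three-failed-attempts-in-a-minute threshold from the list just above: it reads lines in Cowrie's JSON log format (cowrie.json), flags the iranbot marker in executed commands, flags successful logins on Telnet sessions, and raises a brute-force alert when a source IP fails authentication three times within one minute. The log lines are constructed for this example; the second source IP is a documentation-range placeholder.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Marker string quoted in the ISC diary; matching on it catches the full echo payload.
MARKER = "iranbot_was_here"

# Constructed sample lines shaped like Cowrie's cowrie.json events (eventid, timestamp,
# src_ip, session, protocol, username/password, input). Session ids, times and
# credentials are made up; 198.51.100.7 is a documentation-range placeholder.
SAMPLE_LOG = """
{"eventid":"cowrie.session.connect","timestamp":"2026-02-19T04:40:00.000000Z","src_ip":"64.89.161.198","session":"s1","protocol":"telnet"}
{"eventid":"cowrie.login.failed","timestamp":"2026-02-19T04:40:05.000000Z","src_ip":"64.89.161.198","session":"s1","username":"root","password":"1234"}
{"eventid":"cowrie.login.failed","timestamp":"2026-02-19T04:40:20.000000Z","src_ip":"64.89.161.198","session":"s1","username":"root","password":"admin"}
{"eventid":"cowrie.login.failed","timestamp":"2026-02-19T04:40:35.000000Z","src_ip":"64.89.161.198","session":"s1","username":"root","password":"12345"}
{"eventid":"cowrie.login.success","timestamp":"2026-02-19T04:40:50.000000Z","src_ip":"64.89.161.198","session":"s1","username":"root","password":"root"}
{"eventid":"cowrie.command.input","timestamp":"2026-02-19T04:40:55.000000Z","src_ip":"64.89.161.198","session":"s1","input":"echo MAGIC_PAYLOAD_KILLER_HERE_OR_LEAVE_EMPTY_iranbot_was_here"}
{"eventid":"cowrie.login.failed","timestamp":"2026-02-19T05:00:00.000000Z","src_ip":"198.51.100.7","session":"s2","username":"admin","password":"admin"}
"""


def analyze(log_text, threshold=3, window=timedelta(minutes=1)):
    """Return a list of (alert_type, src_ip, detail) tuples in log order."""
    alerts = []
    protocol_by_session = {}          # session id -> "telnet" / "ssh"
    failures = defaultdict(list)      # src_ip -> timestamps of recent failed logins
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        ip, kind = ev["src_ip"], ev["eventid"]
        if kind == "cowrie.session.connect":
            protocol_by_session[ev["session"]] = ev.get("protocol", "ssh")
        elif kind == "cowrie.login.failed":
            # Sliding window: keep only failures from the last `window`, then add this one.
            recent = [t for t in failures[ip] if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) == threshold:  # fires when the threshold is first reached
                alerts.append(("bruteforce", ip, f"{threshold} failed logins within {window}"))
        elif kind == "cowrie.login.success":
            if protocol_by_session.get(ev["session"]) == "telnet":
                alerts.append(("telnet_login", ip, f"user={ev['username']}"))
        elif kind == "cowrie.command.input" and MARKER in ev.get("input", ""):
            alerts.append(("marker", ip, ev["input"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert, sep=" | ")
```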

By proactively monitoring honeypot activities and rigorously securing production infrastructure, organizations can significantly reduce their attack surface and enhance their ability to detect and respond to emerging threats, even those signalled only by a cryptic marker left in a honeypot log.
