SSH-Snake
SSH-Snake is a self-modifying, fileless, self-propagating SSH worm released on 4 January 2024. It is implemented as a bash shell script that autonomously searches a compromised host for SSH private keys, credentials, and related artifacts, including shell history files such as .bash_history. It uses discovered SSH credentials to laterally move to additional systems over SSH, copies itself to those systems, and repeats the process. On first run, it modifies itself by removing comments, whitespace, and unnecessary functions to reduce size. Reported target-discovery sources include shell history as well as commands such as last and arp. Sysdig reported that SSH-Snake has been used in active offensive operations and identified attacker infrastructure storing per-victim output files; observed collected data included discovered credentials, target IP addresses, and victims’ bash history. Sysdig assessed with high confidence that operators deploying SSH-Snake were exploiting known Atlassian Confluence vulnerabilities for initial access in many cases, although other exploits may also have been used. The malware has been associated with the CRYSTALRAY threat actor/campaign cluster, which used SSH-Snake for lateral movement as part of broader operations involving credential theft and cryptominer deployment. Reported victim counts grew from roughly 100 in early observations to campaigns later associated with more than 1,500 victims. High-confidence behavioral indicators mentioned in the content include SSH connections from compromised hosts, reads of sensitive files, searching for private keys or passwords, and harvesting of bash history and SSH-related artifacts.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Released on 4 January 2024, SSH-Snake is a self-modifying worm that leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Stealth
1 technique"...modifies itself when it is first run... All comments, whitespace, and unnecessary functions are removed... allows it to remain fileless."
Credential Access
2 techniques"SSH-Snake ... autonomously searches the system it is run on for SSH credentials. Once credentials are found, the script attempts to log into the target system..."
"...automatically searches through known credential locations and shell history files..." and "find_from_bash_history , where commands of ssh , scp , and rsync are searched for and parsed."
Discovery
1 technique"...perform automatic network traversal... creating a comprehensive map of a network and its dependencies..." and "...it looks at sources of information, including last and arp to gather target data."
Lateral Movement
1 technique"SSH-Snake is a self-modifying worm that leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network."
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Self-modifying SSH worm that harvests SSH keys/credentials and shell history from compromised hosts, propagates laterally via SSH to additional systems, and exfiltrates collected data to a C2 server.
A self-modifying, fileless Bash-based worm/tool that performs automated network traversal and mapping by harvesting SSH private keys/credentials (from common key locations and shell history), using them to SSH into additional hosts, copying itself to those hosts, and repeating the process. It also exfiltrates/records discovered credentials, target IPs, and bash history for operator follow-on activity.
SSH-Snake is a worm that propagates via SSH, used to automate credential theft and lateral movement across networks, often as part of cryptomining campaigns.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.