NorthQuinn
research.northquinn.com
NorthQuinn Inc.

Threat Intelligence Research

Primary research and threat actor analysis published by NorthQuinn Inc. All findings submitted through responsible disclosure channels before publication.

TLP:CLEAR -- Approved for unrestricted community distribution per FIRST TLP 2.0
8.29M Events Collected
6,516 Malicious Actors
15 C2 Servers
12 Malware Samples
Responsible Disclosure: All IOCs and novel findings in NorthQuinn research are submitted to Shadowserver Foundation, CISA ICS-CERT, VirusTotal, and AbuseIPDB prior to publication. Malware samples are submitted to VirusTotal and MalwareBazaar for community benefit.
Publications
May 2026 NQ-TIR-2026-001

Threat Actors in the Wild: A 10-Day Observational Study of Malicious SSH, ICS, and Botnet Activity Against Internet-Exposed Infrastructure

A structured 10-day collection study documenting 8,292,401 events across 6,516 confirmed malicious actors, 15 C2 servers, and 12 malware samples captured against internet-exposed ICS-persona infrastructure. Findings include a previously undocumented Outlaw botnet SSH backdoor key (SHA256:MkYY9qiVsFGBC5WkjoClCkwEFW5iSjcGQF7m4n4H7Cw) not present in any existing threat intelligence database at time of discovery, Solana ecosystem credential targeting, and a disciplined APT-tier reconnaissance cluster operating across Google Cloud, Alibaba, and Viettel infrastructure. All findings submitted to Shadowserver Foundation, CISA ICS-CERT, VirusTotal, and AbuseIPDB through responsible disclosure channels before publication.

Tags: Botnet, SSH, Outlaw, Mirai, Mozi, ICS/SCADA, C2, APT, HASSH, Responsible Disclosure
NQ-TIR-2026-001-A Technical Addendum

Extended behavioral analysis: 18 novel Mirai/Mozi beacon strings (first documented), full Outlaw attack chain reconstruction across 26 sessions, Solana credential wordlist breakdown, HASSH cluster deep-dive including post-quantum Tor-routed actor, TCP/IP pivot session analysis, YARA detection rules, and net-new IOC catalogue.

May 2026 NQ-HOW-2026-001

Overriding Cowrie’s Default Process List in Docker: A Root Cause Analysis

A non-obvious interaction between Docker’s VOLUME instruction in the Cowrie base image, Python’s ConfigParser interpolation, and anonymous volume lifecycle behavior silently prevents custom process lists from loading. The result is a working honeypot serving the stock Cowrie default process list to every attacker — with no error output to indicate the failure. This paper presents the complete root cause chain and a tested fix that works reliably across multi-container honeynet deployments.

Tags: Cowrie, Docker, Honeypot, ICS, Honeynet, Root Cause Analysis, Operator Tooling