Based on the sensors reporting to ISC, this activity started on 13 Jan 2026. My own sensor started seeing the first scan on 21 Jan 2026, with a limited number of probes. So far, this activity has been limited to a few scans, based on the reports available in ISC [5] (select Match Partial URL and Draw):

This is a sample of the paths the actors are requesting. Each one uses $(pwd), POSIX shell command substitution, in place of a directory name, so the literal string only resolves to a real path on a server that evaluates the request path in a shell; the targets are secrets and infrastructure files (.env variants, Terraform state, Docker Compose and Netlify configuration):
/$(pwd)/.env.staging
/$(pwd)/.env.development
/$(pwd)/.env.production
/$(pwd)/.env.local
/$(pwd)/.env
$(pwd)/terraform.tfstate
/$(pwd)/docker-compose.yml
/$(pwd)/netlify.toml
This Gephi graph shows the relationship of each probed URL by the two IP addresses:

Kibana ES|QL Query
FROM cowrie*
| WHERE event.reference == "no match"
| KEEP related.ip, http.request.body.content
| WHERE http.request.body.content IS NOT NULL
// match the literal $(pwd) substitution anywhere in the request
| WHERE http.request.body.content RLIKE ".*\\/\\$\\(pwd\\).*"
// one row per source IP and distinct request, with its hit count
| STATS COUNT(http.request.body.content) BY related.ip, http.request.body.content
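The following Python script is an added example, not part of the original diary or of the sensor's own tooling. It reproduces the logic of the ES|QL query above over a handful of constructed honeypot records (the sample events, IP addresses and field layout are assumptions for illustration; the field names mirror the query), and it also covers the path list earlier in the diary: it decodes URL-encoded variants such as %24%28pwd%29 before matching, which the literal RLIKE pattern would miss, and reports which target files were requested.

```python
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote

# $(pwd) is POSIX shell command substitution; match it with optional inner whitespace.
PWD_SUBST = re.compile(r"\$\(\s*pwd\s*\)")

# Constructed sample records (NOT real sensor data). Field names follow the ES|QL query;
# the request field is assumed to hold the raw request line.
SAMPLE_EVENTS = [
    {"related.ip": "203.0.113.10", "event.reference": "no match",
     "http.request.body.content": "GET /$(pwd)/.env HTTP/1.1"},
    {"related.ip": "203.0.113.10", "event.reference": "no match",
     "http.request.body.content": "GET /$(pwd)/.env.production HTTP/1.1"},
    {"related.ip": "203.0.113.10", "event.reference": "no match",
     "http.request.body.content": "GET /$(pwd)/.env HTTP/1.1"},
    # URL-encoded form of $(pwd): a literal RLIKE ".*\$\(pwd\).*" would not match this
    {"related.ip": "198.51.100.7", "event.reference": "no match",
     "http.request.body.content": "GET /%24%28pwd%29/terraform.tfstate HTTP/1.1"},
    # plain .env probe without the substitution pattern: must not be counted
    {"related.ip": "198.51.100.7", "event.reference": "no match",
     "http.request.body.content": "GET /.env HTTP/1.1"},
    # empty body: dropped by the IS NOT NULL filter
    {"related.ip": "203.0.113.10", "event.reference": "no match",
     "http.request.body.content": None},
    # already matched by another rule: the query only keeps event.reference == "no match"
    {"related.ip": "203.0.113.10", "event.reference": "match",
     "http.request.body.content": "GET /$(pwd)/docker-compose.yml HTTP/1.1"},
]


def decode_request(raw: str) -> str:
    """URL-decode up to three times so %24%28pwd%29 (and double-encoded forms)
    collapse to the literal $(pwd) before matching."""
    cur = raw
    for _ in range(3):
        decoded = unquote(cur)
        if decoded == cur:
            break
        cur = decoded
    return cur


def extract_path(content: str) -> Optional[str]:
    """Return the path from a request line such as 'GET /x HTTP/1.1';
    fall back to the whole string if it is not a request line."""
    parts = content.split()
    if len(parts) >= 2 and parts[0].isalpha():
        return parts[1]
    return content or None


def is_pwd_probe(event: dict) -> bool:
    """Same filters as the ES|QL query, applied to the decoded request."""
    content = event.get("http.request.body.content")
    if event.get("event.reference") != "no match" or not content:
        return False
    return PWD_SUBST.search(decode_request(content)) is not None


def count_probes(events) -> Counter:
    """Equivalent of STATS COUNT(...) BY related.ip, request, keyed on the decoded path."""
    counts = Counter()
    for ev in events:
        if is_pwd_probe(ev):
            path = extract_path(decode_request(ev["http.request.body.content"]))
            counts[(ev["related.ip"], path)] += 1
    return counts


def targeted_files(events) -> list:
    """Sorted list of distinct file names requested via the $(pwd) pattern."""
    return sorted({path.rsplit("/", 1)[-1] for (_, path) in count_probes(events)})


if __name__ == "__main__":
    for (ip, path), n in sorted(count_probes(SAMPLE_EVENTS).items()):
        print(f"{n:4d}  {ip:15s}  {path}")
    print("files probed:", ", ".join(targeted_files(SAMPLE_EVENTS)))
```

Running it on the constructed sample yields two hits for /$(pwd)/.env and one each for /$(pwd)/.env.production and /$(pwd)/terraform.tfstate, the last only because the script decodes the request first. If a sensor stores paths URL-encoded, the RLIKE pattern in the query should be extended to cover the %24%28pwd%29 form as well.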
Indicators
Selecting either of the two source IPs, 185.177.72.52 [3] or 185.177.72.23 [4], shows its scanning activity for the /$(pwd)/ pattern in the ISC web logs.
We would also appreciate feedback and suggestions on which tool is being used to perform these scans. Please use our contact page to provide feedback.
[1] https://www.elastic.co/guide/en/elasticsearch/reference/8.19/esql-using.html
[2] https://gephi.org/
[3] https://isc.sans.edu/weblogs/sourcedetails.html?date=2026-01-21&ip=185.177.72.52
[4] https://isc.sans.edu/weblogs/sourcedetails.html?date=2026-01-25&ip=185.177.72.23
[5] https://isc.sans.edu/weblogs/urlhistory.html?url=LyQocHdkKS8uCg==
———–
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu