Ransomware & Malware

Malware Libraries Update: New LibSSH Version Seen in 2026

The malware game is stale. Or so you thought. This aging botnet, a relic from 2018, just dropped a new flavor of its attack.

Figure: a network diagram with a central node labelled 'mdrfckr campaign' connected to multiple external IP addresses, most carrying the older signature icon and one carrying the new, updated signature icon.

Key Takeaways

  • An established Shellbot campaign known as 'mdrfckr' has been observed using a new libSSH client version (0.11.x) in April 2026.
  • This new version corresponds to a novel hassh fingerprint (`03a80b21afa810682a776a7d42e5e6fb`), which may bypass older detection rules.
  • The campaign's core tactics, such as account hijacking and competitor cleanup, remain consistent, emphasizing the need for behavioral detection alongside signature updates.

Is your malware detection playbook stuck in the past? Good. Because the bad guys aren’t.

Here’s a malware library update that should make defenders sweat. The mdrfckr campaign. We’ve seen it. It’s old. It’s tired. It was first documented way back in 2018. Yet, here we are, in April 2026, and it’s still kicking. And now, it’s got a new trick up its sleeve.

The Same Old Song and Dance

This isn’t a brand new threat. Not by a long shot. The file hash? a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2. Seen it. The persistence string? mdrfckr. Heard that one too. This is the same persistent, annoying Shellbot artifact that’s been trawling the internet for years. It hijacks accounts, cleans up competition, the usual playbook. And the authorized_keys file? Unchanged for four years. Imagine that. Sticking with what works.

But Wait, There’s a Twist

The real story here, the tiny little detail that matters, is the libSSH client version. The campaign, which has been documented by the likes of Trend Micro and dissected on blogs like port22.dk, has been evolving its tools. Previously, we saw versions tied to libSSH 0.6.x and then 0.9.x. But now? My sensor caught it using libSSH 0.11.x.

This might sound like nitpicking. A minor version bump. But for detection engineers, it’s everything. Signatures tied to older SSH client versions? They’re blind to this new iteration. It’s like having a key that only fits half the locks. And guess which locks are now open?

The New Hassh: A Wake-Up Call

Between April 14th and April 21st, 2026, my DShield sensor logged 24 unique IPs using the mdrfckr campaign. All of them, every single one, advertised the SSH client banner SSH-2.0-libssh_0.11.1. This translates to a new hassh fingerprint: 03a80b21afa810682a776a7d42e5e6fb.

This new fingerprint doesn’t match any previously documented versions for this campaign. The previous hashes were 51cba57125523ce4b9db67714a90bf6e (libssh 0.6.x) and f555226df1963d1d3c09daf865abdc9a (libSSH 0.9.x). It’s a clear signal: attackers are updating their tools, and defenders need to keep pace.


Why Does This Matter for Detection?

This isn’t just about tracking a single botnet’s minor upgrade. It’s a broader commentary on the arms race. Attackers are constantly iterating. They find a successful method, like the mdrfckr campaign’s persistence and cleanup tactics, and then they slowly, methodically update the components that might get them detected. This libSSH update is precisely that. It’s a quiet evolution. A way to slip under the radar of signature-based detection that hasn’t been updated. The entire playbook — the disabling of security attributes, the account takeover, the cleanup of rivals — remains consistent. Only the flavor of the client library changes. This highlights the critical need for behavioral analysis and anomaly detection, not just static signatures. Relying solely on old IOCs is a fool’s errand.

The Shellbot’s Persistence

It’s frankly disheartening. Seven years of documented activity. Multiple threat intelligence firms have published on this. And still, it persists. The core techniques are ancient by internet standards. Account hijacking. Backdoors. Cleaning up rivals. The mdrfckr campaign embodies a certain stubborn, low-level malware persistence. It’s not sophisticated nation-state stuff, no zero-days here. It’s just… effective. And by updating its client library, it’s ensuring it remains effective against lazy or outdated security postures. This is the kind of persistent threat that grinds down defenses over time. It’s the drip, drip, drip of compromises that eventually leads to a flood.

Recommendations: Don’t Be the Weak Link

For those tasked with building detection rules, this is simple. If your rules are pinned to specific SSH client versions or older hassh fingerprints for this campaign, they’re already missing the mark. You need to update your signatures to include the new hassh: 03a80b21afa810682a776a7d42e5e6fb.

But more importantly, you need to look beyond the specific fingerprints. The core commands: chattr -ia .ssh, chpasswd, /tmp/secure.sh — these are the behaviors that are truly indicative. Are you monitoring for these? Are you alerting when these appear in sequence, especially after an SSH login? The mdrfckr campaign is a reminder that while shiny new exploits get all the press, the bread-and-butter of persistent threats is often just a subtle tweak of existing tooling.
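As an added example (not code from the original post or from the ISC report it summarises), here is a small Python detector that applies both recommendations above to a constructed log sample: a signature layer keyed on the three hassh values quoted in the post, with a catch-all for libssh client banners whose hassh is not yet on the list, and a behavioural layer that fires only when the three command markers appear in order from a source that completed an SSH login. The JSON record shape, the IP addresses and the sample command lines are assumptions made for illustration.

```python
import json

# Known mdrfckr hassh fingerprints, taken from the post above (labels as given there).
KNOWN_HASSH = {
    "51cba57125523ce4b9db67714a90bf6e": "libssh 0.6.x",
    "f555226df1963d1d3c09daf865abdc9a": "libssh 0.9.x",
    "03a80b21afa810682a776a7d42e5e6fb": "libssh 0.11.x",
}
# Post-login command markers the post calls out, expected in this order.
MARKERS = ("chattr -ia .ssh", "chpasswd", "/tmp/secure.sh")

# Constructed sample (not real sensor data): one JSON record per line, either a
# Zeek-like SSH session record ("type": "ssh") or a shell-audit record ("type": "cmd").
SAMPLE = """
{"type":"ssh","src":"198.51.100.7","client":"SSH-2.0-libssh_0.11.1","hassh":"03a80b21afa810682a776a7d42e5e6fb","auth_success":true}
{"type":"cmd","src":"198.51.100.7","cmd":"chattr -ia .ssh"}
{"type":"cmd","src":"198.51.100.7","cmd":"chpasswd"}
{"type":"cmd","src":"198.51.100.7","cmd":"sh /tmp/secure.sh"}
{"type":"ssh","src":"203.0.113.9","client":"SSH-2.0-libssh_0.12.0","hassh":"ffffffffffffffffffffffffffffffff","auth_success":false}
{"type":"ssh","src":"192.0.2.5","client":"SSH-2.0-OpenSSH_9.6","hassh":"11111111111111111111111111111111","auth_success":true}
{"type":"cmd","src":"192.0.2.5","cmd":"ls -la .ssh"}
"""

def records(text):
    """Parse newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def hassh_alerts(recs):
    """Signature layer: known fingerprints, plus a review alert for unseen libssh builds
    so the next version bump is not silently missed."""
    alerts = []
    for r in recs:
        if r.get("type") != "ssh":
            continue
        if r["hassh"] in KNOWN_HASSH:
            alerts.append((r["src"], "known-mdrfckr " + KNOWN_HASSH[r["hassh"]]))
        elif r["client"].startswith("SSH-2.0-libssh_"):
            alerts.append((r["src"], "unknown libssh build, review hassh " + r["hassh"]))
    return alerts

def behaviour_alerts(recs):
    """Behavioural layer: the three markers in sequence after a successful login
    from the same source; a failed login or an unrelated command does not count."""
    logged_in, progress, hits = set(), {}, []
    for r in recs:
        src = r["src"]
        if r.get("type") == "ssh" and r.get("auth_success"):
            logged_in.add(src)
            progress[src] = 0
        elif r.get("type") == "cmd" and src in logged_in:
            if MARKERS[progress[src]] in r["cmd"]:
                progress[src] += 1
                if progress[src] == len(MARKERS):
                    hits.append(src)
                    progress[src] = 0
    return hits
```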

FAQ

What is the mdrfckr campaign? It’s an old but persistent Shellbot malware campaign that hijacks SSH accounts, establishes persistence, and cleans up competing malware. It’s been active since at least 2018.

Will this new libSSH version be detected by existing antivirus software? It depends on the antivirus. Signature-based solutions might miss it if they haven’t been updated with the new hassh fingerprint (03a80b21afa810682a776a7d42e5e6fb). Behavioral detection may still catch it.

What should defenders do about the new libSSH version? Update detection signatures to include the new hassh and focus on behavioral indicators of the campaign’s commands and post-authentication activities.

Written by Maya Thompson, threat intelligence reporter. Tracks CVEs, ransomware groups, and major breach investigations.

Originally reported by SANS Internet Storm Center