Wormable Panchan Peer-to-Peer Botnet Harvests Linux Server Keys

Published: 23/11/2024   Category: security




The Japanese-language Panchan botnet has been discovered stealing SSH keys from Linux servers across Asia, Europe, and North America, with a focus on telecom and education providers.



A peer-to-peer (P2P) botnet and worm called Panchan has been actively breaching Linux servers and harvesting Secure Shell (SSH) keys to perform lateral movement — at times brute-forcing credentials.
That's according to researchers from Akamai, who discovered the botnet in late March. Written in Golang, it parses local SSH private keys and known hosts on each victim (using a static dictionary), then uses them to spread itself further.
While the operators could use the botnet for anything, Panchan is focused on a cryptojacking endgame for now.
"It is mostly a cryptojacker, so I don't think it's that dangerous. But it is unique," Akamai researcher Stiv Kupchik says. "P2P communication is not that common in malware, and the SSH key harvesting also seems pretty novel. Also, I don't think I've ever seen a Japanese threat actor."
The malware is believed to have Japanese origins (its name is a possible reference to Panchan Rina, the Japanese kickboxer), and focuses on attacking telecommunications and education providers in Asia, Europe, and North America.
From Kupchik's perspective, education was likely a highly targeted vertical because of the SSH-key harvesting aspect of the botnet.
"I have seen some victim institutes that were in the same country, or very close geographically," he says. "I think that academic collaborations between institutes might yield a higher percentage of shared SSH keys than in other verticals, so maybe that is the reason."
The malware, which deploys two miners, XMRig and nbhash, has a handful of unique technical features, according to the Akamai researchers. For one, it uses NiceHash for its mining pools and wallets. Because NiceHash is a regular wallet (using certain defined Bitcoin addresses for deposits) and not a blockchain wallet, Akamai was unable to see transaction and mining details to estimate the actual revenue that Panchan has earned.
Further, to hamper traceability, the cryptominers are dropped as memory-mapped files without any disk presence, and the cryptomining can be terminated if any process monitoring is detected.
There's also a "godmode" feature baked into the malware, in the form of an admin panel that can edit the mining configuration — another unique feature of Panchan, according to the firm.
Because the malware uses a basic list of default passwords to spread, Kupchik says one of the key steps security teams can take to stop the malware in its tracks is through password hardening.
"The dictionary that the malware uses to spread is extremely basic, so any non-default password should help thwart it," he explains. "Segmentation and access control can help mitigate the SSH key harvesting risk, and MFA can help as well."
He adds that Akamai has published indicators of compromise, queries, signatures, and scripts that organizations can use to test for infection.
The report also recommends continuous monitoring of virtual machine resources. Monitoring could alert security teams to suspicious activity since botnets focused on cryptojacking can raise machine resource usage to abnormal levels.
In the case of Panchan, resource usage monitoring would have also terminated the cryptomining entirely, according to the report.
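As an added defender-side check (not from the Akamai report or from Panchan's own code), the script below parses /proc/<pid>/maps for executable mappings that are backed by memfd objects or by files unlinked from disk, the fileless loading pattern described above; the sample maps text is constructed for illustration.

```python
"""Flag executable mappings with no file on disk (memfd-backed or unlinked)."""
import os
import re

# /proc/<pid>/maps row: address perms offset dev inode [pathname]
MAPS_RE = re.compile(r"^(\S+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")

def suspicious_mappings(maps_text):
    """Return (address, path, reason) for each executable mapping whose backing
    object is not a file on disk: "/memfd:<name> (deleted)" rows come from
    in-memory loading, "<path> (deleted)" rows from a file unlinked after mapping."""
    hits = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        addr, perms, path = m.groups()
        if "x" not in perms:            # only mappings that can execute
            continue
        if path.startswith("/memfd:"):
            hits.append((addr, path, "memfd-backed executable"))
        elif path.endswith("(deleted)"):
            hits.append((addr, path, "executable unlinked from disk"))
    return hits

def scan_proc(proc_root="/proc"):
    """Walk a live procfs; map pid -> suspicious executable mappings."""
    findings = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "maps")) as fh:
                hits = suspicious_mappings(fh.read())
        except OSError:                 # process exited or unreadable
            continue
        if hits:
            findings[int(pid)] = hits
    return findings

# Constructed sample (not a real Panchan capture): a memfd-loaded miner, a
# mapped-then-unlinked file, plus ordinary anonymous and on-disk rows.
SAMPLE_MAPS = """\
00400000-00a8c000 r-xp 00000000 00:05 1234567  /memfd:xmrig (deleted)
00c8c000-00d0f000 rw-p 0068c000 00:05 1234567  /memfd:xmrig (deleted)
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1c400000-7f3a1c500000 r-xp 00000000 08:01 99999  /tmp/.x (deleted)
7f3a1c3b0000-7f3a1c3d2000 r-xp 00000000 08:01 393217  /usr/lib/x86_64-linux-gnu/ld-2.31.so
7ffd5e1f2000-7ffd5e213000 rw-p 00000000 00:00 0  [stack]
"""
```

Run `scan_proc()` as root on a live host to get a pid-keyed report; any hit deserves a look at /proc/<pid>/exe and the process's CPU usage, which ties in with the resource-monitoring advice above.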
