Skip to content


Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.


Repository data for MMD-0062-2017 - Credential harversting by SSH Direct TCP Forward hacking attack (aka Strudels Attack)

For the recent ACTIVE (on-going) attacker network please visit the this Github's repo data. Explanation is in Threat report or read Q & A in Infosec Institute about Strudels attack.


Last update: Wed Mar 22 08:43:34 JST 2017

We now only maintained the "Red, Hot & Chili Network" list due to lack of resource.

Newer attacker network in AS49453 | | GLOBALLAYER | NL
Older attacker network is AS49981 | | WORLDSTREAM | NL 

We have received contacts from NCSC-NL (CERT NL) via CERT-BUND (CERT DE) to confirm that 
the hoster entity 3NT.COM's Abuse Team has terminated the related customer account(s) of 
Strudels attacker actor. We herewith report that 3NT.COM has been cleaned up, so 
you can remove the block for the 3NT.COM addresses. 

The list stays as per it is for the RECORD purpose, as evidence of cyber 
crime for the law enforcement who is now investigating the case.

Law enforcement can contact directly to the related CERT or hosters for the 
identification details used by the bad actors.

- Thank you - 

You can search IP addresses you want to check in this repository, to seek in which category it is classified in MMD-0062-2017 (attackers or victims).

Cyber crime diagram to explain the mass credential stealing scheme: