SSH LLM Honeypot caught a real threat actor (beelzebub.ai)

A low-code SSH honeypot that uses an LLM to emulate interactive shells (Beelzebub configured with an OpenAI key and gpt-4o) successfully trapped a real threat actor. The attacker (IP 45.175.100.69) logged in with admin/123456, ran standard reconnaissance (uname, uptime, nproc), and downloaded multiple payloads from deep-fm.de—including a Perl backdoor named “sshd” and an emech package. Attempts to run the payloads revealed permission issues, chmod and sudo attempts, and ultimately the Perl backdoor’s source exposed an IRC-based command-and-control: ix1.undernet.org:6667 with channels #rootbox and #c0d3rs-TeaM, admin "warlock`", hostauth “terr0r.users.undernet.org”, and a “rootbox PerlBot v2.0” signature. The researcher used those artifacts to join the channel and reported it to Undernet to disrupt the botnet. For the AI/ML and security community this demonstrates that LLM-driven honeypots can convincingly emulate SSH interactions, lure real operators, and harvest high-value telemetry (payloads, C2, TTPs) without full manual intervention. The Beelzebub example is easily deployed (single YAML service file, docker-compose) and highlights both an operational capability for automated threat intel and safety considerations: captured binaries must be handled safely and responses coordinated with network providers/IRC admins to avoid collateral effects. This case underscores LLM honeypots as practical tools for attribution and active disruption when combined with traditional malware analysis.