The Signal in the Noise
It started with reconnaissance. I noticed a cluster of IPs scanning specifically for .env files, .git configs, and neglected development environments. Unlike the usual PHP-based "spray and pray" attacks, this felt surgical. AI analysis suggested this was specialized reconnaissance tailored to the framework I was running.
Since I don’t keep sensitive configs in my production environment, I decided to provide the attacker with exactly what they were looking for. I created fake .env and .git/config files and loaded them with fake credentials, including canary tokens.
It took a few days, but the scanner eventually bit. They downloaded the files and used the credentials.
When the credentials were run, I caught the IP. While the IP was linked to a VPN, the User Agent was the first major "tell." It was a high-level Linux server and not the typical disposable cloud instance you see from automated botnets. This suggested a more permanent setup or a dedicated workstation.
I searched that VPN IP and hit a breakthrough. It was linked to a high-profile account on PTT. The IP had been used as a security verification for signing onto that account and had been associated with the user for years.
The profile handle used a feminine name, and early analysis of the metadata suggested a female persona. However, the linguistic style and the nature of the posts felt male.
I took that username to Twitter to see if the identity crossed platforms. I found a coding guy for PTT explaining the specific meaning behind that username in a post. This was the missing link that connected the handle to an individual.
His primary language of choice was Python.
He frequently discussed and built scraper tools and bots for people to use.
All of this matched the User Agent from the logs, which was hitting my server. The combination of the persistent VPN IP, the specific tech stack, and the unique username closed the loop. What started as a scan led to a developer's professional and social presence.
Seeking Advanced Tooling / Advice
I’m looking to evolve this "Active Defense" setup. I’ve proven that profiling the psychology and infrastructure works, but I need higher-level tools for the next phase.
Advanced Honey-Logic: Does anyone have recommendations for "Active" honey-files? I’m looking for decoys (like .zip or .env files) that don't just alert on a download, but can trigger a metadata-grab or a "call-home" when processed on the attacker’s machine.
Infrastructure Mapping: What are the best methods for tracking an actor once they realize they’ve been "burned" and shift to purely ephemeral cloud instances?
OSINT Learning Resources: Any suggestions for resources that focus on the crossover between Infrastructure Analysis and Linguistic/Behavioral Profiling?
If you’ve handled similar "Craftsman" level actors, I’d love to hear about your workflow or any scripts you recommend for better tracking.
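The decoy .env / .git/config setup described in the post, reduced to the defender-side pieces that can be checked locally: minting a canary secret, rendering the bait file around it, flagging every successful fetch of a decoy path in a web access log, and matching a later credential attempt against the canary set. This is an added example, not the poster's own script; the log lines are constructed, and the combined log format, paths and function names are assumptions.

```python
"""Decoy-file monitoring (added example; constructed sample data)."""
import re
import secrets

# Paths the bait files are served from (assumed; adjust to your deployment).
DECOY_PATHS = {"/.env", "/.git/config"}

# nginx/Apache "combined" access log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def new_canary(prefix="CANARY"):
    """Random token: any later appearance of it can only have come from the decoy."""
    return f"{prefix}_{secrets.token_hex(12)}"


def render_decoy_env(canary):
    """Plausible-looking .env whose only 'secret' is the canary token."""
    return (
        "APP_ENV=production\n"
        "DB_HOST=127.0.0.1\n"
        f"DB_PASSWORD={canary}\n"
        f"API_KEY={canary}\n"
    )


def decoy_hits(log_text):
    """(ip, path, user-agent) for every successful download of a decoy path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["path"] in DECOY_PATHS and m["status"] == "200":
            hits.append((m["ip"], m["path"], m["ua"]))
    return hits


def canary_used(presented_secret, canaries):
    """True when a credential presented to a service is one we planted."""
    return presented_secret in canaries


# Constructed log sample: two decoy fetches from one scanner, one normal request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 312 "-" "python-requests/2.31.0"
203.0.113.7 - - [10/Mar/2024:10:01:03 +0000] "GET /.git/config HTTP/1.1" 200 201 "-" "python-requests/2.31.0"
198.51.100.9 - - [10/Mar/2024:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""
```

Pair the fetch alert with the credential-use alert: the first tells you the bait was taken, the second (the canary showing up at a real login endpoint) confirms it was acted on, which is the moment the post describes catching the IP.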