- [2026.05.01] Adjacent campaigns and a defender's playbook [3/3]
Adjacent SSH brute-force campaigns observed alongside Sorry-worm: Multiverze sshd backdoor, Diicot/Opera updated 2026 build, Mirai-derived sshscan kit. Indicators in three confidence tiers, YARA and Sigma rules, hunting queries, a reproducible activity timeline, and defensive recommendations.
- [2026.05.01] Inside Sorry-worm: anatomy of a Go ransomware-worm hybrid [2/3]
Binary-level analysis of Sorry-worm: a hardcoded RSA-2048 key that serves as an attribution-stable indicator, the AES-CBC encryption pipeline, a 48-byte fixed prefix on encrypted files, a UNIX-nanosecond victim ID, an embedded SSH wordlist, and the layered SSH scan that runs concurrently with encryption. The single most important property: encryption and SSH propagation occur concurrently in the same process.
- [2026.05.01] Catching Sorry-worm in the wild [1/3]
A previously undocumented Linux ransomware-worm hybrid, propagating from compromised SSH relays approximately 8 hours after the sample's first public sandbox submission. Two independent propagation events from unrelated IPs, separated by ~7 hours, more consistent with autonomous worm-style propagation than a single hands-on session.
- [2026.04.23] Detecting and Countering AI-Enabled Intrusions with Deception
Findings from four controlled wargame labs running ~1,000 LLM-driven intrusions against a HIIH high-interaction honeypot. Persistence is universal. Attackers come in three shapes. Counter-forensics has arrived - and counter-intelligence works.