- [2026.05.01] Adjacent campaigns and a defender's playbook [3/3]
Adjacent SSH brute-force campaigns observed alongside Sorry-worm: Multiverze sshd backdoor, Diicot/Opera updated 2026 build, Mirai-derived sshscan kit. Indicators in three confidence tiers, YARA and Sigma rules, hunting queries, a reproducible activity timeline, and defensive recommendations.
- [2026.05.01] Inside Sorry-worm: anatomy of a Go ransomware-worm hybrid [2/3]
Binary-level analysis of Sorry-worm: hardcoded RSA-2048 attribution-stable indicator, AES-CBC encryption pipeline, 48-byte fixed prefix on encrypted files, UNIX-nanosecond victim ID, embedded SSH wordlist, and the layered SSH scan that runs concurrently with encryption. The single most important property: encryption and SSH propagation occur concurrently in the same process.
- [2026.05.01] Catching Sorry-worm in the wild [1/3]
A previously undocumented Linux ransomware-worm hybrid, propagating from compromised SSH relays approximately 8 hours after the sample's first public sandbox submission. Two independent propagation events from unrelated IPs, separated by ~7 hours, more consistent with autonomous worm-style propagation than a single hands-on session.
- [2026.05.01] The AI Security Narrative Has Two Halves. We're Mostly Looking at One.
The vulnpocalypse framing assumes defense is static while offense gets new tools. Looking at the actual research and product landscape, that misses what's happening on the defensive side at the same time.
- [2026.04.27] Deterrence by Cognitive Compromise
You can't deter a machine. But you can deter the operator behind it - by making the machine a liability. When intention itself becomes retrievable, the offensive economics of agentic operations changes shape.
- [2026.04.23] Detecting and Countering AI-Enabled Intrusions with Deception
Findings from four controlled wargame labs running ~1,000 LLM-driven intrusions against a HIIH high-interaction honeypot. Persistence is universal. Attackers come in three shapes. Counter-forensics has arrived - and counter-intelligence works.