The internet’s weirdest hacking bot: tries to force its way into servers, begs for help to escape Belarus
Its creator claims this “performance piece” is “somewhat illegal” but harmless, yet security experts warn of real risks.

Image by Cybernews.
- A self-propagating bot is probing global IP addresses, attempting to break in and spread, carrying the message “Help me escape from Belarus.”
- The creator claims the bot is a "performance piece" intended to draw attention to his situation in Belarus, not to cause harm.
- Security experts caution that, regardless of intent, the bot functions as a scan-and-brute-force tool.
Security researchers flagged a weird, malicious campaign. Someone is running hacking bots that try to brute force their way into misconfigured servers, while carrying a message: “Help me escape from Belarus, please.”
A malicious bot is rattling doorknobs across the internet, looking for any unlocked door. Already reported by dozens of honeypots for abusive activity, the clanker also carries a bizarre plea for help.
On each IP it visits, the bot tries to open /?_HELP_ME_ESCAPE_FROM_BELARUS_PLEASE_ path. The oddly formatted HTTP requests also contain this message as an email address.
We tried reaching out, and didn’t get a response, but someone else did.
The strange behavior was first reported a few months ago on Reddit by admins who noticed strange requests in their access logs.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
“Anyone else saw this poor kid trying to escape from Belarus?” one of the posts reads.
SANS Internet Storm Center also flagged the weird activity after noticing it in their honeypots.
“The request path itself /?_HELP_ME_ESCAPE_FROM_BELARUS_PLEASE_ is not a known exploit path – it appeared to be a plain-text message in the URL. Searching my logs for that particular string returned around a dozen similar HTTP requests over a 2-month period,” said Jason Callahan in a blog post.
The researcher also noted that the bot probes servers from various IPs around the globe, with no discernible pattern, which suggests a self-propagating bot rather than a single attacker.
One Redditor got a response from the bot creator, who claims to have no intention of hacking and is framing his minion as a “performance piece” to draw attention to his situation.
Still, the IPs observed in this “performance” are not at all innocent and pose a real risk.
Reported for bruteforcing, login attempts
The reverse-lookup tools indicate that the IP address, flagged by SANS, is in Singapore, and security vendors have already flagged it as a high threat.
Another IP address used by the attacker and disclosed on Reddit is in Stockholm, Sweden, and was also reported for port scanning, SSH brute-force, mail login attempts, and similar activities.
The IPs don’t indicate the attacker's location – it is likely the threat actor is using compromised devices, such as a hacked router or smart TV.
“Disregarding the origin and supposed intent of the bot, this is a straightforward scan-and-brute-force bot, and it should be treated like any other hitting a honeypot,” Callahan warns.
The bot remains active, looking for reachable hosts on popular ports, including SSH, and for hosts using weak or default credentials.
The bot’s creator claims it will self-terminate in 6 months
One Redditor received a response from the alleged hacker running the bot.
“They responded politely with a link to a site on a free web host,” the user claims.
“I half expected there to be something malicious on the page, but it is just a simple HTML page with no scripts.”
The website contains a plea from someone claiming to be Alex, a 27-year-old engineer living in Belarus.
“It’s not the greatest place to live,” the author claims.
I hope I haven’t caused you any inconvenience.Alex.
Alex further complains about mandatory conscription, fragile life, inaction of local authorities, the upsetting Russian invasion of Ukraine, international sanctions and isolation, and troubles finding job opportunities in IT.
“What am I trying to achieve with this message? I’m asking for your help. If you see any potential or opportunities in me, please point them out,” Alex claims.
The disgruntled engineer further explains his bot: it is allegedly intentionally limited, operates like a worm that scans IPs, and attempts to SSH into weak servers using only a fixed list of default credential pairs, such as admin/admin. The malware is fully autonomous, doesn’t call back to any command-and-control server.
“No exploits, no other malicious actions,” Alex claims.
“The bot has a built-in timer: six months after it starts, it self-terminates. If your device has become part of this network of spreader bots, simply reboot it. The bot doesn’t establish persistence on the system and usually runs from /tmp. Also, make sure to change any default passwords.”
Check if your data has been leaked
Alex acknowledged that this activity is irresponsible and “somewhat illegal,” but less sinister than other things in his country. In a later update, Alex assured that the purpose of his “performance piece” project is not to engage in phishing, hacking, appear pitiful to the internet, or get sponsorship in any form.
Still, the SANS blog warns that there is no way to verify the threat actor’s intentions or other information detailed on the unknown site.
“Sob stories and appeals to sympathy are also a known social-engineering lever, and a URI designed to make analysts pause and read a web page rather than immediately blocklist an IP is an effective way to buy a scanner some goodwill,” the researcher warns.
Admins are advised to always take a defensive posture and treat untrusted credential-guessing scanners the same way. Normally, such IPs are banned, dropped by firewalls, or at least rate-limited.
Many Redditors noted that the bot exploits servers that lack basic cybersecurity hygiene: weak credentials, exposed ports, unrestricted admin panels, and similar issues.