Threat actors are abusing the legitimate open-source benchmarking script Bench.sh as part of post-exploitation workflows in real-world intrusions, according to Flare.io researchers.
Originally released by Teddysun, the script is designed as a wrapper that automates the download and execution of network and system performance tests, most commonly leveraging tools such as Speedtest to produce a consolidated report on host capabilities.
Researchers say that attackers are now incorporating Bench.sh as a lightweight reconnaissance utility after gaining initial access. Flare.io observed the attacks on its honeypot environments, which were configured to mimic publicly exposed services, including JupyterLab, Jupyter Notebook, SSH daemons, Apache Tomcat instances, and vulnerable PHP-based web applications.
Bench.sh performs a sequence of automated checks that provide attackers with a system profile, including CPU benchmarking via multi-threaded tests, disk I/O measurements using temporary file write/read operations, memory availability checks, and outbound network throughput tests against geographically distributed mirrors. The script also validates connectivity and latency to external endpoints, effectively mapping network quality and potential bandwidth constraints. In some cases, attackers may extend checks to infer GPU presence or detect virtualized or throttled environments.
Analysis of several hundred attack attempts revealed two distinct operational patterns. The first involves opportunistic reconnaissance, where Bench.sh is executed as a standalone action. In such cases, no further payloads are deployed, suggesting attackers are filtering targets based on performance thresholds. This behavior was particularly evident in environments lacking GPU resources or exhibiting constrained network characteristics.
The second pattern involves a multi-stage intrusion chain where benchmarking is followed by delivery of multiple scripts that install required dependencies, modify system configurations, and execute defense evasion techniques such as disabling SELinux enforcement.
Some of the scripts were used to deploy cryptominers and Mirai-based botnet malware, as well as tools for command-and-control communication, allowing attackers to update configurations or issue remote instructions.
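The two operational patterns described above (a standalone benchmark run versus a benchmark followed by dependency installs and SELinux tampering) map directly onto a detection rule a defender can run over process-execution telemetry. The following Python script is an added example, not code from the report or from Flare.io: it parses a constructed, auditd-style log of command lines, flags Bench.sh being piped into a shell or run from disk, and then looks for follow-on indicators on the same host inside a configurable window to label each host as standalone reconnaissance or a multi-stage chain. The log format, host names, the thirty-minute window and the follow-on patterns (`setenforce 0`, `SELINUX=disabled` edits, package-manager installs) are assumptions chosen for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample process-execution log (not from the report). Each record
# is "ISO timestamp host user command line", one per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z web01 www-data wget -qO- bench.sh | bash
2024-05-01T10:00:40Z web01 www-data setenforce 0
2024-05-01T10:01:10Z web01 www-data apt-get install -y build-essential
2024-05-01T12:30:00Z db02 root curl -Lso- bench.sh | bash
2024-05-01T12:45:00Z db02 root ls -la /var/log
2024-05-02T08:00:00Z app03 root sed -i s/SELINUX=enforcing/SELINUX=disabled/ /etc/selinux/config
"""

# Bench.sh either fetched and piped straight into a shell, or executed from disk.
BENCH_EXEC = re.compile(
    r"\bbench\.sh\b.*\|\s*(?:ba)?sh\b|\b(?:ba)?sh\s+\S*bench\.sh\b"
)

# Follow-on indicators the report associates with the multi-stage chain:
# defence evasion (SELinux enforcement disabled) and dependency installation.
# The exact patterns are assumptions for this example.
FOLLOW_ON = {
    "selinux_disabled": re.compile(r"\bsetenforce\s+0\b|SELINUX=disabled"),
    "dependency_install": re.compile(
        r"\b(?:apt(?:-get)?|yum|dnf|apk)\s+(?:install|add)\b"
    ),
}


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    cmd: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed 'timestamp host user cmdline' format, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split(maxsplit=3)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, host, user, cmd))
    return sorted(events, key=lambda e: e.ts)


def classify(events: list[Event], window: timedelta = timedelta(minutes=30)) -> dict:
    """Per host: time of the first Bench.sh run, follow-on indicators seen on
    that host within `window` afterwards, and a verdict. 'standalone_recon'
    means benchmark only (consistent with attackers filtering targets);
    'multi_stage' means the benchmark was followed by evasion/install steps."""
    verdicts = {}
    for e in events:
        if e.host in verdicts or not BENCH_EXEC.search(e.cmd):
            continue
        followups = []
        for later in events:
            if later.host != e.host or not (e.ts < later.ts <= e.ts + window):
                continue
            for name, rx in FOLLOW_ON.items():
                if rx.search(later.cmd):
                    followups.append((name, later.cmd))
        verdicts[e.host] = {
            "first_bench": e.ts.isoformat(),
            "followups": followups,
            "verdict": "multi_stage" if followups else "standalone_recon",
        }
    return verdicts


if __name__ == "__main__":
    for host, v in classify(parse_log(SAMPLE_LOG)).items():
        print(host, v["verdict"], v["followups"])
```

In the constructed sample, web01 is labelled `multi_stage` (benchmark, then `setenforce 0` and a package install within the window), db02 is labelled `standalone_recon` (benchmark with no follow-on activity), and app03 is not reported at all because its SELinux change is not preceded by a Bench.sh run; a separate rule would cover SELinux tampering on its own. The window and indicator list are the knobs to tune against real telemetry, and the standalone verdict is itself worth alerting on, since the report treats it as evidence of target filtering rather than benign activity.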
Discussions in underground forums and Telegram-based communities show that Bench.sh is commonly used to validate both compromised hosts and newly provisioned VPS infrastructure before deploying scanning tools, botnet clients, or control panels.
“Interestingly, Bench.sh frequently appears alongside scripts such as IP-region checkers, censorship tests, or latency probes. This combination suggests actors are not only testing raw performance but also assessing geolocation behavior, routing stability, and potential filtering by Russian or Asian providers,” the researchers noted in the report.