I'm guessing the SSH signatures can rotate as well. I remember someone did an analysis of rotation patterns for HTTPS requests; that's when they saw some interesting clusters.
replyI saw an ISP called Microsoft, USA… is that an official microsoft computer doing that or something else?
replyYes, Microsoft shows up a lot. Some of these bots are running on Azure.
replyMy favorite ISP to spot occasionally is SpaceX / Starlink. That can’t be the most economical ISP for bot traffic, but machines can be infected, even on Starlink.