A honeypot observations post documenting a threat actor's attempt to install and use the masscan port scanner on a compromised host to scan for RDP and SSH targets. The post also covers SSH hardening mitigations.