This document summarizes how to track threat actors on a budget by setting up honeypots to monitor attacks. It describes tracking a group in China that spreads malware via SSH passwords. Samples of the group's malware were analyzed, revealing DNS servers and routers as targets for DDoS attacks. The communication protocol was reversed to identify targets in real-time. This provided insights into the group's operations and infrastructure to block.