Like many internet worms, the Hajime malware has a lifecycle. A Hajime infection begins when a node already in the Hajime network, scanning random IPv4 addresses on the public internet, discovers a device which accepts connections on TCP port 23, the designated port for the Telnet service. The attacking Hajime node attempts several username and password combinations from its hardcoded list of credentials and, upon being granted entry, examines the target system and begins its infection in stages. The first stage is a small, short-lived file-transfer program which connects back to the attacking node and copies down a much larger download program. The download program (the second stage) joins a peer-to-peer decentralized network and retrieves its configuration and a scanning program. The scanning program searches the public internet for more vulnerable systems to infect, thus continuing the lifecycle.
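The lifecycle described above leaves an ordered trail in network flow records: an inbound Telnet connection, a connection from the device back to the same peer, then outbound Telnet fan-out. The following detection sketch is an added example, not part of the original page; the flow records, addresses, local prefix, thresholds and the `lifecycle_stages` name are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: (epoch seconds, source, destination, destination port).
# All addresses are documentation ranges; 192.0.2.0/24 plays the local network.
FLOWS = [
    (100, "198.51.100.7", "192.0.2.10", 23),     # inbound Telnet to a local device
    (130, "192.0.2.10", "198.51.100.7", 50000),  # device connects back (port is arbitrary)
    (400, "192.0.2.10", "203.0.113.1", 23),      # device begins contacting Telnet hosts
    (401, "192.0.2.10", "203.0.113.2", 23),
    (402, "192.0.2.10", "203.0.113.3", 23),
    (403, "192.0.2.10", "203.0.113.4", 23),
    (500, "198.51.100.9", "192.0.2.20", 23),     # inbound Telnet, nothing follows
    (600, "192.0.2.30", "203.0.113.9", 443),     # unrelated outbound traffic
]

def lifecycle_stages(flows, local_net, callback_window=300, scan_fanout=4):
    """Map each local device to the lifecycle stages its flows are consistent with."""
    net = ip_network(local_net)

    def is_local(addr):
        return ip_address(addr) in net

    telnet_in = defaultdict(list)   # device -> [(time, remote peer)]
    telnet_out = defaultdict(set)   # device -> distinct remote Telnet destinations
    stages = defaultdict(set)
    for ts, src, dst, dport in sorted(flows):
        if dport == 23 and is_local(dst) and not is_local(src):
            telnet_in[dst].append((ts, src))
            stages[dst].add("telnet_inbound")
        elif is_local(src) and not is_local(dst):
            # First-stage signal: outbound connection to a peer that
            # reached this device over Telnet within the window.
            if any(peer == dst and 0 <= ts - t <= callback_window
                   for t, peer in telnet_in[src]):
                stages[src].add("connect_back")
            # Scanner signal: many distinct external Telnet destinations.
            if dport == 23:
                telnet_out[src].add(dst)
                if len(telnet_out[src]) >= scan_fanout:
                    stages[src].add("telnet_scanning")
    return {dev: sorted(found) for dev, found in stages.items()}

if __name__ == "__main__":
    for device, found in lifecycle_stages(FLOWS, "192.0.2.0/24").items():
        print(device, found)
```

A device showing only `telnet_inbound` has an exposed Telnet service; one showing all three stages warrants isolation and reimaging or a firmware reset.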