💀 critical 🤖 qwen2.5:1.5b

Honeypot Threat Analysis — May 15, 2026

Critical threat level — massive coordinated attack activity across all honeypot services with 2522 SSH connections from 114 unique IPs.

Tags: ssh-brute-force, honeypot, multi-protocol, high-severity, threat-intelligence

Threat Landscape Overview

May 15, 2026 marked a critical severity day for our honeypot network. With 2,522 SSH connections, 2,591 login attempts, and 762 captured commands from 114 unique IPs, the Cowrie SSH honeypot bore the brunt of the assault. Simultaneously, OpenCanary recorded 2,519 multi-protocol events from 22 distinct sources, and 32 canarytoken triggers confirmed that attackers were actively exploring planted credentials.

This was one of the most aggressive days recorded, with threat actors demonstrating both automated brute-force capabilities and manual post-exploitation behavior.

SSH Brute Force Analysis

The SSH attack volume was exceptional. Across the 2,591 login attempts, attackers favored common credential pairs, with 123456, admin, and password among the top passwords tried. The credential 3245gs5662d34 appeared repeatedly, suggesting a shared wordlist circulating among botnet operators.

Top attacking IPs included 45.156.87.254 and 176.65.132.129, both exhibiting sustained, automated brute-force patterns consistent with compromised infrastructure being used as attack platforms.

The 762 captured commands reveal sophisticated post-exploitation behavior — attackers were not just testing credentials but actively attempting to establish persistence.

Post-Exploitation Behavior

Among the most notable captured commands:

  • SSH key injection: Attackers attempted to append their own public key to ~/.ssh/authorized_keys, using the notorious mdrfckr SSH key, a signature of a well-known cryptomining botnet family.
  • System reconnaissance: Commands like uname -a, uname -s -v -n -r -m, and cat /proc/cpuinfo | grep name | wc -l were used to fingerprint the system and count CPU cores to assess mining potential.
  • Anti-forensics: Commands including chattr -ia .ssh and lockr -ia .ssh (lockr being a renamed copy of chattr) attempted to strip the immutable and append-only attributes from the SSH directory so that authorized_keys could be modified.

This pattern — credential brute force → key injection → CPU enumeration — is the classic cryptojacking kill chain.

Canarytoken Activity

A remarkable 32 canarytoken triggers were recorded, indicating attackers interacted with strategically placed fake credentials and files. This confirms that threat actors are not just scanning ports — they are actively exploring file systems and testing discovered credentials.

Community Defense

All 18 verified malicious IPs were reported to AbuseIPDB with detailed evidence. Attack data was shared with AlienVault OTX, Blocklist.de, and SANS DShield to contribute to collective threat intelligence. The automatic IP graduation system promoted 1 IP past the 200-event threshold to permanent iptables block status.

This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab in Spain. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.