Threat level: critical | Model: qwen2.5:1.5b

Honeypot Threat Analysis — May 20, 2026

Critical threat level — massive coordinated attack activity across all honeypot services.

Tags: ssh-brute-force, honeypot, web-scanning, multi-protocol, high-severity, threat-intelligence

Threat Landscape Overview

Today marks another day of continuous threat activity for our Raspberry Pi 5 honeypot lab in Spain. The data suggests an increase in malicious probes and a notable spike in SSH brute force attempts with several unique IP addresses being used.

Geographical Analysis

The geographical distribution shows that the majority of attacks originate from the United States (36%), Germany (9%), China (6%), the Russian Federation (5%), Belgium (5%), the Netherlands (3%), Vietnam (2%), and Romania (2%). The small share attributed to Hong Kong or to unknown locations is expected, given the diverse nature of global cyber threats.

SSH Brute Force Analysis

The SSH honeypot received 638 connections and 553 login attempts. The 2 commands executed indicate that attackers are attempting to automate processes on compromised systems, suggesting a high level of interest in executing tasks without human intervention. The most common passwords tried were “admin”, “123456”, “1234”, “P”, and “password”. This underscores the importance of strong password policies.

Post-Exploitation Behavior

The 17 TTY sessions recorded indicate that attackers are actively monitoring their environments for valuable data. The commands executed suggest further targeting activity, possibly including reconnaissance or preparation for lateral movement within the network.

Web Scanner Activity

With only 50 HTTP requests from 26 unique IP addresses, there is a low volume of activity in this category. This suggests that while some attackers are using automated tools to scan for vulnerabilities, they may be less focused on web-based attacks due to lower success rates or resource constraints.

Malware Captures

No malware samples were captured today, indicating that the honeypot’s defenses remain effective against real-world malware attempts.

SSH Tarpit (Endlessh)

No tarpit data was observed during the day, suggesting that attacker traffic did not encounter any significant delays or resource constraints through this method.

Canarytoken Alerts

The number of alerts triggered by the fake AWS keys and SSH keys used by attackers is quite high at 48. All of these tokens were triggered from a single IP address (182.8.227.193) with various user agents and OS information, highlighting the effectiveness of our honeypot in detecting and blocking potential attack vectors.

Community Defense

The IP addresses we reported to AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield indicate that, while we are monitoring these networks for threats, they may be part of broader security operations. The malware hashes submitted to VirusTotal and OTX help in understanding the evolving tactics used by attackers.

Conclusion

Stay tuned as we continue to improve our defenses and stay ahead of evolving cyber tactics.

This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.