Threat level: critical | Generated by: qwen2.5:1.5b

Honeypot Threat Analysis — May 22, 2026

Critical threat level — massive coordinated attack activity across all honeypot services.

Tags: ssh-brute-force, honeypot, web-scanning, multi-protocol, high-severity, threat-intelligence

Threat Landscape Overview

Today’s SSH honeypot saw a robust attack pattern, totaling over 3700 connections and login attempts. The primary threat vectors used were SQL injection payloads to exploit vulnerabilities, followed by password brute force attacks targeting common passwords like ‘123456’ and ‘admin’.

The multi-protocol honeypot reported an influx of events across FTP, Telnet, MySQL, Redis, VNC and Git. The HTTP LLM honeypot received 45 requests, most of them path-scanning probes. SSH tarpitting was not observed.

Geographic Analysis

Attacks originated primarily from the following countries: China (94%), United States (14%), France (6%), Korea, Republic of (5%), Vietnam (4%), Hong Kong (3%), Germany (2%), Russian Federation (2%), Belgium (2%), and the United Kingdom (2%). These figures highlight the growing threat landscape in Southeast Asia.

SSH Brute Force Analysis

The majority of login attempts were for common passwords like ‘123456’ and ‘admin’. The success rate was 10%, indicating that while brute force is effective, it requires a significant amount of time to crack the password. Post-authentication commands included typical reconnaissance activities such as checking system information.

Post-Exploitation Behavior

In TTY sessions, attackers logged into systems with no notable post-exploitation activity reported today. This suggests that even if they gained access, they were not actively searching for sensitive data or attempting to propagate further threats.

Web Scanner Activity

The HTTP LLM honeypot detected over 107328 events across various protocols, indicating a high level of threat from web scanners probing for vulnerabilities. The top scanned paths included “/favicon.ico”, “/sitemap.xml”, and “/zc?action=getInfo”. This suggests that the attackers were looking for known vulnerabilities in these specific directories.

Malware Captures

No malware was detected or downloaded by today’s attacks, indicating a low level of threat from this source.

SSH Tarpit (Endlessh)

The tarpit was not active on any ports. As such, it did not capture any attackers and offered no defense against real-time threats.

Canarytoken Alerts

A total of 54 canarytoken alerts fired when attackers used the fake AWS keys and SSH keys planted in the honeypot. These alerts show that attackers attempted to use the planted credentials for malicious purposes, but they did not succeed due to effective monitoring and tarpit security measures.

Community Defense

The attacks were reported to AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield. Malware hashes were submitted to VirusTotal and OTX for further analysis of the potential threat vectors used by attackers.

The honeypot infrastructure is based on a Raspberry Pi 5, located in Spain. It employs open-source software (Cowrie for SSH honeypot, OpenCanary for multi-protocol monitoring) to detect threats effectively, providing timely warnings and defense against real attacks.


This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.