Severity: critical · Generated by: qwen2.5:1.5b

Honeypot Threat Analysis — May 23, 2026

Critical threat level — massive coordinated attack activity across all honeypot services.

Tags: ssh-brute-force, honeypot, web-scanning, multi-protocol, high-severity, threat-intelligence

Threat Landscape Overview

Today marks a significant day in our Raspberry Pi 5 honeypot lab. With an influx of 3086 SSH connections and 2994 login attempts, coupled with 1084 commands executed, we see continued activity across multiple protocols including FTP, Telnet, MySQL, Redis, VNC, Git, and HTTP. The severity remains critical because of the overwhelming volume of attacks.

Geographic Analysis

The geographical distribution reveals a diverse set of attackers from 309 unique IP addresses:

  • China: 93 (30%)
  • United States: 51 (16%)
  • France: 24 (7%)
  • Germany: 14 (4%)
  • Romania: 9 (2%)
  • Netherlands: 9 (2%)
  • Russian Federation: 8 (2%)
  • Brazil: 7 (2%)
  • United Kingdom: 6 (1%)
  • Korea, Republic of: 6 (1%)

These data points show that the honeypot attracts traffic from across the globe. The largest shares of attacks originate in China and the United States, making these regions the primary sources of attack traffic.

SSH Brute Force Analysis

The SSH honeypot has seen over 3000 login attempts, 2994 of which are recorded as successful logins. Notably, a significant portion of them (over 65%) comes from China, indicating that attackers operating from Chinese address space are particularly active against our environment.

Post-Exploitation Behavior

In the post-exploitation phase, attackers have shown their capabilities by executing various commands on multiple honeypots. The top login IPs reported to AbuseIPDB include:

  • 45.148.10.240
  • 87.251.64.176

The top command lines executed after successful logins are varied, ranging from simple commands like echo 'Hi' to more complex ones that chain multiple commands in a row.

Web Scanner Activity

In terms of HTTP scanning activity, the honeypot has seen over 48 requests from 25 IPs. The top paths scanned include:

  • /
  • /login
  • /SDK/webLanguage
  • /.well-known/security.txt
  • /zc?action=getInfo

This indicates that attackers are using a variety of HTTP requests to probe our system, targeting common web directories, device-specific endpoints, and login pages.

Malware Captures

No malware samples were detected today in any of the honeypot sessions or post-login activities. This suggests that while our environment is active, it’s not being used for malicious purposes such as embedding malware or downloading payloads from external sources.

SSH Tarpit (Endlessh)

The tarpit setup on ports 222, 2200, 8022, and 22222 has been inactive, with no attackers trapped. This suggests that the tarpit mechanism is effective in preventing brute force attacks but does not deter other types of malicious activity.

Canarytoken Alerts

Over 54 fake AWS keys/SSH keys were triggered by attackers from different IP addresses, indicating a high level of effort from these actors to make use of the credentials planted in our honeypot. These include:

  • 66.206.12.210
    • User-agent: Boto3/1.42.70
    • MD5/Fingerprint: md/Botocore#1.42.70 ua/2.1 os/windows#2022Server md/arch#amd64 lang/python#3.12.10 md/pyimpl#CPython m/D,e,b,Z cfg/retry-mode#legacy Botocore/1.42.70
  • 72.167.41.202
    • User-agent: Boto3/1.34.49
    • MD5/Fingerprint: md/Botocore#1.34.49 ua/2.0 os/windows#10 md/arch#amd64 lang/python#3.9.0 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.34.49

Community Defense

All 65 IPs reported to AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield have been shared with our community for further analysis.

Malware hashes submitted to VirusTotal and OTX indicate that attackers were indeed attempting malicious activities but failed to deploy any malware in today’s sessions. This highlights the effectiveness of our honeypot in detecting potential threats without being compromised.


This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours.