Threat level: critical | Model: qwen2.5:1.5b

Honeypot Threat Analysis — May 24, 2026

Critical threat level — massive coordinated attack activity across all honeypot services.

Tags: ssh-brute-force, honeypot, web-scanning, multi-protocol, high-severity, threat-intelligence

Threat Landscape Overview

As of today, May 24th, our Raspberry Pi 5 honeypots have recorded a significant amount of activity. The SSH honeypot (Cowrie) has seen 3859 connections and 3803 login attempts with 1529 commands executed, while the multi-protocol honeypot (OpenCanary) reported 31627 events across various protocols including FTP, Telnet, MySQL, Redis, VNC and Git. The HTTP LLM honeypot (Galah + qwen AI) received only 57 requests from 35 unique IPs, indicating a low volume of traffic.

The total number of unique attackers identified today is approximately 416, with 49 IPs reported to AbuseIPDB. The top attacker IPs are located in China (total_ips: 317), the United States, Germany, Korea, Hong Kong, France, Singapore, Mexico, India, and Brazil.

Geographic Analysis

Examining the geographical distribution of our attackers reveals that China has been the primary source of activity at 22%, followed closely by the United States with 16%. Other significant contributors include Germany, Korea (Republic), Hong Kong, France, Singapore, Mexico, India, and Brazil. This data suggests a global reach for our honeypot, indicating potential targeting from various regions.

SSH Brute Force Analysis

The SSH honeypot has seen a high volume of brute force attempts, with 3859 connections and 1529 commands executed, indicating ongoing efforts to exploit weaknesses in the system. This underscores the importance of regular updates and stronger authentication measures to protect against such attacks.

Post-Exploitation Behavior

In terms of post-exploitation behavior, attackers who gained access through successful logins have typically engaged in a range of activities. They may attempt to steal sensitive data, install backdoors, or escalate privileges further into the system. However, it is important to note that we do not track these events in real-time due to privacy concerns.

Web Scanner Activity

The HTTP LLM honeypot has seen an intriguing series of scans targeting common web paths such as "/", "/SDK/webLanguage", "/zc?action=getInfo", "/.well-known/security.txt", and "/favicon.ico". This indicates a high volume of potential targets for web application vulnerabilities, which could be exploited to steal sensitive information.

Malware Captures

Given that no malware was downloaded by today’s attackers via SSH, the absence of any malware captures is encouraging. However, it underscores the importance of continuous monitoring and quick response capabilities in such environments.

SSH Tarpit (Endlessh)

Our tarpit mechanism, Endlessh on ports 222/2200/8022/22222, has not detected any attackers during this period. This suggests that our defenses are effective and have successfully intercepted potential threats.

Canarytoken Alerts

In today’s activity, we observed a total of 57 canary token triggers (fake AWS keys/SSH keys used by attackers), with the following details:

  • From IP address: 72.167.41.202 - User-Agent: Boto3/1.34.49 md/Botocore#1.34.49 ua/2.0 os/windows#10 md/arch#amd64 lang/python#3.9.0 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.34.49
  • From IP address: 72.167.41.202 - User-Agent: Boto3/1.34.49 md/Botocore#1.34.49 ua/2.0 os/windows#10 md/arch#amd64 lang/python#3.9.0 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.34.49
  • From IP address: 104.23.190.132 - User-Agent: (empty)
  • From IP address: 104.23.190.167 - User-Agent: Apache-HttpClient/UNAVAILABLE (Java/25.0.3)

These alerts highlight the effectiveness of our fake credentials in simulating real-world attacks, thereby providing valuable data for defense and improvement strategies.

Community Defense

Our community has been notified of 49 IPs reported to AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield. Additionally, malware hashes have been submitted to VirusTotal and OTX, ensuring that any malicious activity is swiftly identified and neutralized.

In summary, the honeypot infrastructure remains operational and effective in detecting potential threats across various attack vectors. The data shared here underscores the importance of continuous monitoring and proactive defense mechanisms in cybersecurity environments.

Raspberry Pi 5, Spain, and open-source: our dedicated team at ThreatEvitalios continues to refine our honeypots, ensuring they remain a valuable tool for threat intelligence analysis while maintaining a commitment to ethical use and community transparency.


This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.