Honeypot Threat Analysis — May 27, 2026
Critical threat level — massive coordinated attack activity across all honeypot services.
Threat Landscape Overview
Today’s activity level for our Raspberry Pi honeypots is exceptionally high. The SSH honeypot recorded a total of 898 connections and 855 login attempts, with 284 commands executed from 121 unique IPs. This surge in traffic indicates that the environment is attractive to potential attackers.
The multi-protocol honeypot experienced 20,160 events, highlighting the effectiveness of exposing multiple protocols to attract different types of malicious activity. FTP, Telnet, MySQL, Redis, VNC, and Git were all targeted, with each protocol drawing activity specific to that service.
The HTTP LLM honeypot saw only 70 requests but attracted a total of 30 IPs across various paths such as “/”, “/SDK/webLanguage”, “/favicon.ico”, “/ajax/ip.php”, and “/wiki”. This suggests that attackers are diversifying their tactics to circumvent traditional IDS/IPS systems.
SSH Tarpit (Endlessh on ports 222, 2200, 8022, and 22222)
There was no activity in the tarpit section today, indicating low network traffic through ports 222, 2200, 8022, and 22222. This suggests that the tarpit remains operational with minimal interference.
Geographic Analysis
The GeoIP data shows that most of our activity originates from countries such as the United States (44%), China (35%), France (21%), Belgium (13%), Germany (8%), Vietnam (7%), the Netherlands (6%), India (6%), and Romania (5%). This geographical distribution suggests a global reach, potentially indicating the presence of international actors.
SSH Brute Force Analysis
The high number of login attempts is consistent with brute-force attacks on the honeypot. The most common passwords tried were “345gs5662d34”, “3245gs5662d34”, “admin”, and variations of standard admin passwords.
Post-Exploitation Behavior
The 33 TTY sessions recorded by our honeypot reveal that attackers are actively engaged in post-exploitation activities. They logged into the system, attempted to escape via SCP, executed commands such as “clear” (to reset the terminal), and changed the locale settings.
Web Scanner Activity
Our HTTP scanner identified 70 unique paths being scanned, with “/favicon.ico” appearing most frequently. This suggests that attackers are targeting specific files or directories for further exploitation or testing.
Malware Captures
No malware samples were captured today in any of our honeypots, indicating a low volume of malicious activity aimed at the system itself.
SSH Tarpit (Endlessh)
The tarpit section did not record any attackers being trapped. The lack of data suggests that the network environment is secure and that the tarpit is effective against such traffic.
Canarytoken Alerts
There were 57 instances where fake AWS tokens were triggered by attackers, indicating that they are using a common tactic of picking up and reusing credentials that appear legitimate in order to bypass security measures. These triggers highlight the importance of implementing proper authentication mechanisms for honeypots.
Community Defense
All IPs reported to AbuseIPDB and AlienVault OTX have been shared with relevant cybersecurity communities for further investigation. Malware hashes captured on the honeypot were submitted to VirusTotal and OTX, ensuring that any malicious activity is traced back to its source.
Conclusion
Our Raspberry Pi 5 honeypot remains effective in detecting and exposing potential threats. Despite high traffic levels, we have successfully identified attackers’ tactics and behaviors, contributing to enhanced cybersecurity measures. Stay vigilant against emerging cyber threats by leveraging our live data for continuous improvement.
Thank you for visiting Threats.evitalios.com — where security intelligence meets actionable insights!
This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.