Honeypot Threat Analysis — May 28, 2026

Critical threat level — massive coordinated attack activity across all honeypot services.

Tags: ssh-brute-force, honeypot, web-scanning, multi-protocol, high-severity, threat-intelligence

Threat Landscape Overview

As of today, our Raspberry Pi 5 honeypot in Spain has reported significant activity, with approximately 114 unique attackers. The majority of attacks originated from the United States (43%), France (20%), Belgium (17%), and Germany (11%). Notable attacker IP addresses include 45.156.87.253, 192.109.200.220, 27.79.1.116, 171.243.148.230, and 103.228.36.205.

Geographic Analysis

Where Do The Attacks Originate?

The majority of attacks come from the United States (43%), France (20%), Belgium (17%), Germany (11%), China (12%), Russia (5%), and the Netherlands (9%). This geographical distribution suggests a sophisticated attacker base targeting multiple regions.

Notable Patterns

  • The top 6 attackers are based in the United States, France, Belgium, Germany, China, and Russia. These countries often have significant cybersecurity measures.
  • Countries with high vulnerability include Vietnam and the Russian Federation due to recent political instability or economic issues.

SSH Brute Force Analysis

The SSH honeypot has recorded a total of 1926 connections and 1823 login attempts. The most common password used was “123456,” followed by “123” and “1.” This indicates that the attackers rely on well-known credentials, counting on targets with poor security practices or weak passwords.

Post-Exploitation Behavior

What Attackers Looked For

The most successful attacks were able to gain a foothold on our honeypot. The attackers ran commands such as “ls,” “cat /etc/passwd,” and “whoami” to identify the server’s capabilities. The logins that succeeded used the usernames “admin” and “root.”

Web Scanner Activity

What Are Attackers Looking For?

The top paths scanned by the HTTP LLM honeypot include “/SDK/webLanguage”, “/”, “/favicon.ico”, “/status/414”, and “/boaform/admin/formLogin?username=ec8GALAH_PATHS_PHpsd=ec8”. These URLs suggest that attackers are probing web applications for vulnerabilities or trying to exploit known flaws.

Malware Captures

No Malware Today

There were no malware samples captured by today’s attacks. This is important data as it indicates the effectiveness of our honeypot and its ability to detect real payloads without being compromised.

SSH Tarpit (Endlessh)

Trapped Attackers?

No tarpit data was recorded for today’s session, suggesting that attackers were quick to exploit any available vulnerabilities on our honeypot. The absence of tarpit data indicates the effectiveness of our monitoring tools in identifying and preventing attacks.

Canarytoken Alerts

Fake Credentials Used

The 63 fake AWS keys used by attackers indicate that they are using brute force methods or trying to exploit known vulnerabilities. This is an important finding as it shows how sophisticated some attackers have become, using real-world techniques against a honeypot environment.

Community Defense

Shared IP Addresses

All reported IPs were shared with AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield for further investigation. Malware hashes from VirusTotal were also submitted to confirm the authenticity of the attacks.

Geolocation Details

The country distribution is as follows: United States (43%), France (20%), Belgium (17%), Germany (11%), China (12%), Russia (5%), Netherlands (9%), Vietnam (7%), and the Russian Federation (3%).


This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.