Honeypot Threat Analysis — May 30, 2026
Critical threat level: high-volume attack activity across all honeypot services.
Threat Landscape Overview
In today’s blog post, we provide an overview of our Raspberry Pi 5 honeypot lab located in Spain. The data collected indicates a high level of activity across multiple protocols and attack types, with critical severity levels.
Geographic Analysis
Attacks originate primarily from the following countries:
- United States: 12 (20%)
- Germany: 9 (15%)
- Netherlands: 8 (13%)
- China: 8 (13%)
- Romania: 5 (8%)
- Vietnam: 4 (6%)
- United Kingdom: 2 (3%)
- Taiwan: 2 (3%)
- Korea, Republic of: 2 (3%)
Source addresses are spread across many countries, with the United States and Germany most represented. These are geolocations of the connecting IP addresses: they locate the host that connected (often a VPS or proxy), not the operator behind it.
SSH Brute Force Analysis
The SSH honeypot recorded 1349 connections from 63 unique IPs. The raw report gives an average login-attempt rate of 0.8% (the summary does not define how this rate is computed), and IPs that ran commands after logging in executed about one command each. The most common passwords tried were “admin”, “123456”, “123”, “1234”, followed by the empty string, which is consistent with the default-credential dictionaries of automated SSH bots rather than targeted guessing.
Post-Exploitation Behavior
Because the honeypot accepts logins, 35 TTY (interactive shell) sessions were recorded, roughly one successful login per IP that got in. The session activity is consistent with reconnaissance for sensitive information or privileged accounts; this is an inference from session counts, not from the commands themselves.
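The figures quoted in the two SSH sections above (connections, unique IPs, login attempts, top passwords, TTY sessions, commands per IP) can be derived from the honeypot's event log. The script below is an added example written for this post, not the lab's own reporting code: it assumes Cowrie-style JSON events (eventids such as cowrie.session.connect, cowrie.login.failed, cowrie.login.success, cowrie.command.input) and treats every successful login as one TTY session; the sample events are constructed, not taken from the lab's logs.

```python
import json
from collections import Counter

# Constructed Cowrie-style JSON events (one object per line), not from the lab's logs.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","session":"s1","src_ip":"203.0.113.10"}
{"eventid":"cowrie.login.failed","session":"s1","src_ip":"203.0.113.10","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","session":"s1","src_ip":"203.0.113.10","username":"root","password":"admin"}
{"eventid":"cowrie.session.closed","session":"s1","src_ip":"203.0.113.10"}
{"eventid":"cowrie.session.connect","session":"s2","src_ip":"203.0.113.10"}
{"eventid":"cowrie.login.success","session":"s2","src_ip":"203.0.113.10","username":"admin","password":"admin"}
{"eventid":"cowrie.command.input","session":"s2","src_ip":"203.0.113.10","input":"cat /proc/cpuinfo | grep name | wc -l"}
{"eventid":"cowrie.command.input","session":"s2","src_ip":"203.0.113.10","input":"uname -a"}
{"eventid":"cowrie.session.closed","session":"s2","src_ip":"203.0.113.10"}
{"eventid":"cowrie.session.connect","session":"s3","src_ip":"198.51.100.7"}
{"eventid":"cowrie.login.failed","session":"s3","src_ip":"198.51.100.7","username":"admin","password":""}
{"eventid":"cowrie.login.failed","session":"s3","src_ip":"198.51.100.7","username":"admin","password":"1234"}
{"eventid":"cowrie.session.closed","session":"s3","src_ip":"198.51.100.7"}
{"eventid":"cowrie.session.connect","session":"s4","src_ip":"198.51.100.7"}
{"eventid":"cowrie.session.closed","session":"s4","src_ip":"198.51.100.7"}
{"eventid":"cowrie.session.connect","session":"s5","src_ip":"192.0.2.44"}
{"eventid":"cowrie.login.success","session":"s5","src_ip":"192.0.2.44","username":"root","password":"123456"}
{"eventid":"cowrie.command.input","session":"s5","src_ip":"192.0.2.44","input":"cat /etc/passwd"}
{"eventid":"cowrie.session.closed","session":"s5","src_ip":"192.0.2.44"}
"""


def summarize_ssh(log_text: str) -> dict:
    """Aggregate Cowrie-style events into the figures a daily report quotes."""
    connections = 0
    ips = set()
    login_attempts = 0
    passwords = Counter()
    tty_sessions = set()          # assumption: each successful login opens one TTY session
    commands_per_ip = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ips.add(ev["src_ip"])
        kind = ev["eventid"]
        if kind == "cowrie.session.connect":
            connections += 1
        elif kind in ("cowrie.login.failed", "cowrie.login.success"):
            login_attempts += 1
            passwords[ev.get("password", "")] += 1   # empty string is a real guess, keep it
            if kind == "cowrie.login.success":
                tty_sessions.add(ev["session"])
        elif kind == "cowrie.command.input":
            commands_per_ip[ev["src_ip"]] += 1
    total_commands = sum(commands_per_ip.values())
    active_ips = len(commands_per_ip)             # only IPs that ran at least one command
    return {
        "connections": connections,
        "unique_ips": len(ips),
        "login_attempts": login_attempts,
        "attempts_per_connection": login_attempts / connections if connections else 0.0,
        "top_passwords": passwords.most_common(5),
        "tty_sessions": len(tty_sessions),
        "commands_total": total_commands,
        "commands_per_active_ip": total_commands / active_ips if active_ips else 0.0,
    }


def render(summary: dict) -> str:
    """Human-readable block in the style of the daily report."""
    lines = [
        f"connections={summary['connections']} unique_ips={summary['unique_ips']}",
        f"login_attempts={summary['login_attempts']} "
        f"({summary['attempts_per_connection']:.2f} per connection)",
        f"tty_sessions={summary['tty_sessions']} commands={summary['commands_total']} "
        f"({summary['commands_per_active_ip']:.2f} per IP that ran any)",
    ]
    for pw, n in summary["top_passwords"]:
        name = pw if pw else "<empty>"            # make the empty-string guess visible
        lines.append(f"  password {name}: {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize_ssh(SAMPLE_LOG)))
```

Two details matter when reproducing the report's numbers: the empty password must be counted rather than dropped by a truthiness check, and "commands per IP" should be divided by the IPs that actually ran commands, otherwise the many IPs that only brute-forced and left pull the average towards zero.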
Web Scanner Activity
The HTTP honeypot (an LLM-backed responder) recorded 97 requests. The most requested paths were /SDK/webLanguage, /, /zc?action=getInfo, /favicon.ico and /.well-known/security.txt. This mix is typical of automated scanners: / and /favicon.ico for service fingerprinting, product-specific paths such as /SDK/webLanguage for exploit probing, and /.well-known/security.txt, which is a standard (RFC 9116) path also fetched by legitimate crawlers and should not be treated as hostile on its own.
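To turn a list of top paths into something actionable, the requests have to be grouped by source and the paths matched against what they are known to be used for. The script below is an added example, not code from the lab or its honeypot software: it parses Combined Log Format lines (the honeypot's real log format is not given here, so that is an assumption), uses a small signature table based on the editor's knowledge of public scanner traffic (/SDK/webLanguage is the endpoint used in command-injection attempts against Hikvision camera web servers; /zc?action=getInfo is left unattributed), and produces a per-IP verdict. The sample log lines are constructed.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Path signatures. Categories and notes are the editor's own, based on what these
# paths are commonly used for in public scanner traffic; extend as needed.
SIGNATURES = [
    (re.compile(r"^/SDK/webLanguage$"), "exploit-probe",
     "endpoint used in command-injection attempts against Hikvision camera web servers"),
    (re.compile(r"^/zc\?action=getInfo$"), "device-probe",
     "device-info endpoint hit by mass scanners; product attribution not established here"),
    (re.compile(r"^/(favicon\.ico)?$"), "fingerprint",
     "root or favicon fetch used to fingerprint the service"),
    (re.compile(r"^/\.well-known/security\.txt$"), "benign",
     "RFC 9116 security contact file; also fetched by legitimate crawlers"),
]

# Constructed Combined Log Format lines, not from the lab's logs.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [30/May/2026:02:11:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.10 - - [30/May/2026:02:11:02 +0000] "PUT /SDK/webLanguage HTTP/1.1" 200 0 "-" "Mozilla/5.0 zgrab/0.x"
198.51.100.7 - - [30/May/2026:03:20:15 +0000] "GET /zc?action=getInfo HTTP/1.1" 200 128 "-" "python-requests/2.31"
198.51.100.7 - - [30/May/2026:03:20:16 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "python-requests/2.31"
192.0.2.44 - - [30/May/2026:05:02:40 +0000] "GET /.well-known/security.txt HTTP/1.1" 200 90 "-" "Mozilla/5.0 (compatible; research-crawler)"
"""


def classify_path(path: str) -> tuple:
    """Return (category, note) for a request path; unknown paths get no verdict weight."""
    for pattern, category, note in SIGNATURES:
        if pattern.match(path):
            return category, note
    return "unknown", "no signature matched"


def triage(log_text: str) -> dict:
    """Group requests by source IP and assign a verdict from the worst category seen."""
    per_ip = defaultdict(lambda: {"requests": [], "categories": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip unparseable lines rather than guessing
        category, _ = classify_path(m["path"])
        rec = per_ip[m["ip"]]
        rec["requests"].append((m["method"], m["path"], category))
        rec["categories"].add(category)
    for rec in per_ip.values():
        cats = rec["categories"]
        if "exploit-probe" in cats:
            rec["verdict"] = "exploit scanner"
        elif "device-probe" in cats or "fingerprint" in cats:
            rec["verdict"] = "reconnaissance"
        elif cats == {"benign"}:
            rec["verdict"] = "benign"     # security.txt alone is not hostile
        else:
            rec["verdict"] = "unknown"
    return dict(per_ip)


if __name__ == "__main__":
    for ip, rec in triage(SAMPLE_ACCESS_LOG).items():
        paths = ", ".join(f"{m} {p}" for m, p, _ in rec["requests"])
        print(f"{ip:<14} {rec['verdict']:<16} {paths}")
```

The verdict is per source, not per path, because the same path can mean different things: a lone GET of /.well-known/security.txt is a researcher or crawler, while the same fetch from a host that also sent a PUT to /SDK/webLanguage is part of a scan. Anything still "unknown" after this pass is the list worth reading by hand.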
Malware Captures
No malware samples were captured today: none of the sessions fetched or dropped a payload on the honeypot. This is an observation about today's traffic, not evidence that the lab is protected; bots that get a shell typically try to pull a stager with wget or curl, so a day with zero downloads means the sessions stopped at reconnaissance.
SSH Tarpit (Endlessh)
The Endlessh tarpit logged no connections today. That means nothing reached the tarpit port in this window (or the tarpit's logging should be checked); it is not evidence that attackers detected and bypassed it, since a tarpit only affects clients that actually connect to it.
Canarytoken Alerts
Canarytokens planted on the honeypot (fake AWS access keys and SSH keys) were triggered 67 times. The requests that used the fake AWS keys carried user-agent strings matching real AWS tooling but came from a range of IP addresses and client OS versions, which suggests the harvested keys were tested from several hosts. Whether that reflects deliberate evasion or simply several bots sharing the same loot cannot be determined from the alert data alone.
Community Defense
All source IPs from today's activity have been shared with AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield.
Rules for the Honeypot Infra
Please note that this data reflects our live activity and will differ from day to day as threat patterns change.
This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.