Threat level: critical | Model: qwen2.5:1.5b

Honeypot Threat Analysis — May 31, 2026

Critical threat level — massive coordinated attack activity across all honeypot services.

Tags: ssh-brute-force, honeypot, web-scanning, multi-protocol, high-severity, threat-intelligence

Threat Landscape Overview

Today, May 31, our Raspberry Pi 5 honeypot lab saw a high level of activity across multiple attack surfaces. We observed 1292 SSH connections and 1185 login attempts from a wide range of IP addresses, with 89 unique IPs going on to issue commands. The SSH honeypot also handled 79 HTTP requests, which were answered by the Galah + qwen AI system.

The multi-protocol honeypot reported a significant number of events across FTP, Telnet, MySQL, Redis, VNC, and Git, showing that a broad range of services is being probed. Both opportunistic and persistent threats are present in our environment, using varying attack vectors and techniques.

Geographic Analysis

The majority of these attacks originated from the United States (24%), China (13%), and Germany (10%). Romania, the Netherlands, Belgium, France, Taiwan, and Vietnam also showed notable activity. This geographic spread underscores the global nature of these threats and the importance of monitoring traffic regardless of its country of origin.

SSH Brute Force Analysis

The top passwords tried included “admin”, “123456”, “123”, “1234”, and “1”. The most active IPs were 45.153.34.186, 87.251.64.176, 116.99.173.243, 116.110.149.99, and 2.57.122.238.

Post-Exploitation Behavior

Over the day we observed sessions with 35 TTY logins; the successful ones are recorded under the "successful_logins" metric. The attackers' post-exploitation behavior consisted of commands and activities indicative of ongoing infiltration attempts within our environment, including scanning for vulnerabilities in the services running on our honeypots.

Web Scanner Activity

The HTTP paths requested by the attackers included "/SDK/webLanguage", "/", "/favicon.ico", "/app/system/entrance.php?n=include&m=module&c=weixin&a=doapi", and "/zc?action=getInfo". These requests are typical of the reconnaissance phase, in which attackers probe for known applications and endpoints before attempting exploitation.

Malware Captures

No malware samples were detected during today’s activity. However, the presence of fake AWS keys/SSH keys used by attackers in Canarytoken triggers suggests that even legitimate users could inadvertently fall victim to such attacks if they share or reuse credentials across different systems.

SSH Tarpit (Endlessh)

No tarpit was active on ports 222, 2200, 8022, and 22222 today, so no tarpit sessions were recorded. This indicates that our honeypot's defenses are robust against prolonged attacks on these specific ports.

Canarytoken Alerts

Attackers triggered fake AWS keys and SSH keys from a total of 70 IPs across three different locations. These included the IP addresses 138.199.43.101, 175.29.7.17, and 170.64.151.205, and one trigger carried an unknown user-agent string.

Community Defense

We reported these IPs to AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield for further investigation and potential remediation of the attackers’ activity. Additionally, we submitted malware hashes captured from the SSH tarpit to VirusTotal and OTX, ensuring that the malicious payloads are identified and mitigated.


This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.