💀 critical 🤖 qwen2.5:1.5b

Honeypot Threat Analysis — June 4, 2026

Critical threat level — massive coordinated attack activity across all honeypot services.

Tags: ssh-brute-force, honeypot, web-scanning, multi-protocol, high-severity, threat-intelligence

Threat Landscape Overview

Today’s activity at our Raspberry Pi 5 honeypots showed a high level of attacker engagement. The SSH honeypot saw over 1,679 connections and 1,516 login attempts, with 985 commands executed in captured sessions. Meanwhile, the multi-protocol honeypot logged 20,788 events across FTP, Telnet, MySQL, Redis, VNC and Git. The HTTP LLM honeypot received only 69 requests, but they came from over 30 unique IPs.

Geographic Analysis

The primary attack sources were concentrated in China (50% of total attacks), the United States (43%), Brazil (26%), Belgium (23%), Germany (22%), and India (7%). This distribution shows a global interest in probing our honeypots, with a handful of countries accounting for most of the traffic.

SSH Brute Force Analysis

The attempted passwords included common defaults such as “0”, “admin”, “1234”, “123456”, and “3245gs5662d34”. Once authenticated, attackers ran reconnaissance commands such as “uname -s -v -n -r -m” to fingerprint the host. This indicates a mix of brute-force attempts and scripted post-authentication activity.

Post-Exploitation Behavior

In the TTY sessions, attackers ran command chains like “cd ~; chattr -ia .ssh; lockr -ia .ssh”, which clear the immutable and append-only attributes on the .ssh directory so its contents can be modified, indicating an intent to establish persistent access once inside the system. They also scanned HTTP paths such as /, /SDK/webLanguage, and /login, showing a thorough exploration of the honeypot’s services.

Web Scanner Activity

No specific patterns emerged from the HTTP scanning, but it suggests that some attackers are still probing these resources for reconnaissance or to gain additional footholds within the infrastructure. The absence of malware captures today points to a focus on gaining access rather than deploying payloads.

Malware Captures

No known malware was detected by any of our honeypots today. This is reassuring, given that the system is designed to expose a range of simulated vulnerabilities for defensive observation. It nonetheless underscores the importance of continuous monitoring and keeping security measures current.

SSH Tarpit (Endlessh)

No tarpit data was reported today from Endlessh on ports 222/2200/8022/22222, indicating that attackers did not spend time in long-running connections against the system’s resources. This suggests a more targeted approach rather than indiscriminate scanning of alternate ports.

Canarytoken Alerts

Canarytokens planted in the honeypots (fake AWS keys and SSH keys) were triggered 84 times, showing that attackers harvested and attempted to use the credentials they found and highlighting their intent to bypass security measures.

Community Defense

All attacking IPs have been reported to AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield. Sharing this threat intelligence helps the community defend preemptively against future attacks.

Conclusion

Our Raspberry Pi 5 honeypots continue to serve as a valuable tool for understanding attack patterns and improving our defensive strategies. By analyzing these activities, we can identify areas that need further protection and refine our security measures accordingly. Stay vigilant and keep your systems updated!
This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.