Threat level: critical | Generated by: qwen2.5:1.5b

Honeypot Threat Analysis — June 7, 2026

Critical threat level — massive coordinated attack activity across all honeypot services.

Tags: ssh-brute-force, honeypot, web-scanning, high-severity, threat-intelligence

Threat Landscape Overview

Today’s activity on our Raspberry Pi 5 honeypots was characterized by a significant number of SSH connections and login attempts. However, no notable login failures or command execution events were reported. The most active IP address connecting to the SSH honeypot was 32.195.202.38, and the number of unique IPs reported to AbuseIPDB was zero.

The most common HTTP paths scanned by attackers were / and /SDK/webLanguage, indicating a search for basic information or scripts related to web development. This suggests that the honeypot lab is effective at providing realistic targets for threat actors probing for vulnerabilities.

Geographic Analysis

Our honeypots recorded 147 unique IP addresses, with the following distribution:

  • United States: 60 (40%)
  • Netherlands: 19 (12%)
  • United Kingdom: 15 (10%)
  • Portugal: 7 (4%)

The majority of attacks originate from American and Dutch IP addresses, reflecting the global nature of cyber threats.

SSH Brute Force Analysis

Today’s attacks exhibited several interesting patterns:

  • Many attempts were for basic system information (uname -s -v -n -r -m).
  • Some users attempted to change the file attributes on a .ssh directory with chattr.
  • Passwords like “root:admin” and “cisco:cisco” were tried, suggesting these are common passwords for brute force attempts.

The command "echo 'aaa'; sleep 5" was also executed within a TTY session, indicating that attackers may be testing the capabilities of the honeypot by executing commands directly.

Post-Exploitation Behavior

After gaining access to the honeypot:

  • Users attempted to change system configurations with uname -s, cat /proc/cpuinfo, and others.
  • They ran a simple command sequence for top-level configuration checks (which ls, top).
  • Some users tried to reset their SSH password using common methods like “password:admin” or changing it completely.

These actions suggest that attackers are looking for ways to maintain access without being detected, which is common attacker behavior.

Web Scanner Activity

The honeypot lab saw no HTTP requests from today’s attack patterns. This suggests that the current activity does not target web applications or services commonly exploited by cybercriminals.

Malware Captures

Despite 88 Canarytoken triggers involving fake AWS keys and SSH keys, no malware samples were downloaded by attackers. This indicates a level of preparedness on the attackers’ part to avoid detection by these methods.

SSH Tarpit (Endlessh)

There was no active tarpit activity on any of the listed ports (222, 2200, 8022, 22222), so there’s no need for further discussion related to this method.

Canarytoken Alerts

Today, 88 canarytoken alerts were triggered by attackers using fake AWS keys and SSH keys. These tokens originated from the following IP addresses:

  • 213.136.67.156: User-agent: “Boto3/1.34.46 md/Botocore#1.34.46 ua/2.0 os/linux#6.8.0-106-generic md/arch#x86_64 lang/python#3.12.3 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.34.46”
  • 185.248.85.60: User-agent: “Boto3/1.42.70 md/Botocore#1.42.70 ua/2.1 os/windows#2022Server md/arch#amd64 lang/python#3.12.10 md/pyimpl#CPython m/D,Z,e,b cfg/retry-mode#legacy Botocore/1.42.70”

These alerts highlight the importance of monitoring for such fake credentials in a honeypot environment.

Community Defense

All reported IPs were shared with AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield. The malware hashes captured will be submitted to VirusTotal and OTX, ensuring that any potential threats are identified and mitigated promptly.

Conclusion

Our honeypot lab is performing well in terms of both activity level and geographic distribution. While the current threat landscape remains active with a mix of brute force attacks and basic system checks, there’s no significant malware or persistent attacker presence. Our community defense measures have also been effective in alerting us to potential threats.

The Raspberry Pi 5 honeypot continues to be an excellent tool for monitoring and analyzing cyber-attacks, providing valuable insights into the evolving threat landscape.

This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours.