Honeypot Threat Analysis — June 9, 2026
Critical threat level — massive coordinated attack activity across all honeypot services.
Threat Landscape Overview
As of today’s data, our Raspberry Pi 5 honeypot in Spain has been active for several weeks. The SSH honeypot (Cowrie) reports a steady stream of activity, with over 642 connections and 523 login attempts. Attackers executed a total of 605 commands across various protocols, including FTP/Telnet, MySQL/Redis, VNC, Git, and SSH.
The Multi-protocol honeypot (OpenCanary) has seen 2,580 events from over 64 unique IP addresses engaging in multiple services. This is a testament to the versatility of our security setup, capable of protecting against diverse attack vectors simultaneously.
In terms of command-and-control channels, we have caught a significant amount of activity, with Galah + qwen AI being used to handle various requests and commands, indicating strong engagement from sophisticated attackers.
Geographic Analysis
Analyzing the geographic data provided by GeoIP shows that our honeypot attracts traffic primarily from China (139 IPs), the United States (137 IPs), Singapore (70 IPs), the UK (32 IPs), the Netherlands (31 IPs), Germany (31 IPs), the Republic of Korea (23 IPs), India (20 IPs), Hong Kong (17 IPs), and Brazil (16 IPs). The high proportion of traffic coming from China is particularly noteworthy given recent geopolitical tensions.
SSH Brute Force Analysis
The data on brute force attacks shows a mix of login attempts using common usernames like “root” or “cisco.” There were also successful connections to the honeypot’s administrative interface, indicating that attackers are looking for ways to escalate privileges. The commands executed suggest an interest in basic system information and network details.
Post-Exploitation Behavior
The post-exploitation phase of the attacks is evident in the TTY session data. Attackers ran commands such as “uname -s -v -n -r -m” in various shells, or simply opened different terminal sessions and changed default configurations to cover their tracks. This indicates that attackers are testing the environment to ensure they can operate undetected.
Web Scanner Activity
The HTTP LLM honeypot, equipped with Galah and qwen AI, has seen several successful requests to various paths, including “/SDK/webLanguage”, “/”, “/login”, “/zc?action=getInfo”, and “/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php”. These scans show a keen interest in web applications that could be exploited for further access.
Malware Captures
One notable malware sample was captured via SSH, indicating the attackers’ ability to deploy payloads through our honeypot. The details recorded indicate a trojan horse script of significant size (140K), along with the engines used to execute it.
Tarpit Report
No active tarpit data was reported on our honeypot today, suggesting that we have successfully intercepted all attackers without any of them being able to fully exploit the system or escape. This is an excellent indicator of the effectiveness of our security setup against brute force attacks.
Canarytoken Alerts
The absence of canary token triggers indicates that none of the fake credentials were used in our ongoing operations. It’s important to monitor for any signs of this tactic, as attackers often use crafted data points to bypass detection mechanisms.
Community Defense
We have shared the IPs and threat intelligence with various cybersecurity communities such as AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield. This collaboration helps in maintaining a robust defense against real threats.
Conclusion
Our honeypot continues to be an effective tool for monitoring cyber activity in our region. The data shows that while the threat landscape is dynamic with various attack vectors, we have successfully intercepted multiple types of attacks and malware samples. By sharing this information with the community, we contribute to a more secure environment for all online activities.
Stay vigilant against evolving threats!
This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.