Honeypot Threat Analysis — June 10, 2026
Critical threat level — massive coordinated attack activity across all honeypot services.
Threat Landscape Overview
Today’s SSH honeypot (Cowrie) recorded 164 connections and login attempts, and attackers executed 281 commands in the resulting sessions. The multi-protocol honeypot (OpenCanary) logged a further 300 events, reflecting a mix of probing methods across services.
Geographic Analysis
The geographical analysis reveals that threats originate predominantly from countries as follows:
- United States: 165 IPs
- China: 149 IPs
- Singapore: 73 IPs
- United Kingdom: 41 IPs
- Germany: 35 IPs
- Netherlands: 32 IPs
- Korea, Republic of: 28 IPs
- India: 22 IPs
- Hong Kong: 20 IPs
- Russian Federation: 18 IPs
The United States accounts for the most unique IPs, followed by China and, at some distance, Singapore. This pattern suggests that these regions remain significant sources of attack traffic, including some less commonly associated with cyberattacks.
SSH Brute Force Analysis
SSH brute force attempts continue to dominate the activity. The top attackers tried passwords such as “91566946b1d8deb0”, “aad3f9ba1d6740cc”, “6e86f2270ed47801”, and “6460662e217c7a9f”, which indicates a shared credential list reused across attackers.
Post-Exploitation Behavior
In the TTY sessions, attackers ran commands that suggest an attempt to elevate privileges or install additional tools. The most significant commands include:
- uname -s -v -n -r -m (shows system information: kernel name, version, hostname, release and architecture)
- cd ~; chattr -ia .ssh; lockr -ia .ssh (clears the immutable and append-only attributes on the ~/.ssh directory so its contents can be modified; lockr is not a standard Linux utility and is tried as a fallback for the same purpose)
- uname -m (shows the machine architecture, typically to pick a matching payload)
These actions suggest that attackers are exploring the environment for further footholds or looking for vulnerabilities.
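A detection a defender could run over the Cowrie JSON log to surface exactly the .ssh attribute-stripping sequence described above. This is an added example, not code from the report or from the Cowrie project; the log lines are constructed, and the event and field names (cowrie.command.input, src_ip, session, input) are assumed to match Cowrie's JSON log format.

```python
"""Flag the ~/.ssh attribute-unlocking sequence in Cowrie command events.
Added example; the log lines below are constructed test data."""
import json
import re

# Cowrie writes one JSON object per line; shell input arrives as
# eventid "cowrie.command.input" with the raw command in "input".
SAMPLE_LOG = """\
{"eventid":"cowrie.command.input","src_ip":"192.0.2.10","session":"a1","input":"uname -s -v -n -r -m","timestamp":"2026-06-10T01:02:03Z"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.10","session":"a1","input":"cd ~; chattr -ia .ssh; lockr -ia .ssh","timestamp":"2026-06-10T01:02:04Z"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.10","session":"a1","input":"uname -m","timestamp":"2026-06-10T01:02:05Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"b2","username":"root","password":"91566946b1d8deb0","timestamp":"2026-06-10T01:03:00Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"b2","input":"uname -a","timestamp":"2026-06-10T01:03:01Z"}
"""

# chattr -i / -a removes the immutable / append-only flags; "lockr" is a
# non-standard tool bots try for the same purpose. Match either, with the
# flags in any order, when aimed at an .ssh path within the same command.
SSH_UNLOCK_RE = re.compile(r"\b(chattr|lockr)\s+-(?:ia|ai|i|a)\b[^;&|]*\.ssh")


def parse_events(log_text):
    """Yield parsed Cowrie events, skipping blank or malformed lines."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. a line truncated at a log-rotation boundary


def flag_ssh_unlock(log_text):
    """Return {src_ip: [command, ...]} for sessions that strip protective
    attributes from .ssh, the usual prelude to planting an SSH key."""
    hits = {}
    for ev in parse_events(log_text):
        if ev.get("eventid") != "cowrie.command.input":
            continue
        cmd = ev.get("input", "")
        if SSH_UNLOCK_RE.search(cmd):
            hits.setdefault(ev["src_ip"], []).append(cmd)
    return hits


def count_commands(log_text):
    """Total commands executed, the figure the daily report tallies."""
    return sum(1 for ev in parse_events(log_text)
               if ev.get("eventid") == "cowrie.command.input")


if __name__ == "__main__":
    print(count_commands(SAMPLE_LOG), "commands;", flag_ssh_unlock(SAMPLE_LOG))
```

Point it at the real cowrie.json to get the per-IP list of sessions that should be prioritised for review and reporting.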
Web Scanner Activity
The HTTP LLM honeypot (Galah + qwen AI) observed a variety of scanning patterns. The most commonly requested paths include:
- /SDK/webLanguage
- /login
- /.env
- /.env.local
These requests show attackers scanning for exposed configuration files, login pages and known vulnerable endpoints, likely as a prelude to exploiting known vulnerabilities.
Malware Captures
No malware samples were captured by the SSH honeypot today, so no payload download attempts were observed.
SSH Tarpit (Endlessh)
The tarpit on ports 222/2200/8022/22222 trapped 32 connections, with no attacker time wasted recorded. This active defense strategy shows the tarpit is catching scanners and slowing their activity against the rest of the services.
Canarytoken Alerts
Canarytokens disguised as AWS keys and SSH keys were triggered, indicating that attackers picked up these tokens and attempted to use them. The detailed logs show a variety of token types being triggered from different IP addresses, suggesting diverse threat actors.
Community Defense
Attacker IPs captured by the honeypot are reported to AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield. Captured malware hashes are submitted to VirusTotal and OTX for analysis.
Honeypot Infrastructure
Today’s blog post reflects the ongoing efforts of a Raspberry Pi 5-based honeypot lab in Spain. The infrastructure is designed to simulate various attack vectors, providing valuable data for threat intelligence analysts. By sharing these insights, we aim to contribute to the global effort against cyber threats and highlight the importance of robust cybersecurity measures.
Conclusion
The SSH honeypot continues to be a powerful tool in our arsenal against modern-day attacks. As technology evolves, so too must our defenses. The honeypot infrastructure is designed with future-proofing in mind, ensuring it remains effective in identifying new attack vectors as they arise. Stay informed and vigilant!
This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.