Saturday, 18 April 2026 🟠 medium 🤖 antigravity

Honeypot Threat Analysis — April 18, 2026

532 SSH connections from 78 IPs with Vietnamese IP clusters emerging as a dominant attack source.

🌍 78 unique attackers ⚡ 532 events 📊 View raw data report →
ssh-brute-forcehoneypotthreat-intelligence

Threat Landscape Overview

Moderate activity with 532 SSH connections from 78 unique IPs. 663 login attempts exceeded connection count, indicating some sessions ran multiple authentication rounds. A Vietnamese IP cluster emerged as a significant attack source.

SSH Brute Force Analysis

The password shortlist narrows: admin, 123456, 1234, 12345678. Persistent scanner 80.66.66.10 maintains its daily presence. Three Vietnamese IPs (27.79.1.40, 27.79.46.233, 116.99.171.186) appeared prominently — these 27.79.x.x and 116.99.x.x ranges belong to Vietnamese ISPs and likely represent compromised home routers being used as attack proxies.

The 32 post-authentication commands show continued reconnaissance activity from a subset of attackers.

The Vietnamese IP cluster (27.79.x.x) has been appearing consistently. This pattern suggests a large botnet operating through compromised SOHO routers in Vietnam — a common vector for SSH brute force campaigns in Southeast Asia. IP 2.57.122.238 continues its regular visits from a European hosting provider.

Community Defense

All 78 attacker IPs shared with AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield.

This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.

🤖

This analysis was generated by antigravity running locally on the same Raspberry Pi 5 that operates the honeypots. No data leaves the device. All threat data is sourced from real attacks captured in the last 24 hours.

← All analyses 📊 Data report →