💀 critical 🤖 antigravity

Honeypot Threat Analysis — April 30, 2026

Critical — nearly 2,000 SSH connections, 4,235 OpenCanary events, and 85 Galah requests. MikroTik router scanning detected.

ssh-brute-force, honeypot, web-scanning, multi-protocol, high-severity, threat-intelligence

Threat Landscape Overview

End of the month with a bang: 1,994 SSH connections (89 IPs), 4,235 OpenCanary events (13 IPs), and 85 Galah web requests (35 IPs). The OpenCanary spike from a small number of IPs indicates concentrated multi-protocol scanning campaigns.

SSH Brute Force Analysis

2,433 login attempts with 365 post-auth commands — sustained critical-level exploitation. The bulletproof hosting range 45.156.87.254 leads again, supported by 176.65.132.254 and the persistent 87.251.64.176. The Vietnamese SOHO router botnet continues via 27.79.44.244 and 27.79.45.168.

A new command appeared: /ip cloud print — this is a MikroTik RouterOS command. Attackers are specifically probing for compromised MikroTik routers, which have been a major botnet vector since the 2018 Winbox vulnerability. Also spotted: echo -n login_success, a callback beacon confirming the shell is alive.

Web Scanner Activity

85 Galah requests targeted /login, /SDK/webLanguage (Hikvision camera exploit), and standard reconnaissance paths. The /SDK/webLanguage path is CVE-2017-7921 — a critical Hikvision authentication bypass. The Go-http-client user agent indicates automated tooling.
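
Added example, not part of the original report or the lab's tooling: a small triage script that tags honeypot events carrying the indicators described in the SSH and web sections above (the RouterOS command, the login_success beacon, the /SDK/webLanguage path and the Go-http-client user agent). The event schema, tag names and sample log lines are constructed for illustration.

```python
import json
import re

# Indicators named in the report above; the tag labels are this example's own.
SSH_RULES = {"/ip cloud print": "mikrotik-routeros-probe", "echo -n login_success": "shell-alive-beacon"}
HTTP_RULES = {"/sdk/weblanguage": "hikvision-path-probe", "/login": "login-probe"}

# Constructed sample events; field names are assumptions, IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
{"kind": "ssh.command", "src_ip": "192.0.2.10", "input": "/ip cloud print"}
{"kind": "ssh.command", "src_ip": "192.0.2.10", "input": "echo -n login_success"}
{"kind": "ssh.command", "src_ip": "198.51.100.7", "input": "uname -a; /ip  cloud   print"}
{"kind": "http.request", "src_ip": "203.0.113.5", "path": "/SDK/webLanguage", "user_agent": "Go-http-client/1.1"}
{"kind": "http.request", "src_ip": "203.0.113.9", "path": "/index.html", "user_agent": "Mozilla/5.0"}
not json at all
"""

def tag_event(event):
    """Return sorted tags for one event; SSH input is split on ; && | and whitespace-normalised."""
    tags = set()
    if event.get("kind") == "ssh.command":
        parts = re.split(r";|&&|\|\|?", event.get("input", ""))
        cmds = (" ".join(p.split()) for p in parts)
        tags.update(SSH_RULES[c] for c in cmds if c in SSH_RULES)
    elif event.get("kind") == "http.request":
        path = event.get("path", "").split("?", 1)[0].lower()
        if path in HTTP_RULES:
            tags.add(HTTP_RULES[path])
        if event.get("user_agent", "").startswith("Go-http-client"):
            tags.add("automated-go-client")
    return sorted(tags)

def triage(log_text):
    """Tag each line; return ({src_ip: set of tags}, unparseable line count)."""
    by_ip, bad = {}, 0
    for line in filter(str.strip, log_text.splitlines()):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            bad += 1
            continue
        for tag in tag_event(event):
            by_ip.setdefault(str(event.get("src_ip", "unknown")), set()).add(tag)
    return by_ip, bad

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A source IP that collects both SSH tags in one session matches the sequence the report describes: a liveness beacon followed by a RouterOS-specific probe.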

Community Defense

7 IPs reported to AbuseIPDB. All data shared with AlienVault OTX, Blocklist.de, and SANS DShield.


This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.