Honeypot Threat Analysis — May 4, 2026
Critical severity persists — Sunday scanning operations maintain 2,000+ SSH connections with Go-based automated tooling on the web front.
Threat Landscape Overview
Five consecutive critical days. 1,985 SSH connections (88 IPs), 4,235 OpenCanary events (13 IPs), and 85 Galah web requests (35 IPs). The automated nature of these attacks means no weekend dip — machines don’t rest.
SSH Brute Force Analysis
2,392 login attempts maintaining the relentless pace. The top 5 passwords haven’t changed in days: 123456, admin, 123, password, 1234. This stagnation reflects the universal nature of credential stuffing — the same wordlists recycled across millions of targets.
The callback command echo -n login_success continues to appear, suggesting a botnet that tracks successful compromises across its target list by echoing unique strings back to a C2 server.
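One way to pull this probe pattern out of honeypot session logs, as an added example that is not part of the original report or the lab's own tooling. It generalizes from the single login_success string to any session whose only command is an echo of one fixed token. The JSON-lines layout, the field names (session, src_ip, event, input) and the sample events are constructed assumptions, not this honeypot's real log schema.

```python
import json
import shlex
from collections import defaultdict

# Constructed sample events (not real honeypot data); field names are assumptions.
SAMPLE_LOG = """\
{"session": "a1", "src_ip": "192.0.2.10", "event": "login", "password": "123456"}
{"session": "a1", "src_ip": "192.0.2.10", "event": "command", "input": "echo -n login_success"}
{"session": "b2", "src_ip": "192.0.2.11", "event": "login", "password": "admin"}
{"session": "b2", "src_ip": "192.0.2.11", "event": "command", "input": "uname -a"}
{"session": "b2", "src_ip": "192.0.2.11", "event": "command", "input": "echo -n login_success"}
{"session": "c3", "src_ip": "192.0.2.10", "event": "login", "password": "1234"}
{"session": "c3", "src_ip": "192.0.2.10", "event": "command", "input": "echo -n 'login_success'"}
{"session": "d4", "src_ip": "198.51.100.7", "event": "command", "input": "echo 'unterminated"}
"""

def echo_marker(command):
    """Return the echoed token if command is exactly `echo [-n] <one token>`, else None."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes sent by a sloppy client
        return None
    if not argv or argv[0] != "echo":
        return None
    args = [a for a in argv[1:] if a != "-n"]
    return args[0] if len(args) == 1 else None

def find_success_probes(log_text):
    """Map marker -> sorted source IPs for sessions whose only command is an echo probe."""
    commands = defaultdict(list)
    src = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        src[ev["session"]] = ev["src_ip"]
        if ev["event"] == "command":
            commands[ev["session"]].append(ev["input"])
    hits = defaultdict(set)
    for session, cmds in commands.items():
        # A lone echo is a login check; sessions with more commands are something else.
        marker = echo_marker(cmds[0]) if len(cmds) == 1 else None
        if marker:
            hits[marker].add(src[session])
    return {m: sorted(ips) for m, ips in hits.items()}

if __name__ == "__main__":
    for marker, ips in find_success_probes(SAMPLE_LOG).items():
        print(marker, ips)
```

Grouping by marker rather than by IP shows which sources share the same tooling, which is the signal the botnet hypothesis above rests on.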
Web Automation Patterns
The Go-http-client/1.1 user agent dominates Galah requests, indicating purpose-built scanning tools written in Go. The Go programming language has become the de facto standard for building offensive security tools due to its easy compilation into standalone binaries for any platform.
Multi-Protocol Trends
The OpenCanary event count remains flat at 4,235 from just 13 IPs — the same concentrated scanners performing exhaustive protocol sweeps. This consistency across multiple days suggests a scheduled scanning operation rather than opportunistic probing.
Community Defense
7 IPs reported to AbuseIPDB. All data shared with AlienVault OTX, Blocklist.de, and SANS DShield.
This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.