Honeypot Threat Analysis — May 8, 2026
Critical threat level — massive coordinated attack activity across all honeypot services.
Threat Landscape Overview
In today’s blog post, we take a deep dive into our Raspberry Pi 5 honeypot lab located in Spain. On May 8th, 2026, several critical activities were recorded across different security tools and protocols.
The SSH honeypot (Cowrie) saw 637 connections over the day. Those sessions produced 730 login attempts, and attackers who reached a shell executed 99 commands in their attempts to gain unauthorized access. The honeypot recorded 90 unique source IP addresses, indicating a high volume of activity and varied attack vectors.
Moving on to the Multi-Protocol Honeypot (OpenCanary), we found a spike of 3331 events over the day. These came from 12 unique IP addresses attempting connections via FTP/Telnet/MySQL/Redis/VNC/Git, highlighting a sophisticated range of threats targeting these protocols.
The HTTP LLM honeypot (Galah + qwen2.5 AI) registered 125 requests from 40 IPs. The HTTP paths scanned included “/SDK/webLanguage”, “/login”, “/”, “/og-default.png” and “*”, suggesting broad scanning of web endpoints, likely for exploitation or unauthorized access.
Analyzing the severity of these activities, we identified that they were all critical in nature, indicating high-level threat activity from multiple sources. The total unique attackers reported reached ~142 IPs, with significant overlap among these threats, further emphasizing their malicious intent.
Interestingly, 11 IP addresses have been reported to AbuseIPDB for investigation and potential blocking measures. Among the top passwords tried were “admin,” "
In terms of HTTP scanning patterns, “/SDK/webLanguage” was scanned most frequently. This suggests that attackers may be targeting endpoints for exploitation or attempting to bypass security measures on these platforms.
Notably, the threat landscape has shown an increase in IP activity from known malicious actors, indicating a growing sophistication in cyber threats against web services and data protection mechanisms.
As we move forward with our honeypot infrastructure, it is crucial to monitor these trends closely. The open-source tooling running on the Raspberry Pi 5 provides an excellent foundation for continuous improvement and detection of emerging threats.
SSH Brute Force Analysis
The SSH honeypot (Cowrie) experienced a significant spike in login attempts on May 8th, with over 730 login attempts against the system. Attackers who got past the login executed 99 commands in their attempts to gain unauthorized access through brute force methods. This activity is indicative of a persistent and aggressive attack pattern aimed at exploiting weak credentials on SSH-based systems.
The use of password guessing techniques is evident from the high frequency of “123456” being tried alongside common admin passwords like “admin,” "
The 90 unique IPs reported for this honeypot further emphasize the scale of this attack campaign, with multiple individuals or groups contributing to this high volume of activity.
It is imperative that security measures are continually improved to detect such brute force attacks effectively. Regular updates and stronger password policies can help deter these types of unauthorized access attempts.
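As an added example (not part of the original report), the following script shows how the per-day Cowrie figures cited above (connections, login attempts, commands, unique IPs, top passwords) can be derived from Cowrie's JSON log. The sample events are constructed and use documentation IP ranges; only the event IDs follow Cowrie's real scheme.

```python
import json
from collections import Counter

# Constructed sample events in Cowrie's JSON log format (not captured traffic).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventid": "cowrie.session.connect", "src_ip": "203.0.113.5", "session": "a1"},
    {"eventid": "cowrie.login.failed", "src_ip": "203.0.113.5", "session": "a1",
     "username": "root", "password": "123456"},
    {"eventid": "cowrie.login.failed", "src_ip": "203.0.113.5", "session": "a1",
     "username": "admin", "password": "admin"},
    {"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "session": "b2"},
    {"eventid": "cowrie.login.success", "src_ip": "198.51.100.7", "session": "b2",
     "username": "root", "password": "123456"},
    {"eventid": "cowrie.command.input", "src_ip": "198.51.100.7", "session": "b2",
     "input": "uname -a"},
    {"eventid": "cowrie.command.input", "src_ip": "198.51.100.7", "session": "b2",
     "input": "cat /proc/cpuinfo"},
    {"eventid": "cowrie.session.connect", "src_ip": "203.0.113.5", "session": "c3"},
    {"eventid": "cowrie.login.failed", "src_ip": "203.0.113.5", "session": "c3",
     "username": "pi", "password": "raspberry"},
])


def summarize(log_text: str) -> dict:
    """Aggregate one day of Cowrie JSON lines into the metrics the report cites."""
    stats = {"connections": 0, "login_attempts": 0, "commands": 0}
    ips, passwords = set(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines left by log rotation
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a truncated line rather than abort the whole day
        eid = ev.get("eventid", "")
        if ev.get("src_ip"):
            ips.add(ev["src_ip"])
        if eid == "cowrie.session.connect":
            stats["connections"] += 1
        elif eid in ("cowrie.login.failed", "cowrie.login.success"):
            stats["login_attempts"] += 1  # every attempt counts, success or not
            passwords[ev.get("password", "")] += 1
        elif eid == "cowrie.command.input":
            stats["commands"] += 1
    stats["unique_ips"] = len(ips)
    stats["top_passwords"] = passwords.most_common(3)
    return stats


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On a live lab, read /var/log/cowrie/cowrie.json (path assumed) instead of SAMPLE_LOG; the same counters give the connection, attempt and command totals the post reports.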
Web Scanner Activity
The Multi-Protocol Honeypot (OpenCanary) has reported an increase in events over the day, with 3331 occurrences involving multiple protocols including FTP/Telnet/MySQL/Redis/VNC/Git. These incidents highlight a broad range of threats targeting these protocols, indicating that attackers are increasingly using multi-layered techniques to evade detection and gain access.
The 12 unique IP addresses involved in this activity suggest that the targets may be web-based services or applications that expose multiple protocols. Scanning for “/SDK/webLanguage” indicates that attackers may be attempting to exploit specific functionality within these systems, potentially leading to data breaches or unauthorized access.
While the low number of commands executed (90) compared to other types of honeypot activity suggests this activity is broad rather than deep, it is still concerning given the high volume of IP addresses involved. This highlights the need for robust security measures across multiple protocols and improved detection of these types of scans.
In conclusion, while each type of honeypot provides valuable insights into different aspects of cyber threats, combining them can offer a more comprehensive view of the evolving threat landscape. Continuous monitoring and updating of security measures are essential to protect against such sophisticated attacks.
This analysis was generated by qwen2.5:1.5b running locally on the Raspberry Pi 5 honeypot lab. All data comes from real attacks captured in the last 24 hours. View the raw data report for complete metrics.