Analysis of attack techniques and threat trends based on the intrusion attempts captured by our honeypot in production.
Analysis of a recurring attack pattern observed in our honeypot: multiple coordinated IPs, common credential dictionaries and ELF payload downloads. TTPs, infrastructure and dropper documented.
Not everyone who knocks at the door is a bot. This session was driven by a person: a desktop SSH client, hand-typed credentials and a very human obsession — installing neofetch to see what machine they had taken over. They tried five different ways.
Of the 143,337 sessions the honeypot logged over eight days, 3,399 (2.4%) authenticated and disconnected without running a single command. Few in number, but revealing: they're not after the machine, they're only checking whether the credential works.
Unauthorized cryptomining arrives in two phases. First a silent GPU hunter checks whether the machine has a GPU. Only then does it install the miner. 18,276 sessions documented.
26,345 real credentials captured in three days. The finding: they're not generic weak passwords — it's Solana node terminology. sol, firedancer, validator in every dictionary.
99.5% of the connections use SSH-2.0-Go — the fingerprint of a custom scanner. Analysis of the infrastructure, load distribution and observed botnet architecture.
A session with FinalShell (a JSch client) ran exactly 7 commands — all to wipe logs. journalctl --vacuum-size=1K, history -c, wtmp, btmp, lastlog. What it failed to erase.
SSH sessions, unique IPs, commands and credentials updated in real time. With a time-window selector to explore any date range.
3 payload URLs, 6 downloads, 259 execution attempts, 0 bytes executed. Analysis of the dropper infrastructure and the GPU hunter → payload chain.
21 sessions ran passwd after authenticating. No binaries, no crontab, no artifacts. Changing the password is the quietest persistence there is.
12,358 echo commands in three days. It's not noise — it's the universal protocol scanners use to verify there's a working shell before launching the real attack.