During the 10-day monitoring period, Embedded World's honeypot infrastructure detected 15,652 security alerts from 1,573 unique attackers operating across 10 countries and leveraging 10 distinct ISPs. Attack origination was heavily concentrated in Germany (via cloud providers), with secondary activity from Switzerland, the United States, and the United Kingdom. The threat landscape reveals a diverse ecosystem of attackers ranging from legitimate security scanners to organized credential-harvesting operations and targeted intrusion attempts, each employing distinct methodologies and infrastructure.
Credential compromise detection dominates the threat profile, accounting for 5,438 alerts (35% of total activity), concentrated across five ISPs (tzulo, Datacamp, FOP Dmytro Nedilskyi, M247 Europe, and UK2.NET). These coordinated SSH/RDP brute-force operations target role-based corporate accounts with leaked credential lists and common passwords, indicating active botnet or hired credential-stuffing service activity. Country-specific targeted attacks (6,988 alerts) are primarily attributable to a legitimate Qualys vulnerability scanner cluster operating from Oracle Cloud infrastructure (five coordinated IPs in the 64.39.102.x range), performing authorized web application assessments with distinctive Qualys-branded payloads and callback mechanisms.
A critical specialized threat emerges from DMZHOST (single IP 45.148.10.244), which conducts highly targeted fuzzing for exposed cloud secrets and API keys (AWS credentials, Stripe/PayPal keys, SendGrid configurations, CI/CD files). This represents a sophisticated financial fraud or phishing infrastructure acquisition campaign, distinct from generic vulnerability scanning. Additionally, Microsoft Azure infrastructure hosts a WordPress webshell post-exploitation campaign, with five IPs reconnecting to previously planted PHP shells, suggesting either attacker persistence or rapid shell-dropping by multiple actors exploiting the same compromised hosts.
Cloud providers—particularly Oracle Cloud (9,001 alerts), DigitalOcean (608 alerts), and Microsoft Azure (131 alerts)—host the highest-volume attack infrastructure, enabling attackers to operate at scale while leveraging legitimate cloud IP space to evade reputation-based filtering. Out-of-band (OOB) callback activity reveals advanced attacker sophistication: DigitalOcean attackers use shared Interactsh/Burp Collaborator infrastructure across five distributed IPs for blind SSRF/RCE verification, while Oracle Cloud's Qualys scanner uses w3.org and qualys.com callbacks for command injection validation. A single Ukrainian ISP operator (FOP Dmytro Nedilskyi) hosts multiple coordinated brute-force nodes, suggesting either VPS fleet compromise or deliberate abuse of cheap regional hosting. Notably, 525 DigitalOcean alerts and 745 total alerts are sourced from IPs completely unknown to third-party threat intelligence, indicating freshly provisioned attacker infrastructure or deliberate operational security measures.
Immediate actions should prioritize isolating or rate-limiting credential-based services exposed to the internet, as the 35% credential compromise alert rate reflects active and systematic brute-force campaigns. Organizations should verify that their SSH/RDP services are not exposed to the public internet, or that they are protected by multi-factor authentication and account lockout policies. The targeted cloud-secrets harvesting activity warrants an urgent audit of publicly exposed AWS credentials, API keys, and CI/CD configuration files across S3 buckets, GitHub repositories, and container registries. Finally, the WordPress webshell activity originating from Azure infrastructure calls for immediate WordPress security assessments, including malware scanning, plugin vulnerability patching, and file integrity monitoring on any self-hosted or cloud-deployed WordPress instances within the organization's ecosystem.
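The exposed-secrets audit recommended above can be started locally on a repository checkout or an unpacked container image. The following is an added example, not tooling from the report: it walks a directory tree, flags files whose names match the credential stores the DMZHOST operator was probing for, and scans file contents for the publicly documented key formats of AWS, Stripe and SendGrid (those regexes are an assumption about current key formats, not something the report states). The demo tree is constructed in a temporary directory using the vendors' published example keys.

```python
import os
import re
import tempfile

# Key formats assumed from the vendors' public documentation; review them before relying on them.
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Only flag a 40-char secret when it sits next to its config key, to limit noise.
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?[A-Za-z0-9/+=]{40}"),
    "stripe_secret_key": re.compile(r"\b[sr]k_(?:live|test)_[0-9A-Za-z]{24,}\b"),
    "sendgrid_api_key": re.compile(r"\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b"),
}

# File names taken from the paths the cloud-secrets fuzzer requested (see the DMZHOST cluster).
SENSITIVE_NAMES = {
    ".aws/credentials", "ses_credentials.json", "akia_ses.txt", "stripe.json",
    "stripe_connect.yml", "paypal.json", "sendgrid.json", "postmark.yml",
    "mailgun.php", "sparkpost_api_key.txt",
}
SKIP_DIRS = {".git", "node_modules"}


def scan_text(text):
    """Return the set of key-format names found in a piece of text."""
    return {name for name, pat in KEY_PATTERNS.items() if pat.search(text)}


def scan_tree(root, max_bytes=1_000_000):
    """Return sorted (relative path, finding) pairs for a directory tree."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(rel == s or rel.endswith("/" + s) for s in SENSITIVE_NAMES):
                findings.append((rel, "sensitive_filename"))
            if os.path.getsize(full) > max_bytes:
                continue  # large blobs are unlikely to be config files; skip them
            with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                for hit in sorted(scan_text(fh.read())):
                    findings.append((rel, hit))
    return sorted(findings)


def demo():
    """Build a constructed tree (vendor example keys only) and scan it."""
    files = {
        ".aws/credentials": (
            "[default]\n"
            "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"  # AWS documentation example key
            "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        ),
        # Stripe's published example test key, embedded as a constructed config file.
        "config/stripe.json": '{"secret": "sk_test_4eC39HqLyjWDarjtT1zdp7dc"}\n',
        "README.md": "Deployment notes. No secrets here.\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:24} {rel}")
```

Run it against a real checkout with `scan_tree("/path/to/repo")`; every `sensitive_filename` hit is a file that should not be in a web root or an image layer regardless of its contents, while the key-format hits are candidates for rotation.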
| Alert category | Alerts |
| --- | --- |
| Country specific targeted attack | 6,988 |
| Credential Compromise Detected | 5,438 |
| Fuzzing attack | 1,975 |
| Attacker with IP unknown to integrated 3rd party threat intelligence | 745 |
| Injected Command Callback Domain Detected | 280 |
| Country | Alerts |
| --- | --- |
| CH | 9,003 |
| US | 5,304 |
| GB | 396 |
| RO | 324 |
| NL | 211 |
Five IPs from Oracle Cloud (64.39.102.170/171/174/181/182) exhibit near-identical attack profiles: ~1,500 country-specific attacks targeting DE, extensive fuzzing against 195.34.187.44 (400+ URLs each covering Apache Struts CVEs, XSS, SQLi, LFI/path traversal, RFI, and dozens of legacy CMSes), OOB callback injection using http://www.qualys.com and http://www.w3.org, and identical credential sets (admin/pass1234, ishaan-litellm/langchain, technician/TrippLite, localadmin/localadmin, etc.). The consistent use of Qualys-branded payloads (e.g., QUALYS-STRUTS-370547, QualysQID 13251, QUALYS_XSS) and www.qualys.com as the OOB callback strongly indicates this is a Qualys vulnerability scanner performing authorized or coordinated web application assessments rather than a malicious actor. The wget/curl command injection callbacks all point back to the scanning IP on ephemeral ports, confirming active out-of-band verification of RCE vulnerabilities (Struts OGNL, shellshock-style CGI, etc.). 64.39.102.182 and 64.39.102.171 are not flagged by third-party threat intel, consistent with a legitimate scanner fleet.
Five IPs across two subnets (68.235.46.x, 23.234.96/105.x) perform pure brute-force credential attacks with no fuzzing or OOB activity, targeting generic corporate account names (finance, maintenance, staff, student, helpdesk, support, travel, camera). Password choices are a mix of default/welcome patterns (welcome1, Welcome123, P@ssw0rd, 123456789) and company/username-derived combos (Mario2022!, Tyrell2022, Blaine123), typical of credential list enumeration. The 68.235.46.162 IP introduced a novel office2/OFFIC321 token pair flagged by the Baithive engine, suggesting active dictionary evolution or custom wordlist usage. This cluster likely represents a botnet or hired credential-stuffing service operating across tzulo infrastructure.
Six IPs split across two subnets (45.134.142.x, 37.19.221.x) conduct parallel credential stuffing against decoy systems, collectively hitting role-based accounts (manager, support, techsupport, backup, oracle, vmware, postgres) with varied but realistic enterprise passwords. The credential diversity (multilingual names: angela, simone, amanda, atelier; service accounts: backupexec, timeclock, postgres) suggests use of a broad leaked credential corpus. The two subnets appear to be cooperating infrastructure — likely the same operator using Datacamp hosting for distributed brute-force to avoid per-IP rate limiting. No fuzzing or OOB callbacks indicate a purely credential-harvest focused campaign.
A single IP (45.148.10.244) performs highly targeted fuzzing (200 country-specific hits, 124 fuzz attempts) exclusively hunting for exposed cloud credentials, API keys, and configuration files: AWS credentials (.aws/credentials, ses_credentials.json, akia_ses.txt), payment API keys (stripe.json, stripe_connect.yml, paypal.json), email service configs (sendgrid.json, postmark.yml, mailgun.php, sparkpost_api_key.txt), and CI/CD secrets (.circleci/config.yml, .codefresh/, cdk.json). This is a highly specialized attack profile distinct from generic web fuzzing — the attacker is specifically targeting modern cloud-native application stacks (AWS SES/S3, Stripe, SendGrid, Serverless). The breadth of targeted paths (30 distinct batches) indicates use of a purpose-built cloud-secrets scanner wordlist, likely for financial fraud or phishing infrastructure acquisition.
Five IPs (143.110.205.225, 167.71.116.192, 167.71.146.215, 137.184.91.169, 104.248.77.100) exclusively use wget callbacks to a shared OAST infrastructure domain (*.ctcu31hm272c73bv6mqg968gtjq5djfn9.oast.me) with per-request unique subdomains, indicating use of a tool like Interactsh or Burp Collaborator for blind out-of-band exploitation verification. Each IP generates only two detections, suggesting targeted probing rather than mass scanning; the low volume per IP may be deliberate evasion of rate-based detection. All five IPs are unknown to third-party threat intelligence, consistent with freshly provisioned attacker infrastructure. The shared OAST parent domain across all five IPs confirms a single operator distributing probes across multiple DigitalOcean nodes.
Five IPs (88.210.63.x, 92.63.197.80) produce 32–36 credential attempts each, targeting a mix of generic system accounts (info, storage.controller, svc-ldap-admin, directadmin, serveradministrator) and personal names with numeric suffixes (glover123, carney/111111, elias/123456). Password patterns lean heavily on 111111, 123456, qwerty, pass, and 12345, indicating a low-sophistication automated tool using a high-volume common password list. The ISP (a Ukrainian individual operator, "FOP" = Ukrainian sole trader registration) hosting multiple attack IPs simultaneously suggests either a compromised VPS fleet or deliberate abuse of cheap Ukrainian hosting for botnet C2 or credential farming infrastructure.
Five IPs from Azure (20.205.226.191, 20.63.210.169, 20.207.204.235, 20.219.132.149, 4.194.42.236) conduct WordPress-specific fuzzing searching for pre-planted or opportunistically uploaded PHP webshells (wso.php, alfa.php, alfa-rex.php7, bolt.php, goods.php, rip.php, as.php, xwx1.php). The URL patterns target both standard WordPress paths (/wp-content/plugins/, /wp-includes/, /wp-admin/) and obfuscated filenames within them, suggesting these are post-exploitation callbacks: the attacker previously dropped shells and is now reconnecting, or is scanning for shells left by other actors. The overlapping URL sets across IPs (e.g., /autoload_classmap.php, /wk/index.php, /goods.php appear across multiple IPs) indicate a shared tool or playbook. Because these attackers abuse legitimate Azure IP space, they are harder to block via simple IP reputation.
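The three web-side patterns described in the clusters above (cloud-secrets path fuzzing, webshell probing under WordPress directories, and wget/curl command-injection callbacks to OAST domains) can be picked out of ordinary access logs with a small triage script. The following is an added example and not the report's own detection logic; the log lines are constructed in Apache combined style with invented timestamps, the injection shape (`?cmd=wget ...`) is a simplification, and the list of Interactsh/Collaborator parent domains is assumed from those tools' public defaults and should be maintained. It also links source IPs that share an OAST correlation domain, the observation used above to attribute five DigitalOcean nodes to one operator.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log lines; source IPs and probe paths echo the report's clusters.
SAMPLE_LOG = """\
45.148.10.244 - - [10/Mar/2025:10:01:02 +0000] "GET /.aws/credentials HTTP/1.1" 404 0
45.148.10.244 - - [10/Mar/2025:10:01:03 +0000] "GET /config/stripe.json HTTP/1.1" 404 0
45.148.10.244 - - [10/Mar/2025:10:01:04 +0000] "GET /.circleci/config.yml HTTP/1.1" 404 0
20.205.226.191 - - [10/Mar/2025:10:02:11 +0000] "GET /wp-content/plugins/wso.php HTTP/1.1" 404 0
20.205.226.191 - - [10/Mar/2025:10:02:12 +0000] "GET /wp-includes/alfa.php HTTP/1.1" 404 0
143.110.205.225 - - [10/Mar/2025:10:03:20 +0000] "GET /cgi-bin/test.cgi?cmd=wget%20http://x7k2.ctcu31hm272c73bv6mqg968gtjq5djfn9.oast.me/ HTTP/1.1" 500 0
167.71.116.192 - - [10/Mar/2025:10:03:25 +0000] "GET /cgi-bin/test.cgi?cmd=wget%20http://q9pa.ctcu31hm272c73bv6mqg968gtjq5djfn9.oast.me/ HTTP/1.1" 500 0
64.39.102.170 - - [10/Mar/2025:10:04:30 +0000] "GET /cgi-bin/test.cgi?cmd=curl%20http://www.qualys.com/ HTTP/1.1" 404 0
203.0.113.7 - - [10/Mar/2025:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Secret-store paths requested by the DMZHOST fuzzer, as listed in the report.
SECRET_PATH_RE = re.compile(
    r"(?i)(\.aws/credentials|ses_credentials\.json|akia_ses\.txt|stripe(?:_connect)?\.(?:json|yml)"
    r"|paypal\.json|sendgrid\.json|postmark\.yml|mailgun\.php|sparkpost_api_key\.txt"
    r"|\.circleci/config\.yml|\.codefresh/|cdk\.json)"
)
# Webshell basenames from the Azure cluster, anywhere under a standard WordPress directory.
WEBSHELL_RE = re.compile(
    r"(?i)/(?:wp-content|wp-includes|wp-admin)/(?:[^?]*/)?"
    r"(?:wso|alfa|alfa-rex|bolt|goods|rip|as|xwx1)\.php7?(?:\?|$)"
)
# wget/curl followed by a URL inside a parameter: the out-of-band callback shape.
CALLBACK_RE = re.compile(r"(?i)\b(?:wget|curl)\s+(?:-\S+\s+)*https?://([a-z0-9.-]+)")

# Assumed default parent domains of Interactsh and Burp Collaborator; keep this list current.
OAST_SUFFIXES = ("oast.me", "oast.fun", "oast.pro", "oast.live", "oast.site", "oast.online",
                 "interact.sh", "oastify.com", "burpcollaborator.net")


def oast_parent(host):
    """Return '<correlation-id>.<suffix>' if host is an OAST domain, else None."""
    host = host.lower()
    for suffix in OAST_SUFFIXES:
        if host == suffix:
            return suffix
        if host.endswith("." + suffix):
            labels = host[: -len(suffix) - 1].split(".")
            return labels[-1] + "." + suffix
    return None


def classify_request(target):
    """Return (tags, callback host or None) for one URL-decoded request target."""
    tags = set()
    if SECRET_PATH_RE.search(target):
        tags.add("cloud_secret_probe")
    if WEBSHELL_RE.search(target):
        tags.add("webshell_probe")
    m = CALLBACK_RE.search(target)
    host = m.group(1) if m else None
    if host:
        tags.add("cmd_injection_callback")
        if oast_parent(host):
            tags.add("oast_callback")
    return tags, host


def triage(log_text):
    """Aggregate request counts, tags and OAST parents per source IP."""
    per_ip = defaultdict(lambda: {"requests": 0, "tags": set(), "oast_parents": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, target, _status = m.groups()
        tags, host = classify_request(unquote(target))
        entry = per_ip[ip]
        entry["requests"] += 1
        entry["tags"] |= tags
        parent = oast_parent(host) if host else None
        if parent:
            entry["oast_parents"].add(parent)
    return dict(per_ip)


def link_by_oast_parent(per_ip):
    """Group source IPs sharing one OAST correlation domain: one operator, many nodes."""
    groups = defaultdict(set)
    for ip, entry in per_ip.items():
        for parent in entry["oast_parents"]:
            groups[parent].add(ip)
    return {parent: sorted(ips) for parent, ips in groups.items()}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip in sorted(result):
        print(ip, result[ip]["requests"], sorted(result[ip]["tags"]))
    print("shared OAST parents:", link_by_oast_parent(result))
```

Note that the Qualys-style callback to www.qualys.com is tagged as a command-injection callback but not as an OAST callback; a vendor name inside a payload is a hint for analyst triage, not proof the scan is authorized, so confirm the source ranges with the vendor or your own scanning team before treating them differently.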
Five IPs (194.59.12.230, 31.222.247.63, 103.151.103.164, 195.69.162.88, 185.98.42.194) exclusively attempt logins using realistic full-name formatted usernames (hoai.nguyenhuy, cathrin.salzmann, tram.dothingoc, sivasurya.prakash, fatima.alshumimi, raghdaa.badr) with a narrow, rotating password set (Password123!, Welcome123!, Qwerty123!). This pattern is characteristic of targeted Active Directory / VPN / OWA spraying using harvested employee name lists (likely from LinkedIn or corporate data leaks), with passwords chosen to avoid lockout thresholds. The multinational name diversity (Vietnamese, German, Arab, Indian, Serbian surnames) suggests the credential list was aggregated from multiple company breaches. 195.69.162.88 uses a fixed password (Welcome123!) across all attempts — a textbook password-spray technique.
A single IP (85.11.182.5) generates 48 credential attempts with an unusually specific and internally consistent password set: W@llnutF00d$, WcF00d$, $W@llnutF00d$, @t0mC@t76, ActionJackson1!, Berlin2, Fiber1, Comcast1, along with multiple admin variants and named accounts (ldapuser, rwebster, bucher, poates, WCAdmin, rcs.svc). The password themes (WallnutFood, Tomcat, ISP names like Comcast/Verizon/Fiber) and service account names suggest this is a targeted attack against a specific organization's known credential patterns, possibly derived from a prior breach or insider knowledge. The high specificity and low IP count (single node) distinguish this from generic stuffing — this resembles a targeted intrusion attempt rather than automated mass credential scanning.
Three IPs from an unidentified ISP (185.218.138.39, .15, .11) use service/role account names with complex passwords (Qwerty123!, 123qweASD!, 1qaz@WSX, P@ssw0rd, Abc@123), while 85.239.146.38 sends a single attempt with a clearly randomized username (fdsfsdfsertwerwe) and password, likely a probe or test request. 185.218.138.39 is specifically flagged as unknown to all third-party threat intelligence; combined with its targeting of non-standard accounts (puppet, sleep, radio, topicnorm), this suggests experimental or research-driven credential testing. The low attempt counts (2–20 per IP) and complex passwords indicate deliberate evasion of velocity-based detection systems.
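The credential clusters above are distinguished by the same few ratios: one password across many accounts (spraying), many passwords against one account (brute force), a fresh user:password pair on almost every attempt (stuffing from a leaked corpus), and a small, spread-out volume that stays under velocity thresholds. The following added example, not the report's own analytics, turns those observations into a classifier over honeypot authentication events and links source IPs whose username lists overlap, the signal used above to tie the two Datacamp subnets to one operator. The events are constructed: the IPs, account names and most passwords are drawn from the clusters described, while the timing and the remaining passwords are invented; the thresholds are assumptions to tune against your own data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta


def _events():
    """Constructed honeypot auth events: (timestamp, source IP, username, password)."""
    t0 = datetime(2025, 3, 10, 9, 0)
    ev = []
    # Password spray: one fixed password across employee-style names, five minutes apart.
    for i, user in enumerate(["hoai.nguyenhuy", "cathrin.salzmann", "tram.dothingoc",
                              "sivasurya.prakash", "fatima.alshumimi", "raghdaa.badr"]):
        ev.append((t0 + timedelta(minutes=5 * i), "195.69.162.88", user, "Welcome123!"))
    # Brute force: one account, a burst of passwords one second apart.
    for i, pw in enumerate(["welcome1", "Welcome123", "P@ssw0rd", "123456789",
                            "Mario2022!", "Tyrell2022", "Blaine123", "OFFIC321"]):
        ev.append((t0 + timedelta(seconds=i), "68.235.46.162", "admin", pw))
    # Credential stuffing from two subnets that share most of one username list.
    for i, (user, pw) in enumerate([("manager", "Manager2023"), ("support", "Summer2022!"),
                                    ("techsupport", "Tech!123"), ("backup", "backupexec"),
                                    ("oracle", "oracle123")]):
        ev.append((t0 + timedelta(seconds=10 * i), "45.134.142.10", user, pw))
    for i, (user, pw) in enumerate([("manager", "Welcome2023"), ("support", "Support!1"),
                                    ("techsupport", "Passw0rd"), ("backup", "Backup123"),
                                    ("postgres", "postgres")]):
        ev.append((t0 + timedelta(seconds=10 * i), "37.19.221.5", user, pw))
    # Low-and-slow: three attempts spread over six hours against non-standard accounts.
    for i, (user, pw) in enumerate([("puppet", "Qwerty123!"), ("radio", "123qweASD!"),
                                    ("topicnorm", "1qaz@WSX")]):
        ev.append((t0 + timedelta(hours=3 * i), "185.218.138.39", user, pw))
    return ev


EVENTS = _events()
NAME_STYLE = re.compile(r"^[a-z]+\.[a-z]+$")  # first.last: the harvested-employee-list shape


def profile_by_ip(events):
    """Per-source-IP counters used by classify()."""
    by_ip = defaultdict(list)
    for ts, ip, user, pw in events:
        by_ip[ip].append((ts, user, pw))
    profiles = {}
    for ip, rows in by_ip.items():
        rows.sort()
        users = {u for _, u, _ in rows}
        hours = max((rows[-1][0] - rows[0][0]).total_seconds() / 3600, 1 / 60)  # floor: 1 min
        profiles[ip] = {
            "attempts": len(rows),
            "users": users,
            "passwords": {p for _, _, p in rows},
            "per_hour": len(rows) / hours,
            "name_style_share": sum(bool(NAME_STYLE.match(u)) for u in users) / len(users),
        }
    return profiles


def classify(p):
    """Tags for one profile: attack shape plus evasion and list-origin indicators."""
    n, nu, npw = p["attempts"], len(p["users"]), len(p["passwords"])
    if n < 2:
        shape = "single_probe"
    elif nu >= 3 and npw <= max(2, nu // 3):
        shape = "password_spray"        # many accounts, one or two passwords
    elif nu <= 2 and npw >= 3:
        shape = "brute_force"           # one account, many passwords
    elif nu >= 0.8 * n and npw >= 0.8 * n:
        shape = "credential_stuffing"   # a fresh user:password pair almost every attempt
    else:
        shape = "mixed"
    tags = [shape]
    if n <= 20 and p["per_hour"] < 2:
        tags.append("low_and_slow")     # volume kept under velocity-based thresholds
    if p["name_style_share"] >= 0.5:
        tags.append("employee_name_list")
    return tags


def link_campaigns(profiles, min_jaccard=0.5):
    """Pairs of IPs whose username sets overlap strongly: one list, distributed nodes."""
    ips = sorted(profiles)
    links = []
    for i, a in enumerate(ips):
        for b in ips[i + 1:]:
            ua, ub = profiles[a]["users"], profiles[b]["users"]
            j = len(ua & ub) / len(ua | ub)
            if j >= min_jaccard:
                links.append((a, b, round(j, 2)))
    return links


if __name__ == "__main__":
    prof = profile_by_ip(EVENTS)
    for ip in sorted(prof):
        print(ip, prof[ip]["attempts"], classify(prof[ip]))
    print("linked:", link_campaigns(prof))
```

The `low_and_slow` tag is the one a per-IP rate limit will never produce; it only falls out of aggregating over hours per source, which is why the report's 2–20-attempt clusters are worth a dedicated query rather than a velocity rule.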