April 2026 Threat Landscape: Go Eats libssh, Mirai Refuses to Die, and Half a Million RDP Probes From One Polish Reseller
In April 2026, the threat.gg honeypot network — 10 active nodes spread across multiple hosting providers — captured 3,373,000 attack sessions across 18 emulated protocols. That is more than 2.2x the volume we observed in March, and the bulk of the increase came from a single category we had assumed was past its peak: telnet.
This report walks through the protocols, the credential patterns, and the infrastructure behind the noise.
By the Numbers
| Protocol | April Volume | vs. March |
|---|---|---|
| Telnet | 1,239,579 | ⬆ ~30x |
| Jenkins | 1,041,158 | ⬆ 2.6x |
| RDP | 677,144 | ⬇ 0.6x |
| SSH | 162,473 | ⬇ 0.5x |
| Elasticsearch | 130,330 | ⬆ 13x |
| Docker API | 57,486 | ⬆ 5.7x |
| SMTP | 16,471 | ⬆ 7.8x |
| Redis | 15,449 | ⬆ 5.1x |
| PostgreSQL | 13,981 | ≈ |
| OpenClaw | 4,798 | new |
| FTP | 4,239 | — |
| etcd | 2,965 | — |
| Kafka | 1,600 | — |
| MQTT | 1,569 | — |
| VNC | 1,546 | — |
| LDAP | 1,129 | — |
| MySQL | 493 | — |
| SMB | 488 | — |
The shape of the month is very different from March. March was the “RDP month.” April is the “everything else” month — telnet exploded, Elasticsearch surged 13x, and Docker API probes nearly sextupled. The aggregate picture is one of attackers diversifying away from a single hot protocol and pressing on every door at once.
The Telnet Resurgence: 884K Attacks in 24 Hours
The headline event of April was a single-day spike of 884,716 telnet connection attempts on April 30 — by far the largest 24-hour volume we have ever recorded for any protocol. That one day represents 71% of the entire month’s telnet traffic.
The attack was not the work of a single dominant IP. The top 15 source IPs each contributed between 9,000 and 22,000 attempts, with the leaders distributed globally:
| Source IP | Country | Count |
|---|---|---|
| 135.181.117.241 | Canada (Hetzner) | 22,068 |
| 198.27.70.83 | Canada (OVH) | 21,035 |
| 192.227.67.225 | United States | 18,832 |
| 46.105.112.141 | Spain | 16,590 |
| 129.232.238.42 | South Africa | 16,492 |
| 91.211.251.44 | Netherlands | 16,489 |
| 91.98.224.238 | Iran | 15,567 |
| 223.25.112.50 | Australia | 15,047 |
The volume ramped throughout the day — 65 attempts in the 00:00 UTC hour, climbing to 117,264 in the 20:00 UTC hour — which is the classic shape of a Mirai-style botnet “waking up” alongside European and Asian working hours, when ISP traffic naturally spikes and blends scanner activity into the noise.
The credential list on display reads like a museum tour of consumer IoT defaults:
| Username | Password | Count |
|---|---|---|
| root | xc3511 | 86,356 |
| root | vizxv | 78,316 |
| root | admin | 68,489 |
| admin | admin | 62,584 |
| root | 888888 | 51,049 |
| root | 123456 | 43,888 |
| root | default | 43,806 |
| support | support | 43,378 |
| root | xmhdipc | 43,123 |
| root | juantech | 43,031 |
| root | 54321 | 42,435 |
xc3511, vizxv, juantech, anko, xmhdipc — these are the original Mirai source-code credential pairs, leaked publicly in 2016 and now nearly a decade old. They are still being sprayed at scale because they still work. The world’s supply of unpatched DVRs, IP cameras, and budget routers is, apparently, inexhaustible.
The 606K RDP Burst: Three IPs, 48 Hours, and a Geolocation Mirage
The second-largest event of the month was a coordinated RDP campaign from three sequential IPs in the same /24:
| Source IP | GeoIP Says | RDP Attempts |
|---|---|---|
| 149.50.122.22 | Israel | 202,242 |
| 149.50.122.27 | Israel | 202,345 |
| 149.50.122.28 | Israel | 202,205 |
These three IPs together fired 606,792 RDP connection attempts between April 11 and April 12 — that is 89% of the entire month’s RDP volume from a single /24 in 48 hours. The dead-even distribution of attempts across the three IPs (~202K each, all within a 0.07% spread) is the fingerprint of a single operator running three parallel scan workers behind sequentially-allocated cloud IPs, not three independent infections.
Almost every attempt targeted the username administrator (606,824 total RDP attempts used that username, or 89% of the month). This is reconnaissance-by-exhaustion: the attacker assumes some percentage of internet-facing Windows hosts use weak passwords on the default admin account, and simply tries enough of them to find one.
Where the IPs actually live
The geolocation databases say “Israel,” but the registration chain tells a different story:
| Layer | Owner |
|---|---|
| ARIN /16 (149.50.0.0/16) | Cogent Communications, LLC (US backbone provider) |
| Cogent rwhois /19 (149.50.96.0/19) | Meverywhere sp. z o.o. — Warsaw, Poland (Al. Jerozolimskie 65/79) |
| MaxMind GeoIP | Israel |
The traffic is riding US backbone transit, sub-allocated to a Polish reseller, and only appears Israeli because the public GeoIP database has not caught up to the reassignment. This pattern — sequential cloud IPs from a small reseller registered to a generic business address, with stale GeoIP data papering over the actual operator — is increasingly common as bulletproof and grey-market hosting providers chase cheap IPv4 sub-allocations.
The April 11–12 burst pushed “Israel” into the #2 spot for total attack source country in April (608,919 attacks) — almost entirely on the strength of these three IPs that are not actually located there. This is the cleanest example of the month for why country-level threat statistics are so often misleading: a single Polish reseller, on US infrastructure, can singlehandedly make a small country look like a global RDP threat actor.
After April 12 the campaign went silent. RDP volume fell back to 200–6,000 attacks per day for the rest of the month.
Jenkins: Still the CI/CD Honeypot Magnet
Jenkins targeting remained a sustained, daily phenomenon, peaking at 142,496 attacks on April 17 and 104,334 on April 10. The largest single source was:
- 141.98.11.50 — 225,335 Jenkins probes (22% of the month)
- 87.121.84.131 — 137,482 probes
- 104.164.8.186 — 106,106 probes
The credential patterns reveal that 152,247 Jenkins attempts arrived with empty username and password fields — these are anonymous-access probes, looking for Jenkins instances that expose /script or build queues without authentication. After those, the wordlists are heavily numeric:
```
admin:102030
admin:111111
admin:1
admin:11
admin:1111111
admin:111111123
admin:1111112023
admin:1111112024
admin:111111@
admin:admin
admin:123456
jenkins:jenkins
```
The presence of 1111112023 and 1111112024 in the top 15 — in April 2026 — is its own piece of threat intelligence. Year-suffix passwords don’t get retired from wordlists; they accumulate. Attackers are still betting that some organizations rotated their Jenkins admin credentials in 2023 or 2024 and never touched them again, and they keep being right.
SSH: Botnet Tooling Is Now Written in Go
SSH volume dropped to a more typical ~5,400 attacks/day baseline, with one notable exception: on April 21, a single DigitalOcean IP (67.205.159.167) fired 25,149 SSH login attempts in 24 hours — a 5x spike over baseline.
The most interesting SSH signal of the month, though, was the client version distribution:
| Client banner | Count |
|---|---|
| SSH-2.0-Go | 131,885 |
| SSH-2.0-libssh_0.11.1 | 12,228 |
| SSH-2.0-libssh_0.12.0 | 4,350 |
| SSH-2.0-OpenSSH_7.4 | 4,145 |
| SSH-2.0-libssh2_1.9.0 | 3,008 |
| SSH-2.0-AsyncSSH_2.1.0 | 2,346 |
| SSH-2.0-libssh2_1.8.1 | 1,658 |
81% of all SSH attack traffic this month came from clients reporting SSH-2.0-Go — that is, scanners written in Go using the golang.org/x/crypto/ssh package, whose default client banner is exactly that string. In March, libssh-based clients dominated. In April, Go pulled ahead by a factor of 11.
This is a real shift in attacker tooling. Go scanners compile to a single static binary with no dependencies, are trivial to drop onto compromised cloud hosts, and ship with concurrency primitives that make spraying thousands of credentials per second easy. The libssh-based generation of tools (Python wrappers, C utilities) is being displaced.
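The banner breakdown above is the kind of signal a defender can reproduce from their own SSH honeypot or sshd logs. The following is an added example, not code from threat.gg or from the original post: it parses constructed log lines of an assumed format (`timestamp source client_version=BANNER`), maps each banner onto a library family (`SSH-2.0-Go`, `libssh_x.y.z`, `libssh2_x.y.z`, `OpenSSH_x.y`, `AsyncSSH_x.y.z`, `paramiko_x.y.z`), and reports per-family share and the source addresses behind each family. The log format, the addresses (RFC 5737 ranges) and the counts are all constructed; the banner strings themselves are the ones the libraries actually send.

```python
import re
from collections import Counter, defaultdict

# Constructed honeypot log lines (not the report's data): timestamp, source
# address, and the client version string sent during the SSH handshake.
SAMPLE_LOG = """\
2026-04-21T10:02:11Z 198.51.100.5 client_version=SSH-2.0-Go
2026-04-21T10:02:13Z 198.51.100.5 client_version=SSH-2.0-Go
2026-04-21T10:03:40Z 203.0.113.9 client_version=SSH-2.0-libssh_0.11.1
2026-04-21T10:04:02Z 203.0.113.9 client_version=SSH-2.0-libssh2_1.9.0
2026-04-21T10:05:17Z 192.0.2.44 client_version=SSH-2.0-OpenSSH_7.4
2026-04-21T10:06:00Z 192.0.2.45 client_version=SSH-2.0-AsyncSSH_2.1.0
2026-04-21T10:07:30Z 198.51.100.6 client_version=SSH-2.0-Go
2026-04-21T10:08:01Z 203.0.113.10 client_version=SSH-2.0-paramiko_3.4.0
"""

# Assumed log layout: the banner follows "client_version=". Group 1 is the whole
# banner, group 2 the software part after the protocol version.
BANNER_RE = re.compile(r"client_version=(SSH-[\d.]+-(\S+))")

# Library families, checked in order; the first match wins. SSH-2.0-Go is the
# fixed default banner of golang.org/x/crypto/ssh and carries no version.
FAMILIES = [
    ("go", re.compile(r"^Go$")),
    ("libssh2", re.compile(r"^libssh2_([\d.]+)")),
    ("libssh", re.compile(r"^libssh_([\d.]+)")),
    ("openssh", re.compile(r"^OpenSSH_([\w.]+)")),
    ("asyncssh", re.compile(r"^AsyncSSH_([\d.]+)")),
    ("paramiko", re.compile(r"^paramiko_([\d.]+)")),
]


def classify_banner(software):
    """Return (family, version-or-None) for the software part of a banner."""
    for family, pattern in FAMILIES:
        m = pattern.match(software)
        if m:
            return family, (m.group(1) if m.groups() else None)
    return "other", None


def parse_log(text):
    """Turn log lines into records; lines without a banner are skipped."""
    records = []
    for line in text.splitlines():
        m = BANNER_RE.search(line)
        if not m:
            continue
        ts, src = line.split()[:2]
        family, version = classify_banner(m.group(2))
        records.append({"ts": ts, "src": src, "banner": m.group(1),
                        "family": family, "version": version})
    return records


def family_shares(records):
    """Map family -> (count, fraction of all sessions)."""
    counts = Counter(r["family"] for r in records)
    total = sum(counts.values())
    return {fam: (n, n / total) for fam, n in counts.items()}


def sources_per_family(records):
    """Map family -> sorted list of distinct source addresses."""
    srcs = defaultdict(set)
    for r in records:
        srcs[r["family"]].add(r["src"])
    return {fam: sorted(s) for fam, s in srcs.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for fam, (n, share) in sorted(family_shares(recs).items(), key=lambda kv: -kv[1][0]):
        print(f"{fam:<9} {n:>3} {share:6.1%}  {', '.join(sources_per_family(recs)[fam])}")
```

The banner is chosen by the client, so it is an attribution hint rather than proof: a scanner can send any string it likes. What makes `SSH-2.0-Go` useful is that it is the library's default and carries no version, so a large versionless `Go` share from a handful of cloud addresses is exactly the shape described above.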
The credential patterns themselves are familiar: the 345gs5662d34:345gs5662d34 botnet marker still appears (5,344 sessions, down from 9,164 in March), and crypto-validator hunting continues — solana, sol, solv, validator, firedancer, and node collectively account for over 8,000 attempts.
Top SSH Credentials (April)
| Username | Password | Count |
|---|---|---|
| 345gs5662d34 | 345gs5662d34 | 5,344 |
| admin | admin | 3,962 |
| solana | solana | 3,008 |
| root | 3245gs5662d34 | 2,730 |
| sol | sol | 2,451 |
| 0 | 0 | 2,330 |
| ubuntu | ubuntu | 2,149 |
| sol | 123 | 1,221 |
| sol | 1234 | 966 |
| solv | solv | 939 |
| validator | validator | 927 |
| firedancer | firedancer | 578 |
Elasticsearch: A Spanish Scanner Farm
The most notable structural change in April was the 13x jump in Elasticsearch attacks, from 10,000 in March to 130,330. Almost all of this growth came from a single block of sequential IPs in Spain:
| Source IP | Country | ES Probes |
|---|---|---|
| 185.177.72.100 | Spain | 15,302 |
| 185.177.72.12 | Spain | 14,000 |
| 185.177.72.70 | Spain | 9,468 |
| 185.177.72.24 | Spain | 6,302 |
| 185.177.72.11 | Spain | 6,153 |
| 185.177.72.38 | Spain | 5,048 |
| 185.177.72.23 | Spain | 4,331 |
| 185.177.72.16 | Spain | 4,302 |
| 185.177.72.52 | Spain | 4,152 |
| 185.177.72.205 | Spain | 4,151 |
Ten IPs from the same Spanish /24 accounted for over 73,000 of the 130,000 Elasticsearch probes — 56% of the entire protocol’s volume for the month. Same operator pattern as the 149.50.122.0/24 RDP cluster: sequential addresses, even distribution of work, single coordinated campaign rather than a botnet.
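Both the 149.50.122.0/24 RDP burst and the 185.177.72.0/24 Elasticsearch farm were identified the same way: sequential addresses in one prefix carrying most of a protocol's volume, with the work split evenly between them. The following is an added example, not code from threat.gg or the original post, that turns that reasoning into a check: it buckets per-source counts by /24, flags prefixes whose members carry more than half of a protocol's traffic, and uses the coefficient of variation of the per-IP counts to separate parallel workers of one operator (near-identical counts) from a cluster that merely happens to share a prefix. The input rows, the RFC 5737 addresses and the thresholds are constructed; the RDP-style rows are deliberately near-even and the Elasticsearch-style rows deliberately uneven so that both outcomes appear.

```python
import ipaddress
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample (not the report's data): per-source attempt counts as a
# honeypot back end might export them, using RFC 5737 documentation addresses.
# Three RDP sources in one /24 carry near-identical counts; four Elasticsearch
# sources in another /24 share the work unevenly.
SAMPLE_ROWS = [
    ("203.0.113.22", "rdp", 202242),
    ("203.0.113.27", "rdp", 202345),
    ("203.0.113.28", "rdp", 202205),
    ("198.51.100.7", "rdp", 4100),
    ("192.0.2.100", "elasticsearch", 15302),
    ("192.0.2.12", "elasticsearch", 14000),
    ("192.0.2.70", "elasticsearch", 9468),
    ("192.0.2.205", "elasticsearch", 4151),
    ("198.51.100.9", "telnet", 22068),
]


def group_by_prefix(rows, prefix_len=24):
    """Bucket per-IP counts under (protocol, /prefix_len network)."""
    clusters = defaultdict(Counter)
    for ip, proto, count in rows:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        clusters[(proto, str(net))][ip] += count
    return clusters


def find_worker_clusters(rows, prefix_len=24, min_ips=3, min_share=0.5, max_cv=0.05):
    """Flag prefixes where at least min_ips sources together carry min_share of
    a protocol's volume. even_split is True when the coefficient of variation
    of the per-IP counts is at most max_cv, i.e. the sources look like parallel
    workers of one operator rather than independently infected hosts.
    Thresholds are assumptions; tune them to your own baseline."""
    totals = Counter()
    for _, proto, count in rows:
        totals[proto] += count
    findings = []
    for (proto, net), per_ip in sorted(group_by_prefix(rows, prefix_len).items()):
        counts = list(per_ip.values())
        if len(counts) < min_ips:
            continue
        share = sum(counts) / totals[proto]
        if share < min_share:
            continue
        cv = pstdev(counts) / mean(counts)
        findings.append({
            "protocol": proto,
            "network": net,
            "ips": len(counts),
            "share": share,
            "cv": cv,
            "even_split": cv <= max_cv,
        })
    return findings


if __name__ == "__main__":
    for f in find_worker_clusters(SAMPLE_ROWS):
        kind = "parallel workers" if f["even_split"] else "uneven cluster"
        print(f"{f['protocol']:<14} {f['network']:<18} ips={f['ips']} "
              f"share={f['share']:.1%} cv={f['cv']:.4f} -> {kind}")
```

Run against the sample, the three RDP-style sources are reported as parallel workers (share above 99%, coefficient of variation well under 0.1%), while the Elasticsearch-style cluster is reported as concentrated but uneven. The prefix length is a parameter because resellers hand out sub-allocations at various sizes; rerunning at /22 or /19 shows whether a "three IPs" finding is really one corner of a larger block, as the rwhois chain above suggests.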
Elasticsearch probes typically attempt to enumerate _cluster/health, _cat/indices, and dump documents from any unauthenticated index. With the rise of vector-database deployments and the use of Elasticsearch as a backing store for AI/ML pipelines, internet-facing ES instances are becoming a richer target for data exfiltration than they were a year ago.
Smaller Protocols: The Long Tail Is Lighting Up
The expansion to 18 active protocols continues to surface attacks against services that traditional threat feeds rarely cover:
- Docker API (port 2375) — 57,486 probes, up from 10K in March. Tools like `docker-puller` and `meowclient` are systematically scanning for unauthenticated Docker daemons, which grant container escape and host-level RCE in a single API call.
- Redis (port 6379) — 15,449 attacks, mostly unauthenticated `CONFIG SET` attempts to write SSH authorized_keys files via the classic `dir /root/.ssh && dbfilename authorized_keys && save` exploit chain. Five-year-old technique, still being run daily.
- etcd (port 2379) — 2,965 probes attempting to dump Kubernetes cluster secrets. Anyone running a self-hosted k3s or kubeadm cluster with etcd exposed: this is for you.
- MQTT, Kafka, VNC, LDAP — collectively 5,800+ probes. The MQTT connections in particular often try to subscribe to `#` (the wildcard topic) — i.e., “send me every message on this broker.”
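The Redis chain in the list above is easy to recognise in a captured session because it is stateful: two `CONFIG SET` calls retarget where the next `SAVE` writes, and only then does the write land outside the data directory. The following is an added example, not code from threat.gg or the original post, that replays captured Redis command sequences and flags a `SAVE`/`BGSAVE` whose destination has been moved outside the expected data directory or given a non-`.rdb` filename. The sessions, the RFC 5737 addresses and the `EXPECTED_DIR` value are constructed assumptions; a real deployment would substitute its own `dir` setting.

```python
import posixpath

# Constructed honeypot captures (not the report's data): each key is a client
# endpoint, each value the ordered commands it sent to an unauthenticated
# Redis emulation. Addresses are RFC 5737 documentation ranges.
SAMPLE_SESSIONS = {
    "203.0.113.5:51022": [
        "INFO",
        "CONFIG SET dir /root/.ssh",
        "CONFIG SET dbfilename authorized_keys",
        "SET k1 <constructed-payload>",
        "SAVE",
    ],
    "192.0.2.77:60001": ["PING", "INFO", "KEYS *", "GET session:1"],
    "192.0.2.78:60002": ["CONFIG SET dbfilename backup.rdb", "BGSAVE"],
}

# Assumption: the deployment's legitimate RDB location and default file name.
EXPECTED_DIR = "/var/lib/redis"
DEFAULT_DBFILENAME = "dump.rdb"


def parse_command(raw):
    """Split a raw command into (verb, args); the verb is upper-cased for matching."""
    parts = raw.split()
    return (parts[0].upper(), parts[1:]) if parts else ("", [])


def analyse_session(commands, expected_dir=EXPECTED_DIR):
    """Replay a session's commands, tracking the two CONFIG SET keys that
    control where a SAVE/BGSAVE lands, and report the first dangerous write."""
    state = {"dir": expected_dir, "dbfilename": DEFAULT_DBFILENAME}
    findings = []
    for raw in commands:
        verb, args = parse_command(raw)
        if verb == "CONFIG" and len(args) >= 3 and args[0].upper() == "SET":
            key = args[1].lower()
            if key in state:
                state[key] = args[2]
                findings.append(f"CONFIG SET {key} {args[2]}")
        elif verb in ("SAVE", "BGSAVE"):
            path = posixpath.normpath(posixpath.join(state["dir"], state["dbfilename"]))
            outside = not path.startswith(expected_dir.rstrip("/") + "/")
            odd_name = not state["dbfilename"].endswith(".rdb")
            if outside or odd_name:
                findings.append(f"{verb} -> {path}")
                return {"verdict": "rdb-write-abuse", "path": path, "findings": findings}
    # CONFIG SET from an unauthenticated client is worth a ticket even when the
    # resulting save stayed inside the data directory.
    verdict = "config-set-seen" if findings else "benign"
    return {"verdict": verdict, "path": None, "findings": findings}


def triage(sessions):
    """Run analyse_session over every captured session."""
    return {client: analyse_session(cmds) for client, cmds in sessions.items()}


if __name__ == "__main__":
    for client, result in triage(SAMPLE_SESSIONS).items():
        print(f"{client:<20} {result['verdict']:<17} {result['path'] or '':<32} "
              f"{'; '.join(result['findings'])}")
```

On the sample, the first session is reported as `rdb-write-abuse` with destination `/root/.ssh/authorized_keys`, the reconnaissance-only session as benign, and the third as `config-set-seen` because it touched `dbfilename` without moving the write out of place. On the server side the same chain is closed by `protected-mode yes`, a `requirepass` or ACL user with no `CONFIG` rights, and not binding Redis to a public interface at all.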
Source Country Distribution
| Country | Total Attacks | Notes |
|---|---|---|
| United States | 721,923 | Dominated by cloud-hosted scan infrastructure |
| Israel | 608,919 | ~99% from the 149.50.122.0/24 cluster — actually a Polish reseller on Cogent transit |
| China | 270,264 | Heavy telnet, consistent month over month |
| Spain | 267,369 | Dominated by 185.177.72.0/24 ES farm |
| Germany | 182,831 | Bulletproof hosting (DMZHOST/TECHOFF continued) |
| Bulgaria | 153,947 | New entry — Jenkins-focused traffic |
| Canada | 119,057 | Hetzner / OVH scanner nodes |
| United Kingdom | 107,180 | Mostly registered shell companies for NL infra |
The “country of origin” lens is fundamentally misleading at this scale. The US, Israel, and Spain top this list not because of organic malicious activity from those geographies, but because three or four operators chose to rent IP space there.
Conclusion
The story of April 2026 is not any single protocol or any single attacker. It is that the public internet has reached a steady state where every exposed service is being exhaustively probed, with credential lists refined and recycled for nearly a decade, by tooling that increasingly compiles to a single static Go binary. xc3511 and vizxv were leaked in the 2016 Mirai source dump and are still the top two telnet passwords on the open internet a decade later — they keep being tried because they keep working. And the “country of origin” of an attack now means almost nothing: three sequential cloud IPs from a single Polish reseller, riding US backbone transit, made Israel look like the world’s second-largest source of RDP brute-force traffic for the month.
Defenders cannot stop the scanning — that ship has sailed — but they can stop being the easy answer. Key-only SSH authentication, SSO in front of CI/CD, fail2ban-style banning at the network edge, and moving administrative access behind a bastion or zero-trust gateway are the durable controls. None of the protocols in this report belong on the public internet in 2026, full stop. The job is to make sure none of your equipment is what shows up in next month’s report.
Deploy honeypots with threat.gg to see exactly what is targeting your infrastructure. Our platform captures every connection attempt across 18+ protocols and surfaces it through a real-time dashboard, REST API, and MCP integration for AI-powered analysis.
Data collected from the threat.gg global honeypot network, April 2026. All IP addresses referenced are from attacks against honeypot infrastructure and are presented for threat intelligence purposes.