June 2026 Threat Landscape: 5 IPs, Half of All Attacks
In June 2026, the threat.gg honeypot network — 8 active nodes across multiple hosting providers — captured 5,084,551 attack sessions across 18 emulated protocols from 24,728 unique source IPs. That is 55% of May’s record 9.26 million, and on the surface it reads like a quiet month.
It was not a quiet month. It was a more concentrated one.
Five IP addresses generated 2,486,870 attacks — 48.9% of everything the network saw in June. The remaining 24,723 addresses, combined, produced the other half. May’s record was driven by a noisy telnet botnet layered on top of a disciplined RDP operator. In June the botnet went quiet, the operator did not, and what was left behind is one of the clearest portraits of professionalized scanning we have captured.
Three things happened. The RDP operator we have tracked since April came back a third time — and for the first time, stopped rotating its IPs. The telnet flood vanished, taking 4.1 million attempts with it. And underneath both, attacks against developer infrastructure — Jenkins, Docker, etcd, Kafka, Elasticsearch — climbed 40% to an all-time high.
By the Numbers
| Protocol | June Volume | vs. May |
|---|---|---|
| RDP | 2,664,929 | ⬇ 0.84x |
| Jenkins | 1,276,519 | ⬆ 1.36x |
| Telnet | 654,791 | ⬇ 0.14x |
| SSH | 219,542 | ⬆ 1.17x |
| Docker API | 99,976 | ⬆ 1.71x |
| Elasticsearch | 95,963 | ⬆ 1.44x |
| Redis | 14,294 | ⬇ 0.71x |
| PostgreSQL | 12,979 | ⬇ 0.63x |
| SMTP | 12,669 | ⬇ 0.84x |
| etcd | 10,476 | ⬆ 2.81x |
| Kafka | 7,425 | ⬆ 5.09x |
| FTP | 4,270 | ⬇ 0.74x |
| OpenClaw | 3,330 | ⬇ 0.70x |
| VNC | 2,578 | ⬆ 1.45x |
| MQTT | 1,668 | ≈ |
| SMB | 1,408 | ⬆ 10.2x |
| LDAP | 1,376 | ⬆ 1.10x |
| MySQL | 358 | ⬇ 0.28x |
The headline decline is telnet and telnet alone. Strip it out and the rest of the network was busier in June than in May. Jenkins set an all-time record. Docker, Elasticsearch, etcd, and Kafka all posted their strongest months to date. The traffic did not go away; it moved.
The 149.50 Operator, Act Three: Same Five IPs, No Rotation
May’s report closed with a commitment: “We will be watching 149.50.96.0/19 for the June installment.”
It came back. And it did something new.
| Source IP | GeoIP Says | RDP Attempts | Active Window (UTC) |
|---|---|---|---|
149.50.116.115 | Israel | 498,328 | Jun 10 08:53 → Jun 14 12:58 |
149.50.116.42 | Israel | 498,177 | Jun 10 09:07 → Jun 14 13:20 |
149.50.116.119 | Israel | 497,687 | Jun 10 08:52 → Jun 14 13:17 |
149.50.116.96 | Israel | 496,640 | Jun 10 08:59 → Jun 14 13:18 |
149.50.101.134 | Israel | 496,038 | Jun 10 08:48 → Jun 13 13:59 |
Look carefully at those addresses. They are not similar to May’s — they are identical. The same five IPs, in the same order, from the same 149.50.96.0/19 sub-allocation: the block ARIN assigns to Cogent Communications, which Cogent sub-allocates to Meverywhere sp. z o.o., a reseller registered to a generic business address in Warsaw, and which MaxMind still labels as Israel.
In April this operator used three IPs. In May it rotated to five fresh ones. In June it did not rotate at all — it simply reused the exact addresses it had burned a month earlier, fired 2,486,870 RDP attempts between June 10 and June 14, and accounted for 93.3% of the month’s entire RDP volume.
That is a meaningful behavioral change. IP rotation is a cost you pay to evade blocklists. Choosing not to pay it means one of two things: either the operator has concluded that nobody is blocking it, or it has concluded that being blocked does not matter. Neither is a comfortable conclusion for defenders. The addresses that hammered our honeypots for four days in May were still working just fine in June.
The quota fingerprint
The per-IP totals are the tell. The five workers landed at 496,038 / 496,640 / 497,687 / 498,177 / 498,328 attempts — a spread of 2,290 attempts across five machines, or 0.46%.
Independent infections do not distribute work that evenly. Nothing organic does. A 0.46% spread is a scheduler dividing a fixed work queue among five workers and letting them run until the queue drains. In May the same operator’s IPs ranged from 490K to 615K — a 20% spread. In June it tightened to under half a percent. Whoever runs this campaign refined their job distribution between May and June, which is to say: someone is maintaining this thing.
The one asymmetry in the table points the same way. 149.50.101.134 has both the lowest total (496,038) and the earliest cutoff — it went quiet on June 13 at 13:59, roughly 23 hours before its four peers finished on June 14. A worker that stops early having done slightly less work is precisely what a drained queue looks like. It did not die; it ran out of things to try.
The flat line, flatter than ever
June 11 was the campaign’s peak — 1,412,197 RDP attempts in a single day. Here is every hour of it, all twenty-four:
| UTC Hour | Attempts | UTC Hour | Attempts |
|---|---|---|---|
| 00:00 | 57,841 | 12:00 | 58,820 |
| 01:00 | 59,590 | 13:00 | 58,790 |
| 02:00 | 59,815 | 14:00 | 57,694 |
| 03:00 | 59,536 | 15:00 | 57,731 |
| 04:00 | 58,767 | 16:00 | 58,482 |
| 05:00 | 59,525 | 17:00 | 58,271 |
| 06:00 | 59,315 | 18:00 | 57,446 |
| 07:00 | 58,606 | 19:00 | 57,626 |
| 08:00 | 57,106 | 20:00 | 58,419 |
| 09:00 | 57,222 | 21:00 | 61,362 |
| 10:00 | 58,234 | 22:00 | 60,733 |
| 11:00 | 58,920 | 23:00 | 62,346 |
Those twenty-four buckets sum to exactly 1,412,197 — the full day. Every one of them falls between 57,106 and 62,346 attempts, a total variance of 9%, with no diurnal curve at all. Not a hint of a business day, a timezone, or a human being. This is a rate limiter doing exactly what it was configured to do, for a full day, without supervision.
Compare it to the telnet traffic in the same month, which lurches by an order of magnitude hour to hour as thousands of infected consumer devices wake and sleep on independent schedules. Same honeypots, same calendar, two completely different machines behind the traffic — and the hourly histogram alone is enough to tell them apart.
The username flip
Here is the detail that most rewards month-over-month tracking. June’s RDP username distribution:
| Username | Attempts |
|---|---|
admin | 2,492,722 |
Administrator | 22,690 |
Admin | 15,237 |
test | 11,884 |
NCRACK_USER | 11,048 |
Enterprise | 10,740 |
administrator | 6,082 |
WIN-6740D, WIN-73168, WIN-20706 (leaked hostnames) | ~8,700 |
In May, administrator led with 2,061,576 attempts and admin trailed at 845,712. In June that ratio inverted completely: admin now accounts for 2.49 million attempts and administrator has collapsed to 6,082.
The operator swapped its primary username. That is a wordlist edit — a deliberate configuration change between campaigns, not drift. Someone looked at April and May’s results, concluded administrator was not paying out, and re-pointed the whole operation at admin. The infrastructure is static; the targeting is being tuned.
NCRACK_USER persists at 11,048 attempts — the default probe identity baked into Ncrack, the Nmap project’s authentication cracker, still fingerprinting the exact tool in use. The WIN-* strings are leaked Windows machine names bleeding into the username field from credential lists scraped off previously-compromised hosts.
The geolocation mirage, for the third month running
Because GeoIP labels all five IPs as Israel, Israel is once again June’s #1 source country with 2,487,298 attacks — of which 2,486,870, or 99.98%, came from those five addresses.
Four hundred and twenty-eight attacks out of nearly 2.5 million actually came from anywhere else in the country. We have now published this same correction three months in a row: a Warsaw reseller on US backbone transit, with stale GeoIP papering over the reassignment, is single-handedly manufacturing “Israel” as the world’s top attack origin. Country-level attack statistics, at this scale, measure where IP space is cheap to rent — nothing more.
Jenkins Hits an All-Time High — and Its Operator Rotates Too
Jenkins reached 1,276,519 probes in June, up 36% and the highest we have ever recorded. Unlike RDP, this is not a four-day burst; it is a relentless daily grind of 30,000 to 90,000 probes, every day, all month.
And its lead operator behaves like a smaller cousin of the RDP campaign:
| Source IP | Probes | Active Window |
|---|---|---|
141.98.11.59 | 494,070 | Jun 11 → Jun 25 |
185.226.93.242 | 179,080 | all month |
94.156.152.234 (Bulgaria) | 120,039 | all month |
141.98.11.50 | 60,756 | Jun 1 → Jun 9 |
141.98.11.50 was May’s Jenkins leader with 400,509 probes. In June it ran until the 9th, stopped, and on the 11th 141.98.11.59 — the same 141.98.11.0/24 — picked up the work and ran it to 494,070. A clean baton pass between two addresses in a block the operator controls.
So in the same month we have one operator that stopped rotating within its /19 and another that did rotate within its /24. Both patterns point at the same underlying fact: these are not infections spreading opportunistically across the internet. They are tenants with address space, choosing when to change IPs the way you would choose when to redeploy a service.
The credential pattern confirms what Jenkins attackers are actually hunting:
| Username | Password | Attempts |
|---|---|---|
| (empty) | (empty) | 198,484 |
admin | 102030 | 2,045 |
admin | admin | 2,026 |
admin | 123456 | 1,827 |
admin | 12345678 | 1,676 |
198,484 probes arrived with no credentials at all — more than double May’s 90,456 — and they dwarf every actual password guess by two orders of magnitude. These are not brute-force attempts. They are checking whether your /script console answers without authentication. The brute-force wordlist is a rounding error; the real play is finding the Jenkins that was never locked down in the first place.
The Telnet Flood Vanishes — but the Wordlist Is Immortal
Telnet fell from 4,766,141 attempts to 654,791 — an 86% collapse. May’s three-million-hit flood, and the Contabo host that drove it, are simply gone. June’s top telnet source (69.6.249.0, 68,416 attempts) does about a fifth of what May’s leader did.
But look at what did not change:
| Username | Password | June Attempts |
|---|---|---|
root | xc3511 | 38,536 |
root | vizxv | 35,153 |
root | admin | 31,443 |
admin | admin | 30,929 |
root | 888888 | 22,917 |
root | juantech | 19,618 |
support | support | 19,575 |
root | xmhdipc | 19,568 |
That is May’s telnet credential table, in the same rank order, at roughly one-seventh the scale. xc3511, vizxv, juantech, xmhdipc — the original Mirai source-code pairs, leaked in 2016, still leading the wordlist a decade later.
The lesson is worth stating plainly: the wordlist is a constant. Only the botnet’s activity level varies. When telnet volume swings 7x between months, that tells you how many devices happen to be awake and scanning — it tells you nothing about what they are trying, because what they are trying has not meaningfully changed since 2016. A telnet volume drop is not good news. It is a botnet taking a breath.
The Real Story: Attackers Are Moving to Developer Infrastructure
Beneath the two headline campaigns, the most durable trend in this month’s data is a pivot in what attackers consider a target.
Group the five protocols that represent modern developer and container infrastructure — Jenkins, Docker, etcd, Kafka, and Elasticsearch:
| Protocol | June | vs. May |
|---|---|---|
| Jenkins | 1,276,519 | ⬆ 36% |
| Docker API | 99,976 | ⬆ 71% |
| Elasticsearch | 95,963 | ⬆ 44% |
| etcd | 10,476 | ⬆ 181% |
| Kafka | 7,425 | ⬆ 409% |
| Combined | 1,490,359 | ⬆ 40% |
That group is now 29.3% of all traffic on the network — up 40% month over month, while total traffic fell 45%. Every single one of these protocols set a record in June.
And crucially, the operators behind them are the same operators. 45.198.224.5 (South Africa) ran 69,014 Docker probes and 28,942 Jenkins probes — every day, all month, both protocols from one host. It is, on its own, responsible for 69% of all Docker traffic we saw.
The Spanish farm at 185.177.72.0/24 — the block that drove April’s 13x Elasticsearch surge and that we flagged in May as “repurposing itself toward CI/CD targeting” — has now completed that pivot:
| Protocol | Attacks | Distinct IPs in block |
|---|---|---|
| Jenkins | 92,984 | 21 |
| Elasticsearch | 72,080 | 14 |
| Docker API | 2,998 | 1 |
Twenty-one IPs on Jenkins, fourteen on Elasticsearch, running in parallel out of one /24. And its Elasticsearch workers do not spread randomly either — they come in quantized tiers:
| Per-worker volume | Workers |
|---|---|
| ~3,000 (six at exactly 3,000, one at 3,006) | 7 |
| ~6,000 (five at exactly 6,015, one at 6,000) | 6 |
| 14,999 | 1 |
Seven workers at roughly 3,000 requests, six at roughly 6,000, one at just under 15,000 — that is 1x, 2x, and 5x a ~3,000-request unit. This is the same fixed-quota scheduling fingerprint as the RDP campaign, from an entirely unrelated operator: a scheduler handing out work in fixed-size chunks rather than letting each host run free. The technique is converging even where the operators are not.
Meanwhile etcd’s top sources are all 34.x addresses — Google Cloud — probing for exposed clusters from which to dump Kubernetes secrets, at suspiciously uniform counts (563, 427, 427, 427).
The strategic shift here is from “brute-force a login” to “find the endpoint that never had one.” An exposed Jenkins /script console, an open Docker daemon on 2375, an unauthenticated etcd — each is a single API call from full host or cluster compromise, with no password to guess. The 198,484 empty-credential Jenkins probes and the 69,014 Docker probes from a single host are the same bet: that somewhere in your estate, a piece of build or container infrastructure got stood up without auth and never got audited. They are probably right.
SSH: The Go Monoculture Reaches 91%
SSH rose modestly to 219,542 attempts, and the client-banner distribution completed its consolidation:
| Client banner | Count | Share |
|---|---|---|
SSH-2.0-Go | 200,596 | 91.4% |
SSH-2.0-libssh_0.9.6 | 10,744 | 4.9% |
SSH-2.0-libssh2_1.8.1 | 2,055 | 0.9% |
SSH-2.0-AsyncSSH_2.1.0 | 1,050 | 0.5% |
SSH-2.0-OpenSSH_7.4 | 996 | 0.5% |
The trend across three months is unambiguous: 81% → 85.5% → 91.4%. Nine in ten SSH attacks now come from scanners built on Go’s golang.org/x/crypto/ssh. Go compiles to a single static binary with no runtime dependencies, drops trivially onto any compromised cloud host, and ships with the concurrency primitives that make spraying thousands of credentials per second effortless. The libssh generation of tooling is effectively extinct. If you are writing SSH detection signatures, SSH-2.0-Go is now very nearly the only client banner that matters.
The credentials are the familiar crowd, with the crypto-validator hunt still going strong:
| Username | Password | Attempts |
|---|---|---|
345gs5662d34 | 345gs5662d34 | 3,786 |
0 | 0 | 2,892 |
admin | admin | 2,763 |
root | 3245gs5662d34 | 1,336 |
support | support | 1,155 |
ubuntu | ubuntu | 849 |
solana | solana | 797 |
sol | sol | 702 |
solana and sol persist — attackers continue to tailor SSH wordlists to Solana validator hosts, which hold hot wallet keys and run 24/7 on well-provisioned hardware.
Source Country Distribution
| Country | Total Attacks | Notes |
|---|---|---|
| Israel | 2,487,298 | 99.98% from the five 149.50.x RDP IPs — actually a Warsaw reseller on Cogent transit |
| United States | 845,964 | Cloud scan infrastructure; also all top etcd sources (Google Cloud) |
| (unattributed) | 743,601 | No resolved GeoIP — includes the 141.98.11.x Jenkins operator |
| Germany | 195,794 | Budget hosting, Jenkins-heavy |
| Spain | 187,674 | The 185.177.72.0/24 farm — now Jenkins + Elasticsearch |
| Bulgaria | 154,786 | Single dominant Jenkins source |
| South Africa | 111,534 | Effectively one host: 45.198.224.5 (Docker + Jenkins) |
| Iran | 49,510 | Jenkins |
| China | 39,696 | Redis, Docker |
| Singapore | 34,185 | Telnet |
Every entry in the top seven is explained by one operator or one block, not by a national population of attackers. That is the whole point. The flag on the map is an artifact of an invoice.
Conclusion
June looked like a 45% decline. It was not. It was a botnet going quiet while every professional operator on the network got better at its job.
The five 149.50 addresses did not bother to rotate, tightened their work distribution to within half a percent, ran a perfectly flat 24-hour line at ~58,000 attempts an hour, swapped their primary username from administrator to admin on the basis of what was presumably a results review, and produced nearly half of everything we saw all month. The Jenkins operator passed the baton between two IPs in a block it owns without dropping a beat. The Spanish farm finished converting itself from an Elasticsearch scanner into a general-purpose CI/CD hunter. And the fastest-growing category of attack on the internet, by a wide margin, is now the one aimed at the infrastructure your engineers use to ship software.
The old model — that internet background radiation is a vast, undifferentiated swarm of infected machines — keeps getting less true. What we actually observe is a small number of well-run, rate-limited, budget-conscious operations renting address space, tuning wordlists between campaigns, dividing work with a scheduler, and steadily moving their aim from your login prompts toward your build servers. The swarm still exists — it is the telnet noise, and it is still trying xc3511 — but it is no longer where the interesting volume is.
For defenders, June’s data argues for a specific reprioritization:
Audit for missing authentication before you audit for weak passwords. The single largest signal in this report is 198,484 Jenkins probes with empty credentials and 69,014 Docker probes from one host. They are not guessing passwords; they are looking for services that never had any. Inventory every Jenkins, Docker daemon, etcd, Kafka broker, and Elasticsearch node you run and confirm each one requires auth — that closes a larger attack surface than any password policy will.
RDP does not belong on the public internet. Put it behind a VPN or a zero-trust gateway, enforce account lockout, and rename or disable the built-in administrator account — though note that this operator has already moved on to admin, so lockout matters more than renaming.
Key-only SSH authentication defeats every credential in this report at once, including all of the Go-scanner traffic and the Solana validator wordlists.
Telnet should not exist on a public interface in 2026. Its volume fell 86% this month and that changes nothing: the same Mirai credentials from 2016 still lead the list, and they will be back at full volume the moment the botnet wakes up.
The scanning will not stop. The job is to make sure that when the next campaign spends four days at 58,000 attempts an hour, it is spending them against something that cannot be opened.
Deploy honeypots with threat.gg to see exactly what is targeting your infrastructure. Our platform captures every connection attempt across 18+ protocols and surfaces it through a real-time dashboard, REST API, and MCP integration for AI-powered analysis.
Data collected from the threat.gg global honeypot network, June 2026. All IP addresses referenced are from attacks against honeypot infrastructure and are presented for threat intelligence purposes.