March 2026 Threat Landscape: RDP Brute-Force Surge, Jenkins Targeting, and Botnet Credential Patterns
Over the past 30 days, the threat.gg honeypot network — spanning 9 nodes across 5 hosting providers — captured over 1.5 million attack sessions across 20 emulated protocols. This report breaks down the most significant trends, attacker behaviors, and credential patterns we observed.
By the Numbers
| Protocol | 30-Day Volume | Trend |
|---|---|---|
| RDP | ~1,200,000 | Massive spike mid-March |
| Jenkins | ~400,000 | Sustained high volume |
| SSH | ~350,000 | Steady baseline |
| Telnet | ~40,000 | IoT botnet activity |
| Docker API | ~10,000 | Container escape attempts |
| Elasticsearch | ~10,000 | Data exfiltration probes |
| PostgreSQL | ~12,000 | Credential stuffing |
| SMTP | ~2,100 | Relay abuse |
| Redis | ~3,000 | Unauthenticated access |
The RDP Explosion: 319K Attacks in a Single Day
The most dramatic event this month was an enormous spike in RDP brute-force activity between March 14-17. On March 17 alone, we recorded 319,274 RDP connection attempts — a 150x increase over the typical daily baseline of ~2,000.
The attack pattern suggests a coordinated campaign:
- Randomized usernames like `jqZnID`, `fSuwxfoVi`, and `xkMPeff` from IPs in the `147.185.132.x` and `198.235.24.x` ranges (US/Canada) — likely reconnaissance probes testing whether RDP is exposed
- Persistent brute-forcing of `Administrator` from `80.94.95.x` and `80.66.83.x` (Germany/Russia) — bulletproof hosting providers known for harboring malicious infrastructure
- NTLM credential harvesting attempts, where attackers send partial authentication handshakes to extract server configuration data without completing login
The timing correlates with several RDP-related CVE disclosures in early March 2026, suggesting automated exploit tooling was deployed at scale against internet-facing Windows systems.
Defender takeaway: If you have RDP exposed to the internet — even with NLA enabled — you are being hammered. Move it behind a VPN or zero-trust proxy immediately.
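The split described above between reconnaissance probes (random-looking usernames from a few /24s) and fixed-target brute-forcing of `Administrator` is straightforward to automate over your own RDP or honeypot logs. The Python below is an added example written for this report, not threat.gg tooling: the one-line-per-attempt log format, the `looks_random` heuristic and the spike thresholds are assumptions, and the sample lines are constructed (they reuse the /24 ranges named above with invented host octets and dates).

```python
"""Triage of RDP authentication attempts: daily spike detection, per-/24
aggregation, and a heuristic split between random-looking probe usernames
and fixed-target brute-forcing. Added example for this report, not threat.gg
tooling; the log format and thresholds are assumptions."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log, one attempt per line: "<date> <src_ip> <username>".
# The /24s echo those discussed above; host octets and dates are invented.
SAMPLE_LOG = """\
2026-03-13 147.185.132.10 jqZnID
2026-03-13 80.94.95.83 Administrator
2026-03-17 147.185.132.10 fSuwxfoVi
2026-03-17 147.185.132.22 xkMPeff
2026-03-17 198.235.24.5 qHtRzW
2026-03-17 80.94.95.83 Administrator
2026-03-17 80.94.95.115 Administrator
2026-03-17 80.66.83.40 Administrator
2026-03-17 80.66.83.41 admin
"""

# Account names that brute-forcers target by name rather than at random.
COMMON_TARGETS = {"administrator", "admin", "user", "guest", "test", "backup", "scan"}
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]{3}", re.IGNORECASE)


def looks_random(username: str) -> bool:
    """Heuristic for generated usernames such as jqZnID or xkMPeff: five or more
    letters, mixed case, and a run of three consonants. Real names such as
    JohnSmith can trip it, so treat the label as triage, not proof."""
    if len(username) < 5 or not username.isalpha():
        return False
    if username.lower() in COMMON_TARGETS:
        return False
    mixed_case = username != username.lower() and username != username.upper()
    return mixed_case and CONSONANT_RUN.search(username) is not None


def parse(log: str):
    """Return (date, src_ip, username) tuples, skipping blank lines."""
    rows = []
    for line in log.splitlines():
        if line.strip():
            day, ip, user = line.split(maxsplit=2)
            rows.append((day, ip, user))
    return rows


def spike_days(rows, baseline: int, factor: float = 10.0):
    """Days whose attempt count exceeds factor x baseline. The March 17 event
    above was ~150x a ~2,000/day baseline; the toy log uses baseline=1."""
    per_day = Counter(day for day, _, _ in rows)
    return sorted(day for day, n in per_day.items() if n > factor * baseline)


def by_subnet(rows):
    """Attempt counts per source /24, plus the set of usernames each one tried."""
    counts, users = Counter(), defaultdict(set)
    for _, ip, user in rows:
        net = str(ipaddress.ip_network((ip, 24), strict=False))
        counts[net] += 1
        users[net].add(user)
    return counts, users


def classify_subnets(rows):
    """Label a /24 'recon' when at least half its usernames look generated,
    otherwise 'brute-force' (fixed accounts such as Administrator)."""
    _, users = by_subnet(rows)
    labels = {}
    for net, names in users.items():
        random_share = sum(looks_random(u) for u in names) / len(names)
        labels[net] = "recon" if random_share >= 0.5 else "brute-force"
    return labels


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("spike days:", spike_days(rows, baseline=1, factor=5))
    counts, _ = by_subnet(rows)
    for net, label in classify_subnets(rows).items():
        print(f"{net:18} {counts[net]:3} attempts  {label}")
```

Feeding real Windows Security event data (event 4625 with the source address and account name) into `parse` is a matter of reshaping the columns; the per-/24 labels then tell you which ranges to block outright and which only to rate-limit.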
Jenkins: The CI/CD Gold Rush
Jenkins remained the second-most-targeted protocol throughout March, with a peak of 78,760 attacks on March 11. Nearly all Jenkins traffic originated from a small cluster of dedicated scanning IPs, with 45.156.87.91 being the most prolific — spraying hundreds of credential combinations per minute.
The credential patterns reveal an attacker who understands Jenkins deployments:
jenkins:jenkins
jenkins:jenkins123
jenkins:jenkins2024
admin:admin@2024
admin:Admin2024@
admin:root2024
admin:user2024
Year-suffixed passwords (2024, 2023) dominate the wordlists, reflecting a well-known pattern where organizations rotate passwords by appending the current year. The attacker is literally betting that your Jenkins admin password is admin2024 — and based on breach data, they’re right more often than you’d think.
Defender takeaway: Jenkins instances should never be internet-facing. If they must be, enforce SSO/SAML authentication and disable the built-in user database entirely.
SSH: Botnets, Crypto Hunters, and the “345gs5662d34” Signature
SSH remains the constant background radiation of the internet. The most notable pattern this month is the “345gs5662d34” botnet — a credential pair (`345gs5662d34:345gs5662d34`) that appeared in over 9,100 unique attack sessions, making it the single most-used SSH credential we observed.
This signature is associated with an IoT/Linux botnet that:
- First authenticates with `345gs5662d34:345gs5662d34` (the “marker” credential)
- Then attempts a secondary login with a targeted username and `3245gs5662d34` as the password
- Uses `libssh_0.11.1` as its SSH client — a non-interactive library, confirming automated operation
- Attacks from globally distributed source IPs (Vietnam, Indonesia, UK, Africa) — indicating compromised hosts acting as scan nodes
We also tracked a persistent campaign from the DMZHOST/TECHOFF network (80.94.92.x, AS35478), a bulletproof hosting provider registered to a London address. These IPs rotate through cryptocurrency-themed usernames — solana, sol, agave, minima — suggesting the attacker is specifically hunting for crypto validator nodes and wallets running on cloud servers.
Top SSH Credentials (30 days)
| Username | Password | Count |
|---|---|---|
| 345gs5662d34 | 345gs5662d34 | 9,164 |
| admin | admin | 4,821 |
| 0 | 0 | 4,662 |
| solana | solana | 3,782 |
| root | 3245gs5662d34 | 3,590 |
| ubuntu | ubuntu | 3,316 |
| sol | sol | 3,300 |
| root | password | 1,991 |
| root | 123456 | 1,922 |
| root | root | 1,887 |
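Both the year-suffixed Jenkins passwords from the previous section and the marker/stage-2 sequence of the 345gs5662d34 botnet described here are patterns a SOC can tag automatically in captured credentials. The Python below is an added example, not threat.gg code: the category names, the `YEAR_SUFFIX` regex and the `detect_botnet_sessions` ordering logic are our own, and the sample attempts are constructed using RFC 5737 documentation addresses with the credentials listed in this report.

```python
"""Tag captured credential pairs with the patterns discussed in this report and
detect the two-stage login sequence of the 345gs5662d34 botnet. Added example,
not threat.gg code; category names and the sequence logic are our own."""
import re
from collections import Counter

MARKER_CRED = ("345gs5662d34", "345gs5662d34")   # first-stage "marker" login
STAGE2_PASSWORD = "3245gs5662d34"                # follow-up password seen with root etc.
CRYPTO_USERS = {"solana", "sol", "agave", "minima"}
# A four-digit year at the end of the password, optionally followed by one symbol
# (admin@2024, Admin2024@ and jenkins2024 match; jenkins123 does not).
YEAR_SUFFIX = re.compile(r"(19|20)\d{2}[^A-Za-z0-9]?$")


def tag_credential(username: str, password: str) -> set:
    """Return the set of pattern labels that apply to one username:password pair."""
    tags = set()
    if (username, password) == MARKER_CRED:
        tags.add("botnet_marker")
    if password == STAGE2_PASSWORD:
        tags.add("botnet_stage2")
    if username.lower() in CRYPTO_USERS:
        tags.add("crypto_hunting")
    if password == "":
        tags.add("empty")
    elif username.lower() == password.lower():
        tags.add("identical")
    if YEAR_SUFFIX.search(password):
        tags.add("year_suffixed")
    return tags


def detect_botnet_sessions(attempts):
    """attempts: (src_ip, username, password) tuples in capture order.
    Returns the source IPs that presented the marker credential and later,
    from the same address, tried the stage-2 password. A stage-2 password
    on its own is not enough; the order is what identifies the bot."""
    seen_marker, confirmed = set(), set()
    for ip, user, pw in attempts:
        if (user, pw) == MARKER_CRED:
            seen_marker.add(ip)
        elif pw == STAGE2_PASSWORD and ip in seen_marker:
            confirmed.add(ip)
    return confirmed


def tag_histogram(attempts) -> Counter:
    """How often each pattern label appears across a batch of attempts."""
    hist = Counter()
    for _, user, pw in attempts:
        hist.update(tag_credential(user, pw))
    return hist


# Constructed sample using RFC 5737 documentation addresses; the credentials
# are the ones listed in this report.
SAMPLE_ATTEMPTS = [
    ("203.0.113.10", "345gs5662d34", "345gs5662d34"),
    ("203.0.113.10", "root", "3245gs5662d34"),
    ("203.0.113.55", "root", "3245gs5662d34"),   # stage 2 without the marker
    ("198.51.100.7", "solana", "solana"),
    ("198.51.100.7", "sol", "sol"),
    ("192.0.2.30", "jenkins", "jenkins2024"),
    ("192.0.2.30", "admin", "Admin2024@"),
    ("192.0.2.30", "postgres", ""),
]

if __name__ == "__main__":
    print("confirmed bot IPs:", sorted(detect_botnet_sessions(SAMPLE_ATTEMPTS)))
    for label, n in tag_histogram(SAMPLE_ATTEMPTS).most_common():
        print(f"{label:15} {n}")
```

The same `YEAR_SUFFIX` check works on the defensive side: running it against your own directory's password history (or as a rejection rule in a password filter) catches the `admin2024` habit before an attacker's wordlist does.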
Telnet: IoT Botnets Still Thriving
Telnet attacks paint a clear picture of IoT botnet recruitment. The credentials we captured read like a catalog of default passwords for consumer routers, IP cameras, and embedded devices:
- `e8ehome:e8ehome` — Chinese DVR/NVR systems
- `root:xmhdipc` — Dahua IP cameras
- `root:telecomadmin` — Huawei home gateways
- `supportadmin:supportadmin` — Various ISP-provided routers
- `root:1001chin` — Chinese OEM IoT devices
- `admin:smcadmin` — SMC Networks routers
- `service:ipdongle` — 4G/LTE dongles
- `default:S2fGqNFs` — Zhejiang Dahua DVR firmware default
Mirai-derived botnets continue to dominate this space, systematically scanning for telnet on port 23 across the entire IPv4 address space. We observed attack traffic from Argentina, Morocco, Philippines, China, and Korea — all countries with large populations of vulnerable consumer IoT devices.
Notably, we also caught scanners sending HTTP requests to port 23 (`GET / HTTP/1.1`), indicating tools that blindly probe ports without protocol awareness.
PostgreSQL: Beyond Default Credentials
PostgreSQL attacks showed an interesting evolution beyond simple `postgres:postgres` brute-forcing. We captured attempts using:
- MD5 hash passwords like `87e3746c878a26579790d8dde355fa65` targeting the `pgg_superadmins` role — suggesting attackers who have obtained hashed credentials from a breach and are trying them against other PostgreSQL instances
- Provocative passwords (`killallwogs123132`) — likely from a botnet operator embedding personal messages in their wordlists
- Empty password attempts — testing for PostgreSQL instances configured with `trust` authentication
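The empty-password probes above only succeed against a `pg_hba.conf` that grants `trust` to remote clients, and the hash-replay attempts are only as good as the weakest password hashing method a server still accepts. The linter below is an added example for this report, not PostgreSQL or threat.gg code: it parses the `TYPE DATABASE USER ADDRESS METHOD` columns and flags `trust`, cleartext `password`, legacy `md5`, and rules open to any source address. The sample file is constructed and places one sound `hostssl` + `scram-sha-256` rule next to the weak settings a scanner hopes to find.

```python
"""Lint a pg_hba.conf for the exposures behind the PostgreSQL findings above:
'trust' rules (an empty password is accepted), cleartext or legacy-md5
methods, and rules open to any source address. Added example for this report,
not PostgreSQL or threat.gg code; the sample file is constructed."""
import ipaddress

# Constructed pg_hba.conf: one sound rule (hostssl + scram-sha-256, narrow CIDR)
# next to the weak settings a scanner hopes to find.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       postgres                 peer
host    all       all       0.0.0.0/0      trust
host    all       all       ::/0           md5
host    app       app       10.0.0.0/8     md5
hostssl app       app       10.1.2.0/24    scram-sha-256
"""

WEAK_METHODS = {
    "trust": "no password check at all; empty-password probes succeed",
    "password": "password sent in cleartext",
    "md5": "legacy hashing; prefer scram-sha-256",
}


def parse_hba(text: str):
    """Parse the TYPE DATABASE USER [ADDRESS [NETMASK]] METHOD columns into dicts."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        rule = {"line": lineno, "type": parts[0], "database": parts[1], "user": parts[2]}
        if parts[0] == "local":                          # local rules carry no ADDRESS
            rule["address"], rule["method"] = None, parts[3]
        elif len(parts) > 5 and parts[4][:1].isdigit():  # "addr netmask" two-column form
            rule["address"], rule["method"] = f"{parts[3]}/{parts[4]}", parts[5]
        else:
            rule["address"], rule["method"] = parts[3], parts[4]
        rules.append(rule)
    return rules


def is_wide_open(address) -> bool:
    """True for rules that accept any client address (0.0.0.0/0, ::/0, 'all')."""
    if address is None:
        return False
    if address == "all":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:                                   # hostname, samehost, samenet, ...
        return False


def lint_hba(text: str):
    """Return (line, severity, message) findings; an empty list means no weak rule."""
    findings = []
    for r in parse_hba(text):
        method = r["method"]
        if method in WEAK_METHODS:
            sev = "high" if method in ("trust", "password") else "medium"
            findings.append((r["line"], sev, f"method '{method}': {WEAK_METHODS[method]}"))
        if r["type"] != "local" and is_wide_open(r["address"]):
            sev = "critical" if method == "trust" else "high"
            findings.append((r["line"], sev, f"address '{r['address']}' admits any client"))
    return findings


if __name__ == "__main__":
    for line, sev, msg in lint_hba(SAMPLE_PG_HBA):
        print(f"line {line}: [{sev}] {msg}")
```

The `hostssl ... scram-sha-256` line is the shape every remote rule should take: TLS required, a specific database and role, a narrow CIDR, and SCRAM so that a leaked hash from another server cannot be replayed.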
Infrastructure: Who’s Behind the Attacks?
Cross-referencing attacker IPs against WHOIS data and abuse databases reveals familiar infrastructure:
| Network | ASN | Description |
|---|---|---|
| 80.94.92.0/24 | AS35478 | DMZHOST/TECHOFF — bulletproof hosting, London-registered, NL-based |
| 80.94.95.0/24 | AS35478 | Same operator, consistent RDP + SSH scanning |
| 80.66.83.0/24 | — | Russian IP space, persistent RDP brute-force |
| 45.156.87.0/24 | — | Jenkins-focused scanning infrastructure |
| 185.156.73.0/24 | — | Russian SSH scanning, libssh_0.10.5 client |
| 147.185.132.0/24 | — | US-based, RDP reconnaissance with randomized usernames |
The DMZHOST network is particularly noteworthy. Despite being registered in the UK, its IP space consistently appears in honeypot and abuse databases globally. Multiple IPs from this range (80.94.92.167, 80.94.92.171, 80.94.92.187, 80.94.95.83, 80.94.95.115, 80.94.95.116, 80.94.95.221) appeared in our data, each running slightly different credential lists but all using Go-based SSH clients — suggesting a single operator managing multiple scan nodes.
What’s New: Emerging Protocols Under Attack
With the expansion of our honeypot network to 20 protocols this month, we’re now capturing attacks against services that rarely appear in traditional threat intelligence:
- Docker API (port 2375) — 10,000+ probes testing for unauthenticated Docker daemon access, which enables full container escape and host compromise
- etcd (port 2379) — Kubernetes key-value store queries attempting to dump cluster secrets
- MQTT (port 1883) — IoT message broker connections, likely attempting to subscribe to all topics for data interception
- Kafka (port 9092) — Message queue enumeration probing for unauthenticated consumer access
- LDAP (port 389) — Including JNDI injection attempts (Log4Shell-derived), still active 4+ years after the original vulnerability
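The Docker API probes in the list above are looking for one specific misconfiguration: a daemon listening on TCP without TLS client verification, which hands anyone who can reach the port full control of the host. The check below is an added example for this report, not Docker or threat.gg code. It audits a `daemon.json` using the real `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` settings; both configurations are constructed, and the certificate paths are placeholders.

```python
"""Audit a Docker daemon.json for the exposure the port-2375 probes above are
looking for: a TCP listener with no TLS client verification. Added example for
this report, not Docker or threat.gg code; both configs are constructed, and
the certificate paths are placeholders."""
import json
from urllib.parse import urlparse

ALL_INTERFACES = {"0.0.0.0", "::", "", None}

# Constructed weak configuration: plain TCP on every interface, the classic
# unauthenticated Docker API.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed hardened configuration: TLS with client-certificate verification
# on a specific internal address; certificate paths are placeholders.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_json(text: str):
    """Return a list of findings for each tcp:// entry in 'hosts'. An empty
    list means no TCP listener is exposed without client-certificate checks."""
    cfg = json.loads(text)
    findings = []
    for host in cfg.get("hosts", []):
        url = urlparse(host)
        if url.scheme != "tcp":
            continue                                     # unix:// and fd:// are local only
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: TCP listener without tlsverify (unauthenticated API)")
        elif not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
            findings.append(f"{host}: tlsverify set but certificate paths incomplete")
        if url.hostname in ALL_INTERFACES:
            findings.append(f"{host}: bound to all interfaces")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_json(text) or ["no findings"])
```

Note that `hosts` can also be set on the `dockerd` command line or in the systemd unit, so a clean `daemon.json` is necessary but not sufficient; confirm with `ss -ltnp` that nothing is listening on 2375.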
Conclusion
The March 2026 data reinforces a fundamental truth: every port you expose is a port that will be attacked, usually within hours. The RDP surge shows how quickly threat actors can scale campaigns against newly vulnerable services. The Jenkins targeting shows how CI/CD infrastructure is now a first-class target. And the telnet IoT data shows that the Mirai playbook — spray default credentials at scale — remains devastatingly effective against consumer devices.
Deploy honeypots with threat.gg to see exactly what’s targeting your infrastructure. Our platform captures every connection attempt across 20+ protocols and surfaces it through a real-time dashboard, REST API, and MCP integration for AI-powered analysis.
Data collected from the threat.gg global honeypot network, March 2026. All IP addresses referenced are from attacks against honeypot infrastructure and are presented for threat intelligence purposes.