<— Back to Blog
// Blog

May 2026 Threat Landscape: A Record 9.3M Attacks, the 149.50 RDP Operator Returns at 5x Scale, and a 3-Million-Hit Telnet Flood

| threat.gg
threat-intelligence analysis rdp telnet mirai ncrack go-scanners

In May 2026, the threat.gg honeypot network — 8 active nodes spread across multiple hosting providers — captured 9,256,807 attack sessions across 18 emulated protocols. That is 2.7x the volume we observed in April and the single largest month in the network’s history. It is also one of the cleanest illustrations we have ever recorded of how a handful of operators, not millions of attackers, drive the shape of internet background radiation.

The month was bookended by two distinct mega-campaigns. The first three days were a telnet flood — 3.04 million attempts, 64% of the month’s entire telnet volume, mostly on May 1. The last week was an RDP campaign — 2.89 million attempts from five sequential cloud IPs, all in the same sub-allocation we traced to a Warsaw reseller in April’s report. Between them, the steady daily grind of Jenkins, SSH, and the long tail continued unabated.

This report walks through both campaigns, the credential patterns behind them, and what the infrastructure tells us about who is actually doing the scanning.

By the Numbers

ProtocolMay Volumevs. April
Telnet4,766,141⬆ 3.8x
RDP3,164,118⬆ 4.7x
Jenkins935,739⬇ 0.9x
SSH188,238⬆ 1.2x
Elasticsearch66,794⬇ 0.5x
Docker API58,306
PostgreSQL20,452⬆ 1.5x
Redis20,145⬆ 1.3x
SMTP14,997⬇ 0.9x
FTP5,746⬆ 1.4x
OpenClaw4,765
etcd3,726⬆ 1.3x
VNC1,777⬆ 1.1x
MQTT1,742⬆ 1.1x
Kafka1,459⬇ 0.9x
MySQL1,277⬆ 2.6x
LDAP1,247⬆ 1.1x
SMB138⬇ 0.3x

Two protocols — telnet and RDP — account for 7.93 million of the 9.26 million attacks this month, or 86% of all traffic. Everything else, including the perennially noisy Jenkins, is rounding error by comparison. When two protocols swing by 3.8x and 4.7x in the same month, you are not looking at a broad shift in attacker behavior; you are looking at two specific operators turning on the firehose.

The 149.50 Operator Returns: 2.89M RDP Attempts From Five IPs

The headline event of May was the return — at nearly five times the scale — of an operator we first documented in April.

In April, a coordinated RDP campaign fired 606,792 attempts from three sequential IPs in 149.50.122.0/24 over 48 hours. We traced that block through its registration chain: ARIN assigns 149.50.0.0/16 to Cogent Communications (a US backbone provider), Cogent sub-allocates 149.50.96.0/19 to Meverywhere sp. z o.o. (a reseller registered to a generic business address in Warsaw, Poland), and MaxMind’s GeoIP database — not having caught up to the reassignment — still labels the whole range as Israel.

In May, the same operator came back. Different IPs, same /19:

Source IPGeoIP SaysRDP AttemptsActive Window (UTC)
149.50.116.96Israel615,223May 26 17:08 → May 30 09:19
149.50.116.119Israel598,450May 26 16:36 → May 30 09:15
149.50.116.42Israel594,154May 26 17:13 → May 30 09:21
149.50.116.115Israel593,972May 26 17:07 → May 30 09:17
149.50.101.134Israel490,282May 26 16:29 → May 29 19:03

These five IPs fired 2,892,086 RDP connection attempts between May 26 and May 30 — 91% of the entire month’s RDP volume, from a single sub-allocation, in roughly four days. Every one of them lives inside 149.50.96.0/19: the same Cogent-transit block registered to the same Warsaw reseller we identified in April. The operator simply rotated to fresh addresses in the range it already controls and ran a campaign 4.8x larger than April’s.

The work is distributed almost perfectly evenly — 490K to 615K attempts per IP, all five booting within 44 minutes of each other on May 26 — which is the fingerprint of one operator running five parallel scan workers behind sequentially-allocated cloud IPs, not five independent infections.

The flat line that gives it away

The most telling signal is the shape of the traffic. Here is the hour-by-hour RDP volume for May 28, the campaign’s peak day (924,687 attempts):

UTC HourAttemptsUTC HourAttempts
00:0037,96912:0035,571
04:0038,57714:0051,560
06:0039,02016:0044,695
08:0035,33420:0040,631
10:0049,23722:0043,257

That is a dead-flat line at roughly 38,000–44,000 attempts per hour, around the clock, with no diurnal curve whatsoever. This is what an automated, rate-limited credential-stuffing operation looks like: it does not sleep, it does not follow business hours, and it does not ramp with regional ISP traffic. Contrast it with the telnet flood below — a choppy, spiky curve that betrays a botnet of thousands of independently-scheduled infected devices. Same honeypot, same month, two completely different threat shapes, and the hourly distribution alone tells you which is which.

The username field tells you the tooling

The campaign captured almost exclusively two usernames:

UsernameAttempts
administrator2,061,576
admin845,712
Administr / Administrator (variants)100,256
NCRACK_USER20,090
WIN-264DF, WIDLE.WIN (leaked hostnames)19,047

administrator and admin together make up 92% of all RDP attempts — this is reconnaissance-by-exhaustion against the default Windows admin account. But the smaller entries are the interesting ones. NCRACK_USER is the default probe identity baked into Ncrack, the Nmap project’s network authentication cracker — its presence fingerprints the exact tool in use. WIN-264DF and WIDLE.WIN are leaked Windows machine names that bled into the username field, an artifact of mis-scoped credential lists scraped from previously-compromised hosts.

(RDP’s password column is empty across the board: our honeypot captures the username offered during the NLA negotiation, before the password exchange completes, so the value of this protocol is in the who and how, not the specific passwords tried.)

The geolocation mirage, again

Because GeoIP labels all five IPs as Israel, Israel became the #1 source country for May with 2,907,163 attacks — and 99.5% of that total came from these five addresses. Israel is not a hotbed of RDP brute-forcing. A Polish reseller on US backbone transit, with stale GeoIP data papering over the reassignment, made it look that way for the second month running. If you take one thing from this report, take this: country-level attack statistics, at this scale, measure where IP space is cheap to rent, not where attackers live.

After May 30, the campaign went silent. We will be watching 149.50.96.0/19 for the June installment.

The Telnet Flood: 3 Million Attempts in 72 Hours

If RDP owned the end of the month, telnet owned the start. The first three days produced 3,039,698 telnet attempts — 64% of the month’s entire telnet volume — with the bulk of it on May 1 alone: 1,684,997 attempts, the single busiest day for any protocol we have ever recorded.

Unlike the RDP campaign, this was not five tidy IPs. The telnet load was spread across hundreds of sources, with the leaders distributed globally:

Source IPCountryTelnet Attempts
209.126.1.71United States (Contabo)304,286
188.42.42.122Luxembourg115,776
69.6.210.126United States85,699
66.223.49.88United States72,565
146.190.164.28United States71,533
139.59.236.63Singapore66,904
212.64.216.24Turkey65,287
91.109.114.227United Kingdom65,193

The top source, 209.126.1.71, resolves to m24671.contaboserver.net — a Contabo node, US-hosted but on a German budget-hosting provider’s range. It alone accounted for 304K attempts and reappeared as the dominant source during a secondary telnet bump on May 20 (297,943 attempts that day), suggesting a single rented host running sustained campaigns across the month.

The hour-by-hour shape of May 1 is the opposite of the RDP campaign’s flat line — it lurches between 15,728 and 151,901 attempts per hour with no clean pattern, the classic signature of a botnet whose member devices wake, scan, and sleep on thousands of independent schedules.

And the credentials? A museum tour of consumer-IoT defaults that has not changed in a decade:

UsernamePasswordAttempts
rootxc3511355,914
rootvizxv320,473
rootadmin283,339
adminadmin251,049
root888888211,774
rootjuantech178,954
rootdefault178,726
supportsupport177,167
root123456176,367
rootxmhdipc176,135
root54321175,949
rootanko143,285
adminsmcadmin108,452

xc3511, vizxv, juantech, xmhdipc, anko — these are the original Mirai source-code credential pairs, leaked publicly in 2016. They are still the top of the telnet wordlist nearly a decade later, sprayed at a rate of over a million attempts per day, because the world’s supply of unpatched DVRs, IP cameras, and budget routers that accept them is, apparently, inexhaustible.

Jenkins: The Daily Grind Continues

Jenkins targeting held steady at 935,739 attempts — a slight decline from April, but still a constant daily presence rather than a campaign. The largest source was a familiar face:

  • 141.98.11.50 — 400,509 Jenkins probes (43% of the month), up from 225,335 in April
  • 185.226.93.242 — 105,950 probes
  • 176.65.139.177 (Germany) — 73,326 probes

141.98.11.50 is the same IP that led Jenkins targeting in April; it has nearly doubled its output and now generates almost half of all Jenkins traffic on its own. One detail worth flagging: 185.177.72.24 — part of the Spanish 185.177.72.0/24 farm that drove April’s 13x Elasticsearch surge — now appears in the Jenkins top sources (16,341 probes). The Elasticsearch farm cooled off this month (ES dropped from 130K to 67K), and at least part of that infrastructure appears to have repurposed itself toward CI/CD targeting.

The Jenkins credential pattern is unchanged: 90,456 attempts arrived with empty username and password — anonymous-access probes hunting for unauthenticated /script consoles and build queues — followed by the usual numeric wordlist (admin:123456, admin:102030, admin:12345678, jenkins:jenkins).

SSH: Go Tooling Tightens Its Grip

SSH volume rose modestly to 188,238 attempts, but the client-version distribution continued its march toward a monoculture:

Client bannerCountShare
SSH-2.0-Go160,96885.5%
SSH-2.0-libssh_0.9.610,2315.4%
SSH-2.0-libssh_0.12.03,6862.0%
SSH-2.0-OpenSSH_7.42,4261.3%
SSH-2.0-libssh2_1.8.12,0241.1%

85.5% of all SSH attack traffic now comes from clients reporting SSH-2.0-Go — scanners written in Go using the standard library’s golang.org/x/crypto/ssh package — up from 81% in April. The libssh-based generation of tooling continues to lose ground. Go scanners compile to a single static binary with no runtime dependencies, drop trivially onto compromised cloud hosts, and ship with the concurrency primitives that make spraying thousands of credentials per second effortless. This is now the default toolchain for SSH brute-forcing on the open internet.

The credential patterns are the same crowd as ever. The 345gs5662d34:345gs5662d34 botnet marker still leads (4,841 sessions), and the crypto-validator hunting that emerged earlier this year is still going strong:

UsernamePasswordAttempts
345gs5662d34345gs5662d344,841
003,064
adminadmin2,714
root3245gs5662d342,384
solanasolana1,688
solsol1,371
nodenode478
validatorvalidator462
solvsolv354
firedancerfiredancer300

solana, sol, solv, validator, firedancer, node — these target Solana validator nodes and the Firedancer client specifically. Attackers know that crypto-validator hosts are high-value (they hold hot wallet keys and run 24/7 on beefy hardware) and are increasingly tailoring SSH wordlists to them.

The Long Tail

The expansion to 18 active protocols keeps surfacing attacks against services that traditional threat feeds rarely cover:

  • Docker API (port 2375) — 58,306 probes, flat month over month, still systematically hunting unauthenticated Docker daemons that grant container escape and host RCE in a single API call.
  • Redis (port 6379) — 20,145 attacks, up 30%, mostly the classic unauthenticated CONFIG SET dir /root/.ssh chain to write SSH keys.
  • MySQL — 1,277 probes, up 2.6x, the largest proportional jump in the long tail.
  • etcd (port 2379) — 3,726 probes attempting to dump Kubernetes cluster secrets from exposed clusters.

Source Country Distribution

CountryTotal AttacksNotes
Israel2,907,16399.5% from the five 149.50.x RDP IPs — actually a Warsaw reseller on Cogent transit
United States2,767,121Cloud-hosted scan infrastructure (Contabo, DigitalOcean, etc.)
(unattributed)949,043IPs without resolved GeoIP — heavy telnet
Germany450,570Bulletproof / budget hosting, Jenkins-heavy
United Kingdom274,776Telnet and shell-company NL infrastructure
France148,966Mixed
Singapore141,758Telnet botnet nodes
Spain117,630The 185.177.72.0/24 farm, now pivoting to Jenkins
Luxembourg115,841Single dominant telnet source
Russia104,977Distributed RDP and telnet

As with every month, the “country of origin” lens is fundamentally misleading. Israel and the US top this list not because of organic malicious activity from those geographies, but because two operators chose to rent IP space there — one a Polish reseller on Cogent, the other a sprawl of US-hosted cloud nodes.

Conclusion

May 2026 was a record month, but the record is almost entirely the work of two operators. One ran a telnet botnet that dumped three million decade-old Mirai credential attempts into the first 72 hours of the month. The other rotated to fresh IPs in a Polish reseller’s /19, spun up five parallel RDP workers, and ran them flat-out for four days — 2.89 million attempts, 91% of the month’s RDP, nearly five times the scale of the same operator’s April campaign, and enough to make “Israel” the single largest source country on the planet according to every GeoIP database that has not yet caught up.

The lesson that keeps repeating: the public internet has reached a steady state where every exposed service is exhaustively probed, with credential lists recycled for nearly a decade, by tooling that increasingly compiles to a single static Go binary — and the country of origin of an attack now means almost nothing. The shape of the traffic, the username artifacts, and the registration chain of the IP block tell you far more than the flag on the map ever will.

Defenders cannot stop the scanning — that ship has sailed — but they can stop being the easy answer. Telnet should not exist on the public internet in 2026, full stop; if you run IoT or embedded gear, put it behind a firewall and change the defaults. RDP belongs behind a VPN or zero-trust gateway, never directly exposed, with account lockout and administrator renamed or disabled. Key-only SSH authentication defeats every credential in this report at once. SSO in front of Jenkins closes the anonymous-probe vector. None of the protocols in this report belong on the open internet. The job is to make sure none of your equipment is what shows up in next month’s report.

Deploy honeypots with threat.gg to see exactly what is targeting your infrastructure. Our platform captures every connection attempt across 18+ protocols and surfaces it through a real-time dashboard, REST API, and MCP integration for AI-powered analysis.


Data collected from the threat.gg global honeypot network, May 2026. All IP addresses referenced are from attacks against honeypot infrastructure and are presented for threat intelligence purposes.