Understanding Honeypot Attack Patterns in 2026

| threat.gg
threat-intelligence analysis

The Landscape

After monitoring millions of attack attempts across our global honeypot network, clear patterns emerge in how attackers probe and exploit internet-facing services. Understanding these patterns is critical for building effective defenses.

SSH: Still the Top Target

SSH remains the most heavily targeted protocol. The majority of attacks are automated credential-stuffing bots cycling through default username and password combinations. The top credentials we observe are predictable — root:root, admin:admin, root:123456 — but we also see targeted wordlists tailored to specific platforms and cloud providers.

Once authenticated, attackers typically execute a standard playbook: download a cryptominer or botnet agent via curl or wget, set up persistence through cron jobs, and attempt lateral movement by scanning internal network ranges.

HTTP: Scanning for Known Vulnerabilities

HTTP honeypots see constant automated scanning for known CVEs, exposed admin panels, and misconfigured services. Common patterns include:

  • Path traversal attempts targeting /etc/passwd and environment files
  • WordPress exploitation — plugin vulnerabilities, xmlrpc.php abuse, and wp-login.php brute forcing
  • Kubernetes API probes — requests to /api/v1/pods, /version, and other cluster endpoints
  • Log4Shell and Spring4Shell payloads still appearing regularly in 2026
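
The following Python classifier is an added example, not threat.gg's own code: it sorts web access-log lines into the categories listed above. The regexes, the combined log format, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Categories mirror the bullet list above. Patterns are illustrative
# assumptions, not threat.gg signatures. First matching rule wins.
RULES = [
    ("log4shell", re.compile(r"\$\{jndi:", re.I)),
    ("spring4shell", re.compile(r"class\.module\.classloader", re.I)),
    ("path_traversal", re.compile(r"\.\./|/etc/passwd|/\.env\b", re.I)),
    ("wordpress", re.compile(r"/(xmlrpc\.php|wp-login\.php|wp-content/plugins/)", re.I)),
    ("kubernetes_api", re.compile(r"^/(api/v1/pods|version)\b", re.I)),
]
# Combined log format: ip - - [ts] "METHOD path proto" status size "referer" "ua"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"')

# Constructed sample lines (documentation IP ranges, placeholder host).
SAMPLE = [
    '203.0.113.7 - - [12/Jan/2026:04:11:02 +0000] "GET /cgi-bin/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 153 "-" "curl/8.5.0"',
    '198.51.100.23 - - [12/Jan/2026:04:11:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Jan/2026:04:12:30 +0000] "GET /api/v1/pods HTTP/1.1" 401 90 "-" "python-requests/2.31"',
    '192.0.2.91 - - [12/Jan/2026:04:13:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://placeholder.invalid/a}"',
    '192.0.2.10 - - [12/Jan/2026:04:14:55 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

def decode(s, rounds=2):
    # Decode twice so double-encoded traversal (%252e%252e) is normalised.
    for _ in range(rounds):
        s = unquote(s)
    return s

def classify(line):
    m = LINE.match(line)
    if not m:
        return None  # not a parseable access-log line
    _ip, _method, path, ua = m.groups()
    path = decode(path)
    for name, rx in RULES:
        # Log4Shell strings often arrive in headers, so check User-Agent too.
        if rx.search(path) or (name == "log4shell" and rx.search(ua)):
            return name
    return "other"

def summarize(lines):
    return Counter(c for c in map(classify, lines) if c)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Nested-lookup obfuscation of the JNDI string is not matched by this simple pattern; production rules need to normalise those forms first.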

Database Honeypots: Data Exfiltration Attempts

PostgreSQL and MySQL honeypots reveal attackers attempting to enumerate databases, dump credentials, and execute system commands through database-specific features like COPY TO PROGRAM in PostgreSQL or INTO OUTFILE in MySQL.

What This Means for Defenders

These patterns reinforce fundamentals: disable password authentication where possible, patch aggressively, and monitor for the specific indicators of compromise that honeypots reveal. The value of a honeypot isn’t just detecting attacks — it’s understanding attacker behavior so you can harden the services that matter.

Deploy your own honeypots with threat.gg and see what’s targeting your infrastructure.