Captured attacker engagements against the deception fleet. Full forensic transcripts: every count sourced, every request and response confirmed against the sensor that served them. Honeypot personas redacted to preserve operational value.
subject MultipleWithin five days of exposing an Ivanti Sentry management surface to the internet, a controlled sensor recorded ten distinct operators attempting to exploit CVE-2026-10520, the CVSS 10.0 pre-authentication command-injection flaw that CISA had added to its Known Exploited Vulnerab…
Multiple
subject 45.92.1[.]231A single source IP, 45.92.1[.]231 (AS210558 - 1337 Services GmbH, Lelystad, NL), spent four days working an internet-facing Docker Engine API on TCP/2375. The actor moved from version probing on 2026-05-24 to interactive container-escape attempts on 2026-05-25, then came back on…
AS210558 - 1337 Services GmbH (operator commonly known as `FlokiNET`) · Lelystad, The Netherlands · Commercial bulletproof-tolerant hoster; the /16 covering the source IP carries a current Spamhaus DROP listing observed during the engagement window
subject 83.21.55[.]65A single IP harvested strings from an LLM emulator's responses (`.env`, model list, MCP manifest) and replayed them as Proxmox credentials, chat-completions parameters, and MCP tool-call names against the same host — a token-reuse feedback loop, not blind brute-force. 22 of 24 credential pairs are byte-for-byte traceable to served response bodies.
AS5617, Orange Polska Spółka Akcyjna · Gdańsk, Poland · Residential broadband. ISP space is consistent with end-customer use; can also host or proxy traffic from elsewhere.