Deceptive Engagements
Captured attacker engagements against the deception fleet. Full forensic transcripts: every count sourced, every request and response confirmed against the sensor that served them. Honeypot personas redacted to preserve operational value.
- TLP:CLEARobserved 2026-06-20
subject MultipleTen Operators, One Ivanti Sentry Command-Injection Endpoint
Within five days of exposing an Ivanti Sentry management surface to the internet, a controlled sensor recorded ten distinct operators attempting to exploit CVE-2026-10520, the CVSS 10.0 pre-authentication command-injection flaw that CISA had added to its Known Exploited Vulnerab…
Multiple
- TLP:CLEARobserved 2026-05-28
subject 45.92.1[.]231Self-Blocking Docker API Abuse Delivers the VoidLink DDoS-for-Hire Botnet
A single source IP, 45.92.1[.]231 (AS210558 - 1337 Services GmbH, Lelystad, NL), spent four days working an internet-facing Docker Engine API on TCP/2375. The actor moved from version probing on 2026-05-24 to interactive container-escape attempts on 2026-05-25, then came back on…
AS210558 - 1337 Services GmbH (operator commonly known as `FlokiNET`) · Lelystad, The Netherlands · Commercial bulletproof-tolerant hoster; the /16 covering the source IP carries a current Spamhaus DROP listing observed during the engagement window
- TLP:CLEARobserved 2026-05-07
subject 83.21.55[.]65Cross-Service Credential Replay: Operator Targets Hypervisor Using Harvested LLM Endpoint Secrets
A single IP harvested strings from an LLM emulator's responses (`.env`, model list, MCP manifest) and replayed them as Proxmox credentials, chat-completions parameters, and MCP tool-call names against the same host — a token-reuse feedback loop, not blind brute-force. 22 of 24 credential pairs are byte-for-byte traceable to served response bodies.
AS5617, Orange Polska Spółka Akcyjna · Gdańsk, Poland · Residential broadband. ISP space is consistent with end-customer use; can also host or proxy traffic from elsewhere.