In June 2025, my honeypot network recorded a significant wave of malicious activity originating from the United States. This post documents the findings, supported by clear visual evidence from my monitoring dashboards.
Country Distribution
The United States accounted for 668,497 hits, making it the top source of observed malicious traffic by a large margin. This is over double the volume from Switzerland (321,822) and significantly higher than China, France, Japan, and other countries in the top 10.

Timeline of Activity
The activity spanned from June 1st to June 30th, 2025, with a massive spike on June 11th, where nearly 40,000 hits were observed within a short window. Smaller peaks occurred around June 19th, indicating repeated scanning and attack attempts, possibly linked to automated botnets or coordinated red team simulations.

ISP Provider Analysis
The malicious traffic was distributed across several ISP providers, with DIGITALOCEAN-ASN being the most prominent, accounting for 59.0% of the observed activity. This suggests that a significant portion of the attacks originated from infrastructure hosted on DigitalOcean. Other notable providers include:
- Datacamp Limited: 18.9%
- VMISS: 7.2%
- COGENT-174: 3.6%
- NL-811-40021: 3.2%
- 3xK Tech GmbH: 1.4%
- AMAZON-AES: 1.3%
The dominance of DIGITALOCEAN-ASN aligns with historical trends where cloud hosting providers are frequently abused for malicious activities due to their ease of access and scalability. The presence of AMAZON-AES (AWS) and other smaller providers indicates a diversified infrastructure, possibly used to evade detection or distribute attack loads.

Subnet Distribution
The traffic was further broken down into specific subnets, revealing concentrated activity from certain IP ranges:
- 157.230.4.0: 59.4%
This subnet alone accounted for the majority of the traffic, reinforcing the dominance of DIGITALOCEAN-ASN as the primary source.
Other significant subnets include:
- 38.165.20.0: 7.7%
- 84.239.12.0: 5.0%
- 84.239.48.0: 3.2%
- 91.124.17.0, 84.239.41.0, 84.239.16.0, 84.239.47.0, 84.239.33.0, 84.239.43.0: Each contributing between 1.4% and 1.9%.
The high concentration in 157.230.4.0 suggests a potential botnet or coordinated campaign originating from this range, while the smaller subnets may represent scattered or less organized efforts.
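The subnet breakdown above is a grouping of source addresses by /24 prefix. The following is an added example (not code from the original post) that performs that grouping over a constructed list of honeypot source IPs, reports each subnet's share, and flags any single subnet holding a majority of the traffic, which is the signal the post reads as a concentrated campaign. Sample addresses and the 50% threshold are assumptions.

```python
"""Aggregate honeypot hits by /24 subnet and flag concentrated sources.

Added example over constructed data; not the honeypot's own log format.
"""
from collections import Counter
import ipaddress

# Constructed sample: one entry per hit, source IP of the hit.
SAMPLE_HITS = (
    ["157.230.4.17"] * 7 + ["157.230.4.201"] * 5 +
    ["38.165.20.9"] * 4 + ["84.239.12.55"] * 3 +
    ["84.239.48.3"] * 2 + ["91.124.17.8"]
)


def subnet_of(ip, prefix=24):
    """Return the /prefix network that a source address belongs to."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def subnet_shares(hits, prefix=24):
    """List (subnet, hit count, percent of all hits), largest first."""
    counts = Counter(subnet_of(ip, prefix) for ip in hits)
    total = sum(counts.values())
    return [(str(net), n, round(100 * n / total, 1))
            for net, n in counts.most_common()]


def concentrated_subnets(hits, prefix=24, threshold=50.0):
    """Subnets whose share of traffic reaches the threshold: candidates for a
    single coordinated source rather than scattered scanning."""
    return [net for net, _, pct in subnet_shares(hits, prefix) if pct >= threshold]


if __name__ == "__main__":
    for net, n, pct in subnet_shares(SAMPLE_HITS):
        print(f"{net:<20} {n:>4} hits  {pct:>5.1f}%")
    print("concentrated:", concentrated_subnets(SAMPLE_HITS))
```

Changing the prefix to 16 rolls the several 84.239.x.0 subnets seen in the post into one aggregate, which is often the more useful view when a provider spreads scanners across adjacent ranges.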

Victim Geo-Location Analysis
The malicious traffic originating from the United States (US) targeted victims across 21 countries, with the highest volume directed at other US-based systems. Below is the breakdown of attacks by victim location:
- United States (US): 557,728 attacks
The vast majority of these attacks appear to be self-targeted, likely representing internal scans, botnets, or misconfigured systems.
- Serbia (RS): 16,127 attacks
This is the second-highest count, possibly driven by geopolitical factors or opportunistic scanning activity.
- China (CN): 4,252 attacks
This volume likely reflects ongoing US-China cyber tensions.

Analysis of Attacker Infrastructure: 156.239.*
As part of a broader wave of cyberattacks recorded by my honeypot network in June 2025, a significant volume of malicious activity originated from IP addresses within the 156.239.* range. All of these addresses were hosted by 3xK Tech GmbH, a lesser-known ISP. This report analyzes the attacker infrastructure, behavior patterns, and potential intent behind the activities.

Attack Types Observed
From the attack telemetry, the following categories were observed:

Most of the activity falls under emerging threat vectors, involving payloads and URLs that had never previously been observed — likely indicating testing of new malware or botnet deployment scripts.
Brute-force Login Attempts
Further investigation revealed that the attackers were engaged in automated brute-force attacks. These attacks consisted of repeated login attempts using common or default credentials in a structured HTTP POST pattern, typical of credential stuffing or weak-password guessing campaigns.
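The pattern described here, many login POSTs from one source with different credential pairs in a short span, is straightforward to detect from an access log. The following is an added example (not the post's own tooling) that parses constructed log lines in an assumed `timestamp ip POST /login user=... pass=...` format and flags sources that try at least four distinct credential pairs within a one-minute sliding window; the sample IPs, window and threshold are assumptions.

```python
"""Flag sources performing automated credential guessing against a login form.

Added example over constructed log lines; not the honeypot's own format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: one HTTP POST /login per line. 156.239.1.10 is a made-up
# address inside the range discussed; 203.0.113.5 is a documentation address.
SAMPLE_LOG = """\
2025-06-11T10:00:01Z 156.239.1.10 POST /login user=admin pass=admin
2025-06-11T10:00:02Z 156.239.1.10 POST /login user=admin pass=password
2025-06-11T10:00:03Z 156.239.1.10 POST /login user=root pass=123456
2025-06-11T10:00:04Z 156.239.1.10 POST /login user=admin pass=admin123
2025-06-11T10:00:05Z 156.239.1.10 POST /login user=user pass=user
2025-06-11T10:02:00Z 203.0.113.5 POST /login user=alice pass=correct-horse
2025-06-11T10:30:00Z 203.0.113.5 POST /login user=alice pass=correct-horse
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /login user=(?P<user>\S+) pass=(?P<pw>\S+)$")


def parse_log(text):
    """Yield (timestamp, source ip, username, password) for each login POST."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["ip"], m["user"], m["pw"]


def brute_force_sources(text, window=timedelta(minutes=1), min_attempts=4):
    """Return {ip: sorted distinct (user, pass) pairs} for sources that tried at
    least min_attempts distinct pairs inside any sliding window. Counting
    distinct pairs separates guessing from a real user retrying one password."""
    events = defaultdict(list)
    for ts, ip, user, pw in parse_log(text):
        events[ip].append((ts, (user, pw)))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            creds = {c for t, c in evs[i:] if t - start <= window}
            if len(creds) >= min_attempts:
                flagged[ip] = sorted(creds)
                break
    return flagged
```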
Examples of Attempted Credentials
From the captured traffic, the following username/password combinations were repeatedly attempted:

Final Conclusion
The findings surrounding the 156.239.* subnet—particularly the activity hosted on 3xK Tech GmbH—highlight a highly organized and large-scale attack campaign. One of the most striking aspects of this activity is the sheer volume and diversity of attacking sources: over 9,000 unique attacker IP addresses were recorded.
Such a wide distribution of IPs strongly suggests the use of a coordinated infrastructure, likely involving:
- Botnets leveraging compromised hosts across different networks
- Cloud abuse via rapid deployment of short-lived instances
- Diversified IP rotation to evade blacklists and rate-limiting protections
Coupled with evidence of brute-force login attempts using structured username/password combinations, and novel Baithive payloads never seen before, this campaign demonstrates not only scale, but also intentional design and automation.
This is not opportunistic scanning—it’s a deliberate, sustained effort to compromise targets using a mix of credential attacks, reconnaissance, and malware delivery. The use of a relatively obscure hosting provider (3xK Tech GmbH) may also be a strategic choice to avoid immediate detection and abuse takedowns.