We investigate the infrastructure behind cybercrime and state-sponsored operations: bulletproof hosting supply chains, phishing campaigns, malware delivery networks. All findings are based on publicly available data and original research.
Aggregate activity across the multi-region honeypot network. Figures are anonymised totals from the monthly TLP:CLEAR report — no individual sensor identifiers, addresses, or locations are disclosed.
Notable: a self-propagating Docker-API worm escaping to the host via chroot (Docker traffic up ~28× month-over-month), a captured-malware shift from WannaCry PE binaries to ELF SSH-worms (Panchan / Go SSH-worm / Discord-C2 / Mirai), and internet-wide IEC-104 (ICS/OT) reconnaissance with no attacker-issued control commands. Full analysis — June 2026 Monthly Report.
TLP:CLEAR incident reports and threat analysis, available in English and Russian.
For collaboration, responsible disclosure, abuse reporting, or access to restricted research materials:
infra.observer@proton.me
Aleksei Fokin — Threat Intelligence Analyst