Honeypots Reveal Automated Bots’ ‘Attack Intensity’ Surged Over Christmastime 2025

Attack intensity surged over the Western winter holiday period, a trend consistent with hackers’ propensity for probing defenses and striking during off hours to maximize dwell time before being discovered.
This well-known phenomenon has obvious implications for how organizations monitor networks and ensure they have sufficiently robust coverage, experts said.
“While humans were away, bots were at their most active,” said Milivoj Rajić, head of threat intelligence at cybersecurity firm DynaRisk, drawing on honeypot data gathered from Dec. 19 through the first 10 days of this year.
Bot activity surged over those three weeks, hitting a peak on Dec. 25 and holding it through Dec. 31, he told Information Security Media Group. That’s based on honeypots deployed across the United States, United Kingdom, Germany, the Netherlands and Serbia.
Over the three-week period, the number of IP addresses tied to malicious activity didn’t change. Rather, “attack intensity per IP spiked during holidays, even as overall volume stayed flat,” he said.
Attack activity appeared to be highly automated. “Bots consistently targeted the same exposed services: SSH, RDP, web ports and routers,” looking for a way in, he said. The activity reflects how many attacks, and especially ransomware hits, remain highly opportunistic.
“Financially motivated ransomware operations are almost entirely opportunistic and based on available access,” said cybersecurity firm Sophos in a recent report.
“This access may have been obtained via malware delivered in phishing campaigns, credentials captured by infostealers or the exploitation of vulnerabilities in internet-facing services. Whatever the method, the approach is random and untargeted,” it said.
Rajić’s honeypots showed the top 10 targeted ports over the holidays were led by HTTPS (443), HTTP (80) and Telnet (23), followed by port 8728, the MikroTik RouterOS API port, then SSH (22), HTTP proxy port 8080, Remote Desktop Protocol (3389), DNS (53) and Kerberos (88). Attack volume typically peaked around midnight.
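The measurements the article leans on (unique attacking sources per day, events per source, which the article calls attack intensity, the most-targeted ports and the hour at which volume peaks) are simple to reproduce from a honeypot export. The following is an added example written for this page, not tooling from DynaRisk, Shadowserver or ISMG. The one-line-per-event log format, the source addresses (taken from the RFC 5737 documentation ranges) and every record in it are constructed for the demonstration; the port numbers are the ones named in the article. It also flags a day as a spike when its intensity clears a multiple of the median of the other days, which generalizes the flat-sources, rising-intensity pattern Rajić describes.

```python
"""Honeypot log roll-up: per-day unique attacking sources, attack intensity per
source, top targeted ports and peak hour.  Added example; the log format and all
records below are constructed, not real honeypot data."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample export, one event per line: "<ISO timestamp> <src_ip> <dst_port> <proto>".
# The same three sources show up every day, but on Dec. 25 each one hits far more often.
SAMPLE_LOG = """\
2025-12-22T00:05:11 198.51.100.7 22 tcp
2025-12-22T00:07:40 198.51.100.7 443 tcp
2025-12-22T01:12:03 203.0.113.9 80 tcp
2025-12-22T02:30:55 203.0.113.9 23 tcp
2025-12-22T03:14:20 192.0.2.44 3389 tcp
2025-12-22T23:58:01 192.0.2.44 8728 tcp
2025-12-23T00:01:09 198.51.100.7 443 tcp
2025-12-23T00:09:17 203.0.113.9 80 tcp
2025-12-23T01:45:33 203.0.113.9 443 tcp
2025-12-23T04:20:00 192.0.2.44 22 tcp
2025-12-23T12:00:42 192.0.2.44 8080 tcp
2025-12-23T23:59:59 198.51.100.7 23 tcp
2025-12-25T00:00:03 198.51.100.7 443 tcp
2025-12-25T00:00:05 198.51.100.7 80 tcp
2025-12-25T00:00:08 198.51.100.7 22 tcp
2025-12-25T00:00:12 198.51.100.7 8728 tcp
2025-12-25T00:01:00 203.0.113.9 443 tcp
2025-12-25T00:01:02 203.0.113.9 23 tcp
2025-12-25T00:01:05 203.0.113.9 3389 tcp
2025-12-25T00:01:09 203.0.113.9 53 udp
2025-12-25T00:02:10 192.0.2.44 443 tcp
2025-12-25T00:02:14 192.0.2.44 80 tcp
2025-12-25T00:02:18 192.0.2.44 88 tcp
2025-12-25T00:02:22 192.0.2.44 8080 tcp
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, source IP, port, protocol)."""
    ts, src, port, proto = line.split()
    return datetime.fromisoformat(ts), src, int(port), proto


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def daily_stats(events):
    """Per calendar day: event count, unique sources, and events per source (intensity)."""
    counts = Counter()
    sources = defaultdict(set)
    for ts, src, _port, _proto in events:
        day = ts.date().isoformat()
        counts[day] += 1
        sources[day].add(src)
    return {
        day: {
            "events": counts[day],
            "sources": len(sources[day]),
            "intensity": counts[day] / len(sources[day]),
        }
        for day in sorted(counts)
    }


def intensity_spikes(stats, factor=1.5):
    """Days whose per-source intensity exceeds `factor` times the median of the other days.
    The threshold is a chosen illustration value, not one taken from the article."""
    flagged = []
    for day, s in stats.items():
        others = [o["intensity"] for d, o in stats.items() if d != day]
        if others and s["intensity"] > factor * median(others):
            flagged.append(day)
    return flagged


def top_ports(events, n=5):
    """Most-targeted destination ports, ties broken by port number for a stable order."""
    hits = Counter(port for _ts, _src, port, _proto in events)
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def peak_hour(events):
    """Hour of day (0-23, in the log's own clock) with the most events."""
    return Counter(ts.hour for ts, *_ in events).most_common(1)[0][0]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    stats = daily_stats(evs)
    for day, s in stats.items():
        print(day, s)
    print("spike days:", intensity_spikes(stats))
    print("top ports:", top_ports(evs))
    print("peak hour:", peak_hour(evs))
```

On the constructed data the unique-source count is 3 on every day, so a dashboard that only graphs distinct attacking IPs would look flat, while events per source doubles on Dec. 25 and the midnight hour dominates the histogram. That is the distinction the article draws between overall volume and per-IP intensity; tracking both series, rather than source count alone, is what makes the holiday change visible.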
One truism with honeypots is that they only ever see part of the picture, and what they see varies with where the sensors sit: regional variation is common.
Over the same time period, a different set of honeypots run by The Shadowserver Foundation, a nonprofit security organization that combats malware, botnets and fraud, detected “a lull in terms of unique attacking sources,” except for a surge around Dec. 24, the nonprofit’s CEO, Piotr Kijewski, told ISMG.
That finding doesn’t conflict with Rajić’s data, he said, although one question is whether the perceived increase in attacks per IP address might be “coincidental or not.”
Multiple experts said it’s likely intentional.
“Over my entire career, nearly all significant incidents occurred over the weekend, often starting late Friday night, to maximize the time a malicious actor has before detection,” said Scotland-based cybersecurity consultant David Stubley.
“While organizations often become aware of incidents during the start of the working week, when we build the timeline of events as part of our investigations, the initial compromise is in those early hours. This is more true of ransomware, where the actor looks to quickly move from initial compromise to the final drop of the encryptor,” Stubley said.
High-profile hits against the likes of Bangladesh Bank in 2016, the Scottish Environmental Protection Agency in 2020 and British high-street retailer Marks & Spencer in 2025 all followed this pattern.
In the Bangladesh Bank incident, attackers struck on a Friday, which is a Muslim day of prayer and the start of the weekend in Bangladesh. At SEPA, the agency said Russia’s Conti ransomware-wielding gang began crypto-locking its systems “at one minute past midnight on Christmas Eve.” And M&S discovered the first signs of Scattered Spider’s ransomware attack against it at the start of the Western Easter holiday weekend in April, when point-of-sale and online systems began to glitch.
Attackers have a well-demonstrated propensity to hit targets over holidays, weekends or nights. One more recent challenge is that they’ve been tapping more automation and “AI-assisted scanning” tools, allowing them to move faster and at greater scale, Rajić said.
“Large portions of reconnaissance and vulnerability discovery are fully automated. When an AI system detects something promising, it may exploit it automatically and if the case is more complex, that’s when a human attacker steps in to validate and further weaponize the vulnerability,” he said.
With this being attackers’ direction of travel, experts said a key takeaway for defenders is factoring this into their monitoring levels, incident response plans and tabletop exercises.
The Shadowserver Foundation’s Kijewski said that organizations closely monitoring their networks over holidays, nights and weekends could actually find it easier to spot attackers. “Attacks may be more visible due to less user activity in general, so it may be easier to spot anomalies,” he said.
Many organizations, whether for cost-cutting reasons or out of excessive optimism, don’t have enough staff on hand over holidays. They may not understand the risk they’re courting. Attackers “deliberately choose moments when defenders are least prepared to respond,” Rajić said.
“Just as important as having on-call teams is the quality of those teams. Holiday coverage shouldn’t mean reduced expertise – clear rules, procedures, escalation paths and indicators of compromise must be defined in advance and consistently followed by on-duty staff,” he said.
