You would probably want a honeypot to lure them in. But I wouldn't expect the output to go through an LLM, although I wouldn't be surprised if I was wrong.

This stuff is just low level automated scanning looking for well known, easy exploits. Default credentials and stuff like that. A lot of it is trying to recruit hosts for illegal VPNs / proxies, DDOS service, and more scanning / propagation. My advice is to block it (maybe with an expiration time on the block), log it, and ignore it. But it can be fun to see what they do with a honeypot.