February was anything but quiet at GreyNoise, from our 2026 State of the Edge Report to new edge attack research, Ivanti + BeyondTrust deep dives, and a packed March of events, check it all out in this month's Noiseletter!
GreyNoise is now integrated across CrowdStrike Falcon.
Falcon users can bring GreyNoise IP classification into Next-Gen SIEM searches, Fusion SOAR playbooks, and Charlotte AI workflows to triage faster, cut background noise + prioritize real threats.
A GreyNoise Intelligence Weekly Intelligence Brief cover page titled "Weekly Intelligence Brief" with the subhead "The Scanning Landscape Collapsed. Enterprise Campaigns Intensified." The design features large bold statistics across the center, including "268M sessions observed," "435% Sophos surge," "9.1M RDP sessions," and "Week 6 VPN siege." Supporting text summarizes key findings about collapsing global scanning volume, intensified Sophos firewall exploitation, massive RDP scanning from two IPs, and ongoing VPN credential campaigns targeting enterprise perimeter infrastructure. The footer includes a call to action to contact GreyNoise for the full brief, the GreyNoise logo, and the company website and social handle on a clean, professional white background with branded typography.
Here's a taste of what GreyNoise customers got in this week's At The Edge intelligence brief.
268M sessions. 540K unique IPs. Four findings that matter.
Full brief: IOCs, attribution, recommendations.
www.greynoise.io/resources/at...
greynoise.io/contact
Noise: analyzed.
Security: certified.
GreyNoise is now ISO 27001 certified
We spend our days tracking internet background noise and we hold ourselves to the same high security standards we expect from the ecosystem.
GreyNoise observed a coordinated campaign probing SonicWall firewalls to identify which devices have SSL VPN enabled - the prerequisite step before credential attacks. 4 infrastructure clusters, a commercial proxy service rotating thousands of IPs, and near-zero exploitation. This is target mapping.
What started as a simple "Hey, I keep seeing this string. Any ideas?" message kicked off an investigation finding a cryptostealing and database wiping operation.
Follow the string in the latest GreyNoise Labs post: www.labs.greynoise.io/grimoire/202...
Join us today at 12pm ET for February's GreyNoise University LIVE session, where you'll get an overview of what's new at GreyNoise, plus a live demo of our tools and latest product releases.
52% of RCE attempts came from IPs with no prior GreyNoise history. New research on where edge defenses fall short + what to do about it.
#ThreatIntel #Cybersecurity #GreyNoise
A GreyNoise Intelligence weekly brief cover page titled "Weekly Intelligence Brief" for February 9-16, 2026, using a clean corporate layout with the GreyNoise logo at the top. Large headline text reads "IoT, Edge, Credentials. All Surging at Once." followed by a short summary paragraph describing rising IoT botnet recruitment, Fortinet VPN brute-forcing, and credential harvesting. Four bold numeric callouts highlight "91% IoT default password surge," "98% increase Fortinet VPN brute-force," "8.28M credential harvesting sessions," and "84 days of crypto C2 beaconing." Below, four brief section teasers describe IoT botnet activity, enterprise edge credential attacks, broad credential harvesting, and an 84-day crypto exchange C2 operation. The footer includes a "Want the full brief?" marketing call-to-action with the GreyNoise contact URL and social handle, plus a "TLP: CLEAR" label indicating public sharing is allowed.
This week's At the Edge: CLEAR is out - a preview of the intel brief GreyNoise customers get every week.
www.greynoise.io/resources/at...
That's just the preview. greynoise.io/contact
#ThreatIntel #CyberSecurity #GreyNoise
It took less than a day. A PoC for BeyondTrust CVE-2026-1731 hit GitHub, and GreyNoise immediately started seeing reconnaissance from multi-exploit actors hiding behind VPNs + custom tooling. See what our data reveals about who's mapping targets + how.
A dark-themed "Weekly Intelligence Brief" report from GreyNoise covering February 2-9, 2026, summarizing global malicious scanning activity. Large headline text highlights a 113% week-over-week surge in Remote Desktop Protocol (RDP) attacks, with 29.9 million RDP attempts, 83,000 N8N exploits, and 352 callback domains associated with OAST. Below, the layout is divided into four sections: one explaining that RDP attacks more than doubled in a week driven by a single noisy IP; one titled "Ivanti 'Three-Headed Hydra'" describing three independent campaigns abusing CVE-2022-1281 with Cobalt Strike; one on N8N exploitation describing 83,334 attempts against CVE-2022-21858 from a specific IP range and warning about exposed API keys; and one on the Rondodx botnet summarizing high session counts and links to previous activity. A footer invites readers to contact GreyNoise for the full brief and includes a link to the company website.
Three campaigns. One has Cobalt Strike ready.
RDP nearly quadrupled. A botnet picked up a new CVE. And someone built a Kubernetes cluster just to exploit n8n.
A preview of what GreyNoise customers get every week. Full brief has the IOCs, attribution, and analysis.
We observed a 65% drop in global telnet traffic in 1 hour on Jan 14, settling into a sustained 59% reduction. 18 ASNs went silent, 5 countries disappeared, but cloud providers were unaffected.
Our analysis of 51.2M sessions points to backbone-level port 23 filtering by a Tier 1 transit provider.
83% of observed Ivanti EPMM exploitation (CVE-2026-1281) traces to one bulletproof IP that isn't on any published IOC list. The IPs that are? VPN exits with zero Ivanti activity. We broke down who's actually doing this
#Ivanti #ThreatIntel #CVE20261281 #InfoSec
Attackers are operating at machine speed + so should defenders.
Check out the Government Technology Insider article, where our Principal Intelligence Liaison, Shawn Smagh, shares what we're seeing in the data and 4 steps to get to active defense at machine speed.
Check out this month's NoiseLetter for the latest on Ghostie + all things GreyNoise!
www.greynoise.io/resources/no...
Two IPs now generate 56% of all CVE-2025-55182 exploitation traffic.
One deploys cryptominers. The other opens reverse shells.
We dug into the infrastructure. What we found goes back to 2020.
In 2025, 59 CVEs quietly flipped to "known ransomware use" in CISA's KEV...no alerts, no fanfare.
We dug through a year of JSON to catch every silent flip and built an RSS feed so you don't miss the next one.
Read the blog + grab the feed
Seeing who's poking Ivanti Connect Secure?
GreyNoise just caught a ~100x spike in recon on CVE-2025-0282 featuring one loud AS213790 campaign and one sneaky botnet spread across 6K IPs.
We broke down the infra + what defenders should do next.
Join us tomorrow at 12 ET for 2026's first GreyNoise University LIVE! With a new co-host, David! Looking forward to seeing you there.
Most attacker behavior only makes sense over time.
Recall brings time-series analysis to GNQL so you can see how scanning and exploitation evolved.
See the timeline. Find the pattern.
A digital intelligence brief from GreyNoise titled "AT THE EDGE," dated January 19-23, 2026, summarizing three coordinated cyber campaigns under the headline "Three Campaigns. One Fingerprint." The top of the graphic highlights key statistics in large text: 1.7M React attacks, 506K VPN targets, 1.8M router attempts, and a note that 3 IPs are responsible for 99% of observed activity. Below, four text blocks describe: (1) React exploitation attempts related to CVE-2025-55182, including real command injection, a Metasploit module, and one hosting provider generating 57% of traffic; (2) sustained attacks on enterprise VPNs (Fortinet SSL VPN and Palo Alto GlobalProtect) with 506K sessions, a 25% increase over baseline for Fortinet, and emphasis that VPN credentials are valuable for ransomware; (3) router attacks where three IPs drive 1.8M attempts, focusing on a MikroTik RouterOS brute-force campaign with a 64,000:1 session-to-IP ratio and noting compromised routers as pivot points and botnet nodes; and (4) an explanation that a shared JA1T network fingerprint links the React RCE, VPN brute force, and environment crawling to common infrastructure, suggesting organized operations rather than random scanning. The bottom banner invites GreyNoise customers to access the full brief, mentioning complete IOCs, attribution, detection guidance, and weekly role-based recommendations, with a contact URL "greynoise.io/contact" and a small 2026 GreyNoise, Inc. copyright notice.
Three campaigns. One fingerprint.
React RCE, VPN brute forcing, and router scanning - all linked to the same infrastructure.
- 1.7M React attacks
- 506K VPN targets
- 3 IPs behind 1.8M router attempts
This week's At The Edge preview: greynoise.io/contact
Check out @hrbrmstr.dev today on @huntress.com's Tradecraft Tuesday at 1pm ET to chat about all things #React2Shell.
www.huntress.com/upcoming-web...
New on the GreyNoise blog: We borrow from some unexpected fields, enzyme kinetics, species biodiversity models, astrophotography, to understand internet-wide scanning activity and measure what we might be missing.
#GreyNoise #Cybersecurity
Black GreyNoise hiring graphic with bold text reading "We Are Hiring!" followed by a list of open roles: Director of Strategic Alliances; Regional Sales Manager - US DoD + IC; Sales Engineer - US DoD + IC; Regional Sales Manager - US Federal Civilian; Sales Development Representative - EMEA; and Customer Experience Specialist - EMEA. The design features teal wave lines and the GreyNoise logo, with a call to action to apply at greynoise.io/careers.
We are hiring across sales, alliances, and customer experience for our US + EMEA teams
See a role you'd crush? We would love to hear from you!
Apply now: greynoise.io/careers
#hiring #cybersecuritycareers
GreyNoise analyzed activity targeting exposed Ollama and LLM infrastructure, identifying SSRF abuse attempts and large-scale probing of LLM model endpoints.
#GreyNoise #ThreatIntelligence #LLMSecurity
All internet traffic from Iran ceased in @greynoise.io one hour ago. Tier 1 dropped off two hours ago.
Ransomware starts with reconnaissance: we observed a recent large-scale scanning campaign validating exploitable systems, data that feeds the initial access market and shows up later in real attacks.
#GreyNoise #Ransomware #InitialAccess #IAB #Recon
Back from the holidays and afraid to open your inbox? Same. Open the latest NoiseLetter instead.
React2Shell Update - 7 January 2026
Full update & analysis
#GreyNoise #React2Shell
New year, new opportunities? Check out our current openings for a new start in the new year!
greynoise.io/careers