21 IPs generated nearly half of all RDP scanning on the internet in 48 hours. Then vanished — for the second time in 30 days.
🔗 www.greynoise.io/blog/ip-addr...
#ThreatIntel #RDP #CyberSecurity #InfoSec #ThreatHunting
Posts by GreyNoise
🚨We just shipped C2 Detection.
Compromised edge devices call home to attacker infrastructure. The evidence is in your outbound logs...most teams just can’t see it.
Now they can. 👀
Learn more ⬇
GreyNoise is on the move 🌍
Next up: CrowdTours (8 cities), Glasgow + Tampa
It’s all in the March Noiseletter 🗞️ + fresh research (more coming soon 👀)
New GreyNoise Report: 39% of unique IPs targeting the edge come from home internet connections. They are everywhere, briefly — 78% appear at most twice before rotating. The rotation rate makes feed-based IP reputation structurally ineffective against this traffic.
🔗 www.greynoise.io/resources/in...
GreyNoise is headed to 🇸🇪 Stockholm for CrowdStrike #CrowdTour2026 on 🗓️ April 15th.
Attending the event or local to the area? We’d love to connect.
🔗 Book a dedicated time to meet with our team here: lnkd.in/e4_FA-7h
#CyberSecurity #CrowdStrike #GreyNoise #ThreatIntel #Stockholm
NEW: GreyNoise At The Edge Intel Brief (March 23-30)
187,998,900 sessions. 100 top source IPs. Daily volumes surged 4x mid-week as at least 4 new scanning operations activated simultaneously.
Here's what we found: 🔗 www.greynoise.io/resources/at...
GreyNoise is proud to be sponsoring the CrowdStrike CrowdTour across 8 cities! 🌏
We’re excited to highlight how our integration with Falcon Next-Gen SIEM helps SOC teams stop chasing ghosts and start catching real threats.
👇Book a meeting with us here:
info.greynoise.io/crowdtour-20...
Last week, half of all new scanning IPs observed by GreyNoise geolocated to Hong Kong.
A quarter-million never completed a TCP handshake.
The ones that did were scanning MySQL, SSH, SMB, and RDP across 20+ countries. One of these is the signal. The other is noise.
www.greynoise.io/blog/ghost-f...
NEW: GreyNoise At The Edge Intel Brief (Mar 16–23)
200,886,675 sessions. 101 unique source IPs.
Here's what we found: www.greynoise.io/resources/at...
Dark-themed GreyNoise Intelligence summary slide titled ‘The Scanning Landscape Is Reorganizing’ for March 9–16, 2026, showing total scanning stats and brief blurbs on uCloud’s 578% surge, escalating edge device exploits, fast‑rotating RDP operators, and a renewed React2Shell campaign, with a call to action to get the full report.
New GreyNoise At The Edge brief: The internet's scanning infrastructure is reorganizing.
UCLOUD (HK) surged +578% to become the #1 scanning ASN, now 15.6% of all observed traffic. Western providers declining simultaneously.
301.8M sessions. 439K IPs. Here's what we found.
Starting at the top of the hour! 🚨
Hope to see you there to break down all things State of the Edge with @andrewmorr.is, @hrbrmstr.dev + Shawn!
There's still time to register 👉 info.greynoise.io/webinar/stat...
TOMORROW! 🚨 Join us for a fast-paced dive into the 2026 GreyNoise State of the Edge Report...from rogue residential botnets to 26-year-old CVEs still getting hammered. Save your spot and see what’s actually hitting the edge.
🚀 New GreyNoise + Google SecOps integrations are live. See which IPs scan everyone vs just you, now directly inside Google SecOps.
🧩 SIEM: Standardized ingestion, dashboards, YARA-L rules, and saved searches
⚡️ SOAR: v7.0 actions, webhooks, and playbooks to automate triage
Hey London! We are closing down day 1 at #ecrimecongress today + can't wait to see you tomorrow! If you're around, say hi to the team, watch a demo, and grab some great swag! 🔥
Edge attacks are evolving faster than your playbook. Join @andrewmorr.is, @hrbrmstr.dev + Shawn Smagh next Tuesday for a live breakdown of where edge targeting is concentrating, where defenses are failing, + what 162 days of internet-scale data says about your real exposure.
February was anything but quiet at GreyNoise, from our 2026 State of the Edge Report to new edge attack research, Ivanti + BeyondTrust deep dives, and a packed March of events. Check it all out in this month's Noiseletter! 🚀
GreyNoise is now integrated across CrowdStrike Falcon. 🚀
Falcon users can bring GreyNoise IP classification into Next-Gen SIEM searches, Fusion SOAR playbooks, and Charlotte AI workflows to triage faster, cut background noise + prioritize real threats.
A GreyNoise Intelligence Weekly Intelligence Brief cover page titled “Weekly Intelligence Brief” with the subhead “The Scanning Landscape Collapsed. Enterprise Campaigns Intensified.” The design features large bold statistics across the center, including “268M sessions observed,” “435% Sophos surge,” “9.1M RDP sessions,” and “Week 6 VPN siege.” Supporting text summarizes key findings about collapsing global scanning volume, intensified Sophos firewall exploitation, massive RDP scanning from two IPs, and ongoing VPN credential campaigns targeting enterprise perimeter infrastructure. The footer includes a call to action to contact GreyNoise for the full brief, the GreyNoise logo, and the company website and social handle on a clean, professional white background with branded typography.
Here's a taste of what GreyNoise customers got in this week's At The Edge intelligence brief.
268M sessions. 540K unique IPs. Four findings that matter.
Full brief: IOCs, attribution, recommendations.
🔗 www.greynoise.io/resources/at...
greynoise.io/contact
Noise: analyzed.
Security: certified.
GreyNoise is now ISO 27001 certified 🔐
We spend our days tracking internet background noise and we hold ourselves to the same high security standards we expect from the ecosystem.
GreyNoise observed a coordinated campaign probing SonicWall firewalls to identify which devices have SSL VPN enabled — the prerequisite step before credential attacks. 4️⃣ infrastructure clusters, a commercial proxy service rotating thousands of IPs, and near-zero exploitation. This is target mapping.
🕵 What started as a simple "Hey, I keep seeing this string. Any ideas?" message kicked off an investigation finding a cryptostealing and database wiping operation.
Follow the string in the latest GreyNoise Labs post: www.labs.greynoise.io/grimoire/202...
Join us today at 12pm ET for February’s GreyNoise University LIVE session, where you’ll get an overview of what’s new at GreyNoise, plus a live demo of our tools and latest product releases.
52% of RCE attempts came from IPs with no prior GreyNoise history. New research on where edge defenses fall short + what to do about it.
#ThreatIntel #Cybersecurity #GreyNoise
A GreyNoise Intelligence weekly brief cover page titled “Weekly Intelligence Brief” for February 9–16, 2026, using a clean corporate layout with the GreyNoise logo at the top. Large headline text reads “IoT, Edge, Credentials. All Surging at Once.” followed by a short summary paragraph describing rising IoT botnet recruitment, Fortinet VPN brute-forcing, and credential harvesting. Four bold numeric callouts highlight “91% IoT default password surge,” “98% increase Fortinet VPN brute-force,” “8.28M credential harvesting sessions,” and “84 days of crypto C2 beaconing.” Below, four brief section teasers describe IoT botnet activity, enterprise edge credential attacks, broad credential harvesting, and an 84-day crypto exchange C2 operation. The footer includes a “Want the full brief?” marketing call-to-action with the GreyNoise contact URL and social handle, plus a “TLP: CLEAR” label indicating public sharing is allowed.
This week's At the Edge: CLEAR is out — a preview of the intel brief GreyNoise customers get every week.
🔗 www.greynoise.io/resources/at...
That's just the preview. greynoise.io/contact
#ThreatIntel #CyberSecurity #GreyNoise
It took less than a day. A PoC for BeyondTrust CVE-2026-1731 hit GitHub, and GreyNoise immediately started seeing reconnaissance from multi-exploit actors hiding behind VPNs + custom tooling. See what our data reveals about who’s mapping targets + how.
A dark-themed “Weekly Intelligence Brief” report from GreyNoise covering February 2–9, 2026, summarizing global malicious scanning activity. Large headline text highlights a 113% week‑over‑week surge in Remote Desktop Protocol (RDP) attacks, with 29.9 million RDP attempts, 83,000 N8N exploits, and 352 callback domains associated with OAST. Below, the layout is divided into four sections: one explaining that RDP attacks more than doubled in a week driven by a single noisy IP; one titled “Ivanti ‘Three‑Headed Hydra’” describing three independent campaigns abusing CVE‑2022‑1281 with Cobalt Strike; one on N8N exploitation describing 83,334 attempts against CVE‑2022‑21858 from a specific IP range and warning about exposed API keys; and one on the Rondodx botnet summarizing high session counts and links to previous activity. A footer invites readers to contact GreyNoise for the full brief and includes a link to the company website.
Three campaigns. One has Cobalt Strike ready.
RDP nearly quadrupled. A botnet picked up a new CVE. And someone built a Kubernetes cluster just to exploit n8n.
A preview of what GreyNoise customers get every week. Full brief has the IOCs, attribution, and analysis.
We observed a 65% drop in global telnet traffic in 1 hour on Jan 14, settling into a sustained 59% reduction. 18 ASNs went silent, 5 countries disappeared, but cloud providers were unaffected.
Our analysis of 51.2M sessions points to backbone-level port 23 filtering by a Tier 1 transit provider.
83% of observed Ivanti EPMM exploitation (CVE-2026-1281) traces to one bulletproof IP that isn't on any published IOC list. The IPs that are? VPN exits with zero Ivanti activity. We broke down who's actually doing this ⬇️
#Ivanti #ThreatIntel #CVE20261281 #InfoSec