GreyNoise
@greynoise.io
GreyNoise analyzes Internet background noise. Use GreyNoise to remove pointless security alerts, find compromised devices, or identify emerging threats.
See ya'll in 10 ⏳
See you all TOMORROW at 12ET for our last GreyNoise University LIVE of the year! ✨
GreyNoise University LIVE
www.greynoise.io
December 18, 2025 at 4:51 PM
See ya'll in 10 ⏳
GreyNoise is tracking a coordinated credential-based campaign targeting Cisco SSL VPN and Palo Alto Networks GlobalProtect.
#Cisco #PaloAltoNetworks #GreyNoise #VPN #CiscoSSLVPN #GlobalProtect #ThreatIntel
#Cisco #PaloAltoNetworks #GreyNoise #VPN #CiscoSSLVPN #GlobalProtect #ThreatIntel
Coordinated Credential-Based Campaign Targets Cisco and Palo Alto Networks VPN Gateways
GreyNoise is tracking a coordinated, automated credential-based campaign targeting enterprise VPN authentication infrastructure, with activity observed against Cisco SSL VPN and Palo Alto Networks Glo...
greynoise.io
December 17, 2025 at 8:01 PM
GreyNoise is tracking a coordinated credential-based campaign targeting Cisco SSL VPN and Palo Alto Networks GlobalProtect.
#Cisco #PaloAltoNetworks #GreyNoise #VPN #CiscoSSLVPN #GlobalProtect #ThreatIntel
#Cisco #PaloAltoNetworks #GreyNoise #VPN #CiscoSSLVPN #GlobalProtect #ThreatIntel
See you all TOMORROW at 12ET for our last GreyNoise University LIVE of the year! ✨
GreyNoise University LIVE
www.greynoise.io
December 17, 2025 at 6:38 PM
See you all TOMORROW at 12ET for our last GreyNoise University LIVE of the year! ✨
Update: Analyzing React2Shell payloads. Full breakdown from @hrbrmstr.dev 👇
#React2Shell #Nextjs #CVE202555182
#React2Shell #Nextjs #CVE202555182
React2Shell Payload Analysis: A Look at Selected Opportunistic and Possibly AI-
Over the past ~1.5 weeks, the React2Shell campaign has unleashed a flood of exploitation attempts targeting vulnerable React Server Components. Analyzing the payload size distribution across these att...
www.greynoise.io
December 17, 2025 at 4:36 PM
Update: Analyzing React2Shell payloads. Full breakdown from @hrbrmstr.dev 👇
#React2Shell #Nextjs #CVE202555182
#React2Shell #Nextjs #CVE202555182
Just in: Watch #React2Shell exploitation unfold over time in the map below (geo of source IPs attempting to exploit CVE-2025-55182).
#GreyNoise #ThreatIntel #CVE202555182 #Nextjs #Cybersecurity
#GreyNoise #ThreatIntel #CVE202555182 #Nextjs #Cybersecurity
December 11, 2025 at 3:51 PM
Just in: Watch #React2Shell exploitation unfold over time in the map below (geo of source IPs attempting to exploit CVE-2025-55182).
#GreyNoise #ThreatIntel #CVE202555182 #Nextjs #Cybersecurity
#GreyNoise #ThreatIntel #CVE202555182 #Nextjs #Cybersecurity
Reposted by GreyNoise
Ron & my talk from SuriCon 2025 | Abusing HTTP Quirks to Evade Detection
I think it turned out pretty well; pardon the disco effect where a stage light was failing :)
www.youtube.com/watc...
CC: @iagox86.bsky.social @greynoise.io
I think it turned out pretty well; pardon the disco effect where a stage light was failing :)
www.youtube.com/watc...
CC: @iagox86.bsky.social @greynoise.io
SuriCon 2025 | Abusing HTTP Quirks to Evade Detection
Presented at SuriCon 2025 by Ron Bowes and Glenn Thorpe
Network protocols are messy! Sure, there are standards — RFCs, IEEEs, you name it — but there are also multiple ways to do basically everything. If you’re relying on network IDS/IPS tools like Suricata, I have bad news — a sufficiently cl
www.youtube.com
December 9, 2025 at 10:41 PM
Ron & my talk from SuriCon 2025 | Abusing HTTP Quirks to Evade Detection
I think it turned out pretty well; pardon the disco effect where a stage light was failing :)
www.youtube.com/watc...
CC: @iagox86.bsky.social @greynoise.io
I think it turned out pretty well; pardon the disco effect where a stage light was failing :)
www.youtube.com/watc...
CC: @iagox86.bsky.social @greynoise.io
Reposted by GreyNoise
Lots of React4Shell in @greynoise.io. Visualization a la @hrbrmstr.dev
December 9, 2025 at 8:18 PM
Lots of React4Shell in @greynoise.io. Visualization a la @hrbrmstr.dev
Going LIVE in 30 to talk all things React2Shell with the Storm ⚡️ Watch crew!
www.linkedin.com/events/storm...
www.linkedin.com/events/storm...
December 9, 2025 at 7:33 PM
Going LIVE in 30 to talk all things React2Shell with the Storm ⚡️ Watch crew!
www.linkedin.com/events/storm...
www.linkedin.com/events/storm...
👀 React2Shell attacker profiles fresh from GreyNoise telemetry: info.greynoise.io/hubfs/PDFs-S..., don't miss the latest contribution from GreyNoise Labs on React2Shell: www.labs.greynoise.io/grimoire/202...
#React2Shell #Nextjs #CVE202555182 #CVE #GreyNoise
#React2Shell #Nextjs #CVE202555182 #CVE #GreyNoise
December 9, 2025 at 6:59 PM
👀 React2Shell attacker profiles fresh from GreyNoise telemetry: info.greynoise.io/hubfs/PDFs-S..., don't miss the latest contribution from GreyNoise Labs on React2Shell: www.labs.greynoise.io/grimoire/202...
#React2Shell #Nextjs #CVE202555182 #CVE #GreyNoise
#React2Shell #Nextjs #CVE202555182 #CVE #GreyNoise
React2Shell blog update 🚨 compromised Next.js nodes are rapidly being enlisted into botnets; threat actor activity reaches ~80 source countries; and more.
#React2Shell #Nextjs #GreyNoise #ThreatIntel
#React2Shell #Nextjs #GreyNoise #ThreatIntel
CVE-2025-55182 (React2Shell) Opportunistic Exploitation In The Wild: What The GreyNoise Observation Grid Is Seeing So Far
GreyNoise is already seeing opportunistic, largely automated exploitation attempts consistent with the newly disclosed React Server Components (RSC) “Flight” protocol RCE—often referred to publicly as...
www.greynoise.io
December 9, 2025 at 4:51 PM
React2Shell blog update 🚨 compromised Next.js nodes are rapidly being enlisted into botnets; threat actor activity reaches ~80 source countries; and more.
#React2Shell #Nextjs #GreyNoise #ThreatIntel
#React2Shell #Nextjs #GreyNoise #ThreatIntel
London, we are headed your way THIS week! See you there!
Headed to BlackHat EU? 🇬🇧
Swing by the @corelight-inc.bsky.social + GreyNoise booth for a chat and then grab drinks with the team after the con on Wednesday, Dec 10th. Sign up today to reserve your spot!
Swing by the @corelight-inc.bsky.social + GreyNoise booth for a chat and then grab drinks with the team after the con on Wednesday, Dec 10th. Sign up today to reserve your spot!
GreyNoise - Happy Hour at BlackHat Europe
Had a full day at BlackHat? Come put your feet up with GreyNoise and Corelight for a laid-back evening with complimentary drinks, nibbles, and great conversations.
info.greynoise.io
December 8, 2025 at 4:14 PM
London, we are headed your way THIS week! See you there!
Reposted by GreyNoise
React Server CVE-2025-55182 popping off in @greynoise.io right now. Blog from @hrbrmstr.dev up:
www.greynoise.io/blog/cve-202...
www.greynoise.io/blog/cve-202...
December 5, 2025 at 4:55 PM
React Server CVE-2025-55182 popping off in @greynoise.io right now. Blog from @hrbrmstr.dev up:
www.greynoise.io/blog/cve-202...
www.greynoise.io/blog/cve-202...
CVE-2025-55182 (React2Shell) attacks have begun.
We are seeing broad automated exploitation, PoE math probes, encoded PS stagers, and AMSI bypass attempts, with botnets already adding the vuln.
Patch fast. Watch your logs.
We are seeing broad automated exploitation, PoE math probes, encoded PS stagers, and AMSI bypass attempts, with botnets already adding the vuln.
Patch fast. Watch your logs.
CVE-2025-55182 (React2Shell) Opportunistic Exploitation In The Wild: What The GreyNoise Observation Grid Is Seeing So Far
GreyNoise is already seeing opportunistic, largely automated exploitation attempts consistent with the newly disclosed React Server Components (RSC) “Flight” protocol RCE—often referred to publicly as...
www.greynoise.io
December 5, 2025 at 3:09 PM
CVE-2025-55182 (React2Shell) attacks have begun.
We are seeing broad automated exploitation, PoE math probes, encoded PS stagers, and AMSI bypass attempts, with botnets already adding the vuln.
Patch fast. Watch your logs.
We are seeing broad automated exploitation, PoE math probes, encoded PS stagers, and AMSI bypass attempts, with botnets already adding the vuln.
Patch fast. Watch your logs.
Palo + SonicWall campaign uncovered. We dug into a spike of GlobalProtect login attempts earlier this week and found something unexpected.
Full analysis: www.greynoise.io/blog/hidden-...
#Palo #SonicWall #Cybersecurity
Full analysis: www.greynoise.io/blog/hidden-...
#Palo #SonicWall #Cybersecurity
www.greynoise.io
December 4, 2025 at 10:31 PM
Palo + SonicWall campaign uncovered. We dug into a spike of GlobalProtect login attempts earlier this week and found something unexpected.
Full analysis: www.greynoise.io/blog/hidden-...
#Palo #SonicWall #Cybersecurity
Full analysis: www.greynoise.io/blog/hidden-...
#Palo #SonicWall #Cybersecurity
Headed to BlackHat EU? 🇬🇧
Swing by the @corelight-inc.bsky.social + GreyNoise booth for a chat and then grab drinks with the team after the con on Wednesday, Dec 10th. Sign up today to reserve your spot!
Swing by the @corelight-inc.bsky.social + GreyNoise booth for a chat and then grab drinks with the team after the con on Wednesday, Dec 10th. Sign up today to reserve your spot!
GreyNoise - Happy Hour at BlackHat Europe
Had a full day at BlackHat? Come put your feet up with GreyNoise and Corelight for a laid-back evening with complimentary drinks, nibbles, and great conversations.
info.greynoise.io
December 4, 2025 at 3:07 PM
Headed to BlackHat EU? 🇬🇧
Swing by the @corelight-inc.bsky.social + GreyNoise booth for a chat and then grab drinks with the team after the con on Wednesday, Dec 10th. Sign up today to reserve your spot!
Swing by the @corelight-inc.bsky.social + GreyNoise booth for a chat and then grab drinks with the team after the con on Wednesday, Dec 10th. Sign up today to reserve your spot!
The holiday season brings travel, warm drinks, and... serving as the family IT help desk. Check it all out in November's NoiseLetter ❄️
NoiseLetter November 2025
Get GreyNoise updates! Read the November 2025 NoiseLetter for product news, key resources, the latest tags and vulnerabilities, and more.
www.greynoise.io
December 2, 2025 at 6:51 PM
The holiday season brings travel, warm drinks, and... serving as the family IT help desk. Check it all out in November's NoiseLetter ❄️
Check out @hrbrmstr.dev's convo with @npr.org about the spike in inventive holiday cyber scams, from fake shipping alerts to bogus charity requests. ’Tis the season for scammers, so slow down, double-check links, + stay safe out there. 🎁🔒
Holiday cyber scams are getting more inventive
Hackers are hoping to take advantage of the holiday season, and they're not just stealing money or data.
www.npr.org
December 1, 2025 at 7:34 PM
Check out @hrbrmstr.dev's convo with @npr.org about the spike in inventive holiday cyber scams, from fake shipping alerts to bogus charity requests. ’Tis the season for scammers, so slow down, double-check links, + stay safe out there. 🎁🔒
This holiday season, run our IP Check at your family’s house, a free tool that answers a question we hear constantly: "How do I know if my home network has been compromised?"
www.greynoise.io/blog/your-ip...
www.greynoise.io/blog/your-ip...
Your IP Address Might Be Someone Else's Problem (And Here's How to Find Out)
Your home network might be part of someone else’s attack. GreyNoise IP Check shows if your IP’s been caught scanning the internet—free and private.
www.greynoise.io
November 25, 2025 at 8:25 PM
This holiday season, run our IP Check at your family’s house, a free tool that answers a question we hear constantly: "How do I know if my home network has been compromised?"
www.greynoise.io/blog/your-ip...
www.greynoise.io/blog/your-ip...
LIVE in 8! 🚨
Looking forward to seeing folks this Thursday at 12 ET for another GreyNoise University LIVE. Join Michael + @itsjordyn.bsky.social for a fun and informative demo + walkthrough of all things GreyNoise. ✨
GreyNoise University LIVE
www.greynoise.io
November 20, 2025 at 4:52 PM
LIVE in 8! 🚨
🚨 Palo Alto GlobalProtect scanning surged 40X in 24hrs...a 90-day high.
2.3M login attempts from concentrated infrastructure (AS200373/AS208885).
Block these IPs now ⬇️
2.3M login attempts from concentrated infrastructure (AS200373/AS208885).
Block these IPs now ⬇️
Palo Alto Scanning Surges 40X in 24 Hours, Marking 90-Day High
GreyNoise has identified a significant escalation in malicious activity targeting Palo Alto Networks GlobalProtect portals. Beginning on 14 November 2025, activity rapidly intensified, culminating in ...
www.greynoise.io
November 19, 2025 at 9:05 PM
🚨 Palo Alto GlobalProtect scanning surged 40X in 24hrs...a 90-day high.
2.3M login attempts from concentrated infrastructure (AS200373/AS208885).
Block these IPs now ⬇️
2.3M login attempts from concentrated infrastructure (AS200373/AS208885).
Block these IPs now ⬇️
Attackers move fast, so your blocklists should too. GreyNoise now lets you convert any query into a real-time blocklist that updates automatically as attacker infrastructure changes. Start using it today on the GreyNoise platform.
Introducing Query-Based Blocklists: Fully Configurable, Real-Time Threat Blocking in the GreyNoise Platform
GreyNoise customers can turn any GreyNoise query in the platform directly into a real-time blocklist for their firewall, SOAR, or other enforcement points.
www.greynoise.io
November 19, 2025 at 5:31 PM
Attackers move fast, so your blocklists should too. GreyNoise now lets you convert any query into a real-time blocklist that updates automatically as attacker infrastructure changes. Start using it today on the GreyNoise platform.
Looking forward to seeing folks this Thursday at 12 ET for another GreyNoise University LIVE. Join Michael + @itsjordyn.bsky.social for a fun and informative demo + walkthrough of all things GreyNoise. ✨
GreyNoise University LIVE
www.greynoise.io
November 18, 2025 at 9:43 PM
Looking forward to seeing folks this Thursday at 12 ET for another GreyNoise University LIVE. Join Michael + @itsjordyn.bsky.social for a fun and informative demo + walkthrough of all things GreyNoise. ✨
Reposted by GreyNoise
We've hired Colonel Shawn Smagh to up our @greynoise.io intel reporting game and we've started producing weekly intelligence briefs. This week's is a banger.
November 18, 2025 at 7:38 PM
We've hired Colonel Shawn Smagh to up our @greynoise.io intel reporting game and we've started producing weekly intelligence briefs. This week's is a banger.
Reposted by GreyNoise
Who's in Montreal for #Suricon? I'm there speaking and representing @greynoise.io! Come say hi!
We also have a very limited special giveaway. Pro tip: if people ask me for it then I don't have to work to give them away, so if you want a cool prototype thing then just ask!
We also have a very limited special giveaway. Pro tip: if people ask me for it then I don't have to work to give them away, so if you want a cool prototype thing then just ask!
November 18, 2025 at 6:39 PM
Who's in Montreal for #Suricon? I'm there speaking and representing @greynoise.io! Come say hi!
We also have a very limited special giveaway. Pro tip: if people ask me for it then I don't have to work to give them away, so if you want a cool prototype thing then just ask!
We also have a very limited special giveaway. Pro tip: if people ask me for it then I don't have to work to give them away, so if you want a cool prototype thing then just ask!
EU sanctioned Stark Industries in May. Leaked docs gave them 12 days warning.
Result: ASN shuffle, rebrand to THE.Hosting. Corporate shells changed, network behavior didn't.
We tracked it: AS44477→AS209847. Packets don't lie.
Result: ASN shuffle, rebrand to THE.Hosting. Corporate shells changed, network behavior didn't.
We tracked it: AS44477→AS209847. Packets don't lie.
The Stark Industries Shell Game - When Bulletproof Hosting Proves Bulletproof
EU sanctions hit Stark Industries in May 2025. GreyNoise data shows how the group quietly rebranded to THE.Hosting and kept its malicious infrastructure running.
www.greynoise.io
November 17, 2025 at 8:56 PM
EU sanctioned Stark Industries in May. Leaked docs gave them 12 days warning.
Result: ASN shuffle, rebrand to THE.Hosting. Corporate shells changed, network behavior didn't.
We tracked it: AS44477→AS209847. Packets don't lie.
Result: ASN shuffle, rebrand to THE.Hosting. Corporate shells changed, network behavior didn't.
We tracked it: AS44477→AS209847. Packets don't lie.