GreyNoise
greynoise.io
@greynoise.io
GreyNoise analyzes Internet background noise. Use GreyNoise to remove pointless security alerts, find compromised devices, or identify emerging threats.
It took less than a day. A PoC for BeyondTrust CVE-2026-1731 hit GitHub, and GreyNoise immediately started seeing reconnaissance from multi-exploit actors hiding behind VPNs + custom tooling. See what our data reveals about who’s mapping targets + how.
Reconnaissance Has Begun for the New BeyondTrust RCE (CVE-2026-1731): Here's What We See So Far
A PoC for CVE-2026-1731 hit GitHub on Feb 10. Within 24 hours, GreyNoise observed reconnaissance probing for vulnerable BeyondTrust instances.
www.greynoise.io
February 12, 2026 at 6:13 PM
Three campaigns. One has Cobalt Strike ready.

RDP nearly quadrupled. A botnet picked up a new CVE. And someone built a Kubernetes cluster just to exploit n8n.

A preview of what GreyNoise customers get every week. Full brief has the IOCs, attribution, and analysis.
February 11, 2026 at 9:25 PM
We observed a 65% drop in global telnet traffic in 1 hour on Jan 14, settling into a sustained 59% reduction. 18 ASNs went silent, 5 countries disappeared, but cloud providers were unaffected.

Our analysis of 51.2M sessions points to backbone-level port 23 filtering by a Tier 1 transit provider.
2026-01-14: The Day the telnet Died – GreyNoise Labs
On January 14, 2026, global telnet traffic observed by GreyNoise sensors fell off a cliff. A 59% sustained reduction, eighteen ASNs going completely silent, five countries vanishing from our data enti...
www.labs.greynoise.io
February 10, 2026 at 8:44 PM
83% of observed Ivanti EPMM exploitation (CVE-2026-1281) traces to one bulletproof IP that isn't on any published IOC list. The IPs that are? VPN exits with zero Ivanti activity. We broke down who's actually doing this ⬇️

#Ivanti #ThreatIntel #CVE20261281 #InfoSec
Active Ivanti Exploitation Traced to Single Bulletproof IP—Published IOC Lists Point Elsewhere
The GreyNoise Global Observation Grid observed active exploitation of two critical Ivanti Endpoint Manager Mobile vulnerabilities, and 83% of that exploitation traces to a single IP address on bulletp...
www.greynoise.io
February 10, 2026 at 7:17 PM
Attackers are operating at machine speed + so should defenders. 🤖

Check out the Government Technology Insider article, where our Principal Intelligence Liaison, Shawn Smagh, shares what we’re seeing in the data and 4️⃣ steps to get to active defense at machine speed.
The AI-Accelerated Threat Landscape: Four Steps Toward Active Defense at Machine Speed - Government Technology Insider
If you’ve been following breaking news in cybersecurity, it will come as no surprise to you that AI is allowing attackers to move faster and at a greater scale than traditional defenses can keep up wi...
governmenttechnologyinsider.com
February 10, 2026 at 4:25 PM
Check out this month's NoiseLetter for the latest on Ghostie + all things GreyNoise!
🗞️ www.greynoise.io/resources/no...
February 4, 2026 at 10:35 PM
Two IPs now generate 56% of all CVE-2025-55182 exploitation traffic.

One deploys cryptominers. The other opens reverse shells.

We dug into the infrastructure. What we found goes back to 2020.
React Server Components Exploitation Consolidates as Two IPs Generate Majority of Attack Traffic
Two months after CVE-2025-55182 was disclosed on December 3, 2025, exploitation activity targeting React Server Components has consolidated significantly.
www.greynoise.io
February 3, 2026 at 9:04 PM
In 2025, 59 CVEs quietly flipped to “known ransomware use” in CISA’s KEV...no alerts, no fanfare. 🧐

We dug through a year of JSON to catch every silent flip and built an RSS feed so you don’t miss the next one.

Read the blog + grab the feed 🗞️
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
In 2025, 59 KEV entries silently flipped to “known ransomware use.” GreyNoise uncovers the hidden flips, why they matter, and a new feed to track them.
www.greynoise.io
February 2, 2026 at 7:32 PM
👀 Seeing who’s poking Ivanti Connect Secure?

GreyNoise just caught a ~100x spike in recon on CVE-2025-0282 featuring one loud AS213790 campaign and one sneaky botnet spread across 6K IPs.

We broke down the infra + what defenders should do next. 👇
Inside the Infrastructure: Who’s Scanning for Ivanti Connect Secure? – GreyNoise Labs
GreyNoise detected a 100x surge in Ivanti Connect Secure reconnaissance targeting CVE-2025-0282 (EPSS 93%). Analysis reveals two distinct campaigns: an aggressive AS213790-based operation generating 3...
www.labs.greynoise.io
January 29, 2026 at 5:26 PM
Join us tomorrow at 12 ET for 2026's first GreyNoise University LIVE! With a new co-host, David! Looking forward to seeing you there. 🪩
GreyNoise University LIVE
www.greynoise.io
January 28, 2026 at 9:28 PM
Most attacker behavior only makes sense over time. 🕰️
Recall brings time-series analysis to GNQL so you can see how scanning and exploitation evolved.
See the timeline. Find the pattern.
GreyNoise Introduces Recall: Time-Series Intelligence for GreyNoise Query Language
Recall is a time-series capability that enables customers to query GreyNoise data over specific historical ranges. Instead of a static summary of current IP behavior, Recall allows you to see exactly ...
www.greynoise.io
January 28, 2026 at 7:02 PM
Three campaigns. One fingerprint.
React RCE, VPN brute forcing, and router scanning—all linked to the same infrastructure.
→ 1.7M React attacks
→ 506K VPN targets
→ 3 IPs behind 1.8M router attempts
This week's At The Edge preview: greynoise.io/contact
January 27, 2026 at 10:33 PM
Check out @hrbrmstr.dev today on @huntress.com's Tradecraft Tuesday at 1pm ET to chat about all things #React2Shell. 🤘

🔗 www.huntress.com/upcoming-web...
January 13, 2026 at 4:31 PM
New on the GreyNoise blog: We borrow from some unexpected fields, enzyme kinetics, species biodiversity models, astrophotography, to understand internet-wide scanning activity and measure what we might be missing.

#GreyNoise #Cybersecurity
Filtering Noise in (Cyber)Space
Dive into the scientific methods GreyNoise uses to separate internet noise from real threats, providing defenders a clearer, more accurate view of malicious activity.
www.greynoise.io
January 12, 2026 at 9:14 PM
🚨 We are hiring across sales, alliances, and customer experience for our US + EMEA teams 🌍

See a role you'd crush? We would love to hear from you!

👉 Apply now: greynoise.io/careers

#hiring #cybersecuritycareers
January 12, 2026 at 3:59 PM
GreyNoise analyzed activity targeting exposed Ollama and LLM infrastructure, identifying SSRF abuse attempts and large-scale probing of LLM model endpoints.
#GreyNoise #ThreatIntelligence #LLMSecurity
Threat Actors Actively Targeting LLMs
Our Ollama honeypot infrastructure captured 91,403 attack sessions between October 2025 and January 2026. Buried in that data: two distinct campaigns that reveal how threat actors are systematically m...
www.greynoise.io
January 8, 2026 at 7:58 PM
Reposted by GreyNoise
All internet traffic from Iran ceased in @greynoise.io one hour ago. Tier 1 dropped off two hours ago.
January 8, 2026 at 7:56 PM
Ransomware starts with reconnaissance: we observed a recent large-scale scanning campaign validating exploitable systems, data that feeds the initial access market and shows up later in real attacks. 🕵️‍♀️

#GreyNoise #Ransomware #InitialAccess #IAB #Recon
The Ransomware Ground Game: How A Christmas Scanning Campaign Will Fuel 2026 Attacks
Over four days in December, one operator scanned the internet with 240+ exploits, logging confirmed vulnerabilities that could power targeted intrusions in 2026.
www.greynoise.io
January 8, 2026 at 3:03 PM
Back from the holidays and afraid to open your inbox? Same. Open the latest NoiseLetter instead.
NoiseLetter December 2025
Get GreyNoise updates! Read the December 2025 NoiseLetter for product news, key resources, the latest tags and vulnerabilities, and more.
www.greynoise.io
January 7, 2026 at 5:01 PM
New year, new opportunities? Check out our current openings for a new start in the new year! 🪩🎉

🔗 greynoise.io/careers
December 31, 2025 at 5:48 PM
See y'all in 10 ⏳
See you all TOMORROW at 12ET for our last GreyNoise University LIVE of the year! ✨
GreyNoise University LIVE
www.greynoise.io
December 18, 2025 at 4:51 PM
GreyNoise is tracking a coordinated credential-based campaign targeting Cisco SSL VPN and Palo Alto Networks GlobalProtect.
#Cisco #PaloAltoNetworks #GreyNoise #VPN #CiscoSSLVPN #GlobalProtect #ThreatIntel
Coordinated Credential-Based Campaign Targets Cisco and Palo Alto Networks VPN Gateways
GreyNoise is tracking a coordinated, automated credential-based campaign targeting enterprise VPN authentication infrastructure, with activity observed against Cisco SSL VPN and Palo Alto Networks Glo...
greynoise.io
December 17, 2025 at 8:01 PM
See you all TOMORROW at 12ET for our last GreyNoise University LIVE of the year! ✨
GreyNoise University LIVE
www.greynoise.io
December 17, 2025 at 6:38 PM