GreyNoise

GreyNoise analyzes Internet background noise. Use GreyNoise to remove pointless security alerts, find compromised devices, or identify emerging threats.

(Yes, it's really us. - Love, GreyNoise)

2026-02-04

Check out this month's NoiseLetter for the latest on Ghostie + all things GreyNoise!
🗞️ greynoise.io/resources/noisele

2026-02-03

Two IPs now generate 56% of all CVE-2025-55182 exploitation traffic.

One deploys cryptominers. The other opens reverse shells.

We dug into the infrastructure. What we found goes back to 2020.

greynoise.io/blog/react2shell-

2026-02-02

In 2025, 59 CVEs quietly flipped to “known ransomware use” in CISA’s KEV...no alerts, no fanfare. 🧐

We dug through a year of JSON to catch every silent flip and built an RSS feed so you don’t miss the next one.

Read the blog + grab the feed 🗞️

greynoise.io/blog/unmasking-ci

2026-01-29

👀 Seeing who’s poking Ivanti Connect Secure?

GreyNoise just caught a ~100x spike in recon on CVE-2025-0282 featuring one loud AS213790 campaign and one sneaky botnet spread across 6K IPs.

We broke down the infra + what defenders should do next. 👇
labs.greynoise.io/grimoire/202

2026-01-28

Join us tomorrow at 12 ET for 2026's first GreyNoise University LIVE! With a new co-host, David! Looking forward to seeing you there. 🪩 greynoise.io/events/greynoise-

2026-01-28

Most attacker behavior only makes sense over time. 🕰️
Recall brings time-series analysis to GNQL so you can see how scanning and exploitation evolved.
See the timeline. Find the pattern. greynoise.io/blog/recall-time-

2026-01-27

Three campaigns. One fingerprint.
React RCE, VPN brute forcing, and router scanning—all linked to the same infrastructure.
→ 1.7M React attacks
→ 506K VPN targets
→ 3 IPs behind 1.8M router attempts
This week's At The Edge preview: greynoise.io/contact

A digital intelligence brief from GreyNoise titled “AT THE EDGE,” dated January 19–23, 2026, summarizing three coordinated cyber campaigns under the headline “Three Campaigns. One Fingerprint.” The top of the graphic highlights key statistics in large text: 1.7M React attacks, 506K VPN targets, 1.8M router attempts, and a note that 3 IPs are responsible for 99% of observed activity. Below, four text blocks describe: (1) React exploitation attempts related to CVE-2025-55182, including real command injection, a Metasploit module, and one hosting provider generating 57% of traffic; (2) sustained attacks on enterprise VPNs (Fortinet SSL VPN and Palo Alto GlobalProtect) with 506K sessions, a 25% increase over baseline for Fortinet, and emphasis that VPN credentials are valuable for ransomware; (3) router attacks where three IPs drive 1.8M attempts, focusing on a MikroTik RouterOS brute-force campaign with a 64,000:1 session-to-IP ratio and noting compromised routers as pivot points and botnet nodes; and (4) an explanation that a shared JA1T network fingerprint links the React RCE, VPN brute force, and environment crawling to common infrastructure, suggesting organized operations rather than random scanning. The bottom banner invites GreyNoise customers to access the full brief, mentioning complete IOCs, attribution, detection guidance, and weekly role-based recommendations, with a contact URL “greynoise.io/contact” and a small 2026 GreyNoise, Inc. copyright notice.
GreyNoise boosted:
2026-01-14

The first runZero Hour of 2026 is almost here! 🚀

Join hosts Rob King and @todb on January 21 as they talk all things OT security with guest Brianna Cluck from @greynoise.

🛠️ Brianna will provide the blueprint to set up your own ICS home lab.

🔎 Rob will share his insights from the freshest OT research.

🚨 And of course, no episode would be complete without a Rapid Response Roundup, dissecting this month's notable vulnerabilities.

🔗 Register now: runzero.com/research/runzero-h

GreyNoise boosted:
hrbrmstr 🇺🇦 🇬🇱 🇨🇦 hrbrmstr
2026-01-13

Later today the epic @huntress team lets me crash the party to talk all things React2Shell.

Still time to reg!

Rly looking fwd to it. Tis not often one gets to meet ones heroes!

huntress.com/upcoming-webinars

2026-01-12

New on the GreyNoise blog: We borrow from some unexpected fields, enzyme kinetics, species biodiversity models, astrophotography, to understand internet-wide scanning activity and measure what we might be missing.

greynoise.io/blog/filtering-no

#GreyNoise #Cybersecurity

2026-01-12

🚨 We are hiring across sales, alliances, and customer experience for our US + EMEA teams 🌍

See a role you'd crush? We would love to hear from you!

👉 Apply now: greynoise.io/careers

#hiring #cybersecuritycareers

Black GreyNoise hiring graphic with bold text reading ‘We Are Hiring!’ followed by a list of open roles: Director of Strategic Alliances; Regional Sales Manager – US DoD + IC; Sales Engineer – US DoD + IC; Regional Sales Manager – US Federal Civilian; Sales Development Representative – EMEA; and Customer Experience Specialist – EMEA. The design features teal wave lines and the GreyNoise logo, with a call to action to apply at greynoise.io/careers.
2026-01-08

GreyNoise analyzed activity targeting exposed Ollama and LLM infrastructure, identifying SSRF abuse attempts and large-scale probing of LLM model endpoints.
Analysis: greynoise.io/blog/threat-actor
#GreyNoise #ThreatIntelligence #LLMSecurity

2026-01-08

Ransomware starts with reconnaissance: we observed a recent large-scale scanning campaign validating exploitable systems, data that feeds the initial access market and shows up later in real attacks. 🕵️‍♀️

greynoise.io/blog/christmas-sc

#GreyNoise #Ransomware #InitialAccess #IAB #Recon

2026-01-07

Back from the holidays and afraid to open your inbox? Same. Open the latest NoiseLetter instead.
greynoise.io/resources/noisele

GreyNoise boosted:
hrbrmstr 🇺🇦 🇬🇱 🇨🇦 hrbrmstr
2026-01-03

slingers had a party goin' on since the 25th and are still doing more with less.

Ginormous session counts from a fraction of the IPs.

faceted bar charts highlighting an uptick in React2Shell since the 25th with yuge session counts
IPv4 first seen distribution. 1029 before 2025 | 1304 on or after 2025 but before Dec 4 | 4962 Dec 4+
world map with 101 countries highlighted
2025-12-31

New year, new opportunities? Check out our current openings for a new start in the new year! 🪩🎉

🔗 greynoise.io/careers

2025-12-17

GreyNoise is tracking a coordinated credential-based campaign targeting Cisco SSL VPN and Palo Alto Networks GlobalProtect.

🔗 greynoise.io/blog/credential-b

#Cisco #PaloAltoNetworks #GreyNoise #VPN #CiscoSSLVPN #GlobalProtect #ThreatIntel
