Last week, the GreyNoise Observation Grid (GOG) observed something unusual: 242,666 new scanning IPs geolocating to Hong Kong appeared in seven days — nearly half of all new scanning IPs observed by GreyNoise that week. And 99.7% of them never completed a single TCP connection.

These IPs are ghosts — they appeared in GreyNoise data but never proved they were real. Because they never completed a TCP handshake, GreyNoise cannot verify that the traffic actually originated from those addresses. They carried no payloads, triggered no detection signatures, and performed no exploitation. All they left behind were a quarter-million unverified IP addresses now sitting in observation datasets.

Geographic references throughout this post describe where IPs are registered, not where the traffic necessarily originated or where operators are located.

Here's why that matters: any detection system that observed this traffic and doesn't distinguish between verified and unverified source addresses just absorbed a quarter-million ghost IPs into its dataset. Meanwhile, the 702 IPs geolocating to Hong Kong that actually completed connections — the ones observed scanning MySQL, SSH, SMB, and RDP, hitting GOG sensors in 20+ countries — could easily get lost in the noise. One provider alone, UCLOUD, surged 472% in session volume to become the largest ASN by session volume in GreyNoise data, with 38% of its IPs classified malicious. That's the signal. The other 242,000 IPs are the noise.

On top of that, the entire scanning landscape reshuffled last week. A top ASN disappeared overnight. Traffic from IPs geolocating to Australia dropped 72%. New infrastructure geolocating to Poland and Germany appeared. The scanning sources that dominated the prior week were not the same ones that dominated last week.

Key Findings

  • 242,666 new IPs geolocating to Hong Kong — 48.9% of all new scanning IPs observed by GreyNoise last week. 99.7% never completed a TCP handshake.
  • One organization, GNET INC., contributed 143,340 IPs — 28.9% of all new IPs observed by GreyNoise. Zero were classified malicious.
  • Only 702 IPs geolocating to Hong Kong (0.3%) completed TCP handshakes. Of those, 362 are classified malicious.
  • UCLOUD (AS135377) surged +472% in session volume, becoming the top ASN by session volume in GreyNoise data — with only 1,746 IPs but 38% classified malicious.
  • The scanning landscape rotated: a top ASN from the prior week disappeared entirely, traffic from IPs geolocating to Australia dropped 72%, and new infrastructure geolocating to Poland and Germany appeared.

The Ghost Fleet

Between March 12 and 18, GreyNoise observed 242,666 new IPs geolocating to Hong Kong — nearly equal to the rest of the world combined (253,646). Six hosting providers account for 93.3%:

| Organization | ASN | New IPs | Spoofable | Malicious | Tags |
|---|---|---|---|---|---|
| GNET INC. | AS9294 | 143,340 | 99.998% | 0 | Virtually none |
| Yancy Limited | AS138415 | 34,051 | 99.998% | 1 | Virtually none |
| Cloudie Limited | AS55933 | 20,517 | 99.91% | 45 | Minimal |
| Zillion Network Inc. | AS54801 | 10,329 | | | |
| LARUS Limited | AS17561 | 9,433 | 100% | 0 | None |
| Netsec Limited | AS45753 | 8,759 | 99.96% | 1 | Minimal |

Figure 1: New IPs geolocating to Hong Kong, by organization. GNET INC. alone contributed 28.9% of all new IPs observed by GreyNoise.

When GreyNoise labels an IP "spoofable," it means the IP was observed sending traffic but never completed a TCP three-way handshake — the source address is unverified. Of these 242,666 IPs, 241,964 are spoofable. They are classified "unknown," categorized as "hosting" infrastructure (92.3%), and carry almost no GreyNoise tags.

One Organization, 143,340 IPs, Zero Malicious

GNET INC. (AS9294) is the single largest contributor — one organization that added 28.9% of all new IPs observed by GreyNoise in a single week:

| Metric | Value |
|---|---|
| Total active IPs (including pre-existing) | 163,051 |
| Spoofable | 99.998% (only 3 completed TCP handshakes) |
| Classification | 100% unknown |
| Malicious IPs | 0 |
| GOG sensor countries reached | Primarily United States |
| Tags | QUIC Protocol on 30 IPs; nothing else |

No exploitation. No brute-force activity. No web crawling. Incomplete connections only.

Names That Don't Match Registration Geography

Several ghost fleet entities are registered under names that don't align with where their IPs geolocate:

| Entity | ASN | Total IPs | Discrepancy |
|---|---|---|---|
| LUOGELANG (FRANCE) LIMITED | AS135097 | 62,617 | "France" in name — 0% of IPs geolocate to France (62% HK, 38% US) |
| LARUS Limited | AS17561 | 19,687 | Split between Hong Kong (9,832) and Russia (8,751) |
| Taiwan Li Run Ltd | AS131147 | 5,119 | "Taiwan" in name — 4,096 IPs geolocate to mainland China, 1,023 to Hong Kong |

The Signal Behind the Noise: UCLOUD

The ghost fleet is the noise. The signal is UCLOUD (AS135377).

Figure 2: Spoofable vs. non-spoofable IPs geolocating to Hong Kong — 242,000 IPs that did not complete TCP handshakes vs. 702 that did.

UCLOUD contributes just 1,746 IPs — 0.4% of the active IPs geolocating to Hong Kong in GreyNoise data. But it accounts for an outsized share of observed scanning and exploitation attempts:

| Metric | UCLOUD (AS135377) | Spoofable Fleet Average |
|---|---|---|
| New IPs | 1,746 | 8,759 to 143,340 per ASN |
| Malicious classification | 38% (663 IPs) | <0.1% |
| Spoofable | 43.5% | >99.9% |
| GOG sensor countries reached | 20+ | Primarily 1 (US, 99.8%) |
| Unique protocol tags | 14+ active tags | 0-2 tags |

Figure 3: UCLOUD multi-protocol scanning activity observed by GreyNoise, spanning 14+ protocols.

The contrast is stark. The entity generating 82x more IPs (GNET INC.) has zero classified malicious. The entity generating 82x fewer IPs (UCLOUD) has 663 — observed scanning MySQL, SSH, SMB, and RDP, with traffic reaching GOG sensors in more than 20 countries.

The Volume Surge

UCLOUD's session volume went from 9.7 million to 55.4 million in one week — displacing DigitalOcean as the top ASN by session volume in GreyNoise data:

| Week | UCLOUD Sessions | DigitalOcean Sessions | UCLOUD Rank |
|---|---|---|---|
| Mar 5-11 | 9,679,761 | 31,361,945 | #3 |
| Mar 12-18 | 55,384,799 | 22,709,383 | #1 |
| Change | +472% | -27.6% | |

Figure 4: Daily session counts showing UCLOUD overtaking DigitalOcean as the top ASN by session volume in GreyNoise data.

The Rotation: Everything Shifted in Seven Days

The ghost fleet wasn't the only change. The entire scanning landscape observed by GreyNoise reshuffled. AS213438, a top ASN the prior week with 10.7 million sessions, disappeared entirely — an abrupt shutoff consistent with infrastructure being decommissioned or rotated.

What declined (source refers to IP geolocation; destination refers to GOG sensor location):

| Source (IP geolocation) to destination (GOG sensor) | Mar 5-11 (sessions) | Mar 12-18 (sessions) | Change |
|---|---|---|---|
| Australia to US | 4,109,617 | 1,153,593 | -71.9% |
| Netherlands to US | 17,886,273 | 12,952,923 | -27.6% |
| Netherlands to Spain | 5,540,230 | 3,112,579 | -43.8% |
| Canada to US | 3,649,150 | 2,454,528 | -32.7% |

What appeared (source refers to IP geolocation; destination refers to GOG sensor location):

| Source (IP geolocation) to destination (GOG sensor) | Mar 5-11 (sessions) | Mar 12-18 (sessions) | Change |
|---|---|---|---|
| Hong Kong to US | 4,744,912 | 15,427,214 | +225% |
| Poland to Spain | 312,708 | 8,325,850 | +2,563% |
| Hong Kong to Spain | 1,410,537 | 7,117,338 | +405% |
| Thailand to US | 966,313 | 5,468,241 | +466% |
| Nigeria to US | 559,975 | 2,863,781 | +411% |
| Lithuania to US | 1,523,952 | 5,300,605 | +248% |
| Bulgaria to US | 1,496,734 | 3,444,281 | +130% |

Figure 5: Week-over-week changes in scanning traffic by source-destination pair, as observed by GreyNoise.

Under the Hood

Cross-referencing GreyNoise observations with Censys internet-wide scan data and VirusTotal reputation data reveals infrastructure patterns not visible from any single source.

Templated deployment across borders.

A cluster on infrastructure geolocating to Germany, registered to a Seychelles entity, shows configurations consistent with deployment from a single VM image. A separate Windows VPS cluster uses IPs geolocating to Bulgaria, Romania, and France across three ASNs with an identical service configuration on each node — scanning infrastructure deployed from a common template.

UCLOUD relay infrastructure.

Censys data reveals purpose-built traffic relay and tunneling software deployed across UCLOUD at a density not typical of legitimate hosting. Repeating non-standard port configurations appear identically across multiple subnets — the signature of a single VM template deployed at scale.

Low reputation detection.

The top scanning IPs are barely flagged:

| IP | Provider | Vendor Detections | Notable |
|---|---|---|---|
| 109.205.211[.]101 | MEVSPACE / Colocatel Inc. (AS201814) | 2 of 94 | Zero communicating files. 7.97M sessions/week. IPs geolocate to Poland; registered to Colocatel Inc. (Seychelles). |
| 79.124.58[.]146 | Tamatiya EOOD (AS50360) | 5 of 94 | IPs geolocate to Bulgaria. Self-signed SSL cert: localhost.localdomain by "VMware Installer". |
| 91.238.181[.]10 | Fbw Networks SAS (AS49434) | 7 of 94 | IPs geolocate to France. Communicating file: mssecsvr.exe (Win32, first seen 2018). Malicious history predating current activity. |

What We Don't Know

GreyNoise cannot determine the purpose of the ghost fleet from GreyNoise data alone. Censys confirms these ASNs are active hosting ecosystems — the spoofable traffic uses source addresses in IP ranges distinct from the legitimate hosted infrastructure. What we can say: 242,666 IPs appeared, almost none completed connections, and the source addresses are unverified.

What Defenders Should Do

  • Review detection stacks that don't distinguish spoofable IPs from confirmed scanners. 242,666 unverified source addresses now exist in observation datasets, and any system that weights activity by IP count without verifying that connections completed has absorbed them.
  • Update blocklists. The sources that dominated scanning the prior week declined or disappeared, replaced by infrastructure geolocating to Hong Kong, Poland, and Germany — all within seven days.
  • Monitor UCLOUD (AS135377). GreyNoise observed multi-protocol scanning activity targeting MySQL (3306), SSH (22), SMB (445), and RDP (3389).
  • Track the ghost fleet ASNs for behavioral changes: AS9294, AS138415, AS55933, AS135097, AS17561, AS45753. If these IPs begin completing TCP handshakes and deploying payloads, the assessment changes.
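As an added example, not GreyNoise's code or data, the Python below applies the spoofable distinction used throughout this post (a source counts as verified only if it completes the TCP three-way handshake) to a constructed sensor trace and compares per-ASN raw IP counts with verified IP counts, the check the first bullet above calls for. The addresses, ASN labels and sequence numbers are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    asn: str
    dst_port: int
    flags: str  # TCP flags seen inbound: "S" = SYN, "A" = ACK, "PA" = PSH+ACK
    ack: int    # acknowledgement number carried by the packet (0 when ACK is unset)

# Constructed data, not GreyNoise observations. The sensor answers every SYN with a SYN-ACK and
# records the ISN it used; a spoofed source never receives that SYN-ACK, so it cannot ACK ISN + 1.
SENSOR_ISN = {  # (src_ip, dst_port) -> initial sequence number the sensor chose for its SYN-ACK
    ("203.0.113.10", 3306): 811_000_001, ("203.0.113.11", 22): 811_000_002,
    ("203.0.113.12", 3389): 811_000_003, ("198.51.100.5", 3306): 811_000_004,
    ("198.51.100.6", 445): 811_000_005,
}
TRACE = [
    Packet("203.0.113.10", "AS-GHOST", 3306, "S", 0),             # SYN only, never followed up
    Packet("203.0.113.11", "AS-GHOST", 22, "S", 0),               # SYN only
    Packet("203.0.113.12", "AS-GHOST", 3389, "S", 0),
    Packet("203.0.113.12", "AS-GHOST", 3389, "A", 123),           # guessed ack: still unverified
    Packet("198.51.100.5", "AS-SIGNAL", 3306, "S", 0),
    Packet("198.51.100.5", "AS-SIGNAL", 3306, "A", 811_000_005),  # ISN + 1: handshake completed
    Packet("198.51.100.5", "AS-SIGNAL", 3306, "PA", 811_000_005), # payload follows
    Packet("198.51.100.6", "AS-SIGNAL", 445, "S", 0),
    Packet("198.51.100.6", "AS-SIGNAL", 445, "A", 811_000_006),   # ISN + 1: handshake completed
]

def verified_sources(trace):
    """Return (seen, verified): src_ip -> asn for every source, and for the subset whose
    ACK equalled the sensor's ISN + 1, which proves the address actually received our SYN-ACK."""
    seen, verified = {}, {}
    for p in trace:
        seen[p.src_ip] = p.asn
        isn = SENSOR_ISN.get((p.src_ip, p.dst_port))
        if "A" in p.flags and isn is not None and p.ack == isn + 1:
            verified[p.src_ip] = p.asn
    return seen, verified

def per_asn_counts(trace):
    """Per ASN: raw IPs (what a stack that never checks handshakes records) beside verified IPs."""
    seen, verified = verified_sources(trace)
    stats = {}
    for asn in set(seen.values()):
        raw = sum(1 for a in seen.values() if a == asn)
        ver = sum(1 for a in verified.values() if a == asn)
        stats[asn] = {"raw_ips": raw, "verified_ips": ver,
                      "spoofable_pct": round(100 * (1 - ver / raw), 1)}
    return stats
```

Counted by raw IPs the constructed ghost ASN looks larger than the real scanner; counted by verified IPs it disappears entirely.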

GreyNoise is not attributing this activity to a named threat actor or state sponsor. The geographic references in this post describe where IPs are registered, not necessarily where the operators are located. Hosting infrastructure is routinely used by actors with no geographic connection to the provider's registration.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.