At The Edge Clear: Jan 19–23, 2026


At The Edge is GreyNoise's weekly intelligence brief, produced exclusively for customers and incorporating complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations. At The Edge Clear is a preview that highlights a couple of insights and is available to the public.

Three Campaigns. One Fingerprint.

Analysis Period: January 19–23, 2026

React exploitation, VPN brute forcing, and router scanning all traced back to the same network signature. What looked like separate campaigns was coordinated infrastructure.

By The Numbers:

  • 1.7M React Attacks
  • 506K VPN Targets
  • 1.8M Router Attempts
  • 3 IPs behind 99%

Preview Findings:

1.7 million React exploitation attempts

CVE-2025-55182 with CVSS 10.0. 179,000 sessions included actual command injection. Metasploit module available. One hosting provider generated 57% of traffic.

Enterprise VPNs under sustained pressure

Fortinet SSL VPN and Palo Alto GlobalProtect both targeted. 506,000 combined sessions. Fortinet attacks up 25% from baseline. VPN credentials remain ransomware's front door.

Three IPs generated 1.8 million router attacks

MikroTik RouterOS brute force campaign with a 64,000:1 session-to-IP ratio. Compromised routers become pivot points for lateral movement and botnet recruitment.

Same fingerprint across all three campaigns

JA4T signature linked React RCE, VPN brute force, and ENV crawling to shared infrastructure. Organized operations, not opportunistic scanning.
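
One way to look for the same pattern in your own session logs, as an added example (not GreyNoise's code or data): group sessions by JA4T to find fingerprints that span several activity types, and compute sessions per source IP as in the router finding. The record layout, tag names, and every sample value below are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (source IP, JA4T, activity tag); not GreyNoise data.
# IPs use documentation ranges; JA4T strings are invented in the
# window_options_mss_wscale layout.
SHARED = "64240_2-4-8-1-3_1460_7"
SESSIONS = (
    [("192.0.2.10", SHARED, "react_rce")] * 4
    + [("198.51.100.7", SHARED, "vpn_bruteforce")] * 3
    + [("203.0.113.5", SHARED, "env_crawl")] * 2
    + [("203.0.113.99", "29200_2-4-8-1-3_1424_9", "env_crawl")]
    + [("192.0.2.44", "65535_2-4-8-1-3_1460_6", "router_bruteforce")] * 6
)


def shared_fingerprints(sessions, min_tags=2):
    """Return JA4T values seen under at least min_tags distinct activity tags."""
    tags, ips, counts = defaultdict(set), defaultdict(set), defaultdict(int)
    for ip, ja4t, tag in sessions:
        tags[ja4t].add(tag)
        ips[ja4t].add(ip)
        counts[ja4t] += 1
    return {
        fp: {"tags": sorted(tags[fp]), "ips": sorted(ips[fp]), "sessions": counts[fp]}
        for fp in tags
        if len(tags[fp]) >= min_tags
    }


def sessions_per_ip(sessions):
    """Sessions divided by distinct source IPs, per activity tag."""
    total, ips = defaultdict(int), defaultdict(set)
    for ip, _ja4t, tag in sessions:
        total[tag] += 1
        ips[tag].add(ip)
    return {tag: total[tag] / len(ips[tag]) for tag in total}


if __name__ == "__main__":
    for fp, info in shared_fingerprints(SESSIONS).items():
        print(fp, info)
    for tag, ratio in sorted(sessions_per_ip(SESSIONS).items()):
        print(f"{tag}: {ratio:.1f} sessions per source IP")
```

A JA4T match alone is weak evidence because common TCP stacks share fingerprints; treat a cross-tag hit as a lead to corroborate with ASN, timing, and payload overlap.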

Want the full brief?

GreyNoise customers get detailed briefs with complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations every week.

Request a demo to learn more about GreyNoise's data and intelligence.
