At The Edge is GreyNoise's weekly intelligence brief, produced exclusively for customers and incorporating complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations. At The Edge Clear is a preview that highlights a couple of insights and is available to the public.
Analysis Period: February 2–9, 2026
Ivanti Connect Secure exploitation came from three independent operators: Netherlands malware delivery, Russian OAST testing with 352 callback domains, and US infrastructure co-located with active Cobalt Strike C2. Combined with a 113% RDP surge and coordinated n8n exploitation, attackers are building target lists across enterprise infrastructure.
29.9 million password-guessing attempts against Remote Desktop—up 113% from 14 million last week. One IP generated 6.75 million sessions alone. Exposed RDP remains the #1 ransomware entry point.
Three independent campaigns targeting CVE-2026-1281: Netherlands malware delivery, Russian blind testing (352 OAST domains), and US scanning co-located with active Cobalt Strike on port 34473.
83,334 attempts against CVE-2026-21858 from a single /24 block (AS211590). Workflow automation platforms hold API keys and credentials to everything. 33 days from disclosure to mass exploitation.
44,763 sessions from the Rondodox botnet using the same JA4T fingerprint as December's IAB campaign. When botnets adopt a CVE, exploitation scales. 1.88M total React sessions.
GreyNoise customers get detailed briefs with complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations every week.
Request a demo to learn more about GreyNoise's data and intelligence.