At The Edge Clear: March 2 – 9, 2026


At The Edge is GreyNoise's weekly intelligence brief, produced exclusively for customers and incorporating complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations. At The Edge Clear is a preview highlighting a couple of insights and is available to the public.

Attackers Found the AI Stack. Everything Else Got Worse.

Analysis Period: March 2 – 9, 2026

AI infrastructure joined the attack surface this week as threat actors systematically mapped Ollama model servers, coding assistant credentials, and notebook environments, while ICS scanning hit three-week highs and legacy protocol worm activity surged, producing 52.8 million sessions.

By The Numbers:

  • 279.5M Sessions Observed
  • +374% Ollama Model Enum Surge
  • 828K ICS/SCADA Sessions
  • 52.8M Multi-protocol Surge Sessions

Preview Findings:

Threat actors are systematically harvesting AI infrastructure

Ollama model server scanning reached 51,801 sessions (+37.9%), with the /api/tags model enumeration endpoint surging +374%. For the first time, GreyNoise observed scanning for AI coding assistant configuration files — Cline, Aider, and Cursor — targeting API keys, conversation histories, and cloud credentials. Specialized scanning tooling (ollama-audit/1.0) confirmed purpose-built AI reconnaissance.
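
A defender can check their own logs for the two indicators named above, the /api/tags enumeration request and the ollama-audit/1.0 user agent. The following is an added example, not part of the GreyNoise brief: it assumes Ollama sits behind a reverse proxy writing combined-format access logs and that 10.0.0.0/8 is the trusted client range; the function name and sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in combined log format (documentation IP ranges);
# not taken from GreyNoise data.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Mar/2026:10:01:02 +0000] "GET /api/tags HTTP/1.1" 200 512 "-" "ollama-audit/1.0"
192.0.2.10 - - [03/Mar/2026:10:01:03 +0000] "GET /api/version HTTP/1.1" 200 20 "-" "ollama-audit/1.0"
198.51.100.7 - - [03/Mar/2026:10:05:00 +0000] "GET /api/tags?x=1 HTTP/1.1" 200 512 "-" "curl/8.5.0"
10.0.0.5 - - [03/Mar/2026:10:06:00 +0000] "GET /api/tags HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.9 - - [03/Mar/2026:10:07:00 +0000] "GET /index.html HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
ENUM_PATH = "/api/tags"          # model enumeration endpoint named in the brief
SCANNER_UA = "ollama-audit/1.0"  # scanner user agent named in the brief

def find_ollama_recon(log_text, trusted=("10.0.0.0/8",)):
    """Return {source_ip: [reasons]} for untrusted clients probing Ollama."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not combined-format entries
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is a hostname, not an address
        if any(ip in n for n in nets):
            continue  # expected internal clients (assumed range)
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if SCANNER_UA in m["ua"]:
            hits[m["ip"]].add("scanner_user_agent")
        if m["method"] == "GET" and path == ENUM_PATH:
            hits[m["ip"]].add("model_enumeration")
            if m["status"] == "200":
                # the model list was actually returned to an outside client
                hits[m["ip"]].add("model_list_exposed")
    return {ip: sorted(reasons) for ip, reasons in hits.items()}

if __name__ == "__main__":
    for ip, reasons in find_ollama_recon(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

A "model_list_exposed" result means an untrusted address received a successful response, which points to an Ollama instance reachable from outside the trusted range rather than just background scanning.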

ICS/SCADA scanning volumes surged — but mostly benign

Combined ICS sessions hit 828,696 (+513%), but the dominant DigitalOcean/Linode cluster (89–99.8% of Cisco Smart Install, Veeder-Root ATG, and iSCSI traffic) is consistent with benign internet scanning platforms. The genuinely malicious development: Chimay Red MikroTik exploitation exploded +1,103% as two command IPs directed 6,046 compromised routers.

Multi-protocol worm activity produced 52.8 million sessions

SMBv1 (+197%), DCERPC (+199%), RFB/VNC (+250%), and Telnet (+207%) surged simultaneously. Thirty-nine of the top 50 source IPs are shared between SMBv1 and DCERPC — self-propagating Windows worm activity from residential ISPs in Vietnam, India, Russia, and Egypt.

Sophos exploitation and VPN credential pressure continue escalating

Sophos CVE-2022-1040 RCE sessions reached 357,762 (+71.2%), marking three consecutive weeks of escalation. Enterprise VPN credential pressure hit 1,527,864 sessions (+28.5%) across five vendors. MEVSPACE — the dominant RDP brute-force operator — collapsed 99.8%.

Want the full brief?

GreyNoise customers get detailed briefs with complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations every week.

Request a demo to learn more about GreyNoise's data and intelligence.
