Just Released! The Invisible Army: Residential Proxy Abuse in Internet-Scale Attack Traffic
.png){kind=spacer}
At The Edge is GreyNoise's weekly intelligence brief produced exclusively for customers incorporating complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations. At The Edge Clear is a preview highlighting a couple insights and is available to the public.
Analysis Period: March 30 - April 06, 2026
The broadest single-week botnet recruitment expansion since January 2026 coincided with surging RDP brute-force activity, credential harvesting at scale, and coordinated targeting of ICS/SCADA and AI infrastructure — with botnet, OT, and AI campaigns converging into a unified threat pipeline.
Twenty new exploitation tags appeared simultaneously targeting end-of-life routers, DVRs, and ICS platforms — including FUXA HMI, bridging botnet recruitment and OT compromise. ADB Check surged 577.7% (note: partially amplified by new protocol dissectors — directional trend confirmed) and Mirai more than doubled.
RDP Bruteforce Attempt surged 340.7% to 940,019 sessions — the highest level since February 2026 (note: protocol-specific sensor deployments may contribute — operational pattern confirmed). SS-Net infrastructure scanned 2,740 ports to locate hidden RDP instances.
Path Traversal surged 312.5% to 3.26M sessions. Feroxbuster appeared at 845.9% above prior-week levels (detected via user agent — spoofable signal), systematically extracting credentials and cloud secrets.
Seven ICS protocol scanners accelerated for a third week alongside Ollama AI scanning (+583.6%). Same infrastructure conducting IoT exploitation is probing ICS and AI endpoints — a unified operational pipeline.
.png)
GreyNoise customers get detailed briefs with complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations every week.
Request a demo to learn more about GreyNoise's data and intelligence.
At The Edge is GreyNoise's weekly intelligence brief produced exclusively for customers incorporating complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations. At The Edge Clear is a preview highlighting a couple insights and is available to the public.
Analysis Period: March 30 - April 06, 2026
The broadest single-week botnet recruitment expansion since January 2026 coincided with surging RDP brute-force activity, credential harvesting at scale, and coordinated targeting of ICS/SCADA and AI infrastructure — with botnet, OT, and AI campaigns converging into a unified threat pipeline.
Twenty new exploitation tags appeared simultaneously targeting end-of-life routers, DVRs, and ICS platforms — including FUXA HMI, bridging botnet recruitment and OT compromise. ADB Check surged 577.7% (note: partially amplified by new protocol dissectors — directional trend confirmed) and Mirai more than doubled.
RDP Bruteforce Attempt surged 340.7% to 940,019 sessions — the highest level since February 2026 (note: protocol-specific sensor deployments may contribute — operational pattern confirmed). SS-Net infrastructure scanned 2,740 ports to locate hidden RDP instances.
Path Traversal surged 312.5% to 3.26M sessions. Feroxbuster appeared at 845.9% above prior-week levels (detected via user agent — spoofable signal), systematically extracting credentials and cloud secrets.
Seven ICS protocol scanners accelerated for a third week alongside Ollama AI scanning (+583.6%). Same infrastructure conducting IoT exploitation is probing ICS and AI endpoints — a unified operational pipeline.
GreyNoise customers get detailed briefs with complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations every week.
Request a demo to learn more about GreyNoise's data and intelligence.
