Just Released! Β Β The Invisible Army: Residential Proxy Abuse in Internet-Scale Attack Traffic
.png){kind=spacer}
β
At The Edge is GreyNoise's weekly intelligence brief produced exclusively for customers incorporating complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations. At The Edge Clear is a preview highlighting a couple insights and is available to the public.
β
Analysis Period: April 06 -13, 2026
This week's intelligence highlights a shift from opportunistic scanning to coordinated, targeted exploitation of enterprise perimeter devices and IoT infrastructure, with adversaries operationalizing prior reconnaissance at scale.
β
β
Six AWS-hosted nodes sharing a single JA3 fingerprint systematically probed Fortinet, Palo Alto, Sophos, Ivanti, Citrix, ConnectWise, and F5 appliances β covering the full enterprise perimeter stack in one coordinated operation active since January. Fortinet FortiClient EMS API Auth Bypass Check >
β
FortiClient EMS authentication bypass (CVE-2026-35616, CVSS 9.1, CISA KEV) generated 1,535,690 sessions while SSL VPN brute-forcing trended upward β creating a dual-vector attack posture against the most targeted perimeter vendor. Fortinet SSL VPN Bruteforcer >
β
Mirai activity increased 76.9% while overall volume fell 28.3%. The VPSVAULT cluster weaponized 16+ CVEs across cameras, routers, DVRs, and NAS devices with 2,732,814 combined sessions. Mirai >
β
Ollama API endpoint scanning grew 93.6% for the second consecutive week β a thirteenfold increase over three weeks β as threat actors build inventories of exposed AI inference infrastructure. Ollama API Endpoint Crawler >
β
.png)
β
GreyNoise customers get detailed briefs with complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations every week.
βRequest a demo to learn more about GreyNoise's data and intelligence.
β
β
At The Edge is GreyNoise's weekly intelligence brief produced exclusively for customers incorporating complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations. At The Edge Clear is a preview highlighting a couple insights and is available to the public.
β
Analysis Period: April 06 -13, 2026
This week's intelligence highlights a shift from opportunistic scanning to coordinated, targeted exploitation of enterprise perimeter devices and IoT infrastructure, with adversaries operationalizing prior reconnaissance at scale.
β
β
Six AWS-hosted nodes sharing a single JA3 fingerprint systematically probed Fortinet, Palo Alto, Sophos, Ivanti, Citrix, ConnectWise, and F5 appliances β covering the full enterprise perimeter stack in one coordinated operation active since January. Fortinet FortiClient EMS API Auth Bypass Check >
β
FortiClient EMS authentication bypass (CVE-2026-35616, CVSS 9.1, CISA KEV) generated 1,535,690 sessions while SSL VPN brute-forcing trended upward β creating a dual-vector attack posture against the most targeted perimeter vendor. Fortinet SSL VPN Bruteforcer >
β
Mirai activity increased 76.9% while overall volume fell 28.3%. The VPSVAULT cluster weaponized 16+ CVEs across cameras, routers, DVRs, and NAS devices with 2,732,814 combined sessions. Mirai >
β
Ollama API endpoint scanning grew 93.6% for the second consecutive week β a thirteenfold increase over three weeks β as threat actors build inventories of exposed AI inference infrastructure. Ollama API Endpoint Crawler >
β
β
GreyNoise customers get detailed briefs with complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations every week.
βRequest a demo to learn more about GreyNoise's data and intelligence.
β
