At The Edge Clear: June 01 - 08, 2026


At The Edge is GreyNoise's weekly intelligence brief, produced exclusively for customers, with complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations. At The Edge Clear is a preview highlighting a couple of insights and is available to the public.

The Pressure Was on Remote Access.

Analysis Period: June 01 – June 08, 2026

This week's highest-intent activity targeted the login surfaces of remote access — RDP, enterprise SSL VPN, and router management — not any new vulnerability. A single host produced more than a quarter of all RDP-crawling traffic GreyNoise observed: 4.18 million sessions in a 48-hour burst, then silence. Enterprise SSL VPN portals from every major vendor drew six-figure credential pressure, and a MikroTik RouterOS brute-force campaign ran for a third straight week. The actionable intelligence is the specific IPs, ASNs, and behavioral tags to hunt — not another hardening checklist.

By The Numbers:

  • 25% of all RDP-crawling traffic this week came from a single host (4.18M sessions).
  • 6 enterprise SSL VPN surfaces under six-figure credential and scanning pressure.
  • 1.5M MikroTik RouterOS brute-force sessions from two IPs, third week running.
  • 317M total sessions across 1.55M source IPs, within the normal weekly range.

Preview Findings:

1. One Host, a Quarter of All RDP Crawling

94.102.49.82 (AS202425, Netherlands, malicious) generated 4,180,759 sessions — RDP Crawler 3.13M plus RDP Bruteforce 280K — more than a quarter of all RDP-crawling traffic GreyNoise recorded this week, across a wide port range, concentrated in a 48-hour burst then silent.

2. Enterprise SSL VPN Portals Under Credential Pressure

Fortinet (686K) and Cisco (401K) drew six-figure SSL VPN bruteforcing; SonicWall (325K login / 331K API), Cisco ASA (264K), and Palo Alto (255K) drew six-figure login and API scanning of the same portals. Apply GreyNoise dynamic blocklists for the Fortinet, Cisco, SonicWall, and Palo Alto login-scanner tags — the distributed source pattern makes tag-based blocking the primary lever.

3. MikroTik RouterOS Brute-Force — Third Week

Two hosts (45.198.224.18 NL, 45.205.1.5 BR) on TCP/8728 accounted for nearly all of the dataset's RouterOS brute-force sessions this week.
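
A hunt to pair with the two addresses above, as an added example that is not from GreyNoise or the brief: it flags the listed sources and also any other source bursting against TCP/8728 (the RouterOS API port). The log format, window and threshold are assumptions, and every sample row except the brief's own address is constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# The two sources the brief names for RouterOS brute-force on TCP/8728.
BRIEF_SOURCES = {"45.198.224.18", "45.205.1.5"}
ROUTEROS_API_PORT = 8728

# Constructed flow log (assumed format): timestamp,src_ip,dst_ip,dst_port.
# 203.0.113.7 and 192.0.2.20 are documentation addresses, not real sources.
SAMPLE_LOG = """\
2026-06-02T10:00:00,45.198.224.18,198.51.100.10,8728
2026-06-02T10:00:01,203.0.113.7,198.51.100.10,8728
2026-06-02T10:00:05,203.0.113.7,198.51.100.10,3389
2026-06-02T10:00:20,203.0.113.7,198.51.100.10,8728
2026-06-02T10:00:41,203.0.113.7,198.51.100.10,8728
2026-06-02T10:01:05,203.0.113.7,198.51.100.10,8728
2026-06-02T10:01:30,203.0.113.7,198.51.100.10,8728
2026-06-02T10:02:10,203.0.113.7,198.51.100.10,8728
2026-06-02T09:00:00,192.0.2.20,198.51.100.10,8728
2026-06-02T17:30:00,192.0.2.20,198.51.100.10,8728
"""

def hunt_8728(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {src_ip: (reason, peak)} for sources hitting TCP/8728.

    peak is the most connections seen from that source in any span of
    length `window`; reason is "listed" (named in the brief) or "burst".
    """
    attempts = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if row and int(row[3]) == ROUTEROS_API_PORT:
            attempts[row[1]].append(datetime.fromisoformat(row[0]))
    findings = {}
    for src, times in attempts.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if src in BRIEF_SOURCES:
            findings[src] = ("listed", peak)
        elif peak >= threshold:
            findings[src] = ("burst", peak)
    return findings
```

The burst rule keeps working after a source address changes; the threshold needs tuning against whatever legitimate API management traffic the environment has.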

4. Rented Hosting Out-Rotates Reputation Feeds

Eight of the ten busiest sources are classified malicious and a ninth suspicious; all sit on rented hosting, mostly in the Netherlands. Apply GreyNoise dynamic blocklists for the relevant tags — the IPs rotate, the tag-based coverage does not.

Want the full brief?

GreyNoise customers get detailed briefs with complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations every week.

Request a demo to learn more about GreyNoise's data and intelligence.
