At The Edge Clear: June 29 - July 06, 2026

Table of Contents
Loading nav...

‍

At The Edge is GreyNoise's weekly intelligence brief produced exclusively for customers incorporating complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations. At The Edge Clear is a preview highlighting a couple insights and is available to the public.

‍

A Dormant Palo Alto GlobalProtect RCE Returned to Active Exploitation

Analysis Period: June 29 to July 06, 2026

GreyNoise recorded a sharp resurgence in exploitation attempts against Palo Alto GlobalProtect CVE-2019-1579 (CISA KEV, unauthenticated RCE): only isolated activity through late June, then more than 120 malicious hosts on the evening of 06 July, almost all from a single hosting network. Separately, two coordinated hosting fleets ran the week's highest-volume web exploitation.

‍

By The Numbers:

  • GlobalProtect β€” Palo Alto KEV RCE (CVE-2019-1579) went from dormant to 120+ malicious hosts on 06 July.
  • CISA KEV β€” The resurgent GlobalProtect flaw is an unauthenticated RCE with public exploit code.
  • 100+ Hosts β€” Two coordinated hosting fleets ran the week's highest-volume web exploitation.
  • Credentials β€” The fleets' objective: harvesting exposed .env, Git, and cloud-config files.

‍

Preview Findings:

1. A Palo Alto GlobalProtect KEV flaw returned to active exploitation

CVE-2019-1579 (unauthenticated RCE, CISA KEV) drew more than 120 malicious hosts on 06 July after only isolated activity in late June, almost all from a single hosting network. Any internet-facing GlobalProtect portal on vulnerable firmware is in scope.
‍

2. Two coordinated hosting fleets ran the highest-volume activity

TECHOFF (AS48090, Netherlands) and Bucklog SARL (AS211590, France) together ran roughly 7.5 million connection attempts on a shared web-exploitation and credential-harvesting toolkit, with 129 hosts classified malicious and 30 suspicious. The CVEs are commodity; the coordination runs at provider scale.
‍

3. Credential harvesting was the fleets' objective

ENV Crawler, the automated hunt for exposed .env files, logged 4.76 million requests across the sensor network, with Git, cloud-config, and PHP-info file requests close behind. A config file that returns content yields working credentials with no exploitation required.
‍

4. Detection is behavioral

Across all of this week's activity, the source addresses rotate but the exploitation patterns and client fingerprints do not. Patch the GlobalProtect flaw, block the fleets at the network-block level, and detect on behavior rather than a static IP list.

‍

‍

Want the full brief?

GreyNoise customers get detailed briefs with complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations every week.

‍Request a demo to learn more about GreyNoise's data and intelligence.

‍

‍

‍

‍

‍

‍

‍

Read the transcript

‍

At The Edge is GreyNoise's weekly intelligence brief produced exclusively for customers incorporating complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations. At The Edge Clear is a preview highlighting a couple insights and is available to the public.

‍

A Dormant Palo Alto GlobalProtect RCE Returned to Active Exploitation

Analysis Period: June 29 to July 06, 2026

GreyNoise recorded a sharp resurgence in exploitation attempts against Palo Alto GlobalProtect CVE-2019-1579 (CISA KEV, unauthenticated RCE): only isolated activity through late June, then more than 120 malicious hosts on the evening of 06 July, almost all from a single hosting network. Separately, two coordinated hosting fleets ran the week's highest-volume web exploitation.

‍

By The Numbers:

  • GlobalProtect β€” Palo Alto KEV RCE (CVE-2019-1579) went from dormant to 120+ malicious hosts on 06 July.
  • CISA KEV β€” The resurgent GlobalProtect flaw is an unauthenticated RCE with public exploit code.
  • 100+ Hosts β€” Two coordinated hosting fleets ran the week's highest-volume web exploitation.
  • Credentials β€” The fleets' objective: harvesting exposed .env, Git, and cloud-config files.

‍

Preview Findings:

1. A Palo Alto GlobalProtect KEV flaw returned to active exploitation

CVE-2019-1579 (unauthenticated RCE, CISA KEV) drew more than 120 malicious hosts on 06 July after only isolated activity in late June, almost all from a single hosting network. Any internet-facing GlobalProtect portal on vulnerable firmware is in scope.
‍

2. Two coordinated hosting fleets ran the highest-volume activity

TECHOFF (AS48090, Netherlands) and Bucklog SARL (AS211590, France) together ran roughly 7.5 million connection attempts on a shared web-exploitation and credential-harvesting toolkit, with 129 hosts classified malicious and 30 suspicious. The CVEs are commodity; the coordination runs at provider scale.
‍

3. Credential harvesting was the fleets' objective

ENV Crawler, the automated hunt for exposed .env files, logged 4.76 million requests across the sensor network, with Git, cloud-config, and PHP-info file requests close behind. A config file that returns content yields working credentials with no exploitation required.
‍

4. Detection is behavioral

Across all of this week's activity, the source addresses rotate but the exploitation patterns and client fingerprints do not. Patch the GlobalProtect flaw, block the fleets at the network-block level, and detect on behavior rather than a static IP list.

‍

‍

Want the full brief?

GreyNoise customers get detailed briefs with complete IOCs, infrastructure attribution, detection guidance, and role-based recommendations every week.

‍Request a demo to learn more about GreyNoise's data and intelligence.

‍

‍

‍

‍

‍

‍

‍