
GreyNoise analyzes Internet background noise. Use GreyNoise to remove pointless security alerts, find compromised devices, or identify emerging threats.

(Yes, it's really us. - Love, GreyNoise )

GreyNoise is proud to be sponsoring the CrowdStrike CrowdTour across 8 cities! We’re excited to highlight how our integration with Falcon Next-Gen SIEM helps SOC teams stop chasing ghosts and start catching real threats.

If you’re attending a tour stop or local to the area, let’s connect to chat about:
- Validating your perimeter in real time.
- Protecting the identity layer from brute-force scanners.
- Filtering out background noise to focus on high-fidelity alerts.

👇 Book a meeting with us here:
https://info.greynoise.io/crowdtour-2026-meet

Last week, half of all new scanning IPs observed by GreyNoise geolocated to Hong Kong.

A quarter-million of them never completed a TCP handshake.

The ones that did were scanning MySQL, SSH, SMB, and RDP across 20+ countries.

One of these is the signal. The other is noise.
🔗 https://www.greynoise.io/blog/ghost-fleet-half-new-scanning-ips-geolocated-to-hong-kong

200,886,675 sessions. 101 unique source IPs. March 16–23, 2026.

GreyNoise At The Edge intelligence brief highlights:

1. The MEVSPACE RDP brute-force operator returned after a 99.8% infrastructure collapse — single IP generated 7,975,241 sessions before deliberately withdrawing after 4 days. GreyNoise has tracked a surge-withdraw-reconstitute cycle since January 2026, reinforcing that well-resourced operators can reconstitute capacity within days.

2. Two coordinated campaigns emerged: VPSVAULT.HOST (IoT worm weaponizing 21+ CVEs against 12+ manufacturers) and Omegatech (TLS fingerprint randomization with 5,854 unique JA3s per node).

3. Sophos CVE-2022-1040 exploitation stabilized at 638,654 sessions in its fifth consecutive week. Enterprise VPN credential pressure reached week 9 across five vendors with 2.9M+ combined sessions.

4. n8n CVE-2026-21858 (CVSS 10.0) reached 118,086 sessions with links to MuddyWater and ZeroBot. ICS/SCADA reconnaissance expanded with new HMI and PLC vulnerabilities trending.

🔗 https://www.greynoise.io/resources/at-the-edge-clear-032326

#ThreatIntel #CyberSecurity #InfoSec #GreyNoise

New GreyNoise At The Edge brief: The internet's scanning infrastructure is reorganizing.

UCLOUD (HK) surged +578% to become the #1 scanning ASN — now 15.6% of all observed traffic. Western providers declining simultaneously.

301.8M sessions. 439K IPs. Here's what we found.

🔗 https://www.greynoise.io/resources/at-the-edge-clear-031626

Starting at the top of the hour! 🚨

Hope to see you there to break down all things State of the Edge with @morris @hrbrmstr + Nishawn!

There's still time to register 👉 https://info.greynoise.io/webinar/state-of-the-edge-2026

TOMORROW! 🚨 Join us for a fast-paced dive into the 2026 GreyNoise State of the Edge Report...from rogue residential botnets to 26-year-old CVEs still getting hammered. Save your spot and see what’s actually hitting the edge.
🔗 https://info.greynoise.io/webinar/state-of-the-edge-2026

Hey London! We are closing down day 1 at #ecrimecongress today + can't wait to see you tomorrow! If you're around, say hi to the team, watch a demo, and grab some great swag! 🔥

Here's a taste of what GreyNoise customers got in this week's At The Edge intelligence brief.

268M sessions. 540K unique IPs. Four findings that matter.

→ Sophos CVE-2022-1040 surged 435% — second consecutive week
→ 9.1M RDP sessions from two IPs, one JA4T fingerprint
→ VPN siege Week 6 — vendors rotating after our published analysis
→ Scanning landscape collapsed. Enterprise campaigns didn't.

Full brief: IOCs, attribution, recommendations.

🔗 https://www.greynoise.io/resources/at-the-edge-clear-030226

greynoise.io/contact

GreyNoise observed a coordinated campaign probing SonicWall firewalls to identify which devices have SSL VPN enabled — the prerequisite step before credential attacks. Four infrastructure clusters, a commercial proxy service rotating thousands of IPs, and near-zero exploitation. This is target mapping.

🔗 https://www.greynoise.io/blog/active-reconnaissance-campaign-targets-sonicwall-firewalls-through-commercial-proxy-infrastructure

This week's At the Edge: CLEAR is out — a preview of the intel brief GreyNoise customers get every week.

🔗 https://www.greynoise.io/resources/at-the-edge-clear-021626

That's just the preview. greynoise.io/contact

#ThreatIntel #CyberSecurity #GreyNoise