
Blog

Threat/Vulnerability News

ELLIO threat intelligence dashboard showing IP 178.16.53.51 flagged as malicious Mirai botnet from Amsterdam, with timeline of exploit attempts and port scanning activity detected between March 22-24, 2026.
#Scanning
Threat/Vulnerability News

[watchdog]: Inside a Mirai variant with six-layer persistence

An open directory is serving a Mirai variant across 14 CPU architectures - all updated yesterday. It kills competitors by SHA256 hash, persists through six layers, and hides as a kernel thread. Here's what's inside.

ELLIO Threat Research Lab
Screenshot of ELLIO threat intelligence interface showing malicious Docker API exploits from IPs 45.156.87.4 and 187.86.243.141, with security indicators and threat classification tags
#CVE #Scanning
Threat/Vulnerability News

What Gets Deployed via Exposed Docker APIs

Over 1,000 unique IPs scan for exposed Docker APIs every day. A fraction go further. We captured every container creation payload and classified them by monetization strategy.

ELLIO Threat Research Lab
ELLIO threat intelligence dashboard showing React2Shell activity across ports, countries, and time from Dec 2025 to Mar 2026 with color-coded heatmap visualization
#CVE
Threat/Vulnerability News

React2Shell Update: Custom Go L7 DDoS Botnet

A single delivery IP has been exploiting React2Shell to distribute malware from an open directory. 31 binaries including a custom Go L7 DDoS botnet with Cloudflare token forgery, two Mirai variants across 13 CPU architectures, and a C2 server.

ELLIO Threat Research Lab
ELLIO threat intelligence dashboard showing IP 93.123.109.205 from Amsterdam marked as malicious, with MITRE ATT&CK tactics, CVE vulnerabilities, and various exploit detectors including Setup.php, Jenkins, and SQL injection
#Network Fingerprints #Scanning #IP Blocking
Threat/Vulnerability News

Analyze everything or move straight to network-level blocking?

One IP. Four days. Nearly 900 user agents. Over 3,000 probes. Sometimes a single IP address tells you everything you need to know about how industrialized internet scanning has become.

ELLIO Community Team
Infographic showing February 2026 credential-stuffing attack on Palo Alto GlobalProtect: 8,575 unique IPs, 3 attack waves, 48-hour duration. ELLIO branding at bottom.
#CVE #Network Fingerprints
Threat/Vulnerability News

Coordinated Credential-Stuffing Campaign Targets Palo Alto GlobalProtect Portals

A coordinated credential-stuffing campaign hit GlobalProtect VPN portals with 8,575 IPs in 48 hours. Three attack waves, 78 targeted usernames, one password. Our team breaks down the timeline, infrastructure, fingerprints, and what defenders can do.

ELLIO Threat Research Lab
Line chart showing SSH brute force attack trends from Jan 12 - Feb 11, 2026, tracking unique attacking IPs per credential for usernames "root" (blue), "admin" (yellow), and "n8n" (red). Shows "n8n" surpassing "admin" as second most targeted.
Threat/Vulnerability News

"n8n" is the new "admin."

On February 10, 2026, our deception network recorded "n8n" overtaking "admin" as the #2 most brute-forced SSH username. The campaign scaled from a handful of probing IPs to hundreds of unique sources in under a week, with attackers rapidly iterating through password variants.

Vlad Iliushin
#CVE
Threat/Vulnerability News

React2Shell in the Wild: Payload Analysis, Active Campaigns, and IoCs

The ELLIO sensor network has been tracking active exploitation of CVE-2025-55182 (React2Shell) in the wild. Here’s what we’re seeing.

ELLIO Threat Research Lab
#CVE
Threat/Vulnerability News

From Scan to Exploit: Inside the Latest Cisco ASA/FTD Campaign

From reconnaissance to exploitation in just 48 hours. See how 75 IPs executed surgical, one-hit attacks on Cisco ASA/FTD devices - and how to disappear from target lists.

ELLIO Threat Research Lab