ELLIO Blog https://ellio.tech/en/blog/ Threat research on reconnaissance and mass exploitation activity from ELLIO. Read the latest threat news and defense analysis. en-us Fri, 29 May 2026 08:30:24 GMT https://ellio.tech/logo/ELLIO_logo_white_selection.svg ELLIO Blog https://ellio.tech/en/blog/ Sanctioned, Seized, Still Scanning: Inside a Russian Bulletproof Hosting Network Targeting the EU https://ellio.tech/en/blog/sanctioned-seized-still-scanning-inside-a-russian-bulletproof-hosting-network-targeting-the-eu/ https://ellio.tech/en/blog/sanctioned-seized-still-scanning-inside-a-russian-bulletproof-hosting-network-targeting-the-eu/ On 18 May 2026, Dutch investigators seized more than 800 servers and broke up a hosting operation that prosecutors say powered Russian cyberattacks across the EU. We had spent the previous year watching the same network from the other side. After the seizure, the scanning did not stop. Wed, 27 May 2026 10:22:37 GMT ELLIO Threat Research Lab Digital network visualization with glowing blue and red connections overlaid with text "Sanctioned, Seized, Still Scanning - Inside a Russian Bulletproof Hosting Network Targeting the EU"

Read the full article

]]> New Integrations for Microsoft Sentinel and MISP https://ellio.tech/en/blog/new-integrations-for-microsoft-sentinel-and-misp/ https://ellio.tech/en/blog/new-integrations-for-microsoft-sentinel-and-misp/ ELLIO is expanding its threat intelligence ecosystem with two new integrations designed for SOC, detection engineering, and threat intelligence workflows: Microsoft Sentinel via TAXII 2.1 and a native MISP integration. Thu, 14 May 2026 07:57:55 GMT ELLIO Product Team ELLIO new integrations announcement featuring Microsoft Sentinel and MISP Threat Sharing logos on blue gradient background

Read the full article

]]> ELLIO expands with 10 new recon and scanner IP feeds https://ellio.tech/en/blog/ellio-expands-with-10-new-recon-and-scanner-ip-feeds/ https://ellio.tech/en/blog/ellio-expands-with-10-new-recon-and-scanner-ip-feeds/ ELLIO Threat Intelligence & Blocklist Automation has been updated with 10 new scanner and recon IP address feeds. This improves detection and control of scanning activity at the network perimeter, enabling more accurate allow and block rules without manual IP range management. Wed, 06 May 2026 08:51:26 GMT ELLIO Product Team ELLIO RECON IP Lists dashboard showing scanner IP counts from various security tools including Censys (600,784), Cortex Xpanse (4,611), BinaryEdge (2,279), and others with trend visualizations

Read the full article

]]> [watchdog]: Inside a Mirai variant with six-layer persistence https://ellio.tech/en/blog/watchdog-inside-a-mirai-variant-with-six-layer-persistence/ https://ellio.tech/en/blog/watchdog-inside-a-mirai-variant-with-six-layer-persistence/ An open directory is serving a Mirai variant across 14 CPU architectures - all updated yesterday. It kills competitors by SHA256 hash, persists through six layers, and hides as a kernel thread. Here's what's inside. Tue, 31 Mar 2026 11:00:00 GMT ELLIO Threat Research Lab ELLIO threat intelligence dashboard showing IP 178.16.53.51 flagged as malicious Mirai botnet from Amsterdam, with timeline of exploit attempts and port scanning activity detected between March 22-24, 2026.

Read the full article

]]> What Gets Deployed via Exposed Docker APIs https://ellio.tech/en/blog/what-gets-deployed-on-exposed-docker-apis/ https://ellio.tech/en/blog/what-gets-deployed-on-exposed-docker-apis/ Over 1,000 unique IPs scan for exposed Docker APIs every day. A fraction go further. We captured every container creation payload and classified them by monetization strategy. Thu, 26 Mar 2026 11:09:38 GMT ELLIO Threat Research Lab Screenshot of ELLIO threat intelligence interface showing malicious Docker API exploits from IPs 45.156.87.4 and 187.86.243.141, with security indicators and threat classification tags

Read the full article

]]> React2Shell Update: Custom Go L7 DDoS Botnet https://ellio.tech/en/blog/react2shell-update-custom-go-l7-ddos-botnet/ https://ellio.tech/en/blog/react2shell-update-custom-go-l7-ddos-botnet/ A single delivery IP has been exploiting React2Shell to distribute malware from an open directory. 31 binaries including a custom Go L7 DDoS botnet with Cloudflare token forgery, two Mirai variants across 13 CPU architectures, and a C2 server. Thu, 19 Mar 2026 13:18:56 GMT ELLIO Threat Research Lab ELLIO threat intelligence dashboard showing React2Shell activity across ports, countries, and time from Dec 2025 to Mar 2026 with color-coded heatmap visualization

Read the full article

]]> Analyze everything or move straight to network-level blocking? https://ellio.tech/en/blog/analyze-everything-or-move-straight-to-network-level-blocking/ https://ellio.tech/en/blog/analyze-everything-or-move-straight-to-network-level-blocking/ One IP. Four days. Nearly 900 user agents. Over 3,000 probes. Sometimes a single IP address tells you everything you need to know about how industrialized internet scanning has become. Mon, 16 Mar 2026 18:53:24 GMT ELLIO Community Team ELLIO threat intelligence dashboard showing IP 93.123.109.205 from Amsterdam marked as malicious, with MITRE ATT&CK tactics, CVE vulnerabilities, and various exploit detectors including Setup.php, Jenkins, and SQL injection

Read the full article

]]> Coordinated Credential-Stuffing Campaign Targets Palo Alto GlobalProtect Portals https://ellio.tech/en/blog/coordinated-credential-stuffing-campaign-targets-palo-alto-globalprotect-portals/ https://ellio.tech/en/blog/coordinated-credential-stuffing-campaign-targets-palo-alto-globalprotect-portals/ A coordinated credential-stuffing campaign hit GlobalProtect VPN portals with 8,575 IPs in 48 hours. Three attack waves, 78 targeted usernames, one password. Our team breaks down the timeline, infrastructure, fingerprints, and what defenders can do. Thu, 26 Feb 2026 22:00:00 GMT ELLIO Threat Research Lab Infographic showing February 2026 credential-stuffing attack on Palo Alto GlobalProtect: 8,575 unique IPs, 3 attack waves, 48-hour duration. ELLIO branding at bottom.

Read the full article

]]> "n8n" is the new "admin." https://ellio.tech/en/blog/n8n-is-the-new-admin/ https://ellio.tech/en/blog/n8n-is-the-new-admin/ On February 10, 2026, our deception network recorded "n8n" overtaking "admin" as the #2 most brute-forced SSH username. The campaign scaled from a handful of probing IPs to hundreds of unique sources in under a week, with attackers rapidly iterating through password variants. Wed, 11 Feb 2026 13:37:07 GMT Vlad Iliushin Line chart showing SSH brute force attack trends from Jan 12 - Feb 11, 2026, tracking unique attacking IPs per credential for usernames "root" (blue), "admin" (yellow), and "n8n" (red). Shows "n8n" surpassing "admin" as second most targeted.

Read the full article

]]> New Historical IP Timeline is live https://ellio.tech/en/blog/unveiling-the-new-historical-ip-timeline/ https://ellio.tech/en/blog/unveiling-the-new-historical-ip-timeline/ ELLIO Threat Intelligence Platform expands its capabilities with an interactive Historical IP Timeline, giving teams deep visibility into historical IP activity with flexible filtering and report-ready exports. Wed, 04 Feb 2026 08:00:00 GMT ELLIO Product Team Network security timeline dashboard showing activity patterns across countries from Oct 29 to Jan 28, with color-coded threat data by geography, fingerprints, HTTP paths and user agents

Read the full article

]]> React2Shell in the Wild: Payload Analysis, Active Campaigns, and IoCs https://ellio.tech/en/blog/react2shell-in-the-wild/ https://ellio.tech/en/blog/react2shell-in-the-wild/ The ELLIO sensor network has been tracking active exploitation of CVE-2025-55182 (React2Shell) in the wild. Here’s what we’re seeing. Fri, 05 Dec 2025 14:41:24 GMT ELLIO Threat Research Lab React2Shell vulnerability illustration

Read the full article

]]> From Scan to Exploit: Inside the Latest Cisco ASA/FTD Campaign https://ellio.tech/en/blog/from-scan-to-exploit-inside-the-latest-cisco-asa-ftd-campaign/ https://ellio.tech/en/blog/from-scan-to-exploit-inside-the-latest-cisco-asa-ftd-campaign/ From reconnaissance to exploitation in just 48 hours. See how 75 IPs executed surgical, one-hit attacks on Cisco ASA/FTD devices - and how to disappear from target lists. Wed, 26 Nov 2025 14:14:23 GMT ELLIO Threat Research Lab Hero image

Read the full article

]]> Every packet tells a story: The evolution of fingerprinting and netsec https://ellio.tech/en/blog/every-packet-tells-a-story-the-evolution-of-fingerprinting-and-netsec/ https://ellio.tech/en/blog/every-packet-tells-a-story-the-evolution-of-fingerprinting-and-netsec/ The journey began in 1969, when the very first RFC - Request for Comments - was published. Explore key milestones that shaped network security and the practice of network fingerprinting. Fri, 29 Aug 2025 10:26:11 GMT ELLIO Threat Research Lab Hero image

Read the full article

]]> Video: How to capture real value from network fingerprinting in practice https://ellio.tech/en/blog/video-how-to-capture-real-value-from-network-fingerprinting-in-practice/ https://ellio.tech/en/blog/video-how-to-capture-real-value-from-network-fingerprinting-in-practice/ Learn practical tips for deploying JA4, JA3, and MuonFP fingerprints in your security operations. Get expert insights from Vlad Iliushin and discover how to unlock their full defensive value. Mon, 16 Jun 2025 17:20:51 GMT ELLIO Threat Research Lab Hero image

Read the full article

]]> MITRE ATT&CK® framework now integrated into ELLIO Threat Platform https://ellio.tech/en/blog/platform-update-2025-06/ https://ellio.tech/en/blog/platform-update-2025-06/ Transform your threat investigations with the ELLIO Threat Intelligence Platform. Now with MITRE ATT&CK threat mapping and advanced fingerprint analysis. Wed, 11 Jun 2025 15:00:09 GMT ELLIO Threat Research Lab Hero image

Read the full article

]]> IP Blockling on FortiGate 7.2.0/7.4.0 using ELLIO https://ellio.tech/en/blog/ip-blockling-on-fortigate-7-2-0-7-4-0-using-ellio-2/ https://ellio.tech/en/blog/ip-blockling-on-fortigate-7-2-0-7-4-0-using-ellio-2/ This article gives you a simple, step-by-step guide to set up an external IP blocklist and firewall rules on FortiGate 7.2.0/7.4.0. Discover why adding advanced ELLIO Blocklists to your FortiGate v. 7.2.0/7.4.0 is a great way to boost its protection, and how easy it is to set up. Wed, 04 Dec 2024 15:36:31 GMT ELLIO Threat Research Lab Hero image

Read the full article

]]> IP Blocking vs TCP Fingerprint Blocking: How to Use and Combine Them https://ellio.tech/en/blog/ip-blocking-vs-tcp-fingerprint-blocking-how-to-use-and-combine-them/ https://ellio.tech/en/blog/ip-blocking-vs-tcp-fingerprint-blocking-how-to-use-and-combine-them/ Learn how combining Threat Intelligence-based IP blocking and TCP fingerprinting enhances network security by disrupting attacker reconnaissance. Mon, 14 Oct 2024 15:10:30 GMT Vlad Iliushin ELLIO Threat Research Lab Hero image

Read the full article

]]> Managing blocklists using a central platform (part 3) https://ellio.tech/en/blog/managing-blocklists-using-a-central-platform-part-3/ https://ellio.tech/en/blog/managing-blocklists-using-a-central-platform-part-3/ Learn how SOCs, NOCs and MSSPs are leveraging centralized blocklist management to reduce false positives and simplify security management. Wed, 09 Oct 2024 07:23:03 GMT ELLIO Threat Research Lab Hero image

Read the full article

]]> Managing blocklists using a central platform (part 2) https://ellio.tech/en/blog/managing-blocklists-using-a-central-platform-part-2/ https://ellio.tech/en/blog/managing-blocklists-using-a-central-platform-part-2/ Explore 8 essential steps for building and deploying effective IP blocklists with the Blocklist Management Platform. Mon, 07 Oct 2024 06:56:56 GMT ELLIO Threat Research Lab Hero image

Read the full article

]]> Managing blocklists using a central platform (part 1) https://ellio.tech/en/blog/managing-blocklists-using-a-central-platform-part-1/ https://ellio.tech/en/blog/managing-blocklists-using-a-central-platform-part-1/ Learn how blocklist management platforms empower SOCs and NOCs. Streamline processes, minimize errors, and enhance network security. Thu, 03 Oct 2024 18:22:45 GMT ELLIO Threat Research Lab Hero image

Read the full article

]]> ELLIO IP Blocklist for Check Point NGFW: 3 million unwanted connections blocked in 45 days  https://ellio.tech/en/blog/ellio-blocklist-for-check-point-ngfw-3-million-unwanted-connections-blocked-in-45-days/ https://ellio.tech/en/blog/ellio-blocklist-for-check-point-ngfw-3-million-unwanted-connections-blocked-in-45-days/ Follow this step-by-step guide to set up IP blocking on Check Point firewalls using ELLIO Blocklists, enhancing your network protection. This tutorial provides a quick and easy way to get ELLIO up and running on your Check Point NGFW within minutes, including how to test it using free trial ... Thu, 19 Sep 2024 13:41:34 GMT ELLIO Threat Research Lab Hero image

Read the full article

]]> ELLIO for IP blocking on OPNsense https://ellio.tech/en/blog/ellio-for-ip-blocking-on-opnsense/ https://ellio.tech/en/blog/ellio-for-ip-blocking-on-opnsense/ A practical guide how to quickly set up IP blocking on OPNsense firewall by using advanced ELLIO IP blocklists for filtering active malicious IP addresses. Fri, 02 Aug 2024 13:13:36 GMT ELLIO Threat Research Lab Hero image

Read the full article

]]> IP blocking on pfSense using ELLIO  https://ellio.tech/en/blog/ip-blocking-on-pfsense-using-ellio/ https://ellio.tech/en/blog/ip-blocking-on-pfsense-using-ellio/ Explore how to set up IP filtering on pfSense, an open-source firewall/router solution, in just a few minutes, and discover why you should use advanced IP blocklists from ELLIO for this purpose. Thu, 25 Jul 2024 14:44:30 GMT ELLIO Threat Research Lab Hero image

Read the full article

]]>