Headline numbers
The fleet recorded exactly 200,000 events from 1,032 distinct IPs during the seven-day window ending 2026-05-04. A separate count of 2,648 novel IPs appearing for the first time this week suggests the broader scanning population is larger than the active-session view implies — many sources fired once and moved on. The ratio of events to distinct IPs (roughly 194:1 on average) is heavily skewed by a handful of infrastructure ASNs pushing repetitive SYN traffic, which is discussed below.
No CVE-specific probes were logged this week, and the edge-device targeting leaderboard registered only minimal activity. The story this week is volume concentration: a small number of hosts generating disproportionate event counts.
Edge-device targets
Edge-device targeting was effectively absent. The leaderboard shows only the soho-router vendor tag, with just 2 events from 2 distinct IPs — noise-floor territory. The absence of CVE entries in top_cves reinforces this: no structured exploitation attempts against named appliance vulnerabilities cleared the logging threshold. Practitioners running Palo Alto GlobalProtect, Ivanti, or similar perimeter products should not read this as a signal of reduced attacker interest; it more likely reflects the specific sink-port composition of the BoarNet fleet this week.
Probe families
The dominant probe family is syn-only at 192,570 events across 770 IPs, representing 96.3% of all traffic. These are TCP SYNs with no follow-up at the point where the handshake would complete — classic bulk reachability enumeration or port-sweep activity with no application-layer payload. The remaining 3.7% is where the operational detail lives.
The unknown family accounts for 2,805 events from 113 IPs — payloads that completed a connection but did not match any decoder. This is the highest distinct-IP count among full-session families, suggesting it captures a long tail of bespoke or obfuscated tools rather than a single scanner.
Database surfaces continue to attract consistent interest. postgres logged 162 events from 10 IPs; mongodb logged 97 events from 36 IPs; mssql produced 44 events from 33 IPs. The MongoDB ratio (97 events, 36 IPs) indicates many independent scanners each making a small number of attempts, while the PostgreSQL distribution (162 events, only 10 IPs) suggests more focused or scripted tooling.
rdp registered 231 events from 16 IPs — a relatively high per-IP event rate that is consistent with credential-stuffing rather than one-shot enumeration. adb (Android Debug Bridge) showed 78 events concentrated across just 4 IPs, indicating a small number of tools actively seeking exposed Android devices on the fleet's ADB sink.
http-on-nonstd (159 events, 51 IPs) and tls-on-nontls (111 events, 58 IPs) both show high IP diversity relative to event count, meaning many different sources are probing non-standard ports for HTTP or wrapping TLS where plaintext is expected — a common fingerprinting technique for load balancers, proxies, and misconfigured services.
Geographic hotspots
US-geolocated infrastructure led decisively with 78,652 events from 216 IPs. Germany followed at 32,550 events / 42 IPs, and Great Britain at 19,956 events / 37 IPs. Sweden stands out as an outlier: 11,398 events from only 3 IPs — the highest per-IP event density in the country leaderboard and almost certainly a single hosting cluster.
Singapore shows the opposite pattern: 8,661 events from 150 IPs, a relatively low per-IP rate that aligns with the diverse cloud and VPS market in the APAC region. Vietnam (AS38733, CMC Telecom) contributed 5,689 events from a single IP, pointing to an automated scanner running from a local ISP address rather than a cloud host.
It is worth repeating the standard caveat: geolocation of hosting-ASN addresses reflects the registered location of the infrastructure, not the operator's origin.
ASN concentration
The top-ASN leaderboard reveals pronounced volume concentration with very few IPs. AS14061 (DigitalOcean) generated 36,799 events from 58 IPs — the largest raw event count. AS51167 (Contabo) produced 31,377 events from only 17 IPs, and AS31898 (Oracle Cloud) contributed 12,659 events from just 3 IPs. Most striking is AS204615 (IPFIB-AS), which delivered 11,280 events from a single IP — the highest single-host event count in the dataset and worth flagging to that ASN's abuse contact.
Similarly, AS142594 (SpeedyPage), AS146943 (Tier 4 Cloud), AS51852 (PLI-AS), and AS38733 (CMC Telecom) each produced thousands of events from one IP apiece. This pattern — high-volume, single-IP sources spread across many small hosting providers — is consistent with rented VPS infrastructure used for scanning.
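The skew described above can be quantified from the figures in this report. The following is an added example, not BoarNet tooling: it computes how much of the week's volume the four ASNs with stated counts account for, and the per-IP mean once they are set aside. It assumes those ASNs' IPs are disjoint and all fall within the 1,032 distinct IPs; the 10x flagging factor is a hypothetical threshold.

```python
from dataclasses import dataclass

# Fleet totals and ASN rows as stated in this report.
TOTAL_EVENTS = 200_000
TOTAL_IPS = 1_032
FLAG_FACTOR = 10  # hypothetical: flag ASNs at >= 10x the fleet-wide per-IP mean


@dataclass(frozen=True)
class Row:
    label: str
    events: int
    ips: int

    @property
    def per_ip(self) -> float:
        return self.events / self.ips


ASN_ROWS = [
    Row("AS14061 DigitalOcean", 36_799, 58),
    Row("AS51167 Contabo", 31_377, 17),
    Row("AS31898 Oracle Cloud", 12_659, 3),
    Row("AS204615 IPFIB-AS", 11_280, 1),
]


def concentration(rows, total_events=TOTAL_EVENTS, total_ips=TOTAL_IPS):
    """Share of events and IPs held by `rows`, plus per-IP means.

    Assumes the rows are disjoint subsets of the fleet-wide IP set.
    """
    ev = sum(r.events for r in rows)
    ips = sum(r.ips for r in rows)
    return {
        "event_share": ev / total_events,
        "ip_share": ips / total_ips,
        "fleet_mean": total_events / total_ips,
        "residual_mean": (total_events - ev) / (total_ips - ips),
    }


def flag_dense(rows, factor=FLAG_FACTOR):
    """Rows whose per-IP rate is >= factor x fleet mean, densest first."""
    cutoff = factor * TOTAL_EVENTS / TOTAL_IPS
    return sorted((r for r in rows if r.per_ip >= cutoff),
                  key=lambda r: r.per_ip, reverse=True)
```

On these figures the four ASNs hold about 46% of events from under 8% of IPs, and the per-IP mean for everything else drops from roughly 194 to roughly 113.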
Malware corpus
13 dropper attempts were observed during the week. The malware corpus logged 15 samples with 18 distinct dropper URLs or mechanisms identified. Of the 15 samples, 0 were confirmed malicious by community AV engines — meaning all 15 either failed to execute, were unknown to the AV collective at time of submission, or were benign artifacts caught by heuristic triggers. The discrepancy between 18 distinct droppers and 15 samples suggests some dropper infrastructure was seen attempting delivery without a retrievable payload, or that multiple dropper paths resolved to the same binary. No classification names are reported in accordance with redistribution policy.