Headline numbers
The fleet recorded 200,000 events from 931 distinct IPs across the seven-day window ending 2026-06-15. That event-to-IP ratio — roughly 215 events per source — is driven almost entirely by a small number of high-frequency senders rather than broad population growth. Of the 931 active IPs, 3,205 were flagged as novel (first-seen) during the period, suggesting the active set turned over substantially relative to the IPs that generated bulk volume.
Dropper delivery was attempted 18 times. Of 97 unique samples observed, 2 were confirmed malicious by community AV engines; 83 distinct dropper URLs or delivery mechanisms were catalogued. The low confirmation rate (roughly 2%) likely reflects either very fresh samples not yet indexed by community signatures or deliberate obfuscation.
Edge-device targets
Edge-device targeting was sparse this week. The leaderboard shows only two vendor categories each receiving a single event from a single source: soho-router and jira. Neither constitutes a campaign-level signal on its own, but both are perennially abused target classes worth continued tracking. The near-absence of edge-device probing in this window is itself notable — it may indicate the scanning infrastructure observed here is oriented toward bulk port enumeration rather than targeted exploitation of specific appliance classes.
On the CVE side, cve-2022-22947 (Spring Cloud Gateway SPEL RCE) appeared 4 times from a single source, and cve-2013-5122 appeared once. The Spring Gateway probe is a well-documented post-authentication code execution path that continues to see opportunistic probing years after patching advisories were published; any internet-exposed Spring Cloud Gateway instance that has not been patched should be treated as compromised. The 2013 CVE appearing in fresh scanning traffic is a reminder that ancient vulnerability checks persist in commodity scanner toolkits indefinitely.
Probe families
syn-only probes dominated the week at 165,628 events — 82.8% of total volume — sourced from 420 distinct IPs. This family represents pure TCP SYN packets that never complete a handshake, consistent with large-scale port enumeration or availability mapping rather than active exploitation. It is the structural noise floor against which all other signal should be read.
The second-largest family, unknown (9,243 events, 205 IPs), covers payloads that did not match any classified signature. This is a useful catch-all but warrants closer inspection: 205 source IPs generating novel or unclassified payloads is a non-trivial research surface.
rdp probes (788 events, 47 IPs) ranked third, continuing the chronic background pressure against exposed Remote Desktop endpoints. Database reconnaissance was split across postgres (292 events, 27 IPs), mongodb (225 events, 41 IPs), and mssql (123 events, 69 IPs). The mssql family is notable for its relatively high distinct-IP count (69) versus event count (123), suggesting a wide but shallow scan — many sources each making only one or two probes, which is characteristic of distributed internet-wide scanning tooling.
tls-on-nontls (154 events, 98 IPs) and http-on-nonstd (120 events, 75 IPs) both show high IP diversity relative to event count, consistent with scanners probing for misconfigured or protocol-confused services. memcached probes (19 events, 16 IPs) remain a low-volume but persistent fixture, likely opportunistic checks for unauthenticated cache instances usable for amplification or data theft.
Geographic hotspots
US-registered infrastructure generated 171,938 events from 343 IPs — 86% of total volume. AS14061 (DigitalOcean) alone accounts for 172,316 events from just 76 IPs, meaning fewer than 8% of US-origin IPs drove essentially all US-origin volume. This extreme concentration in a single commercial cloud ASN is a recurring pattern; cloud infrastructure offers cheap, ephemeral addressing well-suited to sustained high-rate scanning.
China-registered addresses (CN + HK combined: 10,063 events, 140 IPs) form the second-largest cluster. AS134420 (China Telecom Chongqing IDC) contributed 4,085 events from a single IP, and AS4812 (China Telecom Group Shanghai) added 2,169 events from 3 IPs — both high per-IP rates. Singapore (SG, 5,119 events, 29 IPs) continues to appear as a regional transit and hosting hub for scanning traffic. Russia (RU, 1,788 events, 18 IPs) and Iran (IR, 1,037 events, 17 IPs) round out the top tier. Bolivia (BO, 1,436 events, 1 IP) and Guatemala (GT, 1,026 events, 1 IP) each contributed via a single high-volume source — likely compromised or rented infrastructure within AS25620 (COTAS LTDA.) and AS14754 (TELECOMUNICACIONES DE GUATEMALA) respectively.
Malware corpus
97 samples were collected during the window. Community AV engines flagged 2 as malicious. 83 distinct dropper mechanisms were observed across 18 delivery attempts, implying that most delivery attempts used unique or lightly varied staging infrastructure — a common anti-detection practice. The gap between dropper attempts (18) and distinct droppers (83) suggests some delivery chains staged multiple payloads or used redirect chains before reaching a terminal binary. Defenders should prioritise detection of the delivery mechanism rather than relying on hash-based matching for samples in this corpus.