Headline numbers
BoarNet sensors recorded 200,000 events across the fleet during the seven-day window ending 2026-07-06, sourced from 973 distinct IPs. A separate novel_ip_count of 1,373 indicates that the set of first-time-seen addresses actually exceeds the distinct-IP count for the week — a bookkeeping artefact that reflects how novel-IP accounting spans a longer historical baseline than the single-week distinct-IP deduplication window. The practical implication is that the majority of active senders this week had not appeared in prior fleet memory.
The most striking structural feature of the week is extreme AS-level concentration. AS14061 (DIGITALOCEAN-ASN) produced 162,412 events — 81.2% of all traffic — from only 79 distinct IPs, giving a per-IP average of roughly 2,056 events. That ratio is consistent with a small number of high-rate scanning hosts rather than a broad distributed sweep. No prior-week baseline is available for comparison, but the magnitude warrants monitoring for persistence into next week.
Edge-device targets
Edge-device targeting was minimal this week. The soho-router vendor tag attracted just 3 events from 3 distinct IPs, and the CVE leaderboard shows only two entries: CVE-2018-10561 and CVE-2013-5122, each touched by a single IP generating a single event. CVE-2018-10561 is a well-documented authentication-bypass affecting certain GPON home routers; CVE-2013-5122 targets an older embedded-device management interface. The fact that both appear at floor-level volume (1 event each) suggests opportunistic one-off probes rather than coordinated exploitation campaigns. There is no evidence this week of sustained edge-device exploitation pressure.
Probe families
The syn-only family dominates the session-layer breakdown at 161,603 events across 406 IPs, representing 80.8% of total events. These are SYN packets that never complete a handshake — consistent with port-availability surveys, reflector discovery, or load-balanced amplification target enumeration. The unknown family follows at 9,966 events from 230 IPs; these are sessions that completed a handshake but sent payloads the classifier could not match to a known protocol fingerprint.
Among identified application-layer families, rdp leads at 1,240 events from 67 IPs, consistent with persistent background RDP credential-stuffing activity seen across the industry. Database-service probing is spread across multiple families: mongodb (223 events, 48 IPs), postgres (129 events, 28 IPs), mssql (109 events, 67 IPs), and memcached (25 events, 21 IPs). The tls-on-nontls family — TLS ClientHello sent to non-TLS ports — recorded 209 events from 138 IPs, the widest per-family IP spread after syn-only and unknown, suggesting broad automated tooling that blindly wraps connections in TLS regardless of destination port. http-on-nonstd showed 161 events from 96 IPs with a similarly wide IP distribution.
Geographic hotspots
US-geolocated sources account for 166,608 events from 331 IPs — 83.3% of total volume — largely driven by the AS14061 concentration noted above. US cloud-provider ASNs are the dominant origin because they offer cheap, disposable compute with minimal egress friction.
Beyond the US, CN-geolocated sources generated 6,191 events from 80 IPs across several ASNs including AS4134 (CHINANET-BACKBONE, 1,303 events, 21 IPs). GB and SG follow at 5,255 and 4,731 events respectively. Two single-IP, single-ASN sources stand out for their event intensity relative to IP count: AS137535 (JTIP-AS-AP, SG, 5,227 events from 1 IP) and AS211590 (BUCKLOG, 3,000 events from 1 IP). EG sources produced 3,609 events from only 4 IPs, heavily influenced by AS8452 (TE-AS, 3,608 events, 3 IPs). TN contributed 2,016 events from 1 IP, entirely attributable to AS327934 (Tunisie-Telecom). High per-IP event rates from single addresses in multiple ASNs are consistent with scripted scanning tools running to completion rather than rate-limited crawls.
Malware corpus
The dropper pipeline processed 28 attempted dropper fetches this week. Of those, 4 unique samples were recovered and submitted for community AV evaluation; all 4 were flagged as malicious by community AV engines. The 4 samples came from 2 distinct dropper infrastructure hosts, suggesting at least two independent delivery chains active during the window. Sample volume is low in absolute terms but the 100% malicious-confirmation rate on recovered artifacts indicates the pipeline is not picking up false-positive noise. Defenders operating edge devices or internet-facing Linux hosts should ensure outbound fetch restrictions (curl, wget, tftp) are in place to interrupt stage-two retrieval, as dropper attempts remain a consistent if low-volume presence across BoarNet collection windows.