hrbrmstr πŸ‡ΊπŸ‡¦ πŸ‡¬πŸ‡± πŸ‡¨πŸ‡¦ πŸ³οΈβ€πŸŒˆ's Avatar

hrbrmstr πŸ‡ΊπŸ‡¦ πŸ‡¬πŸ‡± πŸ‡¨πŸ‡¦ πŸ³οΈβ€πŸŒˆ

@hrbrmstr.dev

a.k.a. boB Rudis β€’ πŸ‡ΊπŸ‡¦ Pampa β€’ Don't look at me…I do what he doesβ€”just slower. #rstats #js #duckdb #goavuncularβ€’πŸ‘¨β€πŸ³β€’βœοΈβ€’ πŸ’€β€’ Varaforseti Γ­ GΓΆgn VΓ­sindi @ GreyNoise β€’ 47-watch.com β€’ https://stormwatch.ing β€’ https://dailydrop.hrbrmstr.dev β€’ Maine🦞

3,152
Followers 747
Following 5,553
Posts 28.06.2023
Joined
Posts Following

Latest posts by hrbrmstr πŸ‡ΊπŸ‡¦ πŸ‡¬πŸ‡± πŸ‡¨πŸ‡¦ πŸ³οΈβ€πŸŒˆ @hrbrmstr.dev

(saw this in RSS) I've had various Ollama models write CLAUDE[.]md and skills, and also had minimax m2.1 (which is just amaze) do it and they're all pretty good at it.

05.02.2026 14:01 πŸ‘ 2 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

The infrastructure ties back to established CVE exploitation operations.

h/t to Defused for their report as well: xcancel.com/DefusedC...

www.greynoise.io/blo...
2/2

08.01.2026 19:59 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Preview
Threat Actors Actively Targeting LLMs Our Ollama honeypot infrastructure captured 91,403 attack sessions between October 2025 and January 2026. Buried in that data: two distinct campaigns that reveal how threat actors are systematically mapping the expanding surface area of AI deployments.

New research: Threat actors are actively mapping LLM infrastructure.

Our Ollama honeypots captured 91K+ attack sessions. One campaign systematically probed 73+ model endpointsβ€”GPT-4o, Claude, Llama, Gemini, and moreβ€”across 80K sessions in 11 days.

www.greynoise.io/blo...
1/2

08.01.2026 19:59 πŸ‘ 3 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

If your systems were hit during this window, the vulnerability data may already be for sale.

Links to IoCs are in the post.
4/4

08.01.2026 15:00 πŸ‘ 0 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

* The IAB Model: This wasn't a direct hit; it was a "restocking" of the Initial Access Broker market.
* Infrastructure: The activity originated from a suspicious hosting provider (CTG Server Limited) with a history of phishing and abuse.
3/4

08.01.2026 15:00 πŸ‘ 0 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

A single operator systematically scanned the internet, testing 240+ different exploits to build a fresh inventory for 2026 ransomware attacks.

Key Takeaways:

* Timing is everything: Attackers used the holiday skeleton crew window to scan unimpeded for 4 days.
2/4

08.01.2026 15:00 πŸ‘ 0 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
Preview
The Ransomware Ground Game: How A Christmas Scanning Campaign Will Fuel 2026 Attacks Over four days in December, one operator scanned the internet with 240+ exploits, logging confirmed vulnerabilities that could power targeted intrusions in 2026.

That which was originally a private customer threat intel share in our weekly At The Edge reports is now a public blog post!

www.greynoise.io/blo...

This is a deep dive into a massive reconnaissance campaign that unfolded between December 25–28.
1/4

08.01.2026 15:00 πŸ‘ 1 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

#macOS folks!!

Today is a *great* day to:

```bash
brew update && brew upgrade && brew cleanup && brew doctor
```

then:

```bash
brew bundle dump --file=~/Brewfile --describe --force
```

to create a `Brewfile` you can use to "quickly" restore the Homebrew bits that you rely on.

01.01.2026 17:09 πŸ‘ 11 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

archive.ph/cPlPK

26.12.2025 21:48 πŸ‘ 4 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

I ran it when I got to #2.1/#2.2's house and hopefully the networks you visit will be equally as clean.

Lifehacker does a bang-up job explaining it, too.

NPR has some more background on this new type of consumer exposure, too.

www.npr.org/2025/11/...
2/2

22.12.2025 18:33 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
GreyNoise Check all green!

GreyNoise Check all green!

πŸ™πŸ½ Lifehacker for introducing GreyNoise Check to a broader population!

πŸ‘‰ lifehacker.com/tech/...

If you haven't used GreyNoise Check β€” check.labs.greynoise.io β€” this is the perfect time to do so, especially if you're visiting friends/fam over the holidays.
1/2

22.12.2025 18:33 πŸ‘ 1 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
Preview
React2Shell Payload Analysis: A Look at Selected Opportunistic and Possibly AI-"Enhanced" Probes and Attacks Over the past ~1.5 weeks, the React2Shell campaign has unleashed a flood of exploitation attempts targeting vulnerable React Server Components. Analyzing the payload size distribution across these attacks reveals a clear fingerprint of modern cybercrime, and a landscape dominated by automated scanners with a handful of sophisticated outliers.

I also took the opportunity to make fun of some very incompetent attackers.

Hey, if they can attack, so can I!

www.greynoise.io/blo...
3/3

17.12.2025 15:57 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

We've captured over 50K (some, barely) "unique" #React2Shell payloads, and a few caught our eye as potentially being some of the more nascent "AI"-created or enhanced ones.

We took the opportunity to dig into five of them and see what makes them tick.

2/3

17.12.2025 15:56 πŸ‘ 3 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
Preview
React2Shell Payload Analysis: A Look at Selected Opportunistic and Possibly AI-"Enhanced" Probes and Attacks Over the past ~1.5 weeks, the React2Shell campaign has unleashed a flood of exploitation attempts targeting vulnerable React Server Components. Analyzing the payload size distribution across these attacks reveals a clear fingerprint of modern cybercrime, and a landscape dominated by automated scanners with a handful of sophisticated outliers.

"There's Payloads, And Then There's pAIloads: A Look At Selected Opportunistic (And Possibly AI-"Enhanced") React2Shell Probes and Attacks"

www.greynoise.io/blo...
1/3

17.12.2025 15:56 πŸ‘ 4 πŸ” 1 πŸ’¬ 1 πŸ“Œ 0
Video thumbnail

Just in: Watch #React2Shell exploitation unfold over time in the map below (geo of source IPs attempting to exploit CVE-2025-55182).

#GreyNoise #ThreatIntel #CVE202555182 #Nextjs #Cybersecurity

11.12.2025 15:51 πŸ‘ 8 πŸ” 4 πŸ’¬ 0 πŸ“Œ 1
Preview
React2Shell Side Quest: Tracking Down Malicious MeshCentral Nodes – GreyNoise Labs While spelunking through React2Shell initial access payloads, MeshCentral entered the building, so we decided to see just how Mesh-y GreyNoise Data Is

Whilst spelunking through React2Shell traffic and associated initial access payloads, I came across a late-to-the party attacker attempting to deploy a MeshCentral agent for C2. Thanks to Censys, we poked a bit harder, and boy howdy are we on the precipice of a real mes[hs].

09.12.2025 16:42 πŸ‘ 3 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

This is textbook opportunistic exploitationβ€”not novel, but serious. These campaigns lead to credential theft, cryptomining, ransomware staging, & access brokering.

Patch if you haven't. DO NOT RELY ON WAFs ALONE.

Block IPs using GN feeds & monitor for IoCs in the post.
3/3

05.12.2025 14:39 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

What we're seeing:

Automation-heavy traffic (Go clients, scanner UAs)

PoE validation via PowerShell math commands

Encoded stagers downloading secondary payloads

AMSI bypass attempts via reflection

~50% of IPs first seen in December 2025

Early migration into Mirai botnets
2/3

05.12.2025 14:39 πŸ‘ 1 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
Preview
CVE-2025-55182 (React2Shell) Opportunistic Exploitation In The Wild: What The GreyNoise Observation Grid Is Seeing So Far GreyNoise is already seeing opportunistic, largely automated exploitation attempts consistent with the newly disclosed React Server Components (RSC) β€œFlight” protocol RCEβ€”often referred to publicly as β€œReact2Shell” and tracked as CVE-2025-55182.

I had the [mis?]fortune of being awake just as attackers decided to slam the public internet with React2Shell exploits. GreyNoise had a tag up for it yesterday afternoon.

Full write-up of the initial spate of attacks:
www.greynoise.io/blo...
1/3

05.12.2025 14:39 πŸ‘ 4 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
Preview
Holiday cyber scams are getting more inventive Hackers are hoping to take advantage of the holiday season, and they're not just stealing money or data.

Got 30s of public media "fame" on NPR yesterday www.npr.org/2025/11/28/n...

29.11.2025 19:43 πŸ‘ 8 πŸ” 1 πŸ’¬ 1 πŸ“Œ 0
Preview
GreyNoise IP Check Check if your IP address has been observed by GreyNoise sensors. Instantly detect malicious activity, compromised devices, and security threats affecting your network.

Perfect for holiday tech support seasonβ€”check your relatives' networks in 30 seconds instead of doing the awkward "let me look at your computer" thing.

For devs: `curl -s check.labs.greynoise...` returns JSON. No auth, no limits.

Full story: www.greynoise.io/blo...
3/3

25.11.2025 20:09 πŸ‘ 3 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Preview
GreyNoise IP Check Check if your IP address has been observed by GreyNoise sensors. Instantly detect malicious activity, compromised devices, and security threats affecting your network.

Our Labs team built a free tool to check: visit check.labs.greynoise.io and see instantly if your IP has been caught scanning the internet.

No signup. No email harvesting. Just answers from our global sensor network that sees billions of IPs.
2/3

25.11.2025 20:09 πŸ‘ 3 πŸ” 1 πŸ’¬ 1 πŸ“Œ 0

πŸ” New tool alert: GreyNoise IP Check

Your home network might be compromised and you'd never know. Residential proxies, IoT botnets, and router malware are everywhereβ€”turning regular internet connections into attack infrastructure.
1/3

25.11.2025 20:09 πŸ‘ 10 πŸ” 3 πŸ’¬ 1 πŸ“Œ 0

ΒΉ I apologize for anyone who ended up with tea on their keyboards after reading that word when associated with the EU.
5/5

17.11.2025 19:44 πŸ‘ 4 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Preview
The Stark Industries Shell Game - When Bulletproof Hosting Proves Bulletproof EU sanctions hit Stark Industries in May 2025. GreyNoise data shows how the group quietly rebranded to THE.Hosting and kept its malicious infrastructure running.

While others look through "legal documents" we got receipts right from the network packets. You can read the whole thing @ "When Bulletproof Hosting Proves Bulletproof: The Stark Industries Shell Game"

πŸ‘‰ www.greynoise.io/blo...
4/5

17.11.2025 19:44 πŸ‘ 3 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

As a result, Stark did a series of stunningly adroit "business", organizational, & network infrastructure moves that not only let them completely avoid punishment, but also come back even stronger and more dangerous than they were before.
3/5

17.11.2025 19:44 πŸ‘ 0 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

Back in May, the EU decided to wield its mightyΒΉ fist & drop some sanctions on Stark. Except…they (the EU) suck @ OPSEC & the impending sanctions leaked.
2/5

17.11.2025 19:44 πŸ‘ 2 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
Line graph showing IP activity from two bulletproof hosting providers from July to November. Orange line represents PQ Hosting (AS44477) peaking at 1,600 IPs in early September before declining to near zero by November. Blue line shows THE.Hosting/WorkTitans (AS209847) remaining low until late September, then spiking to over 1,000 IPs in November as PQ Hosting activity ceased, illustrating the migration of malicious operations between hosting providers.

Line graph showing IP activity from two bulletproof hosting providers from July to November. Orange line represents PQ Hosting (AS44477) peaking at 1,600 IPs in early September before declining to near zero by November. Blue line shows THE.Hosting/WorkTitans (AS209847) remaining low until late September, then spiking to over 1,000 IPs in November as PQ Hosting activity ceased, illustrating the migration of malicious operations between hosting providers.

There once was an organization called Stark Industries (no, not *that* one! this one is real!).

They emerged around the time Russia decided to invade Ukraine. Oddly enough, their ASN real estate was the source of scads of Russian state-sponsored cyber ops.
1/5

17.11.2025 19:44 πŸ‘ 3 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

Good morning.

This is your reminder to get to the gym so that you can beat up racists if you have to.

15.11.2025 17:19 πŸ‘ 1507 πŸ” 234 πŸ’¬ 60 πŸ“Œ 56

The protocol is cool.

Relying on Bluesky for storage, authentication, etc. is stupid.

Really, really, really, really stupid,.

20.10.2025 23:32 πŸ‘ 2 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0