Today we deployed an updated version of our website which exposes first + last seen timestamps, tags, ASN search, version 2.0 of the API and more! .

Zip of payloads:

Join millions who have switched to Grok.

#RCE attempt targeting Tenda AC15 AC1900 routers to deliver #DDOSAgent CVE-2020-10987. 2025-08-03 20:14:06 UTC.Source IP: 217.113.49.161 🇭🇺. IOCs:.172.233.82.130 🇯🇵.hxxp://172.233.82.130/vtubers.sh

Zip of payloads:

#RCE attempt targeting Hikvision IP Cameras to deliver #Mirai #CVE-2021-36260. 2025-08-02 15:31:01 UTC.Source IP: 5.167.76.48 🇷🇺.PUT /SDK/webLanguage. IOCs:.dori8585[.]global.ssl.fastly[.]net.hxxp://dori8585.global.ssl.fastly.net/dori.sh. CC @fastly for takedown

#Drupal #RCE attempt observed CVE-2019-6340. 2025-08-01 06:37:44 UTC.Source IP: 198.98.56.220 🇺🇸.POST /node/1?_format=hal_json

Dropper MD5: d47fe69df2cb214d09f83518bba4e6bb.

#RCE attempt targeting LB-LINK routers to distribute #Mirai. 2025-07-28 22:11:34 UTC.Source IP: 45.135.193.2 🇳🇱.POST /goform/set_LimitClient_cfg. IOCs:.45.135.194.13 🇳🇱.hxxp://45.135.194.13/akhenaton

Check out our latest post: . RondoDox Botnet: Rando In Your Router. #RondoDox.

SMS based #phishing targeting @CharlesSchwab users. "Feels like garbage" 🗑️. SSL certificate created same day. IOCs:.hxxps://schwabel[.]top/?qr=bsemor.schwabel[.]top.43.166.138.217 🇺🇸

#Log4j #RCE attempts delivering #XMRig #Coinminer. 2025-07-19 23:58:18 UTC.Source IP: 80.75.212.83 🇩🇪. IOCs:.46.8.231.224 🇳🇱.hxxp://46.8.231.224/scripts/4thepool_miner.sh.7948170e68c90a5272a72c4df6292487

#RCE attempt targeting LB-LINK routers to distribute #Mirai. 2025-07-19 22:40:33 UTC.Source IP: 45.135.193.2 🇳🇱.POST /goform/set_LimitClient_cfg. IOCs:.176.65.148.203 🇳🇱.hxxp://176.65.148.203/machinist

#RCE attempt targeting CGI endpoint. IP is perhaps a #DarkGate C2 per VirusTotal but URL 404s. 2025-07-18 02:27:17 UTC.Source IP: 77.221.151.232 🇷🇺.POST /cgi-bin/admin.cgi. IOCs:.hxxp://77.221.151.232:47583/test

Payload URLs:.hxxp://38.59.219.27/rondo.lblink.sh.hxxp://38.59.219.27/rondo.linksys.sh.hxxp://38.59.219.27/rondo.trueonline.sh.hxxp://38.59.219.27/rondo.gpon.sh.

#RCE attempts targeting various #soho router manufacturers to spread #Mirai . #RondoDox #botnet . 2025-07-16 00:50:21 UTC (latest) .Source IP: 45.135.194.11 🇳🇱 . IOCs: .38.59.219.27 🇺🇸

New #Mirai payload from same IP:. 93.95.115.174 🇳🇱.hxxp://93.95.115.174/hiddenbin/boatnet.mips

#RCE attempts targeting Draytek Routers #CVE-2020-8515 to distribute #Mirai. 2025-07-09 11:17:29 UTC.Source IP: 87.121.84.34 🇳🇱.POST /cgi-bin/mainfunction.cgi. IOCs:.220.158.234.135 🇰🇭.hxxp://220.158.234.135/x/vigor.190aaa41386089b83db85ef045dc58f0

OAST attempts targeting @VMware Aria Operations #CVE-2023-20887. 2025-07-08 05:42:55 UTC.Source IP: 88.214.26.30 🇩🇪.POST /saas./resttosaasservlet. IOCs:.d1maosfpq27g8fmquu7ggtfe41ik8n8op.oast[.]site

Suspicious #RCE attempts involving traceroute . 2025-07-02 07:51:05 UTC.Source IP: 87.121.84.208 🇺🇸.POST /bf/tracert. IP was a #Mirai C2 back in April: IOCs:.87.121.84.104 🇺🇸.hxxp://87.121.84.104:7777

#RCE attempts targeting Langflow (CVE-2025-3248) to distribute #redtail #xmrig #coinminer. 2025-06-20 23:33:10 UTC.Source IPs: 193.32.162.157 🇷🇴 and 185.93.89.118 🇮🇷.POST /api/v1/validate/code. IOCs:.66.63.187.193 🇺🇸.hxxp://66.63.187.193/sh.45ccafcdc6e78bd6471a7eb0afcb7e99