On May 8, 2025, GreyNoise observed a tightly coordinated and large-scale reconnaissance campaign launched from 251 malicious IP addresses, all hosted on Amazon AWS and geolocated in Japan. These IPs were active for only one day and collectively triggered 75 distinct scanning behaviors across web technologies, cloud infrastructure, and IoT devices. The targets included legacy CVEs (e.g., CVE-2017-5638 in Apache Struts, CVE-2014-6271 Shellshock) and misconfiguration probes (e.g., exposed .git configs, ENV variables, CGI scripts). The temporary nature of the infrastructure and the synchronized execution suggest centralized orchestration rather than opportunistic scanning.
The targeted technologies spanned a wide range: ColdFusion, Apache Tomcat, Elasticsearch, WebLogic, WordPress, Drupal, and even IoT devices. GreyNoise analysis revealed high overlap between scanning activity, reinforcing the likelihood of a single operator or shared toolset. These patterns mirror behaviors seen before zero-day discoveries like Ivanti EPMM, underscoring how broad scanning often precedes exploitation.
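
A defender can look for the same two signals in their own request logs: source IPs seen on a single day, and near-identical sets of probe behaviors across those IPs. The sketch below is an added example, not GreyNoise's code or methodology; the tag names, match patterns, thresholds, and sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample events (day, source IP, request path, header value).
# Not real telemetry; IPs are from RFC 5737 documentation ranges.
EVENTS = [
    ("2025-05-08", "192.0.2.10", "/.git/config", ""),
    ("2025-05-08", "192.0.2.10", "/.env", ""),
    ("2025-05-08", "192.0.2.10", "/cgi-bin/status", "() { :; };"),
    ("2025-05-08", "192.0.2.11", "/.git/config", ""),
    ("2025-05-08", "192.0.2.11", "/.env", ""),
    ("2025-05-08", "192.0.2.11", "/cgi-bin/test.cgi", "() { :; };"),
    ("2025-05-07", "198.51.100.5", "/.env", ""),
    ("2025-05-08", "198.51.100.5", "/index.html", ""),
    ("2025-05-08", "203.0.113.9", "/upload.action", "%{(constructed)}"),
]

# Hypothetical behavior tags; the patterns are simplified illustrations.
RULES = {
    "git-config": lambda path, hdr: path.endswith("/.git/config"),
    "env-file": lambda path, hdr: re.search(r"/\.env$", path) is not None,
    "cgi-probe": lambda path, hdr: path.startswith("/cgi-bin/"),
    "shellshock": lambda path, hdr: hdr.lstrip().startswith("() {"),
    "struts-ognl": lambda path, hdr: "%{" in hdr,
}

def profile(events):
    """Map each source IP to its active days and its matched behavior tags."""
    days, tags = defaultdict(set), defaultdict(set)
    for day, ip, path, hdr in events:
        days[ip].add(day)
        tags[ip].update(name for name, match in RULES.items() if match(path, hdr))
    return days, tags

def jaccard(a, b):
    """Overlap of two tag sets: |intersection| / |union|."""
    return len(a & b) / len(a | b) if a | b else 0.0

def coordinated_pairs(events, min_tags=3, min_overlap=0.8):
    """Pairs of single-day IPs whose behavior sets largely coincide."""
    days, tags = profile(events)
    burst = sorted(ip for ip in tags
                   if len(days[ip]) == 1 and len(tags[ip]) >= min_tags)
    return [(a, b, jaccard(tags[a], tags[b]))
            for a, b in combinations(burst, 2)
            if jaccard(tags[a], tags[b]) >= min_overlap]
```

On the constructed events, only the two single-day IPs with matching four-tag profiles are paired; the two-day IP and the single-tag IP are excluded.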