ELLIO
Sign Up FreeGo to Main Website
AllProduct UpdatesTechnical ArticlesThreat/Vulnerability News

Featured Article

ELLIO threat intelligence dashboard showing IP 178.16.53.51 flagged as malicious Mirai botnet from Amsterdam, with timeline of exploit attempts and port scanning activity detected between March 22-24, 2026.
Scanning
Threat/Vulnerability News__6 min

[watchdog]: Inside a Mirai variant with six-layer persistence

An open directory is serving a Mirai variant across 14 CPU architectures - all updated yesterday. It kills competitors by SHA256 hash, persists through six layers, and hides as a kernel thread. Here's what's inside.

ELLIO Icon
ELLIO Threat Research Lab

Latest Articles

Screenshot of ELLIO threat intelligence interface showing malicious Docker API exploits from IPs 45.156.87.4 and 187.86.243.141, with security indicators and threat classification tags
CVEScanning
Threat/Vulnerability News__6 min

What Gets Deployed via Exposed Docker APIs

Over 1,000 unique IPs scan for exposed Docker APIs every day. A fraction go further. We captured every container creation payload and classified them by monetization strategy.

ELLIO Icon
ELLIO Threat Research Lab
ELLIO threat intelligence dashboard showing React2Shell activity across ports, countries, and time from Dec 2025 to Mar 2026 with color-coded heatmap visualization
CVE
Threat/Vulnerability News__3 min

React2Shell Update: Custom Go L7 DDoS Botnet

A single delivery IP has been exploiting React2Shell to distribute malware from an open directory. 31 binaries including a custom Go L7 DDoS botnet with Cloudflare token forgery, two Mirai variants across 13 CPU architectures, and a C2 server.

ELLIO Icon
ELLIO Threat Research Lab
ELLIO threat intelligence dashboard showing IP 93.123.109.205 from Amsterdam marked as malicious, with MITRE ATT&CK tactics, CVE vulnerabilities, and various exploit detectors including Setup.php, Jenkins, and SQL injection
Network FingerprintsScanning
Threat/Vulnerability News__2 min

Analyze everything or move straight to network-level blocking?

One IP. Four days. Nearly 900 user agents. Over 3,000 probes. Sometimes a single IP address tells you everything you need to know about how industrialized internet scanning has become.

ELLIO cybersecurity stickers with ELLIO's hacker cat masquot Jack at BSides Prague.
ELLIO Community Team
Infographic showing February 2026 credential-stuffing attack on Palo Alto GlobalProtect: 8,575 unique IPs, 3 attack waves, 48-hour duration. ELLIO branding at bottom.
CVENetwork Fingerprints
Threat/Vulnerability News__4 min

Coordinated Credential-Stuffing Campaign Targets Palo Alto GlobalProtect Portals

A coordinated credential-stuffing campaign hit GlobalProtect VPN portals with 8,575 IPs in 48 hours. Three attack waves, 78 targeted usernames, one password. Our team breaks down the timeline, infrastructure, fingerprints, and what defenders can do.

ELLIO Icon
ELLIO Threat Research Lab
Line chart showing SSH brute force attack trends from Jan 12 - Feb 11, 2026, tracking unique attacking IPs per credential for usernames "root" (blue), "admin" (yellow), and "n8n" (red). Shows "n8n" surpassing "admin" as second most targeted.
Threat/Vulnerability News__2 min

"n8n" is the new "admin."

On February 10, 2026, our deception network recorded "n8n" overtaking "admin" as the #2 most brute-forced SSH username. The campaign scaled from a handful of probing IPs to hundreds of unique sources in under a week, with attackers rapidly iterating through password variants.

Vlad Iliushin Portrait
Vlad Iliushin
Network security timeline dashboard showing activity patterns across countries from Oct 29 to Jan 28, with color-coded threat data by geography, fingerprints, HTTP paths and user agents
Product Updates__4 min

New Historical IP Timeline is live

ELLIO Threat Intelligence Platform expands its capabilities with an interactive Historical IP Timeline, giving teams deep visibility into historical IP activity with flexible filtering and report-ready exports.

ELLIO Icon
ELLIO Product Team
React2Shell vulnerability illustration
CVE
Threat/Vulnerability News__5 min

React2Shell in the Wild: Payload Analysis, Active Campaigns, and IoCs

The ELLIO sensor network has been tracking active exploitation of CVE-2025-55182 (React2Shell) in the wild. Here’s what we’re seeing.

ELLIO Icon
ELLIO Threat Research Lab
Hero image
CVE
Threat/Vulnerability News__4 min

From Scan to Exploit: Inside the Latest Cisco ASA/FTD Campaign

From reconnaissance to exploitation in just 48 hours. See how 75 IPs executed surgical, one-hit attacks on Cisco ASA/FTD devices - and how to disappear from target lists.

ELLIO Icon
ELLIO Threat Research Lab
Hero image
Network Fingerprints
Technical Articles__2 min

Every packet tells a story: The evolution of fingerprinting and netsec

The journey began in 1969, when the very first RFC - Request for Comments - was published. Explore key milestones that shaped network security and the practice of network fingerprinting.

ELLIO Icon
ELLIO Threat Research Lab