Hackers Actively Exploiting AI Deployments

Posted on January 9, 2026 By CWS

Security researchers have identified over 91,000 attack sessions targeting AI infrastructure between October 2025 and January 2026, exposing systematic campaigns against large language model deployments.

GreyNoise's Ollama honeypot infrastructure captured 91,403 attack sessions during this period, revealing two distinct threat campaigns. The findings corroborate and extend earlier research from Defused on AI system targeting.

The first campaign exploited server-side request forgery (SSRF) vulnerabilities to force servers into making outbound connections to attacker-controlled infrastructure.

Attackers targeted Ollama's model pull functionality by injecting malicious registry URLs and manipulating Twilio SMS webhook MediaUrl parameters.

SSRF Enumeration (Source: GreyNoise)

The campaign ran from October 2025 through January 2026, with a dramatic spike over Christmas: 1,688 sessions in just 48 hours.

Attackers used ProjectDiscovery's OAST infrastructure to confirm successful exploitation via callback validation.

Fingerprinting revealed a single JA4H signature appearing in 99% of attacks, indicating shared automation tooling likely based on Nuclei.

While 62 source IPs spread across 27 countries were observed, consistent fingerprints suggest VPS-based infrastructure rather than a botnet.

GreyNoise assesses this as likely grey-hat operations by bug bounty hunters, though the scale and timing raise ethical concerns.

Enumeration Campaign: Building Target Lists

Starting December 28, 2025, two IPs launched methodical probes of 73+ LLM model endpoints, generating 80,469 sessions in eleven days.

This systematic reconnaissance sought misconfigured proxy servers that might expose access to commercial APIs.

The attacks tested OpenAI-compatible and Google Gemini formats across every major model family: OpenAI GPT-4o, Anthropic Claude, Meta Llama 3.x, DeepSeek-R1, Google Gemini, Mistral, Alibaba Qwen, and xAI Grok.

Test queries remained deliberately innocuous, with “hello” appearing 32,716 times and “What number of states are there in the USA?” appearing 27,778 times, likely aiming to fingerprint models without triggering security alerts.

The infrastructure points to professional threat actors:

  • 45.88.186.70 (AS210558, 1337 Services GmbH): 49,955 sessions
  • 204.76.203.125 (AS51396, Pfcloud UG): 30,514 sessions

Both IPs have extensive histories of CVE exploitation, with over 4 million combined sensor hits across more than 200 vulnerabilities, including CVE-2025-55182 and CVE-2023-1389.

Block these network indicators:

  • JA4H: po11nn060000…
  • Domains: *.oast.live, *.oast.me, *.oast.online, *.oast.pro, *.oast.fun, *.oast.site, *.oast.today
  • IPs: 45.88.186.70, 204.76.203.125, 134.122.136.119, 134.122.136.96, 112.134.208.214, 146.70.124.188, 146.70.124.165

Allow Ollama to make outbound connections only to approved addresses. Block all other outgoing traffic so attackers cannot use it for SSRF callbacks.
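Log triage for the two campaigns described above, as an added example (not GreyNoise's code and not part of the original article): it flags pull targets or MediaUrl values that point at OAST callback domains, and sources that request many distinct models. The record layout (src, path, params), the webhook path, the threshold and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
# OAST callback domains named in the article; the record layout is an assumption.
OAST_SUFFIXES = (".oast.live", ".oast.me", ".oast.online", ".oast.pro",
                 ".oast.fun", ".oast.site", ".oast.today")
HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#\s]+)", re.I)
GEMINI_RE = re.compile(r"^/v1beta/models/([^/:]+):generateContent$")

def host_of(value):
    """Host of a URL, or registry host of a model reference (host/ns/model:tag)."""
    m = HOST_RE.match(value.strip())
    return m.group(1).lower().rstrip(".") if m else ""

def ssrf_attempts(records):
    """Requests whose pull target or MediaUrl points at an OAST callback domain."""
    hits = []
    for r in records:
        for field in ("model", "name", "MediaUrl"):
            host = host_of(r["params"].get(field, ""))
            if host.endswith(OAST_SUFFIXES):
                hits.append((r["src"], r["path"], field, host))
    return hits

def requested_model(r):
    """Model named in an OpenAI-compatible body or in a Gemini-style path."""
    if r["path"] == "/v1/chat/completions":
        return r["params"].get("model")
    m = GEMINI_RE.match(r["path"])
    return m.group(1) if m else None

def enumerators(records, min_models=4):
    """Sources probing many distinct models: the target-list building pattern."""
    seen = defaultdict(set)
    for r in records:
        model = requested_model(r)
        if model:
            seen[r["src"]].add(model)
    return {src: len(m) for src, m in seen.items() if len(m) >= min_models}

# Constructed sample records, not captured traffic (198.51.100.0/24 is a documentation range).
SAMPLE = [
    {"src": "198.51.100.7", "path": "/api/pull", "params": {"model": "http://c1a2b3.oast.fun/lib/m:latest"}},
    {"src": "198.51.100.7", "path": "/sms/webhook", "params": {"MediaUrl": "https://c1a2b3.oast.me/x.png"}},
    {"src": "198.51.100.9", "path": "/api/pull", "params": {"model": "llama3:8b"}},
    {"src": "198.51.100.20", "path": "/v1beta/models/gemini-pro:generateContent", "params": {}},
    *({"src": "198.51.100.20", "path": "/v1/chat/completions", "params": {"model": m}}
      for m in ("gpt-4o", "claude-3", "llama-3.1", "deepseek-r1")),
]

print(ssrf_attempts(SAMPLE), enumerators(SAMPLE))
```

The suffix match requires the leading dot, so a look-alike host such as `evil-oast.me` is not flagged; tune `min_models` to the number of models a legitimate client of the proxy actually uses.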

Eighty thousand enumeration requests represent a significant investment. Threat actors don't map infrastructure at this scale without plans to use it.

If you're running exposed LLM endpoints, you're likely already on someone's target list.
