Ghost Fleet: Half of All New Scanning IPs Last Week Geolocated to Hong Kong — Nearly None Completed a Connection

GreyNoise researchers identified a significant anomaly in network traffic involving 242,666 new scanning IP addresses geolocated to Hong Kong within a single week. Notably, 99.7% of these addresses failed to complete a single TCP connection, suggesting widespread background noise rather than targeted exploitation attempts. While the volume is substantial, representing half of all new scanning IPs observed during the period, the lack of completed connections indicates a low immediate threat severity. This activity aligns with reconnaissance tactics often seen in early-stage cyber operations or benign scanning services. Organizations should maintain robust perimeter monitoring to distinguish between harmless noise and genuine reconnaissance efforts. No specific threat actors or malware families were attributed to this campaign. Security teams are advised to continue monitoring ingress traffic patterns without escalating incident response unless connection completion rates increase significantly.

Last week, the GreyNoise Observation Grid observed something unusual: 242,666 new scanning IPs geolocating to Hong Kong appeared in seven days and 99.7% of them never completed a single TCP connection.

GreyNoise researchers identified a significant anomaly in network traffic involving 242,666 new scanning IP addresses geolocated to Hong Kong within a single week. Notably, 99.7% of these addresses failed to complete a single TCP connection, suggesting widespread background noise rather than targeted exploitation attempts. While the volume is substantial, representing half of all new scanning IPs observed during the period, the lack of completed connections indicates a low immediate threat severity. This activity aligns with reconnaissance tactics often seen in early-stage cyber operations or benign scanning services. Organizations should maintain robust perimeter monitoring to distinguish between harmless noise and genuine reconnaissance efforts. No specific threat actors or malware families were attributed to this campaign. Security teams are advised to continue monitoring ingress traffic patterns without escalating incident response unless connection completion rates increase significantly. Last week, the GreyNoise Observation Grid observed something unusual: 242,666 new scanning IPs geolocating to Hong Kong appeared in seven days and 99.7% of them never completed a single TCP connection. Last week, the GreyNoise Observation Grid observed something unusual: 242,666 new scanning IPs geolocating to Hong Kong appeared in seven days and 99.7% of them never completed a single TCP connection.