GreyNoise researchers have observed a significant escalation in malicious scanning activity targeting MOVEit Transfer systems, with threat actors dramatically increasing their reconnaissance efforts since late May 2025.
The surge represents a marked departure from typical baseline activity and suggests renewed interest in exploiting the popular file transfer platform that has been the target of numerous high-profile attacks in recent years.
The scanning campaign began abruptly on May 27, 2025, when GreyNoise detected a sudden jump from fewer than 10 unique IP addresses per day to over 100 scanning MOVEit Transfer systems.
The activity intensified further on May 28, with researchers observing 319 unique IP addresses conducting reconnaissance operations.
Since this initial surge, daily scanner volumes have remained consistently elevated, fluctuating between 200 and 300 unique IP addresses per day.

This sustained high-volume scanning represents a significant deviation from historical patterns, where MOVEit Transfer scanning activity typically remained minimal.
The persistence of this elevated activity over nearly a month indicates coordinated efforts rather than opportunistic scanning.
Security experts note that such patterns often precede the emergence of new vulnerabilities by two to four weeks, suggesting that organizations should prepare for potential zero-day disclosures.
Over the past 90 days, GreyNoise has tracked 682 unique IP addresses triggering its MOVEit Transfer scanner detection systems.
The geographic distribution of targets includes the United Kingdom, United States, Germany, France, and Mexico, while the majority of scanning infrastructure originates from the United States.
Infrastructure Analysis
The technical analysis of the scanning infrastructure reveals concerning patterns that suggest deliberate, programmatically managed operations.
Tencent Cloud, operating under ASN 132203, hosts 303 IP addresses, representing 44% of all observed scanner infrastructure.
This concentration within a single autonomous system number is unusual for organic scanning activity and indicates coordinated resource allocation.
Additional cloud providers contributing to the campaign include Cloudflare with 113 IP addresses, Amazon Web Services with 94 addresses, and Google Cloud Platform with 34 addresses.
The concentration of scanning infrastructure among major cloud providers suggests threat actors are leveraging legitimate cloud services to obfuscate their activities and avoid detection.
On June 12, 2025, GreyNoise observed confirmed exploitation attempts targeting two previously disclosed vulnerabilities: CVE-2023-34362 and CVE-2023-36934.

While these attempts occurred during the heightened scanning period, researchers emphasize that no widespread exploitation has been detected at this time.
Security Recommendations
Organizations operating MOVEit Transfer systems should implement immediate defensive measures to protect against potential attacks.
GreyNoise recommends dynamically blocking suspicious and malicious IP addresses using their threat intelligence feeds, which provide real-time updates on scanning and exploitation attempts.
Critical security actions include auditing the public exposure of MOVEit Transfer systems, ensuring proper network segmentation, and applying all available security patches for known vulnerabilities, particularly CVE-2023-34362 and CVE-2023-36934.
Organizations should also implement continuous monitoring for real-time attacker activity against their MOVEit Transfer deployments.
Security teams can track ongoing threats by monitoring GreyNoise’s specialized tags for MOVEit Transfer scanner activity and specific CVE exploitation attempts, enabling proactive threat hunting and incident response capabilities.
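As an added illustration, not code from GreyNoise or this story, the two analyses the article describes can be reproduced against a team's own scanner logs: a surge detector on daily unique-IP counts (the sub-10 to 319 jump) and an ASN concentration breakdown (one ASN holding 44% of addresses). The observations, IPs and ASNs below are constructed placeholders shaped like the figures in the story:

```python
from collections import Counter
from datetime import date, timedelta
from statistics import median

def build_sample_observations():
    """Constructed (day, source_ip, asn) records shaped like the campaign described
    above: a single-digit daily baseline, then hundreds of unique scanners with one
    ASN supplying over 40% of them. IPs and ASNs are placeholders, not real data."""
    obs = []
    for i in range(7):                       # 20-26 May: 3 to 6 scanners a day
        day = date(2025, 5, 20) + timedelta(days=i)
        for j in range(3 + i % 4):
            obs.append((day, f"198.51.100.{j + 1}", 64496 + j))
    for i, n in enumerate([120, 319, 250]):  # 27-29 May: the surge
        day = date(2025, 5, 27) + timedelta(days=i)
        for j in range(n):
            asn = 64500 if j < 140 else 64501 + j % 3
            obs.append((day, f"10.0.{j // 256}.{j % 256}", asn))
    return obs

def daily_unique_ips(observations):
    """Unique scanner IPs per day, the metric behind the '<10 to 319' figures."""
    seen = {}
    for day, ip, _ in observations:
        seen.setdefault(day, set()).add(ip)
    return {day: len(ips) for day, ips in sorted(seen.items())}

def surge_days(daily, window=7, min_history=3, multiplier=10):
    """Days whose count is at least `multiplier` times the median of the preceding
    `window` days; the trailing median keeps a surge from inflating its own baseline."""
    counts = list(daily.values())
    flagged = []
    for i, day in enumerate(daily):
        history = counts[max(0, i - window):i]
        if len(history) >= min_history and counts[i] >= multiplier * max(median(history), 1):
            flagged.append(day)
    return flagged

def asn_concentration(observations):
    """Share of all unique scanner IPs per ASN, highest first; one ASN holding ~44%
    of addresses is the kind of clustering that marks managed infrastructure."""
    ip_to_asn = {}
    for _, ip, asn in observations:
        ip_to_asn.setdefault(ip, asn)
    by_asn = Counter(ip_to_asn.values())
    total = len(ip_to_asn)
    return [(asn, n, n / total) for asn, n in by_asn.most_common()]
```

Because the baseline is a trailing median, every day of a sustained plateau keeps firing, which matches the month-long elevation the article reports rather than a one-off spike.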