Threat intelligence company Greynoise has warned of “notable surges” in scan activities targeting progressive mobile systems since May 27, 2025. The attacker may be preparing another mass exploitation campaign or investigating a receivable system.
MoveIT Transfer is a popular managed file transfer solution used by businesses and government agencies to securely share sensitive data. They often became the target of attackers because they processed high-value information.
“Previously prior to this date, scans were minimal. Usually less than 10 IPs per day,” the company said. “However, on May 27th, that number surged to over 100 unique IPs, followed by 319 IPs on May 28th.”
Since then, the daily scanner’s IP volume has remained intermittently rising between 200 and 300 IPs per day, and Greynoise has said it marks it as a “significant deviation” from normal operation.
As many as 682 unique IPs have been flagged in relation to activity over the past 90 days, with 449 IP addresses observed in the last 24 hours alone. Of the 449 IPs, 344 were classified as suspicious, and 77 were malicious.
Most of the IPs are global measurements in the US, followed by Germany, Japan, Singapore, Brazil, the Netherlands, Korea, Hong Kong and Indonesia.
Greynoise also stated that on June 12, 2025, it detected attempts to exploit low capacity to weaponize two known MoveIT transfer defects (CVE-2023-34362 and CVE-2023-36934). 2,770 organizations.
Scan activity spikes indicate that the MoveIT forwarding instance is again under the threat actor’s scanner, so users block the problematic IP address, make sure the software is up to date and not publicly available on the Internet.
Source link
