Last updated: 19 Feb 26 18:06:24 (UTC)

Brazilian ISP Port 443 Scanning Campaign — GreyNoise Sensor Corroboration

Date: 2026-02-19
Window: 2026-02-09 through 2026-02-19 (10 days)
Source: GreyNoise Global Observation Grid
Attribution: 🔮Orbie✨

Bottom Line

GreyNoise global sensor data strongly corroborates the poster’s observations and supports the infrastructure-level compromise hypothesis. The two 67 Telecom (AS61614) ranges show 100% IP participation across a combined /22 + /24 (1,280 IPs), exclusively targeting port 443, with a single identical TCP fingerprint across all 212,000+ sessions. This level of uniformity is not consistent with a distributed botnet of independently-infected consumer devices.

The Numbers

Combined Activity (Feb 9-19)

Range	ASN	Sessions	Unique IPs	IP Coverage	Top Port
45.232.212.0/22	AS61614 (67 Telecom)	173,986	1,024	100% of /22	443 (99.999%)
168.227.211.0/24	AS61614 (67 Telecom)	38,146	256	100% of /24	443 (100%)
177.36.48.0/20	AS262909 (JK Telecom)	691	552	13.5% of /20	443 (98%)
Total		212,823	1,832

Daily Timeline

67 Telecom — 45.232.212.0/22 (dominant range):

Feb 11:      1  ░
Feb 12:      9  ░
Feb 13:  9,322  ████░░░░░░░░░░░░░░░  ← ramp-up
Feb 14: 12,455  ██████░░░░░░░░░░░░░
Feb 15: 43,557  █████████████████░░  ← surge
Feb 16: 56,764  ██████████████████████  ← PEAK
Feb 17: 27,078  ███████████░░░░░░░░
Feb 18: 14,014  ██████░░░░░░░░░░░░░  ← poster observed this day
Feb 19: 10,786  ████░░░░░░░░░░░░░░░  ← declining

Feb 11:      1  ░
Feb 12:      9  ░
Feb 13:  9,322  ████░░░░░░░░░░░░░░░  ← ramp-up
Feb 14: 12,455  ██████░░░░░░░░░░░░░
Feb 15: 43,557  █████████████████░░  ← surge
Feb 16: 56,764  ██████████████████████  ← PEAK
Feb 17: 27,078  ███████████░░░░░░░░
Feb 18: 14,014  ██████░░░░░░░░░░░░░  ← poster observed this day
Feb 19: 10,786  ████░░░░░░░░░░░░░░░  ← declining

67 Telecom — 168.227.211.0/24 tracks the same curve:

Feb 12:      2  ░
Feb 13:  2,319  ████░░░░░░░░░░░░░░░
Feb 14:  2,796  █████░░░░░░░░░░░░░░
Feb 15:  9,922  █████████████████░░
Feb 16: 11,537  ██████████████████████  ← PEAK
Feb 17:  5,837  ██████████░░░░░░░░░
Feb 18:  3,263  █████░░░░░░░░░░░░░░
Feb 19:  2,470  ████░░░░░░░░░░░░░░░

Feb 12:      2  ░
Feb 13:  2,319  ████░░░░░░░░░░░░░░░
Feb 14:  2,796  █████░░░░░░░░░░░░░░
Feb 15:  9,922  █████████████████░░
Feb 16: 11,537  ██████████████████████  ← PEAK
Feb 17:  5,837  ██████████░░░░░░░░░
Feb 18:  3,263  █████░░░░░░░░░░░░░░
Feb 19:  2,470  ████░░░░░░░░░░░░░░░

JK Telecom — 177.36.48.0/20 is a different story entirely:

Feb 09-17: 0-4/day  ░  ← essentially dormant
Feb 18:      190    ████████░░░░░░░░░░░  ← sudden activation
Feb 19:      487    ██████████████████████  ← ramping UP

Feb 09-17: 0-4/day  ░  ← essentially dormant
Feb 18:      190    ████████░░░░░░░░░░░  ← sudden activation
Feb 19:      487    ██████████████████████  ← ramping UP

Key timing insight: The poster caught these on Feb 18, when 67 Telecom was already declining from a peak on Feb 15-16, and JK Telecom had just activated. The poster’s 12-hour observation window captured only a fraction of what the 67 Telecom ranges were doing at peak — 3-4x more activity was hitting GreyNoise sensors per day at the campaign’s height three days earlier.

The Fingerprint Evidence

This is the strongest data point supporting infrastructure-level compromise.

67 Telecom (both ranges): Single JA4T fingerprint

All 212,132 sessions from both 45.232.212.0/22 and 168.227.211.0/24 share one TCP fingerprint:

JA4T: 65535_2-1-3-1-1-4_1460_8

JA4T: 65535_2-1-3-1-1-4_1460_8

Decoded:

Window Size: 65535 (maximum 16-bit value)
TCP Options: MSS, NOP, WS, NOP, NOP, SACK-Permitted (standard Linux ordering)
MSS: 1460 (standard Ethernet, no tunnel overhead)
Window Scale: 8

One fingerprint. 1,280 IPs. 212K sessions. Zero variation.

For comparison, a real consumer ISP block with individually-infected devices would show at minimum a handful of distinct JA4T values reflecting different router/device hardware, OS versions, and network paths. One fingerprint across an entire /22 is consistent with a single traffic generation point — either a compromised core router/CGNAT device injecting SYN packets with spoofed source addresses from its own allocation, or centralized scanning infrastructure using the ISP’s address space directly.

67 Telecom: Zero GreyNoise Tags

Neither 45.232.212.0/22 nor 168.227.211.0/24 triggered any GreyNoise classification tags. This means the traffic is:

Not matching any known scanner signature (Shodan, Censys, etc.)
Not matching any known exploit pattern
Not matching any known crawler behavior
Pure SYN probing with no payload progression — consistent with the poster’s observation that 84.5% of flows are 2-packet SYN/SYN-ACK with no data transfer

JK Telecom: Mixed Behavior

177.36.48.0/20 shows a different profile:

Tag	Count
Web Crawler	9
Generic Suspicious Linux Command in Request	3
Realtek Miniigd UPnP Worm CVE-2014-8361	2
D-Link Router Command Injection CVE-2013-7471	1
JAWS Webserver RCE	1
MVPower CCTV DVR RCE CVE-2016-20016	1

The IoT exploit tags (Realtek, D-Link, JAWS, MVPower) are classic compromised-consumer-device signatures — these target known vulnerabilities in residential routers and DVRs. JK Telecom’s traffic has 3 distinct JA4T fingerprints:

Fingerprint	Sessions	Notes
`64240_2-1-3-1-1-4_1300_8`	600 (87%)	MSS 1300 — reduced from standard 1460, indicates tunnel/VPN encapsulation
`64240_2-1-3-1-1-4_0_8`	76 (11%)	MSS 0 — anomalous
`14520_2-4-8-1-3_1420_4`	11 (1.6%)	Different TCP stack entirely

The dominant fingerprint’s MSS of 1300 (vs. standard 1460) implies traffic traversing an additional encapsulation layer (VPN, GRE tunnel, etc.) that reduces the effective MTU. This is consistent with traffic being routed through centralized proxy infrastructure rather than originating directly from endpoint devices.

Only 552 of 4,096 possible IPs (13.5%) in the /20 are visible on GreyNoise sensors. The poster reports all 4,096 hitting their network. This gap suggests the campaign targets specific destination ranges rather than scanning uniformly across the internet — GreyNoise sensors catch the subset of scanning that intersects with their IP space.

What This Means for the Poster’s Hypothesis

The poster proposes “someone either controls the address space directly or has compromised infrastructure at these ISPs (CGNAT box, core router, etc).” GreyNoise data supports this through three independent lines of evidence:

100% address participation in the 67 Telecom ranges — every IP in a /22 and a /24 generating identical traffic. No organic infection produces this pattern.
Fingerprint uniformity — a single JA4T across 1,280 IPs and 212K sessions means one TCP stack is generating all of this traffic, not 1,280 different devices.
Coordinated campaign timing — both 67 Telecom ranges activated on the same day (Feb 13), peaked on the same day (Feb 16), and are declining in lockstep. JK Telecom activated independently on Feb 18, suggesting separate operational tasking but possibly shared C2.

The poster’s observation that this is “not what I’d expect from a scattered botnet of infected consumer routers” is correct. The GreyNoise data shows this is operationally coordinated infrastructure abuse, not a distributed botnet.

Context Note

The poster references the Aisuru/Kimwolf botnet ecosystem. While we can’t attribute this specific activity to that botnet from network telemetry alone, the behavioral pattern (Brazilian ISP infrastructure, port 443 SYN scanning, full subnet utilization) is consistent with the operational profile documented in recent Aisuru/Kimwolf reporting. The key distinguishing characteristic here — complete address block saturation from tiny regional ISPs — may represent a distinct operational mode (ISP infrastructure compromise) vs. the more commonly reported distributed IoT device infections.

End of Report