Security researchers have identified over 91,000 attack sessions targeting AI infrastructure<\/a> between October 2025 and January 2026, exposing systematic campaigns against large language model deployments.<\/p>\n GreyNoise\u2019s Ollama honeypot infrastructure captured 91,403 attack sessions during this period, revealing two distinct threat campaigns. The findings corroborate and extend previous research from Defused on AI system targeting.<\/p>\n The first campaign exploited server-side<\/a> request forgery vulnerabilities to force servers into making outbound connections to attacker-controlled infrastructure.<\/p>\n Attackers targeted Ollama\u2019s model pull functionality by injecting malicious registry<\/a> URLs and manipulating Twilio SMS webhook MediaUrl parameters.<\/p>\n The campaign ran from October 2025 through January 2026, with a dramatic spike over Christmas, 1,688 sessions in just 48 hours.<\/p>\n Attackers used ProjectDiscovery\u2019s OAST<\/a> infrastructure to confirm successful exploitation via callback validation.<\/p>\n Fingerprinting revealed a single JA4H signature appearing in 99% of attacks, indicating shared automation tooling likely based on Nuclei.<\/p>\n While 62 source IPs spread across 27 countries were observed, consistent fingerprints suggest VPS-based infrastructure rather than a botnet.<\/p>\n GreyNoise assesses<\/a> this as probable grey-hat operations by bug bounty hunters, though the scale and timing raise ethical concerns.<\/p>\n Starting December 28, 2025, two IPs launched methodical probes of 73+ LLM model<\/a> endpoints, generating 80,469 sessions in eleven days.<\/p>\n This systematic reconnaissance sought misconfigured proxy servers that might expose access to commercial APIs.<\/p>\n The attacks tested OpenAI-compatible and Google Gemini<\/a> formats across every major model family: OpenAI GPT-4o, Anthropic Claude, Meta Llama 3.x, DeepSeek-R1, Google Gemini, Mistral, Alibaba Qwen, and xAI Grok.<\/p>\n Test queries remained deliberately innocuous, with \u201chi\u201d appearing 32,716 times and \u201cHow many states are there in the United States?\u201d appearing 27,778 times, likely aiming to fingerprint models without triggering security alerts.<\/p>\n The infrastructure points to professional threat actors: 45.88.186.70\u00a0(AS210558, 1337 Services GmbH): 49,955 sessions 204.76.203.125\u00a0(AS51396, Pfcloud UG): 30,514 sessions<\/p>\n Both IPs have extensive histories of CVE exploitation, with over 4 million combined sensor hits across more than 200 vulnerabilities, including CVE-2025-55182<\/a> and CVE-2023-1389.<\/p>\n Block these network indicators:<\/p>\n![\"Ollama](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgLUQ1fnKf9ZHt5vn1jOTWlztU7h_rKElbmScTlPmnfNjwpfSNgn0fgtX5hVWN3-JGjIkNfiw9vGAfDs4YbMiQBa0Ou7LRPvSmqfonvjdulQhyphenhyphenLfWI0u6f9YoXayg6J1-2voCD9othOy5IiugjFR4zmwxZbuIio5x3rxNnTWXhN-XOqUiWWc9Q_LuW2sIc\/s1600\/Screenshot%25202026-01-09%2520105611%2520%25281%2529.webp?ssl=1\")
Enumeration Campaign: Building Target Lists<\/strong><\/h2>\n