It should be noted that without extra info, such as "did GreyNoise recently add more ability to see the activity?" it is difficult to say for sure if the recent frenzy of activity is valid. However we would see other "patterns of interest" in previous months, even with less data points available. Insight from @yngve would be more useful perhaps. Thanks for promoting my blog posts. I wondered if there was a glitch when I kept seeing them. Feels a bit weird seeing them on the front page. It makes me think "Oh hell! I better re-read it again and make sure it makes sense". My blog is mostly for my reference and for the listeners of my radio show. Often there will be a topic that is difficult to get across on radio without some reference. Normally I don't feel like clutching a pillow while writing a blog, but this is a storm gathering, and the fix is to patch a lot of obviously abandoned or unmaintained servers and PCs, that will not be updated. There have even been discussions about the legality of a Whitehat task force just bruteforce fixing everything they can. Currently that is just an idea we all agree we must not do. However reality sucks and Gov agencies do illegal things towards their people already, so it won't be so long into a botnetpocalypse that klaxons are screaming, bells are ringing and the illegal thing has to be done anyway. The only option I could see without fixing the problem is to simply remove those vulnerable IPs from all DNS. Blackhole them until the owners wake up and update.