SSH/Telnet Scan Surge Signals New Botnet Wave
On April 2, 2026, the ISC Stormcast telemetry recorded a sharp uptick in scans of SSH (port 22) and Telnet (port 23). The volume of probing activity jumped roughly 250% over the previous week, with many source IPs linked to known botnet infrastructure. The scans are largely automated, aiming to locate systems with exposed remote‑access services that can be compromised quickly.
Defenders should treat this spike as a warning sign: vulnerable SSH/Telnet endpoints are prime entry points for credential‑stuffing, brute‑force attacks, and subsequent ransomware deployment. Immediate actions include disabling unused Telnet services, enforcing strong, key‑based SSH authentication, applying rate‑limiting on login attempts, and enhancing log monitoring for repeated failed connections. Proactive network segmentation and threat‑intel feeds can further reduce exposure to the emerging botnet campaign.
Categories: Threat Intelligence, Identity & Access Management