Threat intelligence firm GreyNoise is warning of a “notable surge” in scanning activity targeting Progress MOVEit Transfer systems starting May 27, 2025—suggesting that attackers may be preparing for another mass exploitation campaign or probing for unpatched systems.
MOVEit Transfer is a popular managed file transfer solution used by businesses and government agencies to share sensitive data securely. Because it often handles high-value information, it has become a favorite target for attackers.
“Prior to this date, scanning was minimal — typically fewer than 10 IPs observed per day,” the company said. “But on May 27, that number spiked to over 100 unique IPs, followed by 319 IPs on May 28.”
Since then, daily scanner IP volume has remained intermittently elevated between 200 to 300 IPs per day, GreyNoise added, stating it marks a “significant deviation” from usual behavior.
As many as 682 unique IPs have been flagged in connection with the activity over the past 90 days, with 449 IP addresses observed in the past 24 hours alone. Of the 449 IPs, 344 have been categorized as suspicious and 77 have been marked malicious.
A majority of the IP addresses geolocate to the United States, followed by Germany, Japan, Singapore, Brazil, the Netherlands, South Korea, Hong Kong, and Indonesia.
GreyNoise also said it detected low-volume exploitation attempts to weaponize two known MOVEit Transfer flaws (CVE-2023-34362 and CVE-2023-36934) on June 12, 2025. It’s worth noting that CVE-2023-34362 was abused by Cl0p ransomware actors as part of a widespread campaign in 2023, impacting more than 2,770 organizations.
The spike in scanning activity is an indication that MOVEit Transfer instances are once again under the threat actor’s scanner, making it essential that users block the offending IP addresses, make sure the software is up-to-date, and avoid publicly exposing them over the internet.
