Category: Uncategorized

  • Scanning Webserver with /$(pwd)/ as a Starting Path



    Based on the sensors reporting to ISC, this activity started on 13 Jan 2026. My own sensor saw its first scan on 21 Jan 2026, with limited probes. So far, this activity has been limited to a few scans, based on the reports available in ISC [5] (select Match Partial URL and Draw):

    This is a sample list of the paths the actors are scanning for, using the following patterns:

    /$(pwd)/.env.staging

    /$(pwd)/.env.development

    /$(pwd)/.env.production

    /$(pwd)/.env.local

    /$(pwd)/.env

    $(pwd)/terraform.tfstate

    /$(pwd)/docker-compose.yml

    /$(pwd)/netlify.toml

    This Gephi graph shows the relationship of each probed URL by the two IP addresses:


    Kibana ES|QL Query

    FROM cowrie*

    | WHERE event.reference == "no match"

    | KEEP related.ip,http.request.body.content

    | WHERE http.request.body.content IS NOT NULL

    | WHERE http.request.body.content RLIKE ".*\\/\\$\\(pwd\\).*"

    | STATS COUNT(http.request.body.content) BY related.ip, http.request.body.content
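
The same match as the ES|QL query above, applied to plain web-server access logs; this is an added example, not code from the original diary. It assumes combined-log-format lines and also decodes percent-encoded requests, which goes beyond what the query does; the sample lines and the documentation-range IP addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). The IPs are from
# the documentation ranges, not the indicators listed in the diary.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Jan/2026:04:11:02 +0000] "GET /$(pwd)/.env HTTP/1.1" 404 153 "-" "-"
192.0.2.10 - - [21/Jan/2026:04:11:03 +0000] "GET /$(pwd)/.env.production HTTP/1.1" 404 153 "-" "-"
192.0.2.10 - - [21/Jan/2026:04:11:03 +0000] "GET /%24%28pwd%29/docker-compose.yml HTTP/1.1" 404 153 "-" "-"
198.51.100.7 - - [25/Jan/2026:09:30:44 +0000] "GET $(pwd)/terraform.tfstate HTTP/1.1" 400 0 "-" "-"
203.0.113.5 - - [25/Jan/2026:09:31:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"
"""

# Source IP and request target from a combined-log-format line.
REQUEST = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*"'
)
# Literal "$(pwd)" as the first path segment, with or without a leading slash
# (the diary's sample list contains both forms).
PWD_PREFIX = re.compile(r'^/?\$\(pwd\)/')


def find_pwd_probes(log_text):
    """Count (source IP, decoded request target) pairs that start with $(pwd)/."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line we can parse
        target = unquote(m.group("target"))  # normalise %24%28pwd%29 -> $(pwd)
        if PWD_PREFIX.match(target):
            hits[(m.group("ip"), target)] += 1
    return hits


def probes_by_ip(hits):
    """Group the probed targets per source IP, like STATS ... BY related.ip."""
    grouped = {}
    for (ip, target) in hits:
        grouped.setdefault(ip, []).append(target)
    return {ip: sorted(targets) for ip, targets in grouped.items()}


if __name__ == "__main__":
    for (ip, target), n in sorted(find_pwd_probes(SAMPLE_LOG).items()):
        print(f"{n:3d}  {ip:15s}  {target}")
```
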

    Indicators

    Selecting either of these two indicators shows its scanning activity for the /$(pwd)/ pattern in the ISC web logs.

    185.177.72.52

    185.177.72.23

    We also appreciate feedback and suggestions about what tool is used to perform these scans. Please use our contact page to provide feedback. 

    [1] https://www.elastic.co/guide/en/elasticsearch/reference/8.19/esql-using.html

    [2] https://gephi.org/

    [3] https://isc.sans.edu/weblogs/sourcedetails.html?date=2026-01-21&ip=185.177.72.52

    [4] https://isc.sans.edu/weblogs/sourcedetails.html?date=2026-01-25&ip=185.177.72.23

    [5] https://isc.sans.edu/weblogs/urlhistory.html?url=LyQocHdkKS8uCg==

    ———–

    Guy Bruneau IPSS Inc.

    My GitHub Page

    Twitter: GuyBruneau

    gbruneau at isc dot sans dot edu






  • Spain slashes speed limit on popular train route after fault found



    Spanish rail authorities have temporarily reduced the speed limit on part of the high-speed line between Madrid and Barcelona after a fault was detected on the track.

    Transport Minister Óscar Puente said a crack had been found on Sunday night in the line 110km (68 miles) west of Barcelona, between Alcover and l’Espluga de Francolí, in the Catalonia region.

    It comes days after a high-speed collision killed 45 people in southern Spain and amid severe disruption to local rail services in the north-east of the country.

    The transport ministry said the fault in the line did not pose a danger to trains travelling along it and that they would continue to move along it.

    This is the latest and most drastic of several speed reductions on high-speed lines in recent days, following the accident in Adamuz, in Andalusia, earlier this month.

    The speed limit on the section of track affected will be 80km/h (50mph) until further notice. High-speed trains travel as fast as 300km/h between Madrid and Barcelona – one of Spain’s most heavily used long-distance links.

    Last week, the limit on several sections of the Madrid-Barcelona line was temporarily reduced to 230 km/h after drivers had reported vibrations or other anomalies on the route, before being restored to 300km/h following technical checks.

    Some sections of the Madrid-Valencia line also had their speed limit cut temporarily to 160km/h and 200km/h.

    Meanwhile, the local Rodalies rail service in Catalonia has been severely disrupted.

    Last week, a trainee driver was killed when a train struck a collapsed wall, and the Rodalies service was grounded as drivers demanded improved safety guarantees and lines were reviewed.

    On Monday, two separate incidents caused further chaos in the region, as the service was again suspended, before partially resuming later in the day. The Spanish government said it did not know the cause of the incidents – but did not rule out a cyberattack.

    The Catalan Republican Left (ERC) party said the Rodalies network had suffered “decades of lack of investment”.

    “The reputational damage is as bad as or worse than the economic losses,” said Ramon Talamàs, president of the Chamber of Commerce of Terrassa.

    Socialist Prime Minister Pedro Sánchez is due to appear before Congress on 11 February to be questioned about the rail crisis.

    These measures come as the investigation continues into the Adamuz high-speed crash, in which the rear carriages of a train heading north towards Madrid were derailed on a straight section of track, causing a collision with an oncoming train.

    Investigators have been examining a 40cm (16in) section of track that broke loose, apparently shortly before the derailment.

    The transport ministry has said that the line on which it happened had been renovated and undergone recent technical reviews.

    However, it has emerged that the piece of damaged rail, which was made in 2023, had been welded onto an older section, reportedly manufactured in 1989, and the join between the two appears to be where it cracked.

    The head of the independent commission investigating the crash, Iñaki Barrón, said that “everything appears to suggest that” the separation of the two welded pieces of track was the cause of the tragedy.

    Opposition politicians are demanding the resignation of Óscar Puente, accusing him of misleading the public in the wake of the tragedy.




  • Israel says it has retrieved remains of final Gaza hostage



    The Israeli military says it has retrieved the body of the last remaining hostage in Gaza.

    It had been searching for Master Sgt Ran Gvili since the ceasefire with Hamas began in October.

    Hamas was meant to return all hostages, alive and dead, within 72 hours of the ceasefire taking effect. Twenty living Israeli hostages and the bodies of 27 dead Israeli and foreign hostages were handed over but for the past few weeks Hamas said it had not yet been able to locate Gvili.

    On Sunday, Israel said it would reopen Gaza’s key border crossing with Egypt once the operation to find and return Gvili was complete.

    Israeli Prime Minister Benjamin Netanyahu called Gvili’s return “an extraordinary achievement”.

    “We promised – and I promised – to bring everyone back. We brought them all back, down to the very last captive,” he said.

    Hamas spokesman Hazem Qassem said the discovery of the body “confirms Hamas’s commitment to all the requirements of the ceasefire agreement”.

    The retrieval of Gvili clears the way for Israel and Hamas to advance to the second phase of US President Donald Trump’s peace plan.

    Phase two is meant to involve the reconstruction and full demilitarisation of Gaza, including the disarmament of Hamas and other Palestinian groups.

    Israel had resisted moving forward until Gvili was found.

    In a statement, the Israel Defense Forces said: “According to the information and intelligence available to us, Sgt Maj (res) Ran Gvili… a Yamam commando fighter, aged 24 at the time of his death, fell in battle on the morning of October 7, 2023, and his body was abducted to the Gaza Strip.

    “The IDF shares in the family’s grief. The IDF will continue to accompany the families and the returned hostages and to act to strengthen the security of Israel’s citizens.

    “With this, all of the hostages from the Gaza Strip area have been returned.”

    Some 251 hostages were taken in the Hamas-led attack on Israel on 7 October 2023 in which about 1,200 people were killed. Most of the hostages were released alive over the course of the next two years in exchange for 250 Palestinian prisoners and 1,718 detainees from Gaza.

    Israel’s military campaign in Gaza, launched in response to the attack, has killed 71,660 Palestinians, the Hamas-run health ministry has said.


