Threat actors are targeting LLMs in a widespread reconnaissance campaign that could be the first step in cyberattacks on exposed AI models, according to security researchers.
The attackers scanned for every major large language model (LLM) family, including OpenAI-compatible and Google Gemini API formats, looking for “misconfigured proxy servers that might leak access to commercial APIs,” according to research from GreyNoise, whose honeypots picked up 80,000 of the enumeration requests from the threat actors.
“Threat actors don’t map infrastructure at this scale without plans to use that map,” the researchers said. “If you’re running exposed LLM endpoints, you’re likely already on someone’s list.”
LLM Reconnaissance Targets ‘Every Major Model Family’
The researchers said the threat actors were probing “every major model family,” including:
- OpenAI (GPT-4o and variants)
- Anthropic (Claude Sonnet, Opus, Haiku)
- Meta (Llama 3.x)
- DeepSeek (DeepSeek-R1)
- Google (Gemini)
- Mistral
- Alibaba (Qwen)
- xAI (Grok)
The campaign began on December 28, when two IPs “launched a methodical probe of 73+ LLM model endpoints,” the researchers said. In a span of 11 days, they generated 80,469 sessions, “systematic reconnaissance hunting for misconfigured proxy servers that might leak access to commercial APIs.”
Test queries were “deliberately innocuous with the likely goal to fingerprint which model actually responds without triggering security alerts” (image below).
The two IPs behind the reconnaissance campaign were: 45.88.186.70 (AS210558, 1337 Services GmbH) and 204.76.203.125 (AS51396, Pfcloud UG).
GreyNoise said both IPs have “histories of CVE exploitation,” including attacks on the “React2Shell” vulnerability CVE-2025-55182, TP-Link Archer vulnerability CVE-2023-1389, and more than 200 other vulnerabilities.
The researchers concluded that the campaign was a professional threat actor conducting reconnaissance operations to discover cyberattack targets.
“The infrastructure overlap with established CVE scanning operations suggests this enumeration feeds into a larger exploitation pipeline,” the researchers said. “They’re building target lists.”
Second LLM Campaign Targets SSRF Vulnerabilities
The researchers also detected a second campaign targeting server-side request forgery (SSRF) vulnerabilities, which “force your server to make outbound connections to attacker-controlled infrastructure.”
The attackers targeted the honeypot infrastructure’s model pull functionality by injecting malicious registry URLs to force servers to make HTTP requests to the attacker’s infrastructure, and they also targeted Twilio SMS webhook integrations by manipulating MediaUrl parameters to trigger outbound connections.
The attackers used ProjectDiscovery’s Out-of-band Application Security Testing (OAST) infrastructure to confirm successful SSRF exploitation through callback validation.
A single JA4H signature appeared in almost all of the attacks, “pointing to shared automation tooling—likely Nuclei.” 62 source IPs were spread across 27 countries, “but consistent fingerprints indicate VPS-based infrastructure, not a botnet.”
The researchers concluded that the second campaign was likely security researchers or bug bounty hunters, but they added that “the scale and Christmas timing suggest grey-hat operations pushing boundaries.”
The researchers noted that the two campaigns “reveal how threat actors are systematically mapping the expanding surface area of AI deployments.”
LLM Security Recommendations
The researchers recommended that organizations “Lock down model pulls … to accept models only from trusted registries. Egress filtering prevents SSRF callbacks from reaching attacker infrastructure.”
Organizations should also detect enumeration patterns and “alert on rapid-fire requests hitting multiple model endpoints,” watching for fingerprinting queries such as “How many states are there in the United States?” and “How many letter r…”
They should also block OAST at DNS to “cut off the callback channel that confirms successful exploitation.”
Organizations should also rate-limit suspicious ASNs, noting that AS152194, AS210558 and AS51396 “all appeared prominently in attack traffic,” and they should also monitor JA4 fingerprints.