Researchers have documented a widespread campaign against industrial controllers that had been inadvertently exposed to the public internet. What looked like routine Modbus/TCP queries was not merely indiscriminate scanning, but deliberate attempts to work out the controllers' operating logic, exhaust their resources, or quietly manipulate register values.
According to a technical report by Cato Networks researchers Guy Weizel and Jakub Osmani, this suspicious activity reached 14,426 IP addresses across 70 countries between September and November 2025. The United States was the most heavily targeted country, followed by France and Japan; together, the ten most affected countries accounted for 86% of the documented exposure.
The Modbus protocol was originally designed for isolated industrial networks rather than the open internet. Once a Programmable Logic Controller (PLC) is reachable from the internet, an adversary can move quickly from reconnaissance to active exploitation: identifying the specific make and model, reading out register data, or, if write access is permitted, altering the parameters that govern the integrity of physical processes.
The most prevalent activity was reading holding registers via function 0x03. Over the three-month observation period, Cato Networks documented approximately 235,500 such requests from 233 unique IP addresses. Nearly half of these sources were already known from existing security telemetry, which points to a broader pattern of malicious activity.
Certain behavioral sequences showed greater precision. Some sources first requested device identification and then read a fixed range of registers, a pairing characteristic of automated scripts that classify the PLC and then harvest model-specific data.
The researchers also described an attack profile consistent with denial-of-service intent. A single source sent roughly 158,100 rapid-fire requests to one target, repeatedly attempting to read the maximum permissible number of registers. Although the precise impact on the controller was not empirically verified, a flood of this volume is known to severely impede the processing of legitimate operational commands.
The most critical threat took the form of 3,240 write-register commands originating from a single IP address. These commands consistently started at address 0x0BB8 and spanned between 27 and 122 registers, a signature that Cato Networks characterizes as a hallmark of automated probing or malicious manipulation.
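As an added example (not code from the Cato Networks report or this page), the following Python detector parses Modbus/TCP frames and flags the three behaviours described above: a flood of maximum-size holding-register reads, multi-register writes starting at 0x0BB8 and spanning 27 to 122 registers, and a device-identification request immediately followed by a register read. The 125-register limit for function 0x03 comes from the Modbus specification; the 1,000-request flood threshold and the sample traffic are constructed for the example.

```python
import struct

MAX_READ_REGS = 125      # spec maximum for one function 0x03 (read holding registers) request
PROBE_START = 0x0BB8     # start address of the write commands reported by Cato Networks
PROBE_SPAN = (27, 122)   # register span of those write commands, as reported

def mbap(pdu, unit=1, tid=1):
    """Wrap a PDU in a Modbus/TCP MBAP header: transaction id, protocol 0, length, unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def read_holding(start, count):                 # function 0x03
    return mbap(struct.pack(">BHH", 0x03, start, count))

def write_multiple(start, count):               # function 0x10, register values zero-filled
    return mbap(struct.pack(">BHHB", 0x10, start, count, count * 2) + bytes(count * 2))

def read_device_id():                           # function 0x2B, MEI type 0x0E, basic id block
    return mbap(bytes([0x2B, 0x0E, 0x01, 0x00]))

def parse(frame):
    """Return (function, start, count); start and count are None for other functions."""
    _, _, length, _ = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:6 + length]                   # length counts the unit id byte plus the PDU
    if pdu[0] in (0x03, 0x10):
        start, count = struct.unpack(">HH", pdu[1:5])
        return pdu[0], start, count
    return pdu[0], None, None

def classify_source(frames, flood_threshold=1000):
    """Label one source's traffic toward one PLC (frames in arrival order)."""
    parsed = [parse(f) for f in frames]
    labels = set()
    # Rule 1: many maximum-size reads from one source, the saturation pattern in the report
    if sum(1 for f, _, c in parsed if f == 0x03 and c == MAX_READ_REGS) >= flood_threshold:
        labels.add("max-size read flood")
    # Rule 2: writes that start at 0x0BB8 and span 27..122 registers
    for f, s, c in parsed:
        if f == 0x10 and s == PROBE_START and PROBE_SPAN[0] <= c <= PROBE_SPAN[1]:
            labels.add("write probe at 0x0BB8")
    # Rule 3: device identification immediately followed by a register read
    funcs = [f for f, _, _ in parsed]
    if any(a == 0x2B and b == 0x03 for a, b in zip(funcs, funcs[1:])):
        labels.add("identify-then-read")
    return labels

# Constructed traffic samples (assumed, not captured data): one per behaviour plus a benign one
FLOOD = [read_holding(0, MAX_READ_REGS)] * 1200
PROBE = [write_multiple(PROBE_START, 40), write_multiple(PROBE_START, 122)]
FINGERPRINT = [read_device_id(), read_holding(0, 16)]
BENIGN = [read_holding(100, 10)] * 5
```

Running `classify_source` over each sample set returns the matching label, and an empty set for the benign reads; in practice the frames would come from a network capture or Modbus-aware IDS.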
Manufacturing organizations made up the largest group of targets, representing 18% of the sample, with healthcare, construction, technology, and municipal infrastructure also among those affected. The report's authors strongly advise against exposing Modbus interfaces to the internet, recommending instead strict isolation of OT (Operational Technology) networks and restriction of access to verified, trusted sources only.