Our sensors detected sustained automated probe activity from IP 79.124.62.134 (Bulgaria/AS207812) between April 1-June 9, 2026, targeting multiple network services including MySQL. This appears to be low-sophistication scanning traffic from known malicious infrastructure with minimal immediate threa…
IP Threat Advisories
263 posts
Iranian-origin threat actor at 81.30.98.144 conducted sustained SMTP credential harvesting operations targeting mail infrastructure over 17-day period, generating 174,000+ malicious events with focus on authentication bypass. Campaign demonstrates persistent reconnaissance and credential capture cap…
Malicious activity detected from 93.123.109.127 (NL, AS48090). 629 events observed across SMTP, TCP. AI verdict: NOISE.
An IP address from Düsseldorf, Germany (178.16.54.22) has been observed engaging in credential capture attempts and SMTP probing over a three-day period. The activity is assessed as noise but warrants attention due to the high volume of login attempts. Network defenders should implement or review th…
An IP address (81.30.98.44) has been observed engaging in credential capture attempts and SMTP probing activities over a period of 7 days, primarily targeting port 25/TCP. The activity is assessed as a noise-level threat with no confirmed CVEs or zero-day exploits; however, network defenders should re…
Malicious activity detected from 116.102.39.187 (VN, ASNone). 65038 events observed across Diameter, MySQL, SMB, TCP, TCP/SYN. AI verdict: MEDIUM.
Malicious activity detected from 81.30.98.207 (LT, AS209425). 73829 events observed across Diameter, MySQL, SMTP, TCP, TCP/SYN. AI verdict: NOISE.
Malicious activity detected from 94.26.106.30 (DE, AS48452). 273 events observed across ADB, TCP, TCP/SYN, http. AI verdict: NOISE.
An IP address (81.30.98.181) from Iran has been observed conducting SMTP AUTH probes and credential capture attempts over a period of five days in May 2026. The activity is assessed as noise, but network defenders should review their SMTP configurations and implement additional authentication measur…
Malicious activity detected from 103.210.21.242 (HK, AS135377). 152 events observed across SSH, TCP, TCP/SYN. AI verdict: NOISE.
Malicious activity detected from 83.168.69.197 (PL, AS202520). 12110 events observed across ADB, TCP. AI verdict: NOISE.
Malicious activity detected from 62.60.130.169 (LT, AS59441). 237156 events observed across SMTP, TCP. AI verdict: NOISE.
An IP address from Luxembourg (64.89.160.43) has been observed conducting repeated SMTP AUTH probes and credential capture attempts over a period of 7 days. The activity is assessed as low to moderate threat level due to the lack of novel techniques or payloads, but network defenders should remain v…
A low-severity TCP-based reconnaissance event was detected from IP 78.128.112.215 targeting port 8080. No exploit payloads or CVE-specific activity were observed. Network defenders should capture PCAP data and apply rate-limiting measures if the scanning persists.
A suspicious IP address (130.12.180.65) from Germany has been observed conducting reconnaissance and potential exploitation attempts targeting TCP port 5555 associated with Android Debug Bridge (ADB). The threat level is assessed as MEDIUM, indicating a need for network defenders to investigate and …
An automated credential capture attempt was detected originating from IP 121.102.38.87 in Kyoto, Japan, targeting port 8080 over a two-hour period. The attack is assessed as noise with no associated CVEs or zero-day exploits, and poses minimal risk to networks.
An ADB (Android Debug Bridge) attack was observed originating from IP 162.240.226.121 in the US, targeting common ports and exhibiting standard payload behavior. The threat level is assessed as low to medium due to known patterns and no identified zero-day activity.
Malicious activity detected from 185.150.191.165 (US, AS23470). 4719 events observed across HTTP, HTTPS, TCP, TCP/SYN, TLS. AI verdict: NOISE.
IP address 66.132.172.138 conducted extensive multi-protocol reconnaissance over 42 days (April 2-May 14, 2026), generating 667 security events targeting industrial control systems, Kubernetes infrastructure, and network services. Despite high-severity exploit signatures, this activity is assessed a…
Automated SSH brute force activity observed from IP 175.118.127.138 (Seoul, South Korea) targeting network infrastructure with root credential attacks over a 12-day period. Assessed as low-to-medium-threat opportunistic scanning with standard attack patterns. Recommend implementing SSH hardeni…
Malicious activity detected from 45.205.1.8 (BR, ASNone). 4652 events observed across ADB, HTTP, TCP, TCP/SYN, TLS. AI verdict: NOISE.
An IP address from Germany (45.135.194.83) has been observed conducting repeated ADB connection attempts and exploit activities over a two-month period. The threat level is assessed as low due to the lack of malicious payloads or unusual behavior, but network defenders should remain vigilant.
An IP address from Bulgaria (79.124.40.174) has been observed conducting HTTP GET requests to actuator endpoints across multiple systems since March 25, 2026. The activity is assessed as low threat but indicative of scanning behavior targeting potential vulnerabilities. Network defenders should moni…
Malicious activity detected from 66.132.172.16 (US, ASNone). 875 events observed across BACnet, EtherNet/IP, TCP, TCP/SYN. AI verdict: NOISE.
Two byte-perfect qassam-315 PoC firings on the public-internet sensor (2026-05-06 + 2026-05-07), one literally CVE-named scanner from FPT Vietnam, and four UA-rotation evasion campaigns from Hosteons SG, Algeria Telecom, Deutsche Telekom DSL, and China Unicom. No state-actor (CL-STA-1132) traces — a…