Summary (Bottom Line Up Front)
A threat actor operating from 104.243.34.165 conducted an 18-day reconnaissance campaign targeting hidden environment files and multiple network services, generating 2,504 malicious events between April 4-22, 2026. The activity shows systematic information gathering consistent with credential harvesting operations, with a particular focus on exposed configuration files containing sensitive data. Organizations should immediately audit their exposure of environment files and implement enhanced monitoring for reconnaissance activity.
Activity Timeline
INITIAL REPORT 2026-04-22T10:25:42Z
Source: Analyst Manual Entry
Technical details
Source: 104.243.34.165 (AS23470 ReliableSite.Net LLC, Piscataway, US)
Campaign Duration: April 4, 2026 04:00 - April 22, 2026 06:00
Attack Volume: 2,504 events across HTTP, HTTPS, TCP, and TLS protocols
Primary Techniques: T1552.001 (Unsecured Credentials: Credentials In Files)
Kill Chain Phase: Reconnaissance
Target Ports: 22 (SSH), 25 (SMTP), 80 (HTTP), 587 (SMTP-TLS), 3080 (Web), 9001 (Custom)
Key Indicators: Requests for hidden environment files (.env), active threat intelligence correlation, systematic port scanning behavior
Threat Classification: Known malicious IP (AbuseIPDB: 100/100) with established poor reputation across threat intelligence feeds
IOCs
IP: 104.243.34.165
ASN: 23470
COUNTRY: US
Recommendations
- Immediately block 104.243.34.165 at network perimeter and review logs for successful connections to this IP
- Conduct audit of web applications and services to identify exposed environment files (.env, .config) and remove from public access
- Implement monitoring rules to detect requests for common configuration file patterns (/.env, /config/, /.git/)
- Review and rotate any credentials that may have been exposed in environment files or configuration directories
- Deploy enhanced logging for reconnaissance activities targeting ports 3080, 9001, and other non-standard web services
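The third recommendation above calls for monitoring rules that flag requests for common configuration-file paths. The following is an added detection example, not part of the original report: it parses web-server access-log lines in the common "combined" format, flags requests whose path matches the patterns the report names (/.env, /config/, /.git/), escalates any hit that the server answered with a 2xx (the file was actually served, not just probed), and counts hits per source address so a scanning host stands out. The log lines and IP addresses are constructed for the example (RFC 5737 documentation ranges), and the `.env.*` variant and the served/not-served severity split are my assumptions rather than details from the report.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache/Nginx "combined" format.
# These are not real traffic and the addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Apr/2026:06:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Apr/2026:06:00:02 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Apr/2026:06:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Apr/2026:06:00:04 +0000] "GET /config/database.yml?x=1 HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [22/Apr/2026:06:00:05 +0000] "GET /.env.backup HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths named in the report's recommendations (/.env, /config/, /.git/).
# The ".env.<suffix>" variant (e.g. /.env.backup) is an assumption added here;
# the pattern deliberately does not match unrelated names such as /.environment.
SENSITIVE_PATH_RE = re.compile(
    r'^/(?:\.env(?:[./]|$)|config(?:/|$)|\.git(?:/|$))', re.IGNORECASE
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string so matching is done on the path alone.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def detect_config_probes(log_text):
    """Return the parsed records whose request path targets a sensitive config location."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not SENSITIVE_PATH_RE.match(rec["path"]):
            continue
        # A 2xx response means the file was served: that is an exposure, not just a probe.
        rec["severity"] = "critical" if 200 <= rec["status"] < 300 else "medium"
        hits.append(rec)
    return hits


def summarize_by_source(hits, threshold=2):
    """Count sensitive-path hits per source IP and keep sources at or above the threshold."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = detect_config_probes(SAMPLE_LOG)
    for h in found:
        print(f'{h["severity"]:8} {h["ip"]:15} {h["status"]} {h["method"]} {h["path"]}')
    print("sources over threshold:", summarize_by_source(found))
```

In production the same logic would run over a log pipeline rather than a string, and the per-source count would be windowed in time; the important design choice is treating a successful (2xx) response to one of these paths as a confirmed exposure that triggers the credential-rotation step in the recommendations, rather than as just another scan event.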