Summary (Bottom Line Up Front)
External threat actor 109.95.35.130 conducted sustained SMBv1 reconnaissance over a 15-day period (March 4-19, 2026), probing network infrastructure for the deprecated SMBv1 protocol. The assessment is a HIGH threat level with 85% confidence, because SMBv1 is associated with wormable exploits and the activity is consistent with preparation for lateral movement. Immediate SMBv1 protocol hardening and enhanced monitoring of SMB traffic are recommended.
Activity Timeline
INITIAL REPORT 2026-03-21T15:24:29Z
Source: Analyst Manual Entry
Technical details
The threat actor generated 22 security events using the SMB, TCP, and TCP/SYN protocols against 2 unique destination ports between March 4 05:00 and March 19 17:00 UTC. The primary activity consisted of SMBv1 service detection (11 instances), SMBv1 protocol usage (2 instances), and NTLM authentication negotiation attempts (2 instances). The activity maps to MITRE ATT&CK technique T1135 (Network Share Discovery) in the Reconnaissance kill chain phase. Source IP 109.95.35.130 originates from Ukrainian infrastructure, has a low AbuseIPDB reputation score (4/100), and shows no sign of VPN masking.
IOCs
IP: 109.95.35.130
Country: UA
Recommendations
- Disable SMBv1 protocol across all Windows systems and network infrastructure immediately
- Implement enhanced logging and monitoring for SMB traffic, particularly focusing on external connection attempts
- Deploy network segmentation controls to restrict SMB protocol access from untrusted networks
- Conduct threat hunting for additional SMBv1 reconnaissance activity using similar TTPs across the environment
- Review and harden NTLM authentication configurations to prevent credential relay attacks
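As an added example for the monitoring and threat-hunting recommendations above (not part of the original report), the script below aggregates SMBv1-related sensor events per external source and flags sustained reconnaissance. The log format, signature names, internal address ranges and the thresholds (3 events over at least 7 days) are assumptions; the sample events are constructed.

```python
"""Added hunting example (not from the original report): aggregate SMBv1-related
events per external source and flag sustained reconnaissance (T1135)."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a hypothetical "timestamp src dst:port proto signature" format.
SAMPLE_LOG = """\
2026-03-04T05:00:00Z 109.95.35.130 10.0.0.5:445 SMB SMBv1_service_detection
2026-03-04T05:00:02Z 109.95.35.130 10.0.0.5:445 SMB NTLM_negotiate
2026-03-11T12:30:00Z 109.95.35.130 10.0.0.7:139 SMB SMBv1_protocol_usage
2026-03-19T17:00:00Z 109.95.35.130 10.0.0.5:445 SMB SMBv1_service_detection
2026-03-10T08:00:00Z 10.0.0.9 10.0.0.5:445 SMB SMBv1_service_detection
2026-03-12T09:00:00Z 198.51.100.20 10.0.0.5:445 SMB SMBv1_service_detection
"""
# Signature names are assumed; map them to your sensor's own rule names.
SMBV1_SIGNATURES = {"SMBv1_service_detection", "SMBv1_protocol_usage", "NTLM_negotiate"}
# Internal ranges are listed explicitly rather than via is_private(), which also
# treats documentation ranges such as 198.51.100.0/24 as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def parse_events(text):
    """Parse one event per line into dicts with a datetime, source, port and signature."""
    events = []
    for line in text.splitlines():
        ts, src, dst, _proto, sig = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
                       "port": int(dst.rsplit(":", 1)[1]), "sig": sig})
    return events

def summarize_external_smbv1(events, min_events=3, min_days=7):
    """Per external source: event count, ports, first-to-last span in days, and a
    'sustained' flag when both (assumed) thresholds are met."""
    per_src = defaultdict(list)
    for ev in events:
        if ev["sig"] in SMBV1_SIGNATURES and is_external(ev["src"]):
            per_src[ev["src"]].append(ev)
    report = {}
    for src, evs in per_src.items():
        first, last = min(e["ts"] for e in evs), max(e["ts"] for e in evs)
        span_days = (last - first).days
        report[src] = {"events": len(evs), "ports": sorted({e["port"] for e in evs}),
                       "first_seen": first.isoformat(), "last_seen": last.isoformat(),
                       "span_days": span_days, "technique": "T1135",
                       "sustained": len(evs) >= min_events and span_days >= min_days}
    return report

if __name__ == "__main__":
    for src, info in summarize_external_smbv1(parse_events(SAMPLE_LOG)).items():
        print(src, info)
```

Sources that exceed both thresholds are candidates for the hardening and segmentation steps listed above; internal sources are excluded here and should be hunted separately.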