129.212.181.84

Summary (Bottom Line Up Front)

A DigitalOcean-hosted IP address (129.212.181.84) conducted extensive VNC scanning operations against network infrastructure from March 31 to April 3, 2026, generating nearly 200,000 security events. This represents low-sophistication reconnaissance activity with no observed exploitation attempts. Network defenders should verify VNC service exposure and implement appropriate access controls.

Tags: BACnet, TCP, TCP/SYN, VNC
Activity Timeline
Initial report: 2026-04-02T23:23:16Z
Source: Analyst Manual Entry
Technical details
The threat actor operated from a Linux system hosted on DigitalOcean infrastructure in Broomfield, US; the address carried the maximum AbuseIPDB reputation score, indicating previously reported malicious activity. The observed traffic consisted exclusively of VNC protocol version exchange requests, 33,778 scanning attempts in total across the 4-day observation period. The activity maps to MITRE ATT&CK technique T1046 (Network Service Scanning) under the Discovery tactic. Protocols observed were VNC, TCP, and BACnet, with the activity targeting remote desktop services. No CVEs were exploited and no zero-day indicators were detected during the campaign.
IOCs
IP: 129.212.181.84
Country: US
Recommendations
  • Block traffic from 129.212.181.84 and monitor for additional scanning activity from the 129.212.0.0/16 DigitalOcean subnet
  • Audit all VNC services for unnecessary internet exposure and implement network segmentation where remote access is required
  • Deploy rate limiting and connection throttling on VNC ports (typically 5900-5906) to mitigate automated scanning
  • Enable enhanced logging for VNC connection attempts and integrate alerts for suspicious authentication patterns
  • Consider implementing VPN or zero-trust access controls for legitimate remote desktop requirements
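As an added example that is not part of this report, the following Python script turns the logging recommendation above into a detection: it reads connection records in an assumed key=value format (the sample lines are constructed, not real logs), treats a flow to a VNC port that carried no more than the 12-byte RFB version banner in either direction as a version probe, and alerts on sources that repeat this against several hosts.

```python
"""Flag sources whose VNC connections stop at the RFB version exchange.
Added example; assumes constructed key=value connection records where
"out" is server->client bytes and "in" is client->server bytes.
"""
from collections import defaultdict
import re

VNC_PORTS = range(5900, 5907)   # the 5900-5906 range named in the report
RFB_BANNER_LEN = 12             # len(b"RFB 003.008\n"), the version banner
PROBE_THRESHOLD = 5             # probes from one source before alerting

# Constructed sample records (not real log data). The scanner IP is the one
# named in the report; all other addresses are placeholder private ranges.
SAMPLE_LOG = """\
ts=2026-04-01T03:12:44Z src=129.212.181.84 dst=10.0.1.10 dport=5900 in=12 out=12
ts=2026-04-01T03:12:45Z src=129.212.181.84 dst=10.0.1.11 dport=5900 in=12 out=12
ts=2026-04-01T03:12:45Z src=129.212.181.84 dst=10.0.1.12 dport=5901 in=12 out=12
ts=2026-04-01T03:12:46Z src=129.212.181.84 dst=10.0.1.13 dport=5900 in=0 out=12
ts=2026-04-01T03:12:47Z src=129.212.181.84 dst=10.0.1.14 dport=5902 in=12 out=12
ts=2026-04-01T09:00:01Z src=10.0.2.50 dst=10.0.1.10 dport=5900 in=48210 out=917366
ts=2026-04-01T09:05:12Z src=10.0.2.51 dst=10.0.1.20 dport=443 in=5120 out=2048
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) in=(\d+) out=(\d+)")

def is_version_probe(dport, bytes_in, bytes_out):
    """True when the flow hit a VNC port and never got past the RFB banner."""
    if dport not in VNC_PORTS:
        return False
    # A real session exchanges far more than the banner in both directions.
    return bytes_out <= RFB_BANNER_LEN and bytes_in <= RFB_BANNER_LEN

def find_vnc_scanners(log_text, threshold=PROBE_THRESHOLD):
    """Return {src: (probe_count, distinct_targets)} for sources at/over threshold."""
    targets = defaultdict(set)
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport, b_in, b_out = m.groups()
        if is_version_probe(int(dport), int(b_in), int(b_out)):
            counts[src] += 1
            targets[src].add(dst)
    return {s: (counts[s], len(targets[s])) for s in counts if counts[s] >= threshold}

if __name__ == "__main__":
    for src, (n, hosts) in find_vnc_scanners(SAMPLE_LOG).items():
        print(f"ALERT T1046: {src} made {n} VNC version probes against {hosts} hosts")
```

Feed the same function your own connection logs (adjusting LINE_RE to their field names) and tune PROBE_THRESHOLD to the normal VNC connection rate on your network so that legitimate reconnects do not trip it.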