141.98.83.86

Summary (Bottom Line Up Front)

A Windows-based threat actor operating from Romanian hosting provider Flyservers S.A. (141.98.83.86) conducted an intensive multi-protocol scanning campaign between March 29-April 4, 2026, generating over 94,000 malicious events targeting RDP, SSH, and industrial control systems. The activity represents opportunistic reconnaissance with medium threat severity, including concerning ICS-targeted probes. Network defenders should immediately block this IP and review logs for similar scanning patterns.

Protocol tags: Diameter, MySQL, RDP, SIP, SSH, TCP, auto, http
Activity Timeline
INITIAL REPORT 2026-04-04T14:39:01Z
Source: Analyst Manual Entry
Technical details
The threat actor leveraged a Windows 10 build 14393 system with multiple exposed services (RDP/3389, WinRM/5985, SMB/445) to conduct broad-spectrum reconnaissance. Primary attack vectors included RDP scanning via x224_request packets (26,056 events), SSH banner enumeration (5 events), and notably two high-severity ICS attacks targeting port 9001 with COTP connection requests containing payload "030000130ee0". The campaign spanned 7 protocols across 6 unique destination ports, indicating automated tooling for infrastructure discovery. The source IP maintains a maximum AbuseIPDB reputation score of 100/100, confirming established malicious activity. Attack patterns align with T1046 (Network Service Scanning) in the MITRE ATT&CK framework, representing Discovery phase tactics.
IOCs
IP: 141.98.83.86
ASN: 209588
Country: RO
Recommendations
  • Block IP 141.98.83.86 at perimeter firewalls and add AS209588 (Flyservers S.A.) to enhanced monitoring lists
  • Review RDP exposure and implement network-level access controls, disabling direct internet-facing RDP where possible
  • Examine logs between March 29-April 4, 2026 for similar scanning patterns targeting ports 3389, 22, and 9001
  • Implement additional monitoring for ICS/SCADA protocols, particularly S7comm traffic on non-standard ports
  • Deploy rate-limiting and connection throttling for remote access services to mitigate future scanning campaigns