Summary (Bottom Line Up Front)
A threat actor operating from IP 185.177.72.61 conducted systematic reconnaissance against web applications, attempting to access sensitive configuration files (including `.env.default` files and Git repository metadata) over a 21-day period ending April 8, 2026 at 06:00. This medium-severity activity is typical pre-attack information gathering (85% confidence). Organizations should immediately audit for exposed configuration files and implement appropriate access controls.
Activity Timeline
UPDATE 1: 2026-04-08T06:37:52Z
Source: Analyst Manual Entry
A threat actor operating from IP 185.177.72.61 conducted systematic reconnaissance against web applications, attempting to access sensitive configuration files (including `.env.default` files and Git repository metadata) over a 21-day period ending April 8, 2026 at 06:00. This medium-severity activity is typical pre-attack information gathering (85% confidence). Organizations should immediately audit for exposed configuration files and implement appropriate access controls.
New findings
The campaign generated 3,950 events targeting HTTP services, primarily Local File Inclusion (LFI) style requests for sensitive configuration paths. Attack patterns included attempts to access `.git/config` and `.env.default` files and directory traversal techniques, mapped to MITRE T1083 (File and Directory Discovery). The threat actor used automated scanning tools, including l9explore and LeakIX scanners, and secondary SMTP probing activity was observed. All malicious traffic originated from ASN AS198697 (YUFLY TELECOM SL) in France; the source IP holds an AbuseIPDB abuse confidence score of 100/100, indicating established malicious activity.
Recommendations
- Block IP 185.177.72.61 and monitor for additional activity from ASN AS198697 (YUFLY TELECOM SL)
- Audit web applications for exposed .git directories, .env files, and other sensitive configuration data accessible via HTTP
- Implement web application firewalls with rules to detect and block directory traversal and LFI attempts
- Review server configurations to ensure development and configuration files are not accessible from public-facing web directories
- Monitor for reconnaissance patterns targeting file discovery techniques (MITRE T1083) as potential precursors to more sophisticated attacks
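As an added example (not part of the report), the following Python script shows one way to implement the last two recommendations at the log level: it parses combined-format web access logs, flags requests for the paths the report names (`.git/config`, `.env.default`, `/build/.env`) and for `../` traversal segments that survive percent-decoding, notes scanner User-Agents, and separates a mere probe from an exposure (a 2xx on a sensitive path). The log lines are constructed for this example, and the User-Agent strings attributed to l9explore and LeakIX are an assumption, not captured tool output.

```python
"""Flag web requests that probe for .git and .env material (an added example,
not part of the report), over constructed sample log lines."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Path signatures for what the report describes: .git metadata, .env variants
# such as .env.default and /build/.env, and "../" traversal segments. This is
# a starting point for a WAF/SIEM rule, not an exhaustive list.
SENSITIVE_PATH_RE = re.compile(
    r'(?:^|/)\.git(?:/|$)'          # git metadata directory
    r'|(?:^|/)\.env(?:[.\w-]*)?$'   # .env, .env.default, .env.local, ...
    r'|(?:^|/)\.\.(?:/|$)',         # traversal segment surviving in the path
    re.IGNORECASE,
)

# The scanner names come from the report; the exact User-Agent strings the
# tools send are an assumption made for this example.
SCANNER_UA_RE = re.compile(r'l9explore|leakix', re.IGNORECASE)

# Constructed sample lines (not from the incident). 203.0.113.10 is a
# documentation address used here as benign traffic.
SAMPLE_LOG = """\
185.177.72.61 - - [18/Mar/2026:02:14:07 +0000] "GET /build/.env HTTP/1.1" 404 162 "-" "l9explore/1.3.0"
185.177.72.61 - - [18/Mar/2026:02:14:09 +0000] "GET /.git/config HTTP/1.1" 403 199 "-" "l9explore/1.3.0"
185.177.72.61 - - [18/Mar/2026:02:14:11 +0000] "GET /.env.default HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; l9explore)"
185.177.72.61 - - [18/Mar/2026:02:14:13 +0000] "GET /static/..%2F..%2Fbuild/.env HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.10 - - [18/Mar/2026:02:15:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def normalize_path(target: str) -> str:
    """Drop the query string and percent-decode twice so that encoded
    traversal (..%2F, %252e%252e) is visible to the signature."""
    return unquote(unquote(target.split('?', 1)[0]))


def classify(line: str):
    """Return a dict for a probe, or None for a benign or unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize_path(m['target'])
    tags = []
    if SENSITIVE_PATH_RE.search(path):
        tags.append('T1083:sensitive-path')
    if SCANNER_UA_RE.search(m['ua']):
        tags.append('scanner-ua')
    if not tags:
        return None
    status = int(m['status'])
    return {
        'ip': m['ip'], 'path': path, 'status': status, 'tags': tags,
        # A 2xx on a sensitive path means the server served the file: that is
        # an exposure to rotate credentials for, not just a probe to block.
        'exposed': status // 100 == 2 and 'T1083:sensitive-path' in tags,
    }


def analyze(lines):
    """Aggregate per source IP: probe count, distinct paths, exposed paths."""
    report = defaultdict(lambda: {'probes': 0, 'paths': set(), 'exposed': []})
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        entry = report[hit['ip']]
        entry['probes'] += 1
        entry['paths'].add(hit['path'])
        if hit['exposed']:
            entry['exposed'].append(hit['path'])
    return dict(report)


if __name__ == '__main__':
    for ip, entry in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {entry['probes']} probes, {len(entry['paths'])} distinct paths,"
              f" exposed={entry['exposed']}")
```

Decoding twice before matching matters: a single decode leaves `%252F` as `%2F`, which hides the traversal from the signature. The `exposed` flag is what decides whether the credential-rotation step in the initial report's recommendations applies; probes that received 403 or 404 only tell you the scanner was looking.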
INITIAL REPORT: 2026-03-18T11:27:54Z
Source: Analyst Manual Entry
High-severity automated reconnaissance activity detected from 185.177.72.61 (YUFLY TELECOM SL/France) targeting sensitive environment configuration files via Local File Inclusion (LFI) techniques. The attacker specifically targeted /build/.env files containing application secrets and credentials, representing significant information disclosure risk. Immediate blocking and environment file security review recommended.
Technical details
- Source: 185.177.72.61 (AS198697 YUFLY TELECOM SL, France)
- Activity Window: 2026-03-18 02:00 - 07:00 UTC (5-hour campaign)
- Attack Volume: 100 events targeting LFI vectors and vulnerability scanning
- Primary Techniques: Local File Inclusion (T1083 - File and Directory Discovery)
- Target Focus: Environment configuration files (/build/.env) containing sensitive credentials
- Infrastructure: Linux-based system with SSH (22) and NTP (123) services exposed
- Threat Assessment: AbuseIPDB score 100/100, established malicious infrastructure
- Scanner Profile: l9explore automated reconnaissance tool
IOCs
- IP: 185.177.72.61
- ASN: 198697
- Country: FR
Recommendations
- Block 185.177.72.61 and monitor for additional IPs from AS198697 YUFLY TELECOM SL
- Audit web application file permissions to prevent unauthorized access to .env and configuration files
- Implement web application firewall rules to detect and block LFI attack patterns
- Review server configurations to ensure sensitive files are outside web-accessible directories
- Monitor logs for successful access to environment files and rotate any potentially exposed credentials
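The audit recommendations in both entries (exposed `.env` files, `.git` directories and other configuration data under the document root) can be checked from the server side rather than by probing over HTTP. The following Python script is an added example, not part of the report: it walks a document root, reports any `.git`, `.env*` and similar artefacts relative to that root, and builds a throwaway demo tree mirroring the paths the report names (`/build/.env`, `.env.default`, `.git/config`). The extra patterns beyond `.git` and `.env*` are an assumption of this example.

```python
"""Audit a document root for files that must not be web-accessible (an added
example, not part of the report), run against a constructed demo tree."""
import fnmatch
import os
import tempfile
from pathlib import Path

# Names that should never live under a public document root. .git and .env*
# are the ones the report shows being probed; the rest are the same family of
# VCS/build/backup artefacts and are an assumption of this example.
SENSITIVE_DIRS = {'.git', '.svn', '.hg'}
SENSITIVE_FILE_GLOBS = ('.env', '.env.*', '*.bak', '*.sql', '*.pem', '*.key')


def is_sensitive(name: str, is_dir: bool) -> bool:
    """True if a directory or file name matches the sensitive-name policy."""
    if is_dir:
        return name in SENSITIVE_DIRS
    return any(fnmatch.fnmatch(name, pat) for pat in SENSITIVE_FILE_GLOBS)


def audit_webroot(docroot) -> list:
    """Return sorted (relative_path, kind) findings under docroot.
    A matching directory is reported once and not descended into."""
    root = Path(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        for d in list(dirnames):
            if is_sensitive(d, True):
                findings.append(((here / d).relative_to(root).as_posix(), 'dir'))
                dirnames.remove(d)  # prune: the finding covers its contents
        for f in filenames:
            if is_sensitive(f, False):
                findings.append(((here / f).relative_to(root).as_posix(), 'file'))
    return sorted(findings)


def build_demo_root() -> str:
    """Create a throwaway document root mirroring the report's target paths
    (/build/.env, .env.default, .git/config) next to legitimate content.
    All contents are constructed placeholders."""
    root = Path(tempfile.mkdtemp(prefix='webroot-'))
    (root / 'build').mkdir()
    (root / '.git').mkdir()
    (root / 'assets').mkdir()
    (root / 'index.html').write_text('<h1>hello</h1>\n')
    (root / 'assets' / 'app.css').write_text('body{}\n')
    (root / 'build' / '.env').write_text('DB_PASSWORD=example-placeholder\n')
    (root / '.env.default').write_text('APP_ENV=production\n')
    (root / '.git' / 'config').write_text('[core]\n\trepositoryformatversion = 0\n')
    return str(root)


if __name__ == '__main__':
    for rel, kind in audit_webroot(build_demo_root()):
        print(f'{kind:4} {rel}')
```

Run it against the real document root (for example `audit_webroot('/var/www/html')`) from a cron job or CI step; a non-empty result means the corresponding web-server deny rule for dotfiles is the only thing standing between the scanner and the secrets, and the file should be moved out of the root regardless.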