Summary (Bottom Line Up Front)
Threat actor 185.247.137.224 conducted sustained multi-protocol reconnaissance activities over 65 days, targeting industrial control systems (Modbus), IoT infrastructure (MQTT), and web services across 7 unique ports. The campaign demonstrates systematic vulnerability scanning with particular focus on non-standard MQTT implementations, indicating potential preparation for IoT/OT network exploitation. Network defenders should implement enhanced monitoring for the identified protocols and review exposure of industrial control systems to internet-facing networks.
Activity Timeline
UPDATE 3 (2026-04-22T19:39:46Z)
Source: Analyst Manual Entry
Threat actor 185.247.137.224 conducted sustained multi-protocol reconnaissance activities over 65 days, targeting industrial control systems (Modbus), IoT infrastructure (MQTT), and web services across 7 unique ports. The campaign demonstrates systematic vulnerability scanning with particular focus on non-standard MQTT implementations, indicating potential preparation for IoT/OT network exploitation. Network defenders should implement enhanced monitoring for the identified protocols and review exposure of industrial control systems to internet-facing networks.
New findings
Attack Vector: Multi-protocol network reconnaissance
Duration: February 16, 2026 07:00 - April 22, 2026 15:00 (65 days)
Volume: 48 events across 7 destination ports
Protocols Observed: HTTP, HTTPS, MQTT, Modbus, TLS 1.0/1.2+, TCP
MITRE ATT&CK: T1046 (Network Service Scanning)
Kill Chain Phase: Reconnaissance
Key Findings:
- Malformed MQTT traffic targeting non-standard port 44818 with truncated payloads
- Industrial protocol scanning (Modbus) suggesting OT/ICS targeting
- HTTP scanner activity with bot-like user agents on port 30000
- Mixed TLS versions indicating broad compatibility testing
- OS fingerprint and ASN information could not be determined, suggesting deliberate operational security measures
IOCs
- IP Address: 185.247.137.224
- Payload Sample: "MQTT<" (truncated/malformed)
- User Agent Pattern: InternetMeasurement
Recommendations
- Monitor and restrict access to non-standard MQTT ports (particularly 44818) and implement MQTT protocol validation
- Review Modbus/industrial protocol exposure to external networks and implement network segmentation for OT environments
- Deploy enhanced logging for multi-protocol scanning patterns targeting ports 30000, 44818, and other non-standard service ports
- Implement rate limiting and behavioral analysis for reconnaissance activities spanning extended timeframes (60+ days)
- Validate TLS configurations and disable legacy TLS 1.0 where operationally feasible to reduce attack surface
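The monitoring recommendations above (MQTT protocol validation, attention to MQTT-shaped traffic on non-standard ports such as 44818, the "InternetMeasurement" user agent, and behavioral analysis of scanning that spans 60+ days) can be expressed as a small triage pass over sensor events. The following is an added example, not code from the report or its source platform; the event fields, thresholds and sample records are constructed, and the MQTT CONNECT layout and the 1883/8883 standard ports come from the MQTT specification and IANA registry rather than from this page.

```python
"""Added example, not the report's code: triage sensor events for the sustained multi-protocol recon
pattern above. Fields, thresholds and samples are constructed; 1883/8883 are the IANA MQTT ports."""
from collections import defaultdict
from datetime import datetime

STANDARD_MQTT_PORTS = {1883, 8883}

def is_malformed_mqtt(payload: bytes) -> bool:
    """MQTT-shaped bytes that are not a complete CONNECT (0x10, varint length, 0x00 0x04 'MQTT', level)."""
    if b"MQTT" not in payload:
        return False                       # not MQTT-shaped; other rules decide
    if len(payload) < 2 or payload[0] != 0x10:
        return True                        # the bare 'MQTT<' sample lands here: no fixed header
    rem, mult, i = 0, 1, 1
    while i < len(payload) and i <= 4:     # remaining-length varint, at most 4 bytes
        b = payload[i]; rem += (b & 0x7F) * mult; mult *= 128; i += 1
        if not b & 0x80:
            break
    else:
        return True                        # ran out of bytes inside the length field
    body = payload[i:]                     # variable header alone needs 10 bytes; shorter = truncated
    return (rem < 10 or len(body) < rem
            or body[:6] != b"\x00\x04MQTT" or body[6] not in (3, 4, 5))

def triage(events, min_ports=5, min_span_days=60):
    """Aggregate per source IP; return distinct ports, active span in days and the rules that fired."""
    per_src = defaultdict(lambda: {"ports": set(), "times": [], "findings": set()})
    for e in events:
        s = per_src[e["src"]]
        s["ports"].add(e["dport"])
        s["times"].append(datetime.fromisoformat(e["ts"].replace("Z", "+00:00")))
        if b"MQTT" in e["payload"]:        # MQTT-shaped traffic: validate it and check the port
            if is_malformed_mqtt(e["payload"]): s["findings"].add("malformed_mqtt")
            if e["dport"] not in STANDARD_MQTT_PORTS: s["findings"].add(f"mqtt_on_port_{e['dport']}")
        if e.get("ua") and "InternetMeasurement" in e["ua"]:   # user agent listed in the IOCs
            s["findings"].add("scanner_user_agent")
    out = {}
    for src, s in per_src.items():
        span = (max(s["times"]) - min(s["times"])).days
        if len(s["ports"]) >= min_ports and span >= min_span_days:
            s["findings"].add("sustained_multiport_recon")     # the 60+ day pattern flagged above
        out[src] = {"ports": len(s["ports"]), "span_days": span, "findings": sorted(s["findings"])}
    return out

SAMPLE_EVENTS = [   # constructed records spanning the reported 65-day window (not the report's telemetry)
    {"ts": "2026-02-16T07:00:00Z", "src": "185.247.137.224", "dport": 30000, "ua": "InternetMeasurement", "payload": b"GET /"},
    {"ts": "2026-03-02T11:15:00Z", "src": "185.247.137.224", "dport": 44818, "ua": None, "payload": b"MQTT<"},
    {"ts": "2026-03-20T09:30:00Z", "src": "185.247.137.224", "dport": 502, "ua": None, "payload": b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x01"},
    {"ts": "2026-04-01T02:00:00Z", "src": "185.247.137.224", "dport": 443, "ua": None, "payload": b"\x16\x03\x01"},
    {"ts": "2026-04-22T15:00:00Z", "src": "185.247.137.224", "dport": 80, "ua": "InternetMeasurement", "payload": b"GET /"},
]
```

Running `triage(SAMPLE_EVENTS)` flags the constructed source for a malformed MQTT payload, MQTT-shaped bytes on port 44818, the scanner user agent, and a 65-day, five-port footprint; a well-formed CONNECT on port 1883 from another source produces no findings.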
UPDATE 2 (2026-04-12T20:46:57Z)
Source: Analyst Manual Entry
IP address 185.247.137.224 conducted a sustained multi-protocol reconnaissance campaign from February 16 to April 8, 2026, targeting industrial control systems and IoT infrastructure through MQTT, Modbus, and HTTP scanning activities. This medium-severity threat demonstrates systematic vulnerability discovery techniques across 48 observed events spanning multiple protocols and non-standard ports. Network defenders should implement enhanced monitoring for industrial protocol traffic and consider blocking this IP address.
New findings
Attack Vector: Multi-protocol scanning campaign targeting industrial and IoT systems
Duration: February 16, 2026 07:00 - April 8, 2026 12:00 (52-day campaign)
Volume: 48 events across 6 unique destination ports
Protocols Observed: MQTT, Modbus, HTTP, TLS 1.0/1.2+, TCP SYN scanning
MITRE ATT&CK Mapping: T1046 (Network Service Scanning)
Kill Chain Phase: Reconnaissance
Key Indicators:
- Malformed MQTT protocol traffic with truncated 'MQTT<' payloads targeting port 44818
- HTTP scanning with "InternetMeasurement" user agent on port 30000
- Industrial protocol fuzzing suggesting IoT/SCADA system enumeration
- Sustained scanning pattern indicating automated tooling
IOCs
- IP: 185.247.137.224
- Suspicious User-Agent: "InternetMeasurement"
- Malformed MQTT payload: "MQTT<" (truncated)
Recommendations
- Block IP address 185.247.137.224 at network perimeter and monitor for similar scanning patterns from related infrastructure
- Implement enhanced logging and alerting for MQTT and Modbus protocol traffic, particularly on non-standard ports (e.g., 44818)
- Deploy network segmentation to isolate industrial control systems and IoT devices from internet-facing networks
- Monitor for HTTP requests containing "InternetMeasurement" user agent strings and other research-oriented identifiers
- Conduct asset inventory review to identify exposed MQTT brokers, Modbus devices, and other industrial protocols accessible from external networks
UPDATE 1 (2026-04-08T19:19:56Z)
Source: Analyst Manual Entry
IP address 185.247.137.224 conducted automated port scanning activity across multiple protocols from February 16 to April 8, 2026, generating 48 security events targeting 6 unique destination ports. This activity represents low-severity reconnaissance consistent with initial attack chain discovery phases. Network defenders should monitor for potential escalation while reviewing exposed service necessity.
New findings
Attack Vector: Multi-protocol scanning campaign spanning 52 days with consistent reconnaissance patterns
Protocols Observed: HTTP, HTTPS, MQTT, Modbus, TCP, TLS (1.0, 1.2+)
Primary Technique: T1046 (Network Service Scanning) during reconnaissance phase
Attack Patterns: Internet measurement scanning and automated bot reconnaissance, identified through HTTP User-Agent analysis
Key Indicators: Targeting of industrial protocols (Modbus, MQTT) alongside web services suggests broad infrastructure enumeration
Payload Analysis: HTTP requests containing "InternetMeasurement" strings on non-standard port 30000
Threat Assessment: 85% confidence low-severity classification with minimal zero-day probability (5%)
Recommendations
- Monitor 185.247.137.224 for 30 days to detect potential attack escalation beyond reconnaissance phase
- Review exposure necessity for Modbus and MQTT services, implementing network segmentation if industrial protocols must remain accessible
- Implement rate limiting on non-standard HTTP ports (particularly 30000) to mitigate automated scanning effectiveness
- Enable enhanced logging for the 6 targeted destination ports to establish baseline traffic patterns and detect anomalies
- Consider threat hunting for similar multi-protocol scanning patterns across network perimeter to identify coordinated reconnaissance campaigns
INITIAL REPORT (2026-04-06T15:01:43Z)
Source: Analyst Manual Entry
IP address 185.247.137.224 conducted benign reconnaissance activity targeting Kubernetes infrastructure over a 7-week period from February 16 to April 4, 2026. The activity appears consistent with academic internet measurement research rather than malicious scanning, representing an INFO-level threat with 95% confidence. Organizations should review exposure of container orchestration services on non-standard ports to reduce unnecessary reconnaissance surface.
Technical details
Activity Summary: 48 events observed across multiple protocols (HTTP, MQTT, Modbus, TCP, TLS/1.0, TLS/1.2+) targeting 5 unique destination ports. Primary activity involved HTTP requests to port 30000 targeting Kubernetes logo images, indicating presence of container orchestration infrastructure. Attack classification mapped to MITRE T1595.001 (Active Scanning: Scanning IP Blocks) during reconnaissance phase. Source exhibited scanner behavior patterns consistent with internet measurement services rather than malicious threat actors.
Key Indicators:
- Source IP: 185.247.137.224
- Activity timeframe: February 16, 2026 07:00 - April 4, 2026 18:00
- User-Agent pattern: InternetMeasurement
- Primary target: Kubernetes services on port 30000
IOCs
- IP: 185.247.137.224
Recommendations
- Review and minimize exposure of Kubernetes services on public-facing non-standard ports, particularly port 30000
- Implement network segmentation to isolate container orchestration platforms from direct internet access
- Configure monitoring for reconnaissance activity targeting container infrastructure endpoints
- Establish baseline traffic patterns for legitimate vs. research scanning to improve threat classification
- Consider implementing rate limiting on exposed services to reduce reconnaissance effectiveness