Summary (Bottom Line Up Front)
External threat actor operating from Lithuanian IP address 185.36.81.23 conducted sustained SMBv1 reconnaissance against network infrastructure over a 30-day period ending March 23, 2026. This activity represents high-risk probing for EternalBlue-vulnerable systems and indicates potential preparation for remote code execution attacks. Organizations should immediately audit SMB configurations and implement blocking measures for the identified threat infrastructure.
Activity Timeline
UPDATE 4 (2026-03-24T23:49:35Z)
Source: Analyst Manual Entry
External threat actor operating from Lithuanian IP address 185.36.81.23 conducted sustained SMBv1 reconnaissance against network infrastructure over a 30-day period ending March 23, 2026. This activity represents high-risk probing for EternalBlue-vulnerable systems and indicates potential preparation for remote code execution attacks. Organizations should immediately audit SMB configurations and implement blocking measures for the identified threat infrastructure.
New findings
Attack Vector: SMBv1 protocol negotiation attempts targeting port 445
Volume: 98 events across 30-day observation period (February 21 - March 23, 2026)
Protocols: SMBv1, SMB, Modbus, TCP reconnaissance
MITRE Technique: T1210 (Exploitation of Remote Services)
Kill Chain Phase: Reconnaissance
Primary CVE: CVE-2017-0144 (EternalBlue)
Key IOC: 185.36.81.23 (AbuseIPDB score: 100/100)
Payload Signature: SMBv1 negotiation header `ff534d42720000000018456800000000`
Geographic Origin: Lithuania (LT)
Recommendations
- Block IP address 185.36.81.23 at network perimeter and monitor for additional Lithuanian ASN reconnaissance activity
- Conduct immediate audit of all SMB services to identify and disable SMBv1 protocol support across the enterprise
- Deploy network segmentation controls to restrict SMB traffic (port 445) to authorized internal communications only
- Implement enhanced monitoring for SMBv1 protocol negotiation attempts and EternalBlue exploitation signatures
- Review and patch all Windows systems against CVE-2017-0144 and related SMB vulnerabilities if not already completed
UPDATE 3 (2026-03-21T12:01:03Z)
Source: Analyst Manual Entry
External threat actor 185.36.81.23 (Lithuania/AS209605) conducted sustained SMBv1 reconnaissance against network infrastructure over a 28-day period from February 21 to March 21, 2026. Assessment indicates MEDIUM threat level with 85% confidence, representing preparation phase for potential SMB-based exploitation. Immediate action required to audit and disable SMBv1 services across enterprise networks.
New findings
Threat actor conducted 91 reconnaissance events targeting SMB services, specifically probing for vulnerable SMBv1 protocol implementations on port 445. Activity spans a 28-day window from February 21, 15:00 to March 21, 01:00 (2026), indicating persistent targeting rather than opportunistic scanning. MITRE technique T1135 (Network Share Discovery) was employed during the reconnaissance kill chain phase. Source IP 185.36.81.23 originates from UAB Host Baltic (AS209605) in Lithuania with maximum AbuseIPDB reputation score (100/100). Attack patterns focused on SMBv1 protocol detection and enumeration, with 17 total SMBv1-related detection events. No active exploitation attempts were observed, but SMBv1 reconnaissance commonly precedes EternalBlue and related SMB exploit deployment.
Recommendations
- Immediately audit all Windows systems and network devices for SMBv1 protocol enablement and disable where operationally feasible
- Implement network segmentation to restrict SMB traffic (port 445/139) to authorized internal communications only
- Deploy enhanced monitoring for SMB protocol anomalies and unauthorized external SMB connection attempts
- Block source IP 185.36.81.23 and monitor for additional reconnaissance activity from AS209605 address space
- Validate existing SMB security configurations including SMB signing requirements and access controls
UPDATE 2 (2026-03-14T17:41:14Z)
Source: batch_hunting
Threat actors operating from Lithuanian hosting provider UAB Host Baltic (185.36.81.23) conducted sustained SMB reconnaissance activities over a 21-day period, specifically targeting SMBv1 services with 56 recorded events. This activity represents HIGH risk reconnaissance behavior consistent with preparation for SMB-based exploitation campaigns. Organizations should immediately audit SMB configurations and implement enhanced monitoring for SMBv1 protocol usage.
New findings
The threat actor demonstrated persistent reconnaissance behavior from February 21, 2026 15:00 through March 14, 2026 13:00, utilizing multiple protocols including Modbus, SMB, and TCP SYN scanning across 2 unique destination ports. Primary attack patterns focused on SMBv1 protocol negotiation and usage detection, mapped to MITRE technique T1021.002 (SMB/Windows Admin Shares). The source IP maintains a maximum AbuseIPDB reputation score of 100/100 with no reverse DNS resolution, suggesting dedicated malicious infrastructure. Attack volume and persistence patterns indicate systematic network enumeration rather than opportunistic scanning, with SMBv1-specific targeting representing preparation for potential EternalBlue-class exploitation.
Recommendations
- Immediately block source IP 185.36.81.23 and monitor for additional activity from ASN AS209605 (UAB Host Baltic)
- Conduct emergency audit of all SMBv1 services and disable SMBv1 protocol on all systems where operationally feasible
- Implement enhanced logging and alerting for SMB protocol negotiations, particularly SMBv1 dialect requests from external sources
- Deploy network segmentation controls to limit SMB service exposure to untrusted networks
- Review and strengthen SMB service configurations including authentication requirements and access controls
UPDATE 1 (2026-03-14T12:37:40Z)
Source: Analyst Manual Entry
External actor at 185.36.81.23 conducted sustained SMB reconnaissance activity over 21 days, generating 56 security events through legacy SMBv1 protocol negotiations. Assessment: HIGH threat level based on persistent targeting of vulnerable SMB services and use of deprecated protocols associated with critical exploitation vectors.
New findings
Actor utilized SMBv1 protocol for service enumeration against 2 unique destination ports, generating 8 SMBv1 detection events and 5 legacy SMB usage violations. Traffic analysis revealed standard SMB dialect negotiation packets rather than active exploit payloads. Activity maps to MITRE ATT&CK technique T1021.002 (SMB/Windows Admin Shares) within the Reconnaissance phase of the cyber kill chain. No specific CVE exploitation attempts were observed in captured traffic, though SMBv1 usage inherently presents exposure to multiple critical vulnerabilities including MS17-010 (EternalBlue). Source IP 185.36.81.23 originates from AS209605 (UAB Host Baltic) in Lithuania with maximum AbuseIPDB reputation score of 100/100.
INITIAL REPORT (2026-03-10T13:03:15Z)
Source: Analyst Manual Entry
External threat actor at 185.36.81.23 (AS209605 UAB Host Baltic, Lithuania) conducted sustained SMB reconnaissance using the vulnerable SMBv1 protocol against network infrastructure over a 17-day period ending March 10, 2026. Activity assessed as HIGH threat level with 85% confidence, indicating potential preparation for SMB-based exploitation including EternalBlue-style attacks. Immediate SMBv1 hardening and network monitoring recommended.
Technical details
Threat actor conducted 33 attack events between February 21, 15:00 and March 10, 07:00 (2026), targeting 2 unique destination ports using SMB and Modbus protocols. Primary attack vector involved SMBv1 protocol negotiation attempts mapped to MITRE technique T1021.002 (SMB/Windows Admin Shares). AbuseIPDB scoring indicates 100/100 malicious reputation with 12 VirusTotal malicious detections. Attack patterns focused on SMBv1 detection and usage, suggesting reconnaissance phase activity. Source infrastructure shows APT candidate characteristics with a sustained, methodical approach over an extended timeframe.
IOCs
IP: 185.36.81.23
ASN: 209605
COUNTRY: LT
Recommendations
- Immediately disable SMBv1 protocol across all Windows systems and network infrastructure
- Implement network segmentation to restrict SMB traffic (ports 139/445) to authorized internal communications only
- Deploy enhanced monitoring for SMB protocol anomalies and unauthorized connection attempts
- Block source IP 185.36.81.23 and monitor for additional activity from AS209605 (UAB Host Baltic) infrastructure
- Review and harden SMB configurations, ensuring SMBv2/v3 with signing enabled where SMB services are required