Summary (Bottom Line Up Front)
A Moroccan threat actor (196.115.7.197) conducted a sustained web application attack campaign from February 27-March 4, 2026, targeting sensitive configuration files and conducting vulnerability scanning. The attacker demonstrates medium-severity capabilities with Local File Inclusion (LFI) techniques and systematic reconnaissance activities, warranting immediate defensive action. Organizations should prioritize web application security controls and monitor for similar attack patterns.
Activity Timeline
UPDATE 22026-03-10T14:38:39Z
Source: Analyst Manual Entry
A Moroccan threat actor (196.115.7.197) conducted a sustained web application attack campaign from February 27-March 4, 2026, targeting sensitive configuration files and conducting vulnerability scanning. The attacker demonstrates medium-severity capabilities with Local File Inclusion (LFI) techniques and systematic reconnaissance activities, warranting immediate defensive action. Organizations should prioritize web application security controls and monitor for similar attack patterns.
New findings
The threat actor operated from ASN AS36925 (ASMedi) in Morocco with a maximum AbuseIPDB reputation score of 100/100, indicating extensive malicious activity. Attack methodology included Local File Inclusion attempts targeting sensitive configuration files and systematic vulnerability scanning across web applications. The campaign utilized HTTP, TCP, and TLS 1.0 protocols over a 6-day period with 35 recorded events concentrated on a single destination port. MITRE ATT&CK mappings include T1083 (File and Directory Discovery) for LFI activities and T1595 (Active Scanning) for vulnerability reconnaissance. Primary IOC: 196.115.7.197 with no associated reverse DNS resolution.
Recommendations
- Block IP address 196.115.7.197 and monitor for additional traffic from ASN AS36925 (ASMedi)
- Implement web application firewalls with specific rules to detect and block Local File Inclusion attack patterns
- Conduct immediate security assessment of web applications for directory traversal vulnerabilities and sensitive file exposure
- Enable enhanced logging for HTTP requests targeting configuration files and system directories
- Review and harden TLS configurations to prevent downgrade attacks, given the threat actor's use of legacy TLS 1.0
UPDATE 12026-03-10T14:26:45Z
Source: Analyst Manual Entry
A Moroccan threat actor (196.115.7.197) conducted a sustained web application attack campaign from February 27-March 4, 2026, targeting sensitive configuration files and scanning for vulnerable paths. The attacker demonstrates medium-severity capabilities with Local File Inclusion (LFI) techniques and systematic vulnerability scanning, warranting immediate defensive action. Organizations should implement enhanced web application monitoring and access controls.
New findings
The threat actor originated from ASMedi (AS36925) in Morocco with a maximum AbuseIPDB reputation score of 100/100, indicating extensive malicious activity. Attack methodology included HTTP-based Local File Inclusion attempts targeting sensitive configuration files and systematic vulnerability scanning across web applications. The campaign spanned 6 days with 35 total events concentrated on a single destination port, suggesting focused targeting. Primary techniques align with MITRE ATT&CK T1083 (File and Directory Discovery) and T1595.002 (Active Scanning: Vulnerability Scanning). Key IOC: 196.115.7.197 with no reverse DNS resolution.
Recommendations
- Block IP address 196.115.7.197 and monitor for additional ASMedi (AS36925) network ranges in security controls
- Implement enhanced logging and monitoring for Local File Inclusion attempts targeting configuration files
- Deploy web application firewalls with rules specifically designed to detect and block LFI attack patterns
- Conduct immediate vulnerability assessments on web applications, focusing on file inclusion vulnerabilities and exposed sensitive files
- Review and restrict file system permissions to prevent unauthorized access to configuration files and sensitive directories
INITIAL REPORT2026-03-10T12:25:23Z
Source: Analyst Manual Entry
A Moroccan threat actor (196.115.7.197) conducted a sustained web application attack campaign from February 27-March 4, 2026, targeting sensitive configuration files and conducting vulnerability scanning. The attacker demonstrates high threat capability with a maximum AbuseIPDB reputation score and escalated attack techniques including Local File Inclusion (LFI) exploitation. Immediate defensive measures are recommended to protect web-facing assets.
Technical details
The threat actor operated from ASMedi (AS36925) infrastructure in Morocco, generating 35 attack events over a 6-day period targeting a single destination port. Primary attack vectors included HTTP-based Local File Inclusion attempts and automated vulnerability scanning against web applications. The attacker employed multiple protocols (HTTP, TCP, TLS/1.0) suggesting sophisticated reconnaissance and exploitation capabilities. Attack patterns align with MITRE ATT&CK techniques T1190 (Exploit Public-Facing Application) and T1083 (File and Directory Discovery). The 100/100 AbuseIPDB score indicates this IP has been widely reported for malicious activity across multiple victim organizations.
IOCs
IP:196.115.7.197
ASN:36925
COUNTRY:MA
Recommendations
- Block IP address 196.115.7.197 and monitor for additional activity from AS36925 (ASMedi) network ranges
- Implement enhanced web application firewall rules to detect and block Local File Inclusion attack patterns
- Conduct immediate security assessment of web applications for LFI vulnerabilities, particularly focusing on configuration file access controls
- Review and harden web server configurations to prevent unauthorized access to sensitive system files
- Deploy additional monitoring for HTTP-based reconnaissance activities targeting common vulnerability paths