Summary (Bottom Line Up Front)
External threat actor at IP 2.57.122.234 conducted a 42-day reconnaissance and credential harvesting campaign from March 1-April 12, 2026, generating 112 attack events primarily targeting Fortinet devices and authentication systems. Assessment indicates MEDIUM threat level with sophisticated APT-like tactics suggesting targeted organizational reconnaissance. Immediate review of Fortinet SSL VPN configurations and authentication logs recommended.
Activity Timeline
UPDATE 6 2026-04-12T11:15:20Z
Source: Analyst Manual Entry
External threat actor at IP 2.57.122.234 conducted a 42-day reconnaissance and credential harvesting campaign from March 1-April 12, 2026, generating 112 attack events primarily targeting Fortinet devices and authentication systems. Assessment indicates MEDIUM threat level with sophisticated APT-like tactics suggesting targeted organizational reconnaissance. Immediate review of Fortinet SSL VPN configurations and authentication logs recommended.
New findings
- Attack Profile: Sustained multi-protocol campaign spanning HTTP/HTTPS, SSH, Telnet, and TLS across 10 unique destination ports. Primary focus on Fortinet infrastructure reconnaissance (9 events) and credential capture operations (8 events).
- MITRE Mapping: T1046 (Network Service Scanning) during reconnaissance phase.
- Key Techniques: Fortinet SSL VPN login attempts, authentication bypass testing, SSH banner enumeration, XSS payload injection, and default credential attacks against router interfaces.
- Volume Analysis: Peak activity concentrated on administrative interfaces (ports 443, 4443) with evidence of automated tooling.
- Notable IOCs: Targeting of `/remote/login` and `/login` endpoints, JavaScript-based credential harvesting payloads, and systematic probing of logout mechanisms indicating session management analysis.
Recommendations
- Review and harden all Fortinet SSL VPN configurations, ensuring latest firmware and disabling unnecessary login pages
- Implement enhanced monitoring for authentication failures and unusual login patterns across ports 443 and 4443
- Audit default credentials on all network infrastructure devices, particularly routers and VPN appliances
- Deploy web application firewall rules to detect and block XSS attempts targeting administrative interfaces
- Consider IP-based blocking of 2.57.122.234 and implement geofencing if business operations permit
UPDATE 5 2026-04-07T13:43:14Z
Source: Analyst Manual Entry
IP address 2.57.122.234 conducted a sustained 37-day attack campaign from March 1-April 7, 2026, targeting Fortinet appliances, SSH services, and web applications with 112 recorded events across 10 destination ports. The activity demonstrates sophisticated reconnaissance and credential harvesting techniques consistent with APT-level capabilities, assessed as LOW immediate threat but HIGH concern for escalation potential. Organizations should immediately review Fortinet SSL VPN configurations and implement enhanced monitoring for similar attack patterns.
New findings
- Attack Profile: Multi-protocol campaign utilizing HTTP/HTTPS, SSH, TCP, and TLS protocols with primary focus on Fortinet infrastructure exploitation.
- MITRE Techniques: T1046 (Network Service Scanning) during reconnaissance phase with evidence of credential harvesting and XSS exploitation attempts.
- Key Patterns: Fortinet login page reconnaissance (7 hits), SSL VPN login attacks (2 hits), SSH banner exchanges (3 hits), and authentication payload captures (3 hits).
- Attack Vectors: Targeted `/remote/login` and `/login` endpoints on port 443, combined with router default credential attacks and DOM-based XSS attempts using `innerHTML` manipulation.
- Volume Assessment: Sustained low-volume activity suggesting careful operational security and a targeted approach rather than automated scanning.
Recommendations
- Immediately audit all Fortinet SSL VPN configurations and disable default credentials on network appliances
- Implement enhanced logging and monitoring for `/remote/login` and `/login` endpoint access attempts
- Deploy web application firewalls with XSS protection rules focusing on `innerHTML` and JavaScript evaluation patterns
- Review SSH service configurations and consider implementing fail2ban or similar brute-force protection mechanisms
- Establish network segmentation to limit lateral movement potential from compromised edge devices
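The monitoring recommended above for the `/remote/login` and `/login` endpoints can be reduced to a simple per-source aggregation over web access logs. The script below is an added illustration, not part of the report or of any Fortinet product: it assumes a constructed, generic access-log format (timestamp, source IP, destination port, method, path, status), uses the endpoints and ports the report names as the watch list, and applies arbitrary thresholds (at least three 4xx login responses across at least two watched paths) that an operator would tune to their own baseline. The sample log lines are constructed for the example; the report itself contains no raw log data.

```python
"""Flag sources repeatedly probing VPN/web login endpoints in access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed generic access-log format:
#   <ISO timestamp> <source IP> <dst port> <method> <path> <status>
# These are illustrative only and are not taken from the report.
SAMPLE_LOG = """\
2026-03-05T04:12:01Z 2.57.122.234 443 POST /remote/login 401
2026-03-05T04:12:09Z 2.57.122.234 443 POST /remote/login 401
2026-03-05T04:13:44Z 2.57.122.234 443 GET /login 200
2026-03-05T04:15:02Z 2.57.122.234 4443 POST /remote/login 401
2026-03-05T04:15:30Z 2.57.122.234 443 GET /remote/logout 302
2026-03-05T04:20:00Z 198.51.100.7 443 POST /remote/login 200
2026-03-05T04:21:15Z 2.57.122.234 443 POST /login 403
2026-03-05T04:22:00Z 203.0.113.9 443 GET /remote/login 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Endpoints and administrative ports named in the report as the actor's focus.
WATCHED_PATHS = {"/remote/login", "/login", "/remote/logout"}
WATCHED_PORTS = {443, 4443}


def parse_line(line):
    """Parse one access-log line; return None for malformed lines so they are skipped, not fatal."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    ev["status"] = int(ev["status"])
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def summarize(lines):
    """Per-source counters over watched endpoints: hits, 4xx failures, distinct ports/paths, time span."""
    stats = defaultdict(lambda: {"hits": 0, "failures": 0, "ports": set(),
                                 "paths": set(), "first": None, "last": None})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["port"] not in WATCHED_PORTS or ev["path"] not in WATCHED_PATHS:
            continue
        s = stats[ev["src"]]
        s["hits"] += 1
        if 400 <= ev["status"] < 500:  # rejected login or forbidden access
            s["failures"] += 1
        s["ports"].add(ev["port"])
        s["paths"].add(ev["path"])
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
    return stats


def flag_probing(lines, min_failures=3, min_paths=2):
    """Return sources with >= min_failures failed attempts spread over >= min_paths watched paths.

    Requiring several distinct paths separates systematic endpoint probing from a single
    legitimate user mistyping a password on one login page. Thresholds are arbitrary defaults.
    """
    flagged = {}
    for src, s in summarize(lines).items():
        if s["failures"] >= min_failures and len(s["paths"]) >= min_paths:
            flagged[src] = {
                "failures": s["failures"],
                "hits": s["hits"],
                "ports": sorted(s["ports"]),
                "paths": sorted(s["paths"]),
                "span_seconds": int((s["last"] - s["first"]).total_seconds()),
            }
    return flagged


if __name__ == "__main__":
    for src, info in flag_probing(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

On the constructed sample the only flagged source is 2.57.122.234 (six watched hits, four failures, both administrative ports, three distinct paths within about nine minutes); the two other sources each have a single successful request and are ignored. In production the same aggregation would run over a sliding time window rather than the whole file, and the `/remote/logout` hits are kept in the count because the report singles out logout probing as a sign of session-management analysis.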
UPDATE 4 2026-03-23T09:00:26Z
Source: Analyst Manual Entry
IP address 2.57.122.234 (Romania/AS47890) conducted a 21-day attack campaign targeting network infrastructure and web applications with 95 recorded events across multiple attack vectors including FortiGate reconnaissance, credential attacks, and XSS attempts. Despite the multi-vector approach, this is assessed as LOW severity due to basic attack techniques and reconnaissance-focused activity. Organizations should implement standard defensive measures and monitor for similar attack patterns.
New findings
- Source: 2.57.122.234 (Timişoara, Romania) via TECHOFF SRV LIMITED (AS47890)
- Campaign Duration: March 1-22, 2026 (21 days, 95 events)
- Attack Vectors: FortiGate login page reconnaissance (3 hits), router default credential attempts, web application XSS probes
- Protocols: HTTP/HTTPS, TLS 1.0, TCP on 3 unique destination ports
- MITRE Technique: T1083 (File and Directory Discovery)
- Kill Chain Phase: Reconnaissance
- IOCs: Basic path traversal patterns (../), default credential dictionaries, XSS payloads targeting DOM sinks and event handlers
Recommendations
- Block IP 2.57.122.234 and monitor for additional activity from AS47890 TECHOFF SRV LIMITED
- Ensure FortiGate and router management interfaces are not exposed to the internet or implement strict access controls
- Deploy/tune web application firewalls to block basic path traversal and XSS attack patterns
- Review and change any default credentials on network infrastructure devices
- Monitor authentication logs for brute force attempts and implement account lockout policies
UPDATE 3 2026-03-23T06:26:07Z
Source: Analyst Manual Entry
Romanian IP address 2.57.122.234 conducted sustained reconnaissance and credential attacks against FortiGate infrastructure over 21 days, generating 95 malicious events with a 100/100 AbuseIPDB reputation score. This represents MEDIUM-risk activity consistent with pre-exploitation reconnaissance that could escalate to compromise attempts. Organizations should immediately block this IP and review FortiGate access controls.
New findings
The threat actor operated from Timişoara, Romania (AS47890 TECHOFF SRV LIMITED) between March 1-22, 2026, targeting three unique destination ports. Primary attack vectors included FortiGate login page reconnaissance (T1590.002), authentication attacks, credential harvesting, and XSS attempts across HTTP/HTTPS protocols with TLS 1.0 connections. The campaign demonstrated systematic probing behavior with fortigate_login_page pattern hits (3), router default credential attempts (1), and multiple XSS exploitation techniques. The source host itself exposed an SSH service (port 22 open), and the activity exhibited escalating sophistication across authentication and web application attack vectors.
Recommendations
- Block IP address 2.57.122.234 at perimeter firewalls and web application firewalls immediately
- Review and strengthen FortiGate authentication mechanisms, disable default credentials, and implement multi-factor authentication
- Monitor AS47890 (TECHOFF SRV LIMITED) network range for additional reconnaissance activity against FortiGate infrastructure
- Audit FortiGate access logs for successful authentication attempts from Romanian IP ranges during March 1-22, 2026 timeframe
- Implement enhanced logging and alerting for FortiGate login page access patterns and failed authentication attempts
UPDATE 2 2026-03-18T07:24:47Z
Source: Analyst Manual Entry
Romanian-based threat actor (2.57.122.234) conducted a 16-day campaign combining FortiGate reconnaissance, credential attacks, and DOM-based XSS exploitation targeting network device login interfaces. Assessment: HIGH threat level with 85% confidence based on sophisticated JavaScript payloads and multi-stage attack methodology. Immediate action required to secure network device management interfaces and implement enhanced monitoring.
New findings
- Source: 2.57.122.234 (AS47890 TECHOFF SRV LIMITED, Timişoara, RO) with maximum AbuseIPDB reputation score
- Campaign Duration: March 1-17, 2026 (78 total events across 3 destination ports)
- Attack Vectors: HTTP/HTTPS protocols with TLS 1.0, targeting SSH (port 22) and web management interfaces
- MITRE Technique: T1059.007 (Command and Scripting Interpreter: JavaScript)
- Kill Chain Phase: Exploitation with credential manipulation and session hijacking capabilities
- Key Patterns: FortiGate login reconnaissance, router default credential testing, DOM-based XSS with event handler manipulation and expression evaluation
- IOC: 2.57.122.234 (Linux-based system, no reverse DNS resolution)
Recommendations
- Block IP 2.57.122.234 and monitor for additional activity from AS47890 TECHOFF SRV LIMITED
- Audit all network device management interfaces for default credentials and implement strong authentication policies
- Deploy web application firewalls with XSS protection on device management portals and disable TLS 1.0
- Enable enhanced logging for authentication attempts and JavaScript execution on network device interfaces
- Conduct vulnerability assessments on FortiGate and router firmware, prioritizing DOM-based XSS protections
UPDATE 1 2026-03-16T16:07:53Z
Source: Analyst Manual Entry
Romanian-based threat actor at 2.57.122.234 conducted a sustained 14-day campaign combining credential attacks, reconnaissance, and DOM-based XSS exploitation specifically targeting FortiGate network devices. Assessment: HIGH threat level with 85% confidence based on sophisticated attack patterns and 100/100 AbuseIPDB reputation score. Immediate action required to audit FortiGate configurations and implement enhanced monitoring for similar attack vectors.
New findings
Attacker leveraged multiple protocols (HTTP, HTTPS, TLS 1.0, TCP) across 61 events from March 1-15, 2026 (04:00 - 10:00 timeframe). Primary techniques included MITRE T1059.007 (Command and Scripting Interpreter: JavaScript) with focus on DOM-based XSS attacks targeting authentication error handling mechanisms. Attack patterns encompassed router default credential testing, FortiGate login page reconnaissance, and advanced XSS payloads utilizing DOM sinks, event handlers, and expression evaluation. Source infrastructure: AS47890 TECHOFF SRV LIMITED, Timişoara, Romania, with SSH service exposed on port 22. Kill chain phase identified as Exploitation with 15% zero-day probability assessment.
Recommendations
- Immediately block IP 2.57.122.234 and monitor for additional IPs from AS47890 TECHOFF SRV LIMITED
- Audit all FortiGate devices for default credentials and ensure firmware is updated to latest versions
- Implement enhanced logging and monitoring for DOM-based XSS attempts on network device management interfaces
- Deploy additional authentication controls (MFA) for network infrastructure management access
- Review and harden JavaScript execution policies on web-based network management interfaces
INITIAL REPORT 2026-03-14T17:50:48Z
Source: batch_hunting
Romanian-based threat actor at 2.57.122.234 conducted a sustained 11-day campaign targeting network infrastructure with authentication attacks, credential harvesting, FortiGate reconnaissance, and XSS exploitation attempts. This represents a HIGH threat level given the 100/100 AbuseIPDB score and diverse attack methodology targeting critical network appliances. Immediate blocking and enhanced monitoring of authentication endpoints is recommended.
Technical details
- Source: 2.57.122.234 (AS47890 TECHOFF SRV LIMITED, Timişoara, RO)
- Campaign Duration: March 1-12, 2026 (11 days, 59 total events)
- Attack Vectors: Multi-protocol approach using HTTP/HTTPS, TLS 1.0, and TCP across 3 unique destination ports
- Primary Techniques:
  - Default credential exploitation against router infrastructure
  - Targeted FortiGate appliance reconnaissance and login attempts
  - Cross-site scripting (XSS) attacks via DOM manipulation and event handlers
  - Credential harvesting operations
- MITRE ATT&CK Mappings: T1078 (Valid Accounts), T1190 (Exploit Public-Facing Application), T1595 (Active Scanning)
- IOC: 2.57.122.234 (confirmed malicious, no legitimate traffic observed)
IOCs
IP: 2.57.122.234
ASN: 47890
COUNTRY: RO
Recommendations
- Block 2.57.122.234 and monitor for additional AS47890 TECHOFF SRV LIMITED infrastructure targeting your organization
- Audit and disable default credentials on all network appliances, particularly routers and FortiGate devices
- Implement enhanced logging and alerting for authentication failures on network infrastructure management interfaces
- Deploy web application firewall rules to detect and block XSS attempts targeting DOM sinks and event handlers
- Conduct immediate security assessment of any FortiGate appliances with public-facing management interfaces