Summary (Bottom Line Up Front)
External IP address 202.69.35.118 (Pakistan/Lahore) conducted sustained SMB reconnaissance against network infrastructure between 18 March 2026 05:00-10:00 UTC, generating 6,655 security events targeting port 445. This activity represents MEDIUM-risk reconnaissance behavior consistent with pre-attack preparation for SMB-based exploitation, ransomware deployment, or credential harvesting operations. Immediate perimeter blocking and SMB hardening measures are recommended.
Activity Timeline
UPDATE 1 2026-03-23T07:09:37Z
Source: Analyst Manual Entry
New findings
The threat actor operated from 202.69.35.118 (AS23750 Gerrys Information Technology, Lahore, Pakistan) using what appears to be compromised MikroTik RouterOS 6.48 infrastructure with multiple exposed services (ports 21, 53, 80, 2000, 8291, 8728). The primary attack vector focused exclusively on the SMB protocol, with 2,645 SMB version 1 detection events, and maps to MITRE ATT&CK technique T1046 (Network Service Scanning) in the Reconnaissance phase. The sustained 4.5-hour campaign against a single destination port indicates methodical scanning rather than opportunistic activity. The source's AbuseIPDB reputation score of 30/100 suggests previous malicious activity.
Recommendations
- Block IP address 202.69.35.118 at perimeter firewalls and update threat intelligence feeds immediately
- Disable SMBv1 protocol across all Windows systems and enable SMB signing to prevent relay attacks
- Review SMB access logs for any successful authentication attempts or file share enumeration during the 05:00-10:00 UTC timeframe on 18 March 2026
- Implement network segmentation to restrict SMB traffic (port 445) to authorized systems only
- Monitor for follow-on activity from AS23750 network range and consider temporary blocking of Pakistan-sourced SMB traffic if operationally feasible
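One way to carry out the log review recommended above, as an added example that is not part of the report: a Python check over constructed firewall-log lines (the line format is assumed) that aggregates hits on port 445 per source address and flags sources whose activity is sustained over time and spread across hosts, the pattern the report describes. The thresholds and the second source address are assumptions chosen so the sample triggers.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not from the report). Assumed format:
# "<ISO timestamp> <action> src=<ip> dst=<ip> dport=<port> proto=tcp"
SAMPLE_LOG = """\
2026-03-18T05:00:12Z DENY src=202.69.35.118 dst=10.0.0.5 dport=445 proto=tcp
2026-03-18T06:10:03Z DENY src=202.69.35.118 dst=10.0.0.6 dport=445 proto=tcp
2026-03-18T07:22:41Z DENY src=202.69.35.118 dst=10.0.0.7 dport=445 proto=tcp
2026-03-18T09:58:59Z DENY src=202.69.35.118 dst=10.0.0.8 dport=445 proto=tcp
2026-03-18T05:01:00Z DENY src=198.51.100.7 dst=10.0.0.5 dport=445 proto=tcp
2026-03-18T05:01:30Z DENY src=198.51.100.7 dst=10.0.0.5 dport=22 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def parse(log_text):
    """Yield (timestamp, src, dst, dport) per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["dst"], int(m["dport"])

def find_sustained_scanners(log_text, dport=445, min_events=3, min_hours=1.0, min_targets=2):
    """Return {src: summary} for sources whose hits on dport meet every threshold.
    Thresholds are set low so the sample triggers; tune them to your own baseline
    (the reported case was 6,655 events against port 445 over roughly five hours)."""
    hits = defaultdict(list)
    for ts, src, dst, port in parse(log_text):
        if port == dport:
            hits[src].append((ts, dst))
    findings = {}
    for src, events in hits.items():
        times = sorted(t for t, _ in events)
        span = times[-1] - times[0]          # first-to-last hit: one burst vs. a sustained campaign
        targets = {d for _, d in events}     # distinct destinations: a sweep vs. single-host retries
        if (len(events) >= min_events and span >= timedelta(hours=min_hours)
                and len(targets) >= min_targets):
            findings[src] = {"events": len(events), "targets": len(targets),
                             "span_hours": round(span.total_seconds() / 3600, 2),
                             "first": times[0].isoformat(), "last": times[-1].isoformat()}
    return findings

if __name__ == "__main__":
    for src, info in find_sustained_scanners(SAMPLE_LOG).items():
        print(src, info)
```

Against the sample only 202.69.35.118 is flagged; the second source has a single hit on 445 and one on 22, so it falls below every threshold.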
INITIAL REPORT 2026-03-21T12:51:43Z
Source: Analyst Manual Entry
External IP 202.69.35.118 (Lahore, Pakistan) conducted sustained SMB reconnaissance against network infrastructure on March 18, 2026, generating 6,655 security events over a 5-hour period. This activity represents MEDIUM-risk reconnaissance behavior consistent with pre-attack preparation for SMB-based exploitation, ransomware deployment, or credential harvesting operations. Immediate perimeter blocking and enhanced SMB monitoring are recommended.
Technical details
The threat actor conducted intensive network scanning targeting SMB services (port 445) from 05:00 to 10:00 UTC on March 18, 2026. The primary attack pattern involved SMB version 1 detection attempts (2,645 hits), indicating reconnaissance for vulnerable legacy SMB implementations. The activity maps to MITRE ATT&CK technique T1046 (Network Service Scanning) within the Reconnaissance phase of the cyber kill chain. The source IP operates from AS23750 (Gerrys Information Technology) with an AbuseIPDB reputation score of 24/100. Additional open ports on the source system (21, 53, 80, 2000, 8291, and 8728) suggest potential compromise or malicious infrastructure.
IOCs
IP: 202.69.35.118
ASN: 23750
COUNTRY: PK
Recommendations
- Block IP 202.69.35.118 at perimeter firewalls and update threat intelligence feeds immediately
- Implement enhanced monitoring for SMB traffic anomalies and disable SMBv1 protocol across all network segments
- Review SMB access logs for successful authentication attempts or file share enumeration from this timeframe
- Conduct vulnerability assessment of SMB-enabled systems to identify potential exploitation targets
- Monitor for similar reconnaissance patterns from AS23750 network range and Pakistani IP space