204.76.203.30

Summary (Bottom Line Up Front)

IP address 204.76.203.30 conducted a month-long HTTP scanning campaign from February 27 to March 27, 2026, generating 586 security events targeting multiple network services. The sustained reconnaissance activity using automated tooling indicates a MEDIUM threat level with potential for escalation to active exploitation attempts. Network defenders should block this IP address immediately and add enhanced monitoring for it.

Tags: HTTP, TCP, TCP/SYN
Activity Timeline
UPDATE 1 (2026-03-27T17:35:25Z)
Source: Analyst Manual Entry
New findings
  • Attack Vector: HTTP-based network reconnaissance using the Go-http-client user agent string across TCP ports, primarily targeting port 8080
  • Volume: 586 total events over a 28-day period, including 64 confirmed bot scanning attempts
  • Techniques: T1595.001 (Active Scanning: Scanning IP Blocks) and T1595.002 (Active Scanning: Vulnerability Scanning)
  • Behavioral Analysis: A consistent automated scanning pattern suggests tooled reconnaissance rather than manual exploration
  • IOCs: Source IP 204.76.203.30, User-Agent string "Go-http-client", targeting 3 unique destination ports with a focus on HTTP services
Recommendations
  • Block IP address 204.76.203.30 at perimeter firewalls and web application firewalls immediately
  • Monitor for additional scanning activity using Go-http-client user agent strings across your environment
  • Review logs for any successful connections from this IP to identify potentially compromised services
  • Implement rate limiting on HTTP services, particularly on non-standard ports like 8080
  • Enhance monitoring for sustained scanning patterns exceeding 7-day periods to detect similar campaigns earlier
INITIAL REPORT (2026-03-14T17:43:42Z)
Source: batch_hunting
A threat actor operating from IP 204.76.203.30 (Netherlands, AS51396 Pfcloud UG) conducted sustained reconnaissance over 15 days, targeting network infrastructure with 330 attack events. The assessment indicates a MEDIUM threat level based on scanning behavior patterns and the maximum AbuseIPDB reputation score. Immediate blocking and enhanced monitoring for similar scanning patterns are recommended.
Technical details
  • Source Infrastructure: 204.76.203.30 (Kerkrade, NL) via Pfcloud UG hosting provider
  • Campaign Duration: February 27, 2026 19:00 through March 14, 2026 13:00 (15-day persistence)
  • Attack Volume: 330 events across HTTP, TCP, and TCP SYN protocols
  • Primary TTPs: Automated scanning using bot user agents, targeting 2 unique destination ports (22, 443)
  • MITRE ATT&CK Mapping: T1595.001 (Active Scanning: Scanning IP Blocks), T1046 (Network Service Scanning)
  • Reputation Intelligence: AbuseIPDB score 100/100 indicating confirmed malicious activity
  • IOCs: 204.76.203.30, AS51396 network range, bot-based user agent strings
IOCs
IP: 204.76.203.30
ASN: 51396
Country: NL
Recommendations
  • Block IP 204.76.203.30 and consider blocking entire AS51396 (Pfcloud UG) network range at perimeter firewalls
  • Implement rate limiting on ports 22 and 443 to mitigate automated scanning attempts
  • Deploy enhanced logging for HTTP requests with bot user agent patterns to identify similar reconnaissance activity
  • Monitor for follow-on exploitation attempts against scanned services, particularly SSH (port 22) and HTTPS (port 443)
  • Review and harden exposed services on commonly targeted ports, ensuring strong authentication and updated security configurations
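The recommendations in both the update and the initial report ask defenders to look for the Go-http-client user agent, for any successful responses served to 204.76.203.30, and for scanning that persists beyond seven days. The following hunt script is an added example, not part of this report or of any tooling it references: it parses web access logs in Apache/nginx combined format with the server port appended as an assumed final field (adjust LOG_RE to your own format), flags the indicators from this page, and counts distinct active days per source to surface sustained campaigns. All log lines it runs on are constructed sample data.

```python
"""Hunt web access logs for the indicators in this report (added example)."""
import re
from collections import defaultdict
from datetime import datetime

IOC_IP = "204.76.203.30"                 # source IP from the report
IOC_UA = re.compile(r"Go-http-client")   # user-agent substring from the report
WATCH_PORTS = {22, 443, 8080}            # destination ports named in the report

# Combined log format with the server port as an assumed trailing field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" (?P<port>\d+)$'
)


def _line(ip, day, status, ua, port, path="/"):
    """Build one constructed log line; 'day' is the day of March 2026."""
    return (f'{ip} - - [{day:02d}/Mar/2026:10:00:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}" {port}')


# Constructed sample: the IOC IP probing port 8080 on eight consecutive days,
# one later probe that received a 200 on port 443, a second (documentation-range)
# IP using the same scanner user agent, and ordinary browser traffic.
SAMPLE_LOG = "\n".join(
    [_line(IOC_IP, d, 404, "Go-http-client/1.1", 8080, "/status") for d in range(1, 9)]
    + [_line(IOC_IP, 9, 200, "Go-http-client/1.1", 443, "/"),
       _line("198.51.100.7", 9, 404, "Go-http-client/2.0", 8080, "/status"),
       _line("192.0.2.10", 9, 200, "Mozilla/5.0", 443, "/")]
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["port"] = int(e["port"])
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return e


def classify(e):
    """Map one parsed entry to the report's indicators it matches."""
    reasons = []
    if e["ip"] == IOC_IP:
        reasons.append("ioc_ip")
    if IOC_UA.search(e["ua"]):
        reasons.append("ioc_user_agent")
    # A 2xx served to the IOC IP means a service answered the scanner: review it.
    if e["ip"] == IOC_IP and 200 <= e["status"] < 300:
        reasons.append("successful_response_from_ioc_ip")
    if reasons and e["port"] in WATCH_PORTS:
        reasons.append("watched_port")
    return reasons


def hunt(log_text):
    """Return (findings, active_days): flagged entries and per-IP distinct dates."""
    findings = []
    active_days = defaultdict(set)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        reasons = classify(e)
        if not reasons:
            continue
        findings.append({"ip": e["ip"], "port": e["port"],
                         "status": e["status"], "reasons": reasons})
        active_days[e["ip"]].add(e["ts"].date())
    return findings, active_days


def sustained_scanners(active_days, min_days=7):
    """IPs whose flagged activity spans at least min_days distinct days."""
    return {ip: len(days) for ip, days in active_days.items() if len(days) >= min_days}


if __name__ == "__main__":
    found, days = hunt(SAMPLE_LOG)
    for f in found:
        print(f)
    print("sustained scanners:", sustained_scanners(days))
```

The seven-day threshold in sustained_scanners mirrors the report's advice to catch campaigns earlier than the 15 to 28 days observed here; the second source IP shows that the user-agent match is independent of the IOC address, so the same logic keeps working after the actor moves infrastructure.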