35.216.140.3

Summary (Bottom Line Up Front)

IP address 35.216.140.3 conducted a sustained 41-day reconnaissance campaign targeting web applications and network services, attempting to access sensitive configuration files and probing RDP/SMB services. The activity represents a MEDIUM threat level with moderate sophistication, likely representing initial reconnaissance for future exploitation attempts. Organizations should immediately review access controls for configuration files and implement enhanced monitoring for the identified attack patterns.

RDP SMB TCP TCP/SYN TLS TLS/1.0 TLS/1.2+ http https https_tls_handshake
Activity Timeline
UPDATE 1 2026-04-15T07:16:11Z
Source: Analyst Manual Entry
New findings
Attack Summary: 63 events observed from 2026-03-04 22:00 to 2026-04-14 12:00 across 7 unique destination ports. Primary attack vectors included Local File Inclusion (LFI) attempts targeting sensitive configuration files (/.git/config, /config.json) and vulnerability scanning (/server-status). The threat actor employed multiple protocols including HTTPS/TLS, RDP, and SMB, with SMBv1 exploitation probes detected alongside X.224 RDP connection requests.
MITRE ATT&CK Mapping: T1592.004 (Gather Victim Network Information - Client Configurations)
Key IOCs: 35.216.140.3 (source IP), GET requests for /.git/config and /server-status endpoints, SMBv1 probe signatures, RDP X.224 connection attempts
Kill Chain Phase: Reconnaissance with potential preparation for lateral movement via exposed services
Recommendations
  • Block IP address 35.216.140.3 at network perimeter and monitor for similar multi-protocol reconnaissance patterns
  • Audit web applications to ensure .git directories and configuration files are not accessible via HTTP/HTTPS requests
  • Disable SMBv1 protocol across all systems and implement network segmentation to limit SMB/RDP exposure
  • Deploy enhanced logging for configuration file access attempts and server status page requests
  • Review and harden RDP configurations, implementing network-level authentication and restricting access to authorized IP ranges
INITIAL REPORT 2026-04-14T17:04:30Z
Source: Analyst Manual Entry
IP address 35.216.140.3 conducted a sustained 41-day reconnaissance campaign targeting web applications and network services through Local File Inclusion (LFI) attempts and vulnerability scanning. The activity demonstrates medium threat level with systematic probing for sensitive configuration files and service enumeration across RDP, SMB, and HTTPS protocols. Organizations should immediately review access controls for configuration files and implement enhanced monitoring for the identified attack patterns.
Technical details
Campaign Overview: 63 security events observed from 2026-03-04 22:00 to 2026-04-14 12:00 across 7 unique destination ports. Primary attack vectors included LFI attempts targeting sensitive configuration files (/.git/config, /config.json) and vulnerability scanning for exposed server status pages (/server-status). The threat actor employed multiple protocols (RDP, SMB, HTTPS with TLS 1.0/1.2+), indicating broad reconnaissance objectives.
MITRE ATT&CK Mapping: T1592.004 (Gather Victim Network Information) with kill chain positioning in the Reconnaissance phase. Notable attack patterns include SMBv1 exploitation probes, RDP X.224 connection requests, and LeakIX scanner signatures.
Key IOCs: Source IP 35.216.140.3, targeting ports 443/HTTPS and additional network services, with specific focus on Git configuration files and Apache server status endpoints.
IOCs
IP: 35.216.140.3
Recommendations
  • Block IP address 35.216.140.3 at network perimeter and monitor for similar reconnaissance patterns across identified protocols
  • Audit and restrict access to sensitive configuration files including .git directories, config.json files, and server-status endpoints
  • Implement enhanced logging and alerting for LFI attempts and unauthorized access to application configuration paths
  • Disable the legacy SMBv1 protocol and strengthen RDP access controls with network-level authentication
  • Deploy behavioral analytics to detect sustained reconnaissance activities spanning multiple protocols and services