Summary (Bottom Line Up Front)
A Windows Server 2016 host operating from China Mobile's network (36.133.107.88) conducted intensive RDP scanning activities over a 5-day period from March 29-April 3, 2026, generating over 52,000 security events. This activity represents routine opportunistic scanning with medium severity and poses standard credential brute-force risks to exposed RDP services. Organizations should verify RDP exposure and implement standard hardening measures.
Activity Timeline
INITIAL REPORT 2026-04-03T00:28:42Z
Source: Analyst Manual Entry
A Windows Server 2016 host operating from China Mobile's network (36.133.107.88) conducted intensive RDP scanning activities over a 5-day period from March 29-April 3, 2026, generating over 52,000 security events. This activity represents routine opportunistic scanning with medium severity and poses standard credential brute-force risks to exposed RDP services. Organizations should verify RDP exposure and implement standard hardening measures.
Technical details
The threat actor operated from Xi'an, China via China Mobile Communications Corporation infrastructure (AS9808); the address currently carries no reputation-list flags. Attack methodology was limited to RDP reconnaissance using X.224 connection request (x224_request) packets, generating 10,267 scan attempts classified as medium severity. The host presented typical Windows Server 2016 fingerprints with standard administrative ports exposed (135, 445, 3389, 5985). Activity aligns with MITRE ATT&CK T1021.001 (Remote Services: Remote Desktop Protocol) during the Initial Access phase. Primary IOC: 36.133.107.88 targeting TCP/3389.
IOCs
IP: 36.133.107.88
ASN: 9808
Country: CN
Recommendations
- Audit and minimize RDP exposure by restricting access to authorized IP ranges or implementing VPN-only access
- Enable Network Level Authentication (NLA) and implement account lockout policies to mitigate brute-force attempts
- Deploy multi-factor authentication for all RDP connections where technically feasible
- Monitor for suspicious RDP login patterns and implement alerting for multiple failed authentication attempts
- Consider changing the default RDP port (3389) to a non-standard port as an additional obfuscation layer; this reduces scanner noise but is not a substitute for the controls above
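A minimal version of the alerting called for in the monitoring recommendation, as an added example that is not part of the report: it replays constructed Windows Security log records and flags a source after five failed RDP logons (Event ID 4625, logon type 10) inside a ten-minute sliding window, or on any RDP failure from the report's IOC address. The threshold, window and the RFC 5737 sample addresses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Security log records: (timestamp, event_id, logon_type, source_ip).
# Event 4625 = failed logon; logon type 10 = RemoteInteractive, i.e. RDP on TCP/3389.
SAMPLE_EVENTS = [
    ("2026-04-03T00:00:00Z", 4625, 10, "198.51.100.7"),   # rapid-fire failures
    ("2026-04-03T00:00:30Z", 4625, 10, "198.51.100.7"),
    ("2026-04-03T00:01:00Z", 4625, 10, "198.51.100.7"),
    ("2026-04-03T00:01:30Z", 4625, 10, "198.51.100.7"),
    ("2026-04-03T00:02:00Z", 4625, 10, "198.51.100.7"),
    ("2026-04-03T00:03:00Z", 4625, 10, "203.0.113.5"),    # two failures: probably a typo
    ("2026-04-03T00:03:10Z", 4625, 10, "203.0.113.5"),
    ("2026-04-03T00:03:20Z", 4625, 3, "203.0.113.5"),     # network logon, not RDP: ignored
    ("2026-04-03T00:05:00Z", 4625, 10, "192.0.2.9"),      # failures spread 15 min apart
    ("2026-04-03T00:20:00Z", 4625, 10, "192.0.2.9"),
    ("2026-04-03T00:35:00Z", 4625, 10, "192.0.2.9"),
    ("2026-04-03T00:28:42Z", 4625, 10, "36.133.107.88"),  # the report's IOC, one attempt
]

IOC_IPS = {"36.133.107.88"}     # from the report's IOC section
THRESHOLD = 5                   # failed RDP logons from one source ...
WINDOW = timedelta(minutes=10)  # ... inside this sliding window (assumed values)

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW, iocs=IOC_IPS):
    """Return {source_ip: [reasons]} for sources that should raise an alert:
    `threshold` failed RDP logons inside a sliding `window`, or any RDP
    failure from a source on the IOC list."""
    alerts = defaultdict(list)
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    for ts_str, event_id, logon_type, ip in sorted(events, key=lambda e: e[0]):
        if event_id != 4625 or logon_type != 10:
            continue  # only failed RemoteInteractive logons count toward RDP brute force
        if ip in iocs and not alerts[ip]:
            alerts[ip].append("source matches known IOC")
        ts = parse_ts(ts_str)
        bucket = recent[ip]
        bucket.append(ts)
        while ts - bucket[0] > window:
            bucket.popleft()  # expire failures older than the window
        if len(bucket) == threshold:  # fires once per crossing, not on every later failure
            alerts[ip].append(f"{threshold} failed RDP logons within {window}")
    return dict(alerts)
```

In production the same logic would read 4625 events from the Security channel (or a SIEM) and the IOC set from a feed; the window keeps slow, spread-out failures from tripping the threshold while still catching rapid attempts.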