Summary (Bottom Line Up Front)
A threat actor at IP 36.133.80.107 conducted intensive RDP reconnaissance against network infrastructure between 07:00 and 20:00 UTC on March 30, 2026, generating over 10,000 scanning events. The activity represents the initial reconnaissance phase of a potential RDP exploitation campaign and is assessed as a LOW immediate threat with moderate escalation potential. Network defenders should audit RDP exposure and implement enhanced monitoring for follow-on credential attacks.
Activity Timeline
INITIAL REPORT 2026-03-30T19:27:37Z
Source: Analyst Manual Entry
Technical details
Attack Vector: Remote Desktop Protocol (RDP) scanning using X.224 connection requests whose embedded cookie field contains the IP [SENSOR-IP], indicating automated tooling.
Volume: 10,570 total events, including 2,652 distinct RDP scan attempts, over a 13-hour period.
MITRE Mapping: T1018 (Remote System Discovery) during the reconnaissance phase of the attack chain.
Key IOCs: Source IP 36.133.80.107; protocols RDP/TCP/TCP-SYN; a single destination port targeted.
Behavioral Analysis: Significant escalation, with 8,517 new events since the previous observation, suggesting a sustained campaign focused on RDP service discovery.
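The tooling signature described above (an X.224 Connection Request whose mstshash cookie carries an IP address rather than a username) can be checked directly on captured RDP connection attempts. The following is an added example written for this report, not tooling used by the analyst or captured traffic: it builds constructed TPKT/X.224 Connection Request frames, parses the cookie and RDP negotiation request, and flags frames whose cookie is an IP literal. The function names and the sample cookie values are assumptions made for illustration.

```python
import ipaddress
import struct
from typing import Optional

COOKIE_PREFIX = b"Cookie: mstshash="


def build_x224_cr(cookie: Optional[bytes], with_neg_req: bool = True) -> bytes:
    """Build a constructed TPKT-wrapped X.224 Connection Request (CR) frame.

    Layout per MS-RDPBCGR: TPKT header (4 bytes), X.224 CR header (7 bytes),
    optional routing token / cookie terminated by CR LF, optional 8-byte
    RDP_NEG_REQ. This is sample input for the parser, not captured traffic.
    """
    payload = b""
    if cookie is not None:
        payload += COOKIE_PREFIX + cookie + b"\r\n"
    if with_neg_req:
        # RDP_NEG_REQ: type=0x01, flags=0, length=8, requestedProtocols=0
        payload += struct.pack("<BBHI", 0x01, 0x00, 0x0008, 0x00000000)
    # X.224 CR: LI (bytes following it), CR code 0xE0, DST-REF, SRC-REF, class
    x224 = struct.pack(">BBHHB", 6 + len(payload), 0xE0, 0x0000, 0x0000, 0x00)
    # TPKT: version 3, reserved, total length including the header itself
    tpkt = struct.pack(">BBH", 0x03, 0x00, 4 + len(x224) + len(payload))
    return tpkt + x224 + payload


def parse_x224_cr(pkt: bytes) -> dict:
    """Parse a TPKT/X.224 CR frame and return its cookie and requested protocols.

    Length fields are validated so truncated or malformed frames raise instead
    of being misread.
    """
    if len(pkt) < 11 or pkt[0] != 0x03 or pkt[1] != 0x00:
        raise ValueError("not a TPKT frame")
    tpkt_len = struct.unpack(">H", pkt[2:4])[0]
    if tpkt_len != len(pkt):
        raise ValueError("TPKT length mismatch")
    li, code = pkt[4], pkt[5]
    if (code & 0xF0) != 0xE0:
        raise ValueError("not an X.224 Connection Request")
    if li + 5 != tpkt_len:
        raise ValueError("X.224 length indicator mismatch")
    body = pkt[11:]

    cookie = None
    if body.startswith(COOKIE_PREFIX):
        end = body.find(b"\r\n")
        if end == -1:
            raise ValueError("unterminated cookie")
        cookie = body[len(COOKIE_PREFIX):end].decode("ascii", errors="replace")
        body = body[end + 2:]

    requested_protocols = None
    if len(body) >= 8 and body[0] == 0x01:
        _, _, length, requested_protocols = struct.unpack("<BBHI", body[:8])
        if length != 8:
            raise ValueError("bad RDP_NEG_REQ length")
    return {"cookie": cookie, "requested_protocols": requested_protocols}


def cookie_is_ip_literal(cookie: Optional[str]) -> bool:
    """True when the mstshash cookie parses as an IPv4/IPv6 address.

    A legitimate client puts a (truncated) username here; an IP literal is the
    scanner pattern this report describes.
    """
    if not cookie:
        return False
    try:
        ipaddress.ip_address(cookie)
        return True
    except ValueError:
        return False


def classify(pkt: bytes) -> str:
    """Label a CR frame as 'suspicious' (IP literal in cookie) or 'normal'."""
    info = parse_x224_cr(pkt)
    if cookie_is_ip_literal(info["cookie"]):
        return "suspicious"
    return "normal"


if __name__ == "__main__":
    # Constructed samples: a scanner-style cookie holding the sensor's address
    # (placeholder value) and an ordinary client cookie holding a username.
    for sample in (b"192.0.2.10", b"alice", None):
        frame = build_x224_cr(sample)
        print(sample, parse_x224_cr(frame), classify(frame))
```

In a sensor pipeline the same check runs over the first TPKT frame of each inbound TCP/3389 flow; a burst of suspicious frames from one source is the event pattern the volume figures above describe.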
IOCs
IP: 36.133.80.107
Recommendations
- Audit all externally facing RDP services and disable unnecessary Remote Desktop access points
- Implement network-level RDP access restrictions using VPN or jump box architecture
- Deploy enhanced logging and alerting for RDP connection attempts from external sources
- Monitor for follow-on credential stuffing attacks against identified RDP services within 72 hours
- Consider temporarily blocking traffic from source IP 36.133.80.107 and associated infrastructure