Summary (Bottom Line Up Front)
A South African IP address (41.157.50.173) conducted intensive credential capture attacks against Telnet services over a 2-hour period on April 6, 2026, generating 1,573 malicious events. This represents routine opportunistic scanning activity at a medium threat level. Network defenders should verify Telnet service exposure and implement appropriate access controls.
Activity Timeline
INITIAL REPORT 2026-04-07T18:29:24Z
Source: Analyst Manual Entry
A South African IP address (41.157.50.173) conducted intensive credential capture attacks against Telnet services over a 2-hour period on April 6, 2026, generating 1,573 malicious events. This represents routine opportunistic scanning activity at a medium threat level. Network defenders should verify Telnet service exposure and implement appropriate access controls.
Technical details
- Source: 41.157.50.173 (AS37168 CELL-C, South Africa) with 92/100 AbuseIPDB reputation score
- Attack Window: April 6, 2026, 19:00-21:00 UTC (2 hours)
- Protocols: TCP/Telnet focused credential harvesting campaign
- Volume: 1,573 authentication attempts targeting single destination port
- Techniques: Brute force authentication retry patterns (204 hits) and standard authentication probes (102 hits)
- Assessment: Low-sophistication automated scanning, likely part of a broader IoT botnet recruitment effort
IOCs
IP: 41.157.50.173
ASN: 37168
COUNTRY: ZA
Recommendations
- Disable or restrict Telnet services where SSH alternatives are available
- Implement rate limiting and account lockout policies for authentication attempts
- Deploy network segmentation to isolate critical systems from internet-facing services
- Monitor for unusual authentication patterns and failed login attempts from foreign IP ranges
- Consider geoblocking traffic from high-risk ASNs if business requirements permit
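One way to act on the monitoring recommendation, as an added example that is not part of this report: a sliding-window detector over Telnet authentication log lines that flags a source exceeding a failure threshold and separates repeated-username retries (the brute force retry pattern noted above) from first-time probes. The log format and sample lines are constructed for illustration and are not the report's telemetry.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp src_ip user result" format.
# The 41.157.50.173 lines mimic the retry pattern described in the report.
SAMPLE_LOG = """\
2026-04-06T19:00:01Z 41.157.50.173 root FAIL
2026-04-06T19:00:02Z 41.157.50.173 root FAIL
2026-04-06T19:00:03Z 41.157.50.173 admin FAIL
2026-04-06T19:00:04Z 41.157.50.173 root FAIL
2026-04-06T19:00:05Z 41.157.50.173 admin FAIL
2026-04-06T19:00:06Z 41.157.50.173 support FAIL
2026-04-06T19:00:40Z 203.0.113.9 ops FAIL
2026-04-06T19:05:00Z 203.0.113.9 ops OK
"""

def parse(line):
    ts, src, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failed logins inside a sliding window.

    Returns {src_ip: {"failures": n, "retries": m, "users": set}} for flagged
    sources; "retries" counts failures that reuse a username the same source
    already tried (retry pattern), the rest are fresh authentication probes.
    """
    windows = defaultdict(deque)   # src -> timestamps of failures in window
    seen_users = defaultdict(set)  # src -> usernames already attempted
    retries = defaultdict(int)
    flagged = {}
    for line in log_text.splitlines():
        ts, src, user, result = parse(line)
        if result != "FAIL":
            continue
        q = windows[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if user in seen_users[src]:
            retries[src] += 1
        seen_users[src].add(user)
        if len(q) >= threshold:
            flagged[src] = {"failures": len(q), "retries": retries[src],
                            "users": set(seen_users[src])}
    return flagged
```

Tune `threshold` and `window` to the service's legitimate login rate; a single source driving 1,573 attempts in two hours, as in this report, stands out at almost any setting.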