Summary (Bottom Line Up Front)
A threat actor operating from Netherlands-based hosting infrastructure (45.144.212.98) conducted sustained reconnaissance and exploitation attempts targeting IoT devices and SMTP services over a 7-day period ending April 6, 2026. The campaign generated 5,265+ malicious events with a focus on MQTT command injection and SMTP enumeration, indicating a medium-severity threat to exposed IoT infrastructure. Organizations should immediately audit IoT device exposure and implement enhanced monitoring for SMTP-based reconnaissance.
Activity Timeline
INITIAL REPORT 2026-04-06T10:50:16Z
Source: Analyst Manual Entry
A threat actor operating from Netherlands-based hosting infrastructure (45.144.212.98) conducted sustained reconnaissance and exploitation attempts targeting IoT devices and SMTP services over a 7-day period ending April 6, 2026. The campaign generated 5,265+ malicious events with a focus on MQTT command injection and SMTP enumeration, indicating a medium-severity threat to exposed IoT infrastructure. Organizations should immediately audit IoT device exposure and implement enhanced monitoring for SMTP-based reconnaissance.
Technical details
Source Infrastructure: Single IP address (45.144.212.98) hosted on AS214940 (Kprohost) in Maastricht, Netherlands, with the maximum AbuseIPDB reputation score, indicating known malicious activity. The host presents a Windows-typical service profile with RDP (3389), SMB (445), and RPC (135) exposed, suggesting either a compromised endpoint or bulletproof hosting.
Attack Methodology: Primary focus on IoT exploitation via MQTT command injection techniques targeting port 25/SMTP with spoofed EHLO commands. Secondary reconnaissance activity included systematic SMTP service enumeration. Attack pattern suggests automated tooling with consistent "EHLO User" signatures across 695+ documented attempts.
MITRE ATT&CK Mappings: T1190 (Exploit Public-Facing Application), T1595.002 (Active Scanning: Vulnerability Scanning), T1071.003 (Application Layer Protocol: Mail Protocols)
Key IOCs: IP 45.144.212.98, SMTP EHLO signature "User", MQTT command injection payloads via port 25
IOCs
IP: 45.144.212.98
ASN: 214940
COUNTRY: NL
Recommendations
- Block IP address 45.144.212.98 and monitor for additional activity from AS214940 network range
- Audit all IoT devices for unnecessary SMTP service exposure and disable non-essential network services
- Implement enhanced logging and alerting for MQTT protocol anomalies and non-standard EHLO commands
- Review firewall rules to restrict IoT device communication to required services and known-good destinations only
- Deploy network segmentation to isolate IoT infrastructure from critical business systems and internet exposure
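To make the alerting recommendation for non-standard EHLO commands concrete, the following is an added detection example (not part of this report or any vendor tooling). It scans SMTP command logs in a simplified, assumed "timestamp daemon client=IP cmd=..." format (constructed sample lines included), flags any EHLO/HELO whose argument is neither an FQDN nor an address literal as RFC 5321 requires (so it generalizes beyond the literal "EHLO User" signature), and raises an alert per source IP once an assumed threshold is reached.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in an assumed simplified format; the first three
# mirror the "EHLO User" pattern from the report, the others are benign or edge cases.
SAMPLE_LOG = """\
2026-04-06T10:40:01Z smtpd client=45.144.212.98 cmd="EHLO User"
2026-04-06T10:40:02Z smtpd client=45.144.212.98 cmd="EHLO User"
2026-04-06T10:40:03Z smtpd client=45.144.212.98 cmd="EHLO User"
2026-04-06T10:41:10Z smtpd client=192.0.2.10 cmd="EHLO mail.example.net"
2026-04-06T10:41:11Z smtpd client=192.0.2.10 cmd="MAIL FROM:<a@example.net>"
2026-04-06T10:42:00Z smtpd client=198.51.100.7 cmd="EHLO [198.51.100.7]"
2026-04-06T10:43:00Z smtpd client=203.0.113.5 cmd="HELO User"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) \S+ client=(?P<ip>[\d.]+) cmd="(?P<cmd>[^"]*)"$')
# RFC 5321: the EHLO/HELO argument must be a fully qualified domain name or an
# address literal such as [192.0.2.1] / [IPv6:...]. A bare word like "User" is neither.
FQDN_RE = re.compile(r'^(?:[a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$', re.I)
ADDR_LITERAL_RE = re.compile(r'^\[(?:\d{1,3}\.){3}\d{1,3}\]$|^\[IPv6:[0-9a-f:.]+\]$', re.I)


def is_valid_ehlo_arg(arg):
    """True when the EHLO/HELO argument is an FQDN or an address literal."""
    return bool(FQDN_RE.match(arg) or ADDR_LITERAL_RE.match(arg))


def find_suspicious_ehlo(log_text):
    """Return {client_ip: Counter(argument -> count)} for malformed EHLO/HELO commands."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; skip rather than fail the whole scan
        parts = m.group("cmd").split(None, 1)
        if len(parts) != 2 or parts[0].upper() not in ("EHLO", "HELO"):
            continue
        arg = parts[1].strip()
        if not is_valid_ehlo_arg(arg):
            hits[m.group("ip")][arg] += 1
    return dict(hits)


def alerts(log_text, threshold=3):
    """(ip, total, most_common_argument) for sources at or above the assumed threshold."""
    out = []
    for ip, ctr in find_suspicious_ehlo(log_text).items():
        total = sum(ctr.values())
        if total >= threshold:
            out.append((ip, total, ctr.most_common(1)[0][0]))
    return sorted(out)
```

Adjust `LINE_RE` to your MTA's actual log layout; the validation and counting logic is independent of the format.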