Summary (Bottom Line Up Front)
Threat actor operating from IP 45.156.87.91 (Netherlands/SkyLink Data Center) conducted sustained network reconnaissance activities over 16 days targeting organizational infrastructure. Assessment indicates MEDIUM threat level with active scanning operations likely preceding exploitation attempts. Immediate blocking and enhanced monitoring of scanning activity are recommended.
Activity Timeline
INITIAL REPORT 2026-03-14T17:46:58Z
Source: batch_hunting
Technical details
- Source Infrastructure: 45.156.87.91 (AS51396 SkyLink Data Center BV, Netherlands)
- Campaign Duration: February 27, 2026 00:00 - March 14, 2026 16:00 (16-day window)
- Attack Volume: 144 events across HTTP and TCP protocols
- Primary Technique: Automated scanning using bot user agents (16 instances)
- Target Scope: 2 unique destination ports including SSH (22/tcp)
- MITRE ATT&CK Mapping: T1595.001 (Active Scanning: Scanning IP Blocks)
- Threat Indicators: 100/100 AbuseIPDB reputation score, Linux-based attack platform
- IOCs: 45.156.87.91
IOCs
IP:45.156.87.91
ASN:51396
COUNTRY:NL
Recommendations
- Block IP 45.156.87.91 at perimeter firewalls and web application firewalls immediately
- Implement enhanced logging and alerting for scanning activities targeting SSH and web services
- Review logs for any successful connections from this IP and investigate for potential compromise
- Monitor for additional scanning activity from AS51396 (SkyLink Data Center BV) address space
- Validate SSH service exposure and implement fail2ban or similar rate limiting for brute-force protection