Summary (Bottom Line Up Front)
Malicious activity detected from 45.205.1.8 (BR, ASNone). 4652 events observed across ADB, HTTP, TCP, TCP/SYN, TLS. AI verdict: NOISE.
Activity Timeline
UPDATE 4 2026-05-12T14:13:09Z
Source: Analyst Manual Entry
Malicious activity detected from 45.205.1.8 (BR, ASNone). 4652 events observed across ADB, HTTP, TCP, TCP/SYN, TLS. AI verdict: NOISE.
New findings
Protocols: ADB, HTTP, TCP, TCP/SYN, TLS, auto, http, https, https_tls_handshake
Attack types: ADB_ATTACK, EXPLOIT, RCE, SMB_EXPLOIT_PROBE
Unique destination ports: 5
Active window: 2026-04-04 15:41:43.965623 to 2026-05-12 10:54:33.756932
Top patterns: suricata_sid_2500020, adb_shell, adb_connect, suricata_sid_2403364, suricata_sid_2402000
Recommendations
- Block 45.205.1.8 at perimeter firewall
- Review correlated attacker profiles for campaign links
UPDATE 3 2026-04-18T06:50:24Z
Source: Analyst Manual Entry
High-confidence detection of sustained multi-protocol attack activity from IP 45.205.1.8 (AS215925 Cloud Innovation Ltd, Brazil) targeting multiple services including ADB, HTTP, SMB, and Telnet over a 40-day period from March 9 to April 18, 2026. The threat actor conducted 3,029 attack events including credential harvesting, remote code execution attempts, and Android Debug Bridge exploitation. Immediate blocking and investigation of affected systems is recommended.
New findings
The attacker leveraged multiple protocols (ADB, HTTP, TCP, TELNET, TLS, MQTT) to conduct a broad-spectrum attack campaign mapped to MITRE technique T1071.001 (Application Layer Protocol). Primary attack vectors included Android Debug Bridge exploitation (168 events), credential capture attempts (287 events), and multiple exploit attempts targeting known vulnerabilities. The threat actor operated from open ports 22 and 8082, demonstrating command and control capabilities consistent with compromised infrastructure. Key indicators include basic authentication bypass attempts, shell command injection via Telnet (port 23), and HTTP-based reconnaissance against port 8080. Attack volume peaked with exploit attempts generating 324 high-severity events, indicating automated tooling deployment.
Recommendations
- Block IP 45.205.1.8 and monitor AS215925 (Cloud Innovation Ltd) for additional malicious activity
- Audit all systems with ADB enabled (port 5555) and disable unnecessary Android Debug Bridge services
- Review authentication logs for basic auth bypass attempts and implement multi-factor authentication where feasible
- Scan internal networks for compromised devices that may have established C2 communication during the March-April timeframe
- Enhance monitoring for multi-protocol attack patterns combining ADB, MQTT, and SMB reconnaissance activities
UPDATE 2 2026-04-05T18:45:23Z
Source: Analyst Manual Entry
Brazilian-hosted attacker (45.205.1.8) conducted a sustained 4-week campaign targeting multiple services with credential theft, remote code execution attempts, and reconnaissance activities across 2,974 events. Assessment: MEDIUM threat severity with high confidence based on diverse attack vectors including critical RCE attempts and systematic credential harvesting. Immediate action required to block source IP and review authentication logs for compromise indicators.
New findings
Source: 45.205.1.8 (AS215925 Cloud Innovation Ltd, Brazil) with maximum AbuseIPDB reputation score (100/100)
Campaign Duration: March 9, 2026 07:00 - April 5, 2026 15:00 (4-week sustained activity)
Attack Vectors: HTTP/HTTPS credential capture (287 attempts), critical RCE exploitation via TCP/Telnet (21 attempts), SMB reconnaissance and exploitation probes (14 attempts)
MITRE Techniques: T1087.004 (Account Discovery: Cloud Account), Reconnaissance kill chain phase
Protocols Observed: Multi-protocol approach spanning HTTP/HTTPS, Telnet, SMB, and MQTT services
Key Indicators: Basic authentication brute force patterns, bash command injection attempts, SMB enumeration payloads, and geospatial service targeting
Recommendations
- Block 45.205.1.8 at perimeter firewalls and update threat intelligence feeds with this IOC
- Review authentication logs for successful logins from this source IP, particularly basic auth and SSH services
- Implement rate limiting on authentication endpoints and consider disabling basic authentication where possible
- Audit SMB service exposure and disable unnecessary file sharing protocols on internet-facing systems
- Monitor for similar multi-protocol attack patterns from AS215925 (Cloud Innovation Ltd) infrastructure
UPDATE 1 2026-03-24T06:26:52Z
Source: Analyst Manual Entry
Threat actor operating from Brazilian cloud infrastructure (45.205.1.8) conducted sustained credential theft operations over a 14-day period targeting administrative interfaces on port 8080. Assessment indicates MEDIUM threat level with 75% confidence, representing reconnaissance activity that may precede more sophisticated attacks. Network defenders should immediately audit administrative interface exposure and implement enhanced authentication controls.
New findings
Attack Profile: 484 events observed between 2026-03-09 07:00 and 2026-03-23 09:00 targeting 3 unique destination ports. Primary attack vector utilized HTTP/HTTPS protocols with TLS 1.0 handshakes to probe administrative endpoints.
MITRE Mapping: T1190 (Exploit Public-Facing Application) during reconnaissance phase of kill chain. Attacker demonstrated focus on credential theft through basic authentication bypass attempts.
Infrastructure: Source IP 45.205.1.8 (AS215925 Cloud Innovation Ltd, Brazil) with maximum AbuseIPDB reputation score (100/100). Linux-based system with SSH service exposed on port 22.
IOCs: Basic authentication header "Authorization: Basic YWRtaW46" indicating default/weak credential testing against diagnostic PHP endpoints.
Recommendations
- Immediately audit all administrative interfaces accessible on non-standard ports (especially 8080) and restrict access to authorized networks only
- Implement multi-factor authentication on all administrative endpoints and disable basic authentication where possible
- Block traffic from AS215925 (Cloud Innovation Ltd) and monitor for similar reconnaissance patterns from Brazilian cloud providers
- Deploy additional monitoring for HTTP authorization headers containing common default credentials (admin/admin, admin/blank)
- Review and harden TLS configurations to disable legacy protocols (TLS 1.0) on administrative interfaces
INITIAL REPORT 2026-03-23T14:06:33Z
Source: Analyst Manual Entry
Brazilian-hosted threat actor (45.205.1.8) conducted sustained credential theft operations over two weeks targeting administrative interfaces via basic authentication attacks. Assessment indicates MEDIUM threat level with 75% confidence, representing reconnaissance activity that may precede more sophisticated attacks. Organizations should immediately audit administrative interface exposure and implement enhanced authentication controls.
Technical details
Attack Vector: HTTP-based credential theft targeting administrative endpoints on non-standard ports
Volume: 484 events observed between March 9-23, 2026 (14-day campaign)
Protocols: Multi-protocol approach including HTTP, HTTPS, TLS 1.0, and TCP reconnaissance
MITRE Mapping: T1190 (Exploit Public-Facing Application) during Reconnaissance phase
Key IOC: 45.205.1.8 (AS215925 Cloud Innovation Ltd, Brazil) - AbuseIPDB score 100/100
Attack Pattern: Basic authentication brute force with weak credential combinations (admin:admin observed)
Infrastructure: Linux-based system with SSH service exposed, no reverse DNS resolution
IOCs
IP: 45.205.1.8
ASN: 215925
COUNTRY: BR
Recommendations
- Block 45.205.1.8 and monitor for additional AS215925 Cloud Innovation Ltd infrastructure targeting your organization
- Audit all administrative interfaces accessible on non-standard ports (especially 8080) and restrict access to authorized networks only
- Implement multi-factor authentication on all administrative endpoints and disable basic authentication where possible
- Deploy rate limiting and account lockout policies for authentication attempts on web-based administrative interfaces
- Monitor for reconnaissance activity targeting diagnostic or administrative PHP endpoints and similar management interfaces