Summary (Bottom Line Up Front)
The threat actor at 65.49.20.69 conducted sustained multi-protocol reconnaissance against FortiGate appliances, industrial control systems, and IoT devices over 54 days (February 21 to April 15, 2026). The activity is assessed as medium severity, with a focus on enumerating critical-infrastructure services across 13 unique ports. Organizations should review FortiGate management and SSL VPN exposure now and add monitoring for ICS/IoT environments.
Activity Timeline
UPDATE 2 2026-04-15T06:50:37Z
Source: Analyst Manual Entry
The threat actor at 65.49.20.69 conducted sustained multi-protocol reconnaissance against FortiGate appliances, industrial control systems, and IoT devices over 54 days (February 21 to April 15, 2026). The activity is assessed as medium severity, with a focus on enumerating critical-infrastructure services across 13 unique ports. Organizations should review FortiGate management and SSL VPN exposure now and add monitoring for ICS/IoT environments.
New findings
Attack Profile: 54 events spanning FTP, HTTP, MQTT, Modbus, RDP, S7comm, SMTP, and TLS, with the primary focus on FortiGate infrastructure (35 hits across probe, reconnaissance, SSL VPN, and API patterns).
MITRE Mapping: T1046 (Network Service Discovery); kill-chain activity is concentrated in the reconnaissance phase.
Key Targets: FortiGate management interfaces via the /login, /remote/logincheck, /api/v2/static/not.found, and /migadmin paths; Modbus device enumeration using function code 0x2B (43, Read Device Identification, MEI type 0x0E); anonymous MQTT connection attempts on port 1883; legacy SMB1 usage.
IOCs: Source IP 65.49.20.69, geolocation and ASN not attributed; behavior is consistent across the industrial protocols probed.
Recommendations
- Implement immediate access controls and monitoring for FortiGate management interfaces, particularly /login and /remote/logincheck endpoints
- Deploy network segmentation between IT and OT environments to limit Modbus and S7COMM protocol exposure from internet-facing systems
- Configure MQTT brokers to require authentication and disable anonymous connections on port 1883
- Disable SMB1 protocol across all systems and upgrade to SMB2/3 with signing requirements
- Establish baseline monitoring for multi-protocol scanning, in particular a single source reaching ports 443, 502, 1883, and 3389 within a short window
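A worked detection for the multi-port pattern above, written as an added example for this report (it is not the analyst's tooling): it groups a constructed connection log by source and flags any source that reaches three or more of the watched services (443, 502, 1883, 3389) within a ten-minute window. The log schema, the sample lines, and the thresholds are assumptions.

```python
"""Flag sources that probe several unrelated services in a short window.

Added example (not the report's own tooling). The log schema below is a
constructed, simplified connection log: "<ISO-8601 time> <src> <dst> <dport>".
"""
from collections import defaultdict
from datetime import datetime

# Services the report lists as probed together from one source.
WATCHED_PORTS = {443: "https", 502: "modbus", 1883: "mqtt", 3389: "rdp"}

# Constructed sample lines, not real telemetry. The first source touches all
# four watched ports within three minutes; the second only retries HTTPS.
SAMPLE_LOG = """\
2026-04-15T06:40:01Z 65.49.20.69 203.0.113.10 443
2026-04-15T06:40:09Z 65.49.20.69 203.0.113.10 502
2026-04-15T06:41:30Z 65.49.20.69 203.0.113.11 1883
2026-04-15T06:42:12Z 65.49.20.69 203.0.113.12 3389
2026-04-15T06:42:40Z 198.51.100.7 203.0.113.10 443
2026-04-15T06:45:00Z 198.51.100.7 203.0.113.10 443
2026-04-15T09:10:00Z 65.49.20.69 203.0.113.10 445
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)


def find_multi_protocol_scanners(log_text, window_seconds=600, min_services=3):
    """Return {src: [service names]} for every source that reaches at least
    `min_services` distinct watched ports inside any `window_seconds` span."""
    events = defaultdict(list)  # src -> [(timestamp, dport)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, dport = parse_line(line)
        if dport in WATCHED_PORTS:
            events[src].append((ts, dport))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        # Slide a window anchored at each event and collect the distinct
        # watched ports seen before the window closes.
        for i, (t0, _port) in enumerate(evs):
            ports = {p for t, p in evs[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(ports) >= min_services:
                hits[src] = sorted(WATCHED_PORTS[p] for p in ports)
                break
    return hits


if __name__ == "__main__":
    for src, services in find_multi_protocol_scanners(SAMPLE_LOG).items():
        print(f"{src}: multi-protocol scan across {', '.join(services)}")
```

Run against the sample, only 65.49.20.69 is flagged (https, modbus, mqtt, rdp); the retrying HTTPS client is not, and the later 445 hit is ignored because SMB is not in the watched set. Tune `window_seconds` and `min_services` to the noise level of the sensor; a 30-second window, for instance, no longer catches this slow probe.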
UPDATE 1 2026-04-14T18:14:16Z
Source: Analyst Manual Entry
The source 65.49.20.69 conducted a sustained 54-event campaign from February 21 to April 14, 2026 (52 days), targeting industrial control systems, IoT devices, and network infrastructure; the threat assessment is HIGH confidence. The attacker demonstrated working knowledge of ICS protocols (S7comm and Modbus), combined with FortiGate appliance reconnaissance and RDP scanning. Immediate defensive measures are recommended for organizations operating industrial control systems and network security appliances.
New findings
Attack Profile: Multi-protocol reconnaissance and exploitation campaign spanning 52 days with consistent targeting of critical-infrastructure components.
Protocols Observed: S7comm, Modbus, MQTT, RDP, HTTPS, SMB across 12 unique destination ports.
MITRE Mapping: T1190 (Exploit Public-Facing Application), with a focus on industrial protocols.
Key Techniques: Modbus broadcast requests (Unit ID 0, function code 43), anonymous MQTT connection attempts and weak-credential logins, FortiGate SSL VPN login attempts, and legacy SMB protocol usage.
Attack Vectors: ICS device identification via Modbus function code 43, attempted IoT device access through MQTT, and network appliance reconnaissance against FortiGate management interfaces.
IOCs: Source IP 65.49.20.69, FortiGate API probes to `/api/v2/static/not.found`, Modbus broadcast requests with Unit ID 0 and FC 43.
Recommendations
- Block IP address 65.49.20.69 at network perimeter and implement enhanced monitoring for similar multi-protocol scanning patterns
- Segment industrial control networks from corporate infrastructure and implement protocol-aware firewalls for Modbus, S7comm, and MQTT traffic
- Disable legacy SMB protocols (SMBv1) and enforce strong authentication for MQTT brokers with anonymous connection blocking
- Update FortiGate appliances to latest firmware versions and restrict management interface access to authorized IP ranges only
- Deploy ICS-specific intrusion detection systems capable of monitoring industrial protocol anomalies and unauthorized broadcast communications
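As an added illustration of the management-interface recommendation (this is not from the report and not Fortinet documentation), a FortiOS CLI fragment showing an exposed configuration next to a hardened one. The interface names (wan1, mgmt), the 10.10.0.0/24 management subnet, and the admin account name are assumptions; the commands use standard FortiOS `config system interface` and `config system admin` syntax.

```text
# Exposed: HTTPS and SSH administration answer on the Internet-facing
# interface, and the admin account accepts logins from any source address.
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end

# Hardened: remove administrative access from the WAN interface, keep it on
# an internal management interface, and pin the admin account to the
# management subnet with a trusted host (both values are assumptions).
config system interface
    edit "wan1"
        set allowaccess ping
    next
    edit "mgmt"
        set allowaccess https ssh
    next
end
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
```

With the hardened fragment, the /login and /api paths the actor probed are no longer served on wan1 at all, and a login against the admin account from a non-trusted host is rejected before credentials are checked. Restricting the SSL VPN portal (/remote/logincheck) is a separate setting and is not covered by this fragment.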
INITIAL REPORT 2026-04-08T06:35:40Z
Source: Analyst Manual Entry
The threat actor at 65.49.20.69 conducted sustained reconnaissance and exploitation attempts against industrial control systems, IoT devices, and network infrastructure over 47 days (February 21 to April 8, 2026). Assessment: HIGH threat level with 78% confidence, targeting critical infrastructure through S7comm protocol exploitation and multi-vector attacks. Immediate defensive measures are recommended for ICS/SCADA networks and perimeter security devices.
Technical details
Attack Profile: 54 events across 10 protocols, including specialized industrial protocols (S7comm, Modbus), IoT messaging (MQTT), and standard network services (RDP, SMB, HTTPS). The primary focus is FortiGate infrastructure, with 11 attempts against login pages, API endpoints, and SSL VPN services. Industrial control system activity included Modbus broadcast requests (Unit ID 0, function code 43) and S7comm exploitation attempts. MITRE technique T1190 (Exploit Public-Facing Application) was observed, with zero-day exploitation assessed at 65% probability. The pattern is systematic reconnaissance followed by targeted exploitation attempts against critical-infrastructure protocols.
Key IOCs:
- Source IP: 65.49.20.69
- Targeted ports: 443 (HTTPS), 502 (Modbus), 1883 (MQTT), 3389 (RDP)
- Probed paths: `/api/v2/static/not.found`, `/migadmin/lang/legacy/legacy/filechecksum`, `/remote/logincheck`
- Protocol abuse: SMB1 usage, anonymous MQTT connections, Modbus broadcast requests (Unit ID 0, FC 43)
IOCs
IP: 65.49.20.69
Recommendations
- Block source IP 65.49.20.69 at network perimeter and update threat intelligence feeds with associated IOCs
- Implement enhanced monitoring for S7comm and Modbus protocol anomalies, particularly broadcast attacks and unusual function codes
- Review and harden FortiGate configurations, disable unnecessary API endpoints, and implement additional authentication controls for SSL VPN access
- Deploy network segmentation between IT and OT environments to limit lateral movement from compromised industrial systems
- Enable advanced logging for MQTT brokers and implement authentication requirements to prevent anonymous connections
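To make the Modbus indicator concrete (the Unit ID 0 / function code 43 requests listed in the findings, and the monitoring for unusual function codes recommended above), an added example that is not part of the report: it builds a Modbus/TCP Read Device Identification request, parses frames back into their MBAP header and PDU fields, and tags frames matching the probe. The frames are constructed, and the tag names are assumptions.

```python
"""Build, parse and classify Modbus/TCP Read Device Identification probes.

Added example, not the report's tooling. Modbus/TCP frame layout (big-endian):
  MBAP: transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1)
  PDU:  function code (1) | function-specific data
Function code 0x2B (43) is Encapsulated Interface Transport; with MEI type
0x0E it is Read Device Identification, which returns vendor, product code
and firmware revision, which is why scanners use it for fingerprinting.
"""
import struct

FC_ENCAPSULATED_INTERFACE = 0x2B   # function code 43
MEI_READ_DEVICE_ID = 0x0E          # MEI type 14
MODBUS_BROADCAST_UNIT = 0          # serial-line broadcast address; many
                                   # Modbus/TCP devices answer to it directly
MBAP_FORMAT = ">HHHB"


def build_read_device_id(transaction_id=1, unit_id=MODBUS_BROADCAST_UNIT,
                         read_code=0x01, object_id=0x00):
    """Return the bytes of a FC 43 / MEI 14 request (read_code 1 = basic
    identification starting at object 0: VendorName)."""
    pdu = bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, read_code, object_id])
    # MBAP length counts the unit id byte plus the PDU.
    mbap = struct.pack(MBAP_FORMAT, transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_modbus_tcp(frame):
    """Split a Modbus/TCP request into its header and PDU fields."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(MBAP_FORMAT, frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame" % length)
    pdu = frame[7:]
    info = {"transaction_id": tid, "unit_id": unit,
            "function_code": pdu[0], "pdu": pdu}
    if pdu[0] == FC_ENCAPSULATED_INTERFACE and len(pdu) >= 4:
        info["mei_type"] = pdu[1]
        info["read_device_id_code"] = pdu[2]
        info["object_id"] = pdu[3]
    return info


def classify(frame):
    """Return alert tags (assumed names) for one Modbus/TCP request frame."""
    info = parse_modbus_tcp(frame)
    tags = []
    if (info["function_code"] == FC_ENCAPSULATED_INTERFACE
            and info.get("mei_type") == MEI_READ_DEVICE_ID):
        tags.append("read-device-identification")
    if info["unit_id"] == MODBUS_BROADCAST_UNIT:
        tags.append("broadcast-unit-id")
    return tags


# Constructed frames: the fingerprinting probe from the report, and a routine
# Read Holding Registers (FC 3) request for 10 registers at address 0, unit 1.
PROBE_FRAME = build_read_device_id(transaction_id=1)
NORMAL_FRAME = struct.pack(MBAP_FORMAT, 2, 0, 6, 1) + bytes([0x03, 0x00, 0x00, 0x00, 0x0A])


if __name__ == "__main__":
    for name, frame in (("probe", PROBE_FRAME), ("normal", NORMAL_FRAME)):
        print(name, frame.hex(), classify(frame))
```

The probe frame is `000100000005002b0e0100`: transaction 1, length 5, unit 0, then FC 0x2B, MEI 0x0E, read code 1, object 0. A sensor that decodes only the function code would still see 43 and flag it; decoding the MEI type separates Read Device Identification from other encapsulated-interface traffic (CANopen, MEI type 0x0D). A response to this request is identification data only, so the observed activity is fingerprinting, not a write to the process.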