66.132.153.115

Summary (Bottom Line Up Front)

IP address 66.132.153.115 conducted a 12-day reconnaissance campaign targeting MQTT and SMB services with 83 recorded events between March 1-13, 2026. The threat actor demonstrates medium-level capability with focused protocol exploitation attempts and maintains a maximum AbuseIPDB reputation score. Immediate blocking and enhanced monitoring of MQTT/SMB services are recommended.

Tags: SMB, TCP, TCP/SYN, TLS, TLS/1.0, TLS/1.2+, auto, mqtt
Activity Timeline
INITIAL REPORT 2026-03-14T17:46:34Z
Source: batch_hunting
Technical details
The threat actor operated from US-based infrastructure targeting three unique destination ports across multiple protocols including MQTT, SMB, and various TLS versions. Attack patterns included MQTT subscription enumeration with wildcard queries and legacy SMB1 protocol exploitation attempts. The 83 events over 12 days indicate sustained reconnaissance activity rather than opportunistic scanning. Key techniques align with MITRE ATT&CK T1046 (Network Service Scanning) and T1021.002 (Remote Services: SMB/Windows Admin Shares). Primary IOC: 66.132.153.115 with 100/100 AbuseIPDB confidence score.
IOCs
IP: 66.132.153.115
COUNTRY: US
Recommendations
  • Block IP address 66.132.153.115 at network perimeter and document in threat intelligence feeds
  • Implement enhanced logging and monitoring for MQTT brokers, particularly subscription and wildcard query attempts
  • Disable SMB1 protocol across all network assets and enforce SMB2/3 with signing requirements
  • Review and harden authentication mechanisms for IoT/MQTT infrastructure against unauthorized access
  • Conduct threat hunting for similar multi-protocol reconnaissance patterns targeting industrial/IoT services