Summary (Bottom Line Up Front)
A Linux-based threat actor operating from US infrastructure conducted sustained web application exploitation attempts over a 9-day period, generating 2,244 malicious events targeting HTTP services. The actor demonstrated HIGH threat level activity through systematic Local File Inclusion (LFI) attacks and vulnerability scanning, indicating automated tooling focused on web application compromise.
Activity Timeline
INITIAL REPORT 2026-03-14T08:35:52Z
Source: Analyst Manual Entry
Technical details
The threat actor used HTTP exclusively, targeting web services through two primary attack vectors. LFI exploitation attempts (81 observed instances) focused on reading sensitive configuration files and map to MITRE ATT&CK techniques T1005 (Data from Local System) and T1083 (File and Directory Discovery). Vulnerability scanning activity (71 instances) consisted of systematic probing of common web application paths and endpoints, corresponding to T1595.002 (Active Scanning: Vulnerability Scanning). Traffic analysis revealed consistent User-Agent rotation and systematic URI manipulation targeting configuration files, backup directories, and administrative interfaces. The actor's infrastructure profile shows operation from a cloud hosting provider (Latitude.sh) with multiple exposed services on ports 22, 3000, and 3001, suggesting either a compromised host or a purpose-built attack platform.
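The pattern described above (traversal-style LFI attempts, probing of backup and admin paths, and User-Agent rotation from a single source) can be surfaced directly from web server access logs. The following detection script is an added example written for this report, not tooling from the analyst or the platform that produced it. It assumes Apache/nginx combined log format, decodes URIs twice so double-encoded traversal is not missed, and uses constructed sample lines with documentation-range addresses rather than the IOC below; the probe-path list, the sensitive-file list, and the flagging thresholds are illustrative choices, not values taken from the report.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). Addresses are from
# documentation ranges (RFC 5737); they are not the IOC reported above.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Mar/2026:08:35:52 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.10 - - [14/Mar/2026:08:35:53 +0000] "GET /index.php?page=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 404 210 "-" "curl/8.1.2"
192.0.2.10 - - [14/Mar/2026:08:35:54 +0000] "GET /download?file=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 500 311 "-" "python-requests/2.31"
192.0.2.10 - - [14/Mar/2026:08:35:55 +0000] "GET /backup/ HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.10 - - [14/Mar/2026:08:35:56 +0000] "GET /.env HTTP/1.1" 404 210 "-" "Go-http-client/1.1"
198.51.100.7 - - [14/Mar/2026:08:36:01 +0000] "GET /about.html HTTP/1.1" 200 4021 "-" "Mozilla/5.0 (Macintosh)"
"""

# Combined log format: ip ident user [ts] "method uri proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Illustrative indicator lists (assumptions for this example, not from the report).
TRAVERSAL = re.compile(r"\.\.[/\\]")
SENSITIVE = re.compile(r"etc/(passwd|shadow)|proc/self|wp-config\.php|\.htpasswd|web\.config", re.I)
PROBE = re.compile(r"^/(backups?|admin|phpmyadmin|\.git|\.env|\.aws|\.svn)(/|$)", re.I)

# ATT&CK mapping as used in the report above.
TECHNIQUES = {"lfi": ["T1005", "T1083"], "scan": ["T1595.002"]}


def normalise(uri):
    """URL-decode twice so double-encoded traversal (%252e%252e%252f) is caught."""
    return unquote(unquote(uri))


def classify(uri):
    """Return the set of tags ('lfi', 'scan') a single request URI earns."""
    tags = set()
    decoded = normalise(uri)
    if TRAVERSAL.search(decoded) or SENSITIVE.search(decoded):
        tags.add("lfi")
    path = decoded.split("?", 1)[0]          # probe paths are judged without the query string
    if PROBE.search(path):
        tags.add("scan")
    return tags


def profile(log_text):
    """Aggregate per-source request counts, LFI/probe hits and distinct User-Agents."""
    stats = defaultdict(lambda: {"requests": 0, "lfi": 0, "scan": 0, "user_agents": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                          # skip lines that are not in combined format
        s = stats[m["ip"]]
        s["requests"] += 1
        s["user_agents"].add(m["ua"])
        for tag in classify(m["uri"]):
            s[tag] += 1
    return dict(stats)


def flag_sources(log_text, min_events=2, min_agents=3):
    """Flag a source on any LFI attempt, or on repeated probing combined with UA rotation.

    Thresholds are illustrative assumptions; tune them to the site's baseline.
    """
    flagged = {}
    for ip, s in profile(log_text).items():
        rotating = len(s["user_agents"]) >= min_agents
        if s["lfi"] >= 1 or (s["lfi"] + s["scan"] >= min_events and rotating):
            seen = [t for t in ("lfi", "scan") if s[t]]
            flagged[ip] = {
                "lfi": s["lfi"],
                "scan": s["scan"],
                "ua_rotation": len(s["user_agents"]),
                "techniques": sorted({tech for t in seen for tech in TECHNIQUES[t]}),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_sources(SAMPLE_LOG).items():
        print(ip, info)
```

Run against a real log with `flag_sources(open("access.log").read())`; the double decode in `normalise` is deliberate, because a single `unquote` turns `%252e%252e%252f` into `%2e%2e%2f`, which the traversal regex would not match.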
IOCs
IP: 67.213.118.179
ASN: 396356
COUNTRY: US