Summary (Bottom Line Up Front)
IP address 80.94.95.143 (Romania, AS204428) conducted sustained RDP reconnaissance against network infrastructure from March 30-April 3, 2026, generating over 160,000 connection attempts. This activity represents low-severity automated scanning to identify active RDP services for potential future exploitation. Network defenders should review RDP exposure and implement access controls.
Activity Timeline
INITIAL REPORT2026-04-03T00:09:55Z
Source: Analyst Manual Entry
IP address 80.94.95.143 (Romania, AS204428) conducted sustained RDP reconnaissance against network infrastructure from March 30-April 3, 2026, generating over 160,000 connection attempts. This activity represents low-severity automated scanning to identify active RDP services for potential future exploitation. Network defenders should review RDP exposure and implement access controls.
Technical details
- Source: 80.94.95.143 (Timişoara, Romania / UNMANAGED LTD ASN204428)
- Campaign Duration: March 30, 2026 15:00 - April 3, 2026 02:00 (4-day window)
- Attack Volume: 160,541 events targeting RDP services
- Primary Technique: T1018 (Remote System Discovery) via X.224 connection requests
- Protocols Observed: RDP, BACnet, Kafka, Memcached, TCP
- Infrastructure Profile: Non-VPN residential/business connection with multiple Windows services exposed (ports 135, 137, 445, 3389, 5985)
- Threat Assessment: Low severity reconnaissance with 5% zero-day probability
IOCs
IP:80.94.95.143
ASN:204428
COUNTRY:RO
Recommendations
- Implement network-level access controls to restrict RDP (port 3389) exposure to authorized IP ranges only
- Deploy multi-factor authentication for all RDP connections and disable RDP for non-essential systems
- Monitor for follow-on activity from AS204428 network range and associated Romanian infrastructure
- Review logs for successful RDP authentication attempts during the March 30 - April 3 timeframe
- Consider blocking or rate-limiting connections from IP 80.94.95.143 and monitoring for infrastructure pivoting