Summary (Bottom Line Up Front)
Romanian-based threat actor at 80.94.95.55 conducted extensive multi-protocol reconnaissance targeting RDP, ICS protocols, SSH, and VNC services over a 9-day period from March 29-April 7, 2026. The campaign generated 134,308 events with notable focus on industrial control systems (S7COMM protocol) and remote access services, assessed as opportunistic scanning with medium threat level. Organizations should review exposure of critical services and implement enhanced monitoring for the identified attack patterns.
Activity Timeline
INITIAL REPORT 2026-04-07T13:48:15Z
Source: Analyst Manual Entry
Romanian-based threat actor at 80.94.95.55 conducted extensive multi-protocol reconnaissance targeting RDP, ICS protocols, SSH, and VNC services over a 9-day period from March 29-April 7, 2026. The campaign generated 134,308 events with notable focus on industrial control systems (S7COMM protocol) and remote access services, assessed as opportunistic scanning with medium threat level. Organizations should review exposure of critical services and implement enhanced monitoring for the identified attack patterns.
Technical details
Source: 80.94.95.55 (AS204428 UNMANAGED LTD, Timişoara, Romania)
Campaign Duration: March 29, 2026 16:00 - April 7, 2026 15:00
Attack Volume: 134,308 events across 14 unique destination ports
Primary Attack Vectors:
- RDP scanning via x224_request (38,200 hits) - MITRE T1021.001 (Remote Desktop Protocol)
- Industrial Control Systems targeting via S7COMM protocol (6 hits) - MITRE T0866 (Exploitation of Remote Services)
- SSH reconnaissance via banner exchange (5 hits) - MITRE T1021.004 (SSH)
- VNC authentication attempts and scanning (4 combined hits) - MITRE T1021.005 (VNC)
Infrastructure Profile: Windows 10 build 14393 system with exposed SMB (445), RPC (135), NetBIOS (137, 139), RDP (3389), and WinRM (5985) services. AbuseIPDB confidence score: 100/100.
Notable IOC: Captured S7COMM payload `030000130ee0` indicates COTP connection requests targeting industrial systems on port 9001.
IOCs
IP: 80.94.95.55
ASN: 204428
COUNTRY: RO
Recommendations
- Implement network segmentation to isolate RDP, SSH, and VNC services from internet exposure, utilizing VPN or zero-trust access controls
- Deploy enhanced monitoring for S7COMM and other industrial protocol traffic, particularly on non-standard ports like 9001
- Block traffic from AS204428 (UNMANAGED LTD) and implement geofencing for Romanian IP ranges if not business-critical
- Enable multi-factor authentication on all remote access services (RDP, SSH, VNC) and disable default/weak credentials
- Configure intrusion detection signatures for the observed attack patterns, focusing on x224_request floods and industrial protocol anomalies
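One way to turn the notable IOC and the last recommendation into detection logic, as an added example that is not from the report: it parses the TPKT/COTP header that both RDP x224 requests and S7COMM carry (the quoted payload `030000130ee0` decodes to TPKT version 3, length 19, then COTP length 14 and PDU type 0xE0, a Connection Request), flags connection requests on ICS ports such as the observed 9001, and counts per-source x224 requests to 3389. The sample events, the ICS port set and the flood threshold are constructed for the demonstration.

```python
from collections import Counter

COTP_CR = 0xE0            # COTP Connection Request PDU type (ISO 8073)
ICS_PORTS = {102, 9001}   # 102 is the standard S7COMM port; 9001 is the non-standard port in the report
RDP_PORT = 3389

def parse_tpkt_cotp(payload_hex):
    """Return (tpkt_length, cotp_pdu_type) for a TPKT/COTP header, or None if it is not one."""
    data = bytes.fromhex(payload_hex)
    # TPKT (RFC 1006): version 3, reserved 0, 2-byte big-endian length; COTP: length byte, PDU type.
    # Only the first six bytes are needed, so truncated captures such as the report's still parse.
    if len(data) < 6 or data[0] != 0x03 or data[1] != 0x00:
        return None
    tpkt_len = int.from_bytes(data[2:4], "big")
    cotp_len, pdu_type = data[4], data[5]
    if tpkt_len < 4 + 1 + cotp_len:   # the COTP header must fit inside the TPKT length
        return None
    return tpkt_len, pdu_type

def detect(events, rdp_threshold=1000):
    """Flag COTP CRs on ICS ports and high-volume x224 requests to RDP; events are (src, dport, hex)."""
    alerts = []
    x224_per_src = Counter()
    for src, dport, payload in events:
        parsed = parse_tpkt_cotp(payload)
        if parsed is None or parsed[1] != COTP_CR:
            continue                    # not a COTP connection request (e.g. SSH banner, COTP CC)
        if dport in ICS_PORTS:
            alerts.append(f"COTP CR from {src} to ICS port {dport}")
        elif dport == RDP_PORT:
            x224_per_src[src] += 1      # x224_request = COTP CR carrying the RDP negotiation
    for src, n in x224_per_src.items():
        if n >= rdp_threshold:
            alerts.append(f"x224 request flood from {src}: {n} connection requests to {RDP_PORT}")
    return alerts

# Constructed sample events; the 9001 payload is the one quoted in the report.
SAMPLE_EVENTS = (
    [("80.94.95.55", 9001, "030000130ee0")]
    + [("80.94.95.55", 3389, "030000130ee0")] * 5        # stand-in for the x224_request volume
    + [("80.94.95.55", 22, "5353482d322e30")]             # SSH banner "SSH-2.0", not TPKT
    + [("192.0.2.10", 102, "030000160bd0")]               # COTP Connect Confirm, not a request
)

def run_sample():
    """Run the detector over the constructed sample with a low threshold for demonstration."""
    return detect(SAMPLE_EVENTS, rdp_threshold=5)

if __name__ == "__main__":
    print("\n".join(run_sample()))
```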