Summary (Bottom Line Up Front)
A malicious actor at 85.217.140.30 (Modat B.V./AS209334) conducted active reconnaissance scanning against network infrastructure on 2026-03-13 between 13:00 and 14:00 UTC. The threat actor maintains a maximum AbuseIPDB reputation score of 100/100, indicating sustained malicious activity across multiple networks. Immediate blocking and enhanced monitoring of this IP address are recommended.
Activity Timeline
INITIAL REPORT 2026-03-14T17:44:30Z
Source: batch_hunting
Technical details
- Source: 85.217.140.30 (France, AS209334 Modat B.V.)
- Activity Window: 2026-03-13 13:00-14:00 UTC (53 events over 9 minutes)
- Protocols: TCP SYN scanning, TLS 1.0/1.2+ reconnaissance, HTTPS probing
- Attack Vector: Network reconnaissance targeting single destination port
- MITRE ATT&CK: T1046 (Network Service Scanning), T1595.001 (Active Scanning: Scanning IP Blocks)
- Threat Classification: Scanner-Modat pattern, medium confidence
- IOCs: IP 85.217.140.30, no reverse DNS resolution
IOCs
IP:85.217.140.30
ASN:209334
COUNTRY:FR
Recommendations
- Block IP address 85.217.140.30 at perimeter firewalls and web application firewalls immediately
- Monitor for additional scanning activity from AS209334 (Modat B.V.) network ranges
- Review logs for any successful connections or authentication attempts from this source IP
- Implement rate limiting on externally facing services to mitigate future reconnaissance attempts
- Consider threat hunting for similar scanning patterns targeting the same destination port identified in this campaign