85.217.140.39

Summary (Bottom Line Up Front)

IP address 85.217.140.39 conducted sustained reconnaissance activities from March 16 to April 16, 2026, targeting multiple protocols including FTP, HTTP, MQTT, and TLS services across 11 unique ports. Assessment indicates MEDIUM threat level with 85% confidence, representing initial attack phase activity that typically precedes exploitation attempts. Organizations should implement enhanced monitoring for the identified indicators and strengthen defenses on targeted service ports.

Tags: FTP, HTTP, MQTT, TCP, TCP/SYN, TLS, TLS/1.0, TLS/1.2+, https
Activity Timeline
UPDATE 1 (2026-04-16T17:40:39Z)
Source: Analyst Manual Entry
New findings
Attack Profile: 67 events observed over 31-day period (March 16 11:00 to April 16 02:00), utilizing automated scanning tools across FTP (port 21), HTTP (port 30000), MQTT, and TLS protocols. Primary techniques include network service scanning (MITRE T1046) and IoT device targeting through MQTT command injection attempts. Attack patterns show progression from basic scanning to FortiGate infrastructure reconnaissance and IoT exploitation attempts. Notable payload includes obfuscated FTP commands containing non-standard Unicode characters and Go-based HTTP client reconnaissance. IOCs: 85.217.140.39, Go-http-client user agent, malformed MQTT command structures on port 21.
Recommendations
  • Block IP address 85.217.140.39 at network perimeter and monitor for similar reconnaissance patterns across FTP, HTTP, and MQTT services
  • Implement enhanced logging and alerting for non-standard ports, particularly port 2200 and port 30000, which showed targeting activity
  • Review and harden FortiGate device configurations, ensuring default credentials are changed and unnecessary management interfaces are disabled
  • Deploy additional monitoring for MQTT services and IoT devices, focusing on command injection attempts and unauthorized connection patterns
  • Conduct proactive vulnerability assessments on services running on the 11 targeted ports to identify potential exploitation vectors before threat actors return
INITIAL REPORT (2026-04-10T07:20:25Z)
Source: Analyst Manual Entry
IP address 85.217.140.39 conducted a 25-day multi-protocol reconnaissance campaign targeting IoT infrastructure, web services, and network appliances with 67 recorded events between March 16-April 10, 2026. Assessment indicates LOW severity automated scanning activity with potential for escalation to targeted IoT exploitation. Network defenders should implement enhanced monitoring for MQTT and FTP services while blocking the source IP.
Technical details
Attack Profile: Sustained reconnaissance campaign spanning FTP, HTTP, MQTT, and TLS protocols across 9 unique destination ports. Primary attack vectors included IoT-focused MQTT command injection attempts (5 instances) and Fortinet appliance reconnaissance (1 instance). Activity aligns with MITRE ATT&CK technique T1046 (Network Service Scanning) during the Reconnaissance phase. Notable payload artifacts include malformed FTP commands containing non-standard Unicode characters and automated HTTP requests using Go-http-client user agent. The 25-day persistence window and protocol diversity suggest systematic infrastructure mapping rather than opportunistic scanning.
Key Indicators:
  • Source IP: 85.217.140.39
  • Attack timeframe: 2026-03-16 11:00 to 2026-04-10 01:00 (UTC)
  • Primary targets: MQTT brokers (port 1883), FTP services (port 21), HTTP services (port 30000)
  • Signature patterns: MQTT command injection, Fortinet login page enumeration, automated scanning tools
IOCs
IP: 85.217.140.39
Recommendations
  • Block IP address 85.217.140.39 at network perimeter and monitor for additional IPs exhibiting similar multi-protocol scanning patterns
  • Implement enhanced logging and alerting for MQTT broker connections, particularly monitoring for malformed command structures and unauthorized topic access attempts
  • Review and harden Fortinet appliance configurations, ensuring management interfaces are not exposed to untrusted networks
  • Deploy network segmentation controls to isolate IoT devices and MQTT infrastructure from critical network segments
  • Establish baseline monitoring for FTP services to detect anomalous command sequences and potential exploitation attempts
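A small detector that turns the indicators named in both sets of recommendations (the source IP, the Go-http-client user agent, non-ASCII bytes in FTP command lines, and the targeted ports 21, 1883, 2200 and 30000) into checks over honeypot events in JSON-lines form. This is an added illustration, not code from the report; the event field names and the sample lines are constructed assumptions.

```python
import json

# Indicators taken from this report; everything else in this block is constructed.
IOC_IP = "85.217.140.39"
IOC_USER_AGENT = "Go-http-client"
WATCHED_PORTS = {21: "FTP", 1883: "MQTT", 2200: "non-standard", 30000: "HTTP (non-standard)"}

# Constructed honeypot events (assumed field names), not captures from the report.
SAMPLE_EVENTS = """
{"ts":"2026-03-16T11:02:10Z","src_ip":"85.217.140.39","dst_port":21,"proto":"FTP","payload":"USER an\\u00f3nymous"}
{"ts":"2026-03-20T04:15:44Z","src_ip":"85.217.140.39","dst_port":30000,"proto":"HTTP","user_agent":"Go-http-client/1.1","path":"/"}
{"ts":"2026-04-01T22:07:03Z","src_ip":"85.217.140.39","dst_port":1883,"proto":"MQTT","payload":"\\u0010\\u0000MQTT"}
{"ts":"2026-04-02T09:30:00Z","src_ip":"203.0.113.7","dst_port":443,"proto":"TLS","user_agent":"curl/8.0"}
{"ts":"2026-04-09T13:12:51Z","src_ip":"198.51.100.23","dst_port":2200,"proto":"TCP","payload":""}
"""


def classify(event: dict) -> list[str]:
    """Return the indicator names an event matches (empty list means no match)."""
    hits = []
    if event.get("src_ip") == IOC_IP:
        hits.append("ioc_ip")
    if IOC_USER_AGENT in event.get("user_agent", ""):
        hits.append("go_http_client_ua")
    port = event.get("dst_port")
    if port in WATCHED_PORTS:
        hits.append(f"watched_port:{port}")
    payload = event.get("payload", "")
    # RFC 959 command lines are ASCII; any character above 0x7E is the
    # "non-standard Unicode in FTP commands" artifact the report describes.
    if event.get("proto") == "FTP" and any(ord(c) > 0x7E for c in payload):
        hits.append("ftp_non_ascii_command")
    return hits


def scan(jsonl: str) -> dict[str, list[str]]:
    """Map each matching event's timestamp to its indicator hits; unparsable lines are skipped."""
    findings = {}
    for line in jsonl.strip().splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits = classify(event)
        if hits:
            findings[event["ts"]] = hits
    return findings


if __name__ == "__main__":
    for ts, hits in scan(SAMPLE_EVENTS).items():
        print(ts, ", ".join(hits))
```

Events matching only a watched port (such as the 2200 hit above) are worth keeping as low-priority context rather than alerts, so that the IP and user-agent matches stand out.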