90.151.171.108

Summary (Bottom Line Up Front)

External IP address 90.151.171.108 conducted sustained reconnaissance and CRLF injection attacks against web services from February 17 to April 16, 2026, generating 2,742 security events. The activity represents a MEDIUM threat level with moderate confidence, indicating potential preparation for web application exploitation. Network defenders should implement enhanced monitoring for CRLF injection attempts and validate web application input sanitization controls.

Activity Timeline
UPDATE 7 (2026-04-16T05:46:36Z)
Source: Analyst Manual Entry
External IP address 90.151.171.108 conducted sustained reconnaissance and CRLF injection attacks against web services from February 17 to April 16, 2026, generating 2,742 security events. The activity represents a MEDIUM threat level with moderate confidence, indicating potential preparation for web application exploitation. Network defenders should implement enhanced monitoring for CRLF injection attempts and validate web application input sanitization controls.
New findings
The threat actor operated from IP 90.151.171.108 over a 58-day period, primarily targeting ports 8080 and 9001 using HTTP and TCP protocols. Attack patterns focused on CRLF injection techniques (13 total hits across variants), consistent with MITRE ATT&CK technique T1046 (Network Service Scanning) during the reconnaissance phase. Protocol abuse was observed through Suricata detection signatures, indicating attempts to manipulate application layer communications. The attacker demonstrated methodical reconnaissance behavior without immediate exploitation, suggesting potential preparation for targeted web application attacks. No CVEs were directly exploited, with assessed 5% probability of zero-day usage.
Recommendations
  • Block IP address 90.151.171.108 at network perimeter and monitor for additional IPs exhibiting similar CRLF injection patterns
  • Review and strengthen input validation controls on web applications, particularly those listening on ports 8080 and 9001
  • Implement enhanced logging and monitoring for HTTP header manipulation attempts and CRLF injection signatures
  • Conduct security assessment of web applications to identify and remediate potential CRLF injection vulnerabilities
  • Deploy web application firewall rules to detect and block malformed HTTP requests containing carriage return and line feed characters
UPDATE 6 (2026-03-27T09:18:12Z)
Source: Analyst Manual Entry
Automated CRLF injection attacks targeting HTTP services observed from IP 90.151.171.108 over a 38-day period from February 17 to March 27, 2026, with 2,267 total events. Assessed as LOW severity reconnaissance activity with 25% confidence, likely representing opportunistic scanning rather than targeted operations. Network defenders should monitor for follow-up activity and implement standard web application protections.
New findings
  • Attack Vector: CRLF injection attempts primarily targeting port 8080/HTTP services using malformed HTTP requests with embedded carriage return/line feed characters.
  • Volume: 2,267 events across 38 days, indicating sustained but low-intensity scanning activity.
  • Techniques: 13 total CRLF injection attempts including both standard and decoded variants, consistent with MITRE ATT&CK T1190 (Exploit Public-Facing Application) during the reconnaissance phase.
  • Source Attribution: Single IP 90.151.171.108 with unknown geolocation and ASN; no VPN usage detected.
  • IOCs: Malformed User-Agent headers (hash: fc3ff98e8c6a0d3087d515c0473f8677) and HTTP requests containing CRLF sequences targeting web services on non-standard ports.
Recommendations
  • Block IP 90.151.171.108 at network perimeter and monitor for additional sources exhibiting similar CRLF injection patterns
  • Implement input validation and sanitization controls for HTTP headers to prevent CRLF injection attacks on web applications
  • Deploy web application firewalls (WAF) with rules to detect and block malformed HTTP requests containing carriage return/line feed sequences
  • Monitor HTTP services on non-standard ports (particularly 8080) for unusual request patterns and malformed headers
  • Establish alerting for sustained scanning activity from single sources exceeding normal baseline thresholds
UPDATE 5 (2026-03-25T10:17:39Z)
Source: Analyst Manual Entry
Russian proxy service infrastructure (90.151.171.108) conducted low-severity reconnaissance and CRLF injection attempts against monitored assets between February 17-March 25, 2026. Assessment indicates preliminary reconnaissance activity with potential for escalation to more sophisticated attacks. Network defenders should implement monitoring for this IP and associated attack patterns while maintaining standard defensive postures.
New findings
Attack Vector: HTTP-based reconnaissance and injection attempts utilizing CRLF (Carriage Return Line Feed) injection techniques across TCP ports. Activity spanned 36 days with 1,971 total events, indicating sustained but low-volume probing behavior.
MITRE ATT&CK Mapping: T1590.005 (Gather Victim Network Information: IP Addresses) - consistent with reconnaissance phase operations targeting network infrastructure discovery.
Attack Patterns: Primary focus on CRLF injection attempts (13 total hits) suggesting attempts to manipulate HTTP response headers or bypass input validation controls.
Indicators of Compromise:
  • Source IP: 90.151.171.108
  • Attack timeframe: February 17, 2026 06:00 - March 25, 2026 08:00
  • Protocols observed: HTTP, TCP, TCP/SYN
  • Payload hash: fc3ff98e8c6a0d3087d515c0473f8677
Recommendations
  • Block or monitor traffic from 90.151.171.108 and implement alerting for similar reconnaissance patterns from Russian proxy infrastructure
  • Review and strengthen input validation controls for HTTP headers to prevent CRLF injection attacks across web-facing applications
  • Monitor for escalation indicators including increased attack volume, additional source IPs, or progression beyond reconnaissance techniques
  • Implement enhanced logging for HTTP header manipulation attempts and unusual User-Agent strings in web application firewalls
  • Conduct threat hunting for similar low-volume, sustained reconnaissance activity that may indicate broader campaign preparation
UPDATE 4 (2026-03-23T06:31:23Z)
Source: Analyst Manual Entry
Russian IP address 90.151.171.108 (Rostelecom AS12389) conducted sustained CRLF injection attacks against web services from February 17 through March 23, 2026, generating 1,804 malicious events. Despite AI assessment indicating LOW threat confidence, the combination of maximum AbuseIPDB score (100/100) and active injection attempts warrants elevated monitoring. Network defenders should implement enhanced web application filtering and monitor for follow-on exploitation attempts.
New findings
  • Source: 90.151.171.108 (Rostelecom/RU, AbuseIPDB: 100/100)
  • Campaign Duration: February 17 06:00 - March 23 05:00, 2026 (34-day span)
  • Attack Volume: 1,804 events across 2 unique destination ports
  • Primary Technique: CRLF injection attacks (13 total hits: 11 standard, 2 decoded variants)
  • Protocols: HTTP, TCP, TCP/SYN targeting alternate web service ports
  • MITRE Mapping: T1046 (Network Service Scanning) - Reconnaissance phase
  • IOC: 90.151.171.108 (no reverse DNS resolution)
Recommendations
  • Block 90.151.171.108 at perimeter firewalls and web application firewalls immediately
  • Review web application logs for CRLF injection patterns and validate input sanitization controls
  • Monitor for HTTP header manipulation attempts across all web-facing services, particularly on non-standard ports
  • Implement enhanced logging for HTTP request/response headers to detect injection payloads
  • Coordinate with threat hunting teams to identify potential follow-on exploitation attempts from related Russian infrastructure
UPDATE 3 (2026-03-18T08:13:20Z)
Source: Analyst Manual Entry
Russian IP address 90.151.171.108 (Rostelecom AS12389) conducted 1,547 malicious events between February 17-March 18, 2026, primarily targeting web applications with CRLF injection attacks and proxy infrastructure testing. This represents a MEDIUM severity threat with potential botnet command-and-control activity. Network defenders should immediately block this IP and monitor for similar CRLF injection patterns.
New findings
The threat actor operated from a Russian Rostelecom IP with maximum AbuseIPDB reputation score (100/100), indicating extensive prior malicious activity. Attack methodology included CRLF injection techniques (13 total events across encoded and decoded variants) and automated proxy verification requests targeting ip.bablosoft.com infrastructure. The campaign utilized HTTP and TCP protocols across 2 unique destination ports over a 29-day period. Activity maps to MITRE ATT&CK technique T1090.003 (Multi-hop Proxy) within the Command and Control phase, suggesting potential botnet communication testing or infrastructure reconnaissance operations.
Recommendations
  • Block IP address 90.151.171.108 at network perimeter and web application firewalls immediately
  • Implement detection rules for CRLF injection patterns in HTTP requests, particularly targeting newline character sequences
  • Monitor network traffic for connections to ip.bablosoft.com and similar IP verification services that may indicate proxy testing
  • Review web application logs for CRLF injection attempts and strengthen input validation controls
  • Consider blocking or restricting traffic from Rostelecom (AS12389) if not business-critical due to high abuse correlation
UPDATE 2 (2026-03-16T16:05:17Z)
Source: Analyst Manual Entry
Russian IP address 90.151.171.108 (Rostelecom ASN) conducted 1,413 malicious events between February 17-March 16, 2026, primarily targeting systems with CRLF injection attacks and proxy verification attempts. This activity represents medium-severity botnet or proxy infrastructure testing with potential command-and-control communication capabilities. Network defenders should immediately block this IP and monitor for similar Russian proxy service traffic patterns.
New findings
The threat actor utilized multiple protocols (HTTP, TCP, TCP/SYN) across two unique destination ports over a 27-day period, with activity concentrated around 06:00-14:00 UTC timeframes. Primary attack vectors included CRLF injection techniques (13 total hits across standard and decoded variants) mapped to MITRE technique T1090.003 (Multi-hop Proxy). The source IP maintains a maximum AbuseIPDB reputation score of 100/100 and demonstrates characteristics consistent with automated proxy testing infrastructure, including attempts to leverage ip.bablosoft.com for IP verification services. Attack patterns suggest command-and-control infrastructure testing rather than direct exploitation attempts.
Recommendations
  • Block IP address 90.151.171.108 and monitor for additional traffic from Rostelecom ASN AS12389 exhibiting similar proxy testing behaviors
  • Implement detection rules for CRLF injection attempts targeting web applications and proxy services
  • Monitor outbound connections to IP verification services (particularly bablosoft.com) that may indicate compromised internal systems
  • Review logs for TCP/SYN scanning activity from Russian IP ranges during 06:00-14:00 UTC timeframes
  • Enhance monitoring for T1090.003 (Multi-hop Proxy) techniques across network perimeter controls
UPDATE 1 (2026-03-14T17:36:45Z)
Source: batch_hunting
Rostelecom-hosted IP address 90.151.171.108 conducted a sustained CRLF injection campaign against web applications from February 17 to March 14, 2026, generating 1,278 malicious events. The threat actor demonstrates medium-severity web application exploitation capabilities with potential for HTTP response splitting and cache poisoning attacks. Organizations should immediately review web application logs for CRLF injection attempts and implement appropriate input validation controls.
New findings
  • Source Infrastructure: Russian Federation IP 90.151.171.108 (AS12389 Rostelecom) with maximum AbuseIPDB reputation score, indicating established malicious activity.
  • Attack Vector: Sustained CRLF injection campaign spanning 26 days, targeting 2 unique destination ports via HTTP and TCP protocols.
  • Techniques Observed: Primary focus on CRLF injection attacks (13 total attempts) including both standard and decoded variants, consistent with MITRE ATT&CK T1190 (Exploit Public-Facing Application).
  • Volume Assessment: 1,278 total events indicate persistent reconnaissance and exploitation attempts rather than opportunistic scanning.
  • Key IOC: 90.151.171.108 should be considered hostile infrastructure.
Recommendations
  • Block IP address 90.151.171.108 at network perimeter and consider broader AS12389 Rostelecom range monitoring
  • Audit web application logs from February 17-March 14, 2026 for CRLF injection patterns including carriage return (%0D) and line feed (%0A) characters
  • Implement strict input validation and output encoding for all user-controlled data in HTTP headers and responses
  • Deploy web application firewall rules to detect and block CRLF injection attempts in real-time
  • Review and harden web applications against HTTP response splitting and cache poisoning vulnerabilities
INITIAL REPORT (2026-03-10T13:02:34Z)
Source: Analyst Manual Entry
A Russian IP address (90.151.171.108) conducted sustained CRLF injection attacks against web applications from February 17 to March 10, 2026, generating 977 malicious events with a maximum AbuseIPDB reputation score. This activity represents a MEDIUM threat level with potential APT characteristics. Organizations should immediately implement web application protections and block the identified IP address.
Technical details
A Russian threat actor operating from Rostelecom infrastructure (AS12389) executed 977 attack events over 21 days, targeting 2 unique destination ports. The primary attack vector consists of CRLF injection techniques (13 total hits) designed to manipulate HTTP response headers and potentially enable session hijacking or cache poisoning. Activity spans HTTP and TCP protocols with SYN reconnaissance patterns. The activity maps to MITRE ATT&CK T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter). Key IOC: 90.151.171.108 with a 100/100 abuse confidence score and no legitimate reverse DNS resolution.
IOCs
IP: 90.151.171.108
ASN: 12389
COUNTRY: RU
Recommendations
  • Block IP address 90.151.171.108 at perimeter firewalls and web application firewalls immediately
  • Enable strict HTTP header validation and input sanitization on all public-facing web applications
  • Monitor for CRLF injection attempts (%0d%0a, \r\n sequences) in HTTP requests and implement detection rules
  • Review web application logs from February 17-March 10, 2026 for compromise indicators and unauthorized access
  • Implement rate limiting and geo-blocking for Russian IP ranges if operationally feasible
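As an added defensive example (not part of the report or of any tool it names), the following Python applies the detection logic from the recommendations above to constructed request log lines, distinguishing the raw and percent-encoded CRLF variants the report counts, and pairs it with the header-validation control the report recommends. The log line format, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample request log lines (not taken from the report), one per line:
# src_ip dst_port method path "user-agent"
SAMPLE_LOG = [
    '90.151.171.108 8080 GET /index.php?page=home%0d%0aSet-Cookie:+x=1 "Mozilla/5.0"',
    '90.151.171.108 9001 GET /login?next=%250D%250ALocation:%20http://redirect.example "curl/8.0"',
    '10.0.0.5 8080 GET /status "Mozilla/5.0"',
    '90.151.171.108 8080 GET /search?q=test "Mozilla/5.0\r\nX-Injected: 1"',
]

LINE = re.compile(r'^(\S+) (\d+) (\S+) (\S+) "(.*)"$', re.S)  # re.S: a UA may contain CR/LF
RAW_CRLF = re.compile(r"[\r\n]")

def crlf_variant(value: str):
    """Return 'raw', 'encoded' (%0d%0a) or 'double_encoded' (%250d%250a) if the field
    carries a CR or LF at that decoding depth, else None. Shallowest depth wins."""
    decoded = value
    for name in ("raw", "encoded", "double_encoded"):
        if RAW_CRLF.search(decoded):
            return name
        decoded = unquote(decoded)  # peel one layer of percent-encoding per pass
    return None

def scan_log(lines):
    """Flag request paths and User-Agent values that contain CRLF injection attempts."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        src, port, _method, path, ua = m.groups()
        for field, value in (("path", path), ("user_agent", ua)):
            variant = crlf_variant(value)
            if variant:
                findings.append((src, int(port), field, variant))
    return findings

def set_header_safely(headers: dict, name: str, value: str) -> dict:
    """The input-validation control the report recommends: refuse to place a header
    name or value containing CR/LF into a response, so user input cannot split it."""
    if RAW_CRLF.search(name) or RAW_CRLF.search(value):
        raise ValueError("CR/LF not permitted in HTTP header")
    headers[name] = value
    return headers

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("CRLF attempt:", finding)
```

Run against a real access log, the scanner needs only the `LINE` pattern changed to match the server's format; the per-field check and the header guard stay the same.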