94.26.106.200

Summary (Bottom Line Up Front)

A medium-severity credential stuffing attack originating from IP 94.26.106.200 (Germany, AS48452) conducted 204 authentication attempts over 37 hours targeting HTTP proxy services with weak credentials. The attacker employed MITRE technique T1110.004 (Credential Stuffing) using predictable username/password combinations including "newuser:qwerty". Network defenders should implement enhanced authentication monitoring and credential policy enforcement.

Activity Timeline
INITIAL REPORT 2026-03-21T12:53:47Z
Source: Analyst Manual Entry
Technical details
The threat actor operated from 94.26.106.200 (Traffic Broadband Communications Ltd., Germany), an address with a maximum AbuseIPDB reputation score of 100/100, indicating prior reported malicious activity. Attack activity spanned from March 8, 2026 10:00 UTC to March 9, 2026 23:00 UTC and generated 204 events, primarily against TCP services. The campaign focused on credential-based attacks against HTTP proxy authentication, submitting credentials through HTTP Basic authentication headers. The primary attack pattern was identified as credential stuffing (T1110.004), rated medium severity with 85% confidence. Activity persisted across SSH (ports 22 and 2022) as well as the proxy services, suggesting both reconnaissance and exploitation phases.
IOCs
IP: 94.26.106.200
ASN: 48452
COUNTRY: DE
Recommendations
  • Block IP 94.26.106.200 and monitor AS48452 (Traffic Broadband Communications Ltd.) for additional malicious activity
  • Implement rate limiting and account lockout policies for HTTP proxy authentication attempts
  • Deploy multi-factor authentication for all proxy and remote access services where feasible
  • Monitor for basic authentication header anomalies and credential stuffing patterns in web proxy logs
  • Review and enforce strong password policies, specifically prohibiting common weak credentials like "qwerty" combinations