Misconfigured Redis databases left open to the internet are being automatically taken over and used to mine cryptocurrency. We have been watching this on our public honeypot for 28 days straight; on the busiest day a single attacker hit us 6,832 times in five hours. The attackers do not need any vul…
IP Threat Advisories
263 posts

IP address 178.16.54.237 (Netherlands/dus.net GmbH) conducted sustained SMTP reconnaissance and credential capture attempts against organizational infrastructure from April 29 00:00 to May 4 18:00. The source IP maintains a 100/100 AbuseIPDB reputation score and is listed on Spamhaus DROP, indicatin…
A South Korean IP address (221.166.248.230) conducted sustained automated credential capture attacks against network infrastructure over a 5-day period from March 28-April 2, 2026, generating 1,240 malicious events. This represents low-sophistication opportunistic scanning with medium threat level d…
A Norwegian IP address (46.46.228.195) conducted sustained Android Debug Bridge (ADB) reconnaissance against network infrastructure over a 4-day period, generating over 4,300 malicious events targeting TCP port 5555. This represents a MEDIUM severity threat focused on identifying exposed Android dev…
High-severity threat activity detected from Brazilian cloud infrastructure (45.205.1.27) conducting systematic reconnaissance and exploitation attempts against multiple network services from April 2nd through April 29th, 2026. The source IP maintains a maximum malicious reputation score and demonstr…
IP address 64.89.160.72 (Ghosty Networks LLC, Luxembourg) conducted sustained SMTP reconnaissance against mail servers from April 21-29, 2026, generating 4,928 events primarily targeting port 25. The activity consists of standard EHLO probes with credential capture attempts and poses low threat risk…
A single IP address from Chinese cloud infrastructure conducted sustained SSH protocol abuse targeting port 2200 over a 4-hour period on April 29, 2026, generating over 5,000 events. This activity represents common automated scanning behavior with low threat severity and no evidence of successful ex…
IP address 65.49.1.80 conducted a sustained multi-protocol reconnaissance campaign from February 21 to April 27, 2026, targeting industrial control systems, network infrastructure, and enterprise services across 14 unique ports with 135 recorded events. The threat is assessed as HIGH severity due to…
IP address 65.49.1.192 conducted sustained reconnaissance activities over 53 days (March-April 2026) targeting FortiGate appliances and industrial control systems using IEC-104 protocol probes. This represents a MEDIUM threat level with potential critical infrastructure targeting. Organizations shou…
External IP 185.247.137.206 conducted sustained multi-protocol reconnaissance targeting Oracle databases and industrial control systems over a 10-week period from February to April 2026. The campaign demonstrates medium-severity threat activity with 61 recorded events spanning database enumeration, …
IP address 66.132.172.182 conducted an extensive 32-day scanning campaign from March 25 to April 26, 2026, targeting multiple protocols including industrial control systems, Kubernetes infrastructure, and enterprise services. Despite generating 490 security events across 8 destination ports, this ac…
Russian-origin IP address 81.29.142.100 conducted a sustained multi-protocol reconnaissance campaign targeting industrial control systems, databases, and enterprise services over a 68-day period from February to April 2026. The attacker demonstrated particular focus on MQTT messaging systems and Ora…
Malicious activity detected from 119.23.110.193 (CN, AS37963). 20371 events observed across SSH, TCP, TCP/SYN, TLS. AI verdict: NOISE.
Threat actor 160.119.76.24 conducted comprehensive reconnaissance against industrial control systems and enterprise services on April 24, 2026, targeting multiple ICS/SCADA protocols including Modbus, S7comm, DNP3, and EtherNet/IP alongside traditional IT services. Despite the broad protocol coverag…
IP address 185.247.137.238 conducted sustained reconnaissance targeting industrial control systems and database services over a 72-day period from February 12 to April 24, 2026. The threat actor employed multi-protocol scanning techniques including Siemens S7COMM, Oracle TNS, and Modbus protocols, i…
Threat actor 185.247.137.224 conducted sustained multi-protocol reconnaissance activities over 65 days, targeting industrial control systems (Modbus), IoT infrastructure (MQTT), and web services across 7 unique ports. The campaign demonstrates systematic vulnerability scanning with particular focus …
IP address 34.53.160.242 conducted a sustained 25-day campaign targeting RSYNC, SMB, and HTTP services with 192 attack events, demonstrating reconnaissance and exploitation capabilities. This represents a MEDIUM threat level with known attack patterns including SMB1 exploitation attempts and RSYNC a…
Threat actor operating from 104.243.34.165 conducted an 18-day reconnaissance campaign targeting hidden environment files and multiple network services, generating 2,504 malicious events between April 4-22, 2026. The activity demonstrates systematic information gathering techniques consistent with c…
IP address 85.217.140.37 conducted a sustained multi-protocol reconnaissance campaign from March 7 to April 20, 2026, targeting 16 unique ports across FTP, MQTT, Oracle, RDP, SMTP, and SSH services with 97 total events. This activity represents low-risk service discovery and enumeration rather than …
A Windows Server 2012 R2 system in Nagpur, India conducted SMBv1 protocol negotiation attempts against network infrastructure on April 19, 2026 between 07:00-09:00 UTC. This reconnaissance activity poses HIGH risk as it targets legacy SMB services vulnerable to critical remote code execution exploit…
IP address 85.11.183.27 conducted a sustained reconnaissance campaign from March 2026 through April 2026, targeting network infrastructure management interfaces including Palo Alto Networks PAN-OS, FortiGate, and MQTT services across 56 events. This activity represents initial attack chain reconnais…
IP address 85.11.183.19 conducted sustained reconnaissance activities over 50 days (February 28 - April 19, 2026) with 151 events targeting multiple protocols including HTTPS, TLS, and SMTP across 7 unique ports. Despite low individual event severity, the persistent nature and focus on FortiGate inf…
IP address 65.49.1.108 conducted a 41-day reconnaissance campaign from March 8-April 18, 2026, targeting industrial control systems and network infrastructure across 14 unique ports using multiple protocols including S7comm, RDP, and Fortinet device probes. Despite the broad attack surface and ICS t…
External IP address 65.49.1.132 conducted sustained reconnaissance activities from February 21 to April 18, 2026, targeting enterprise infrastructure including FortiGate appliances, industrial control systems, and network services across 13 unique ports. Assessment indicates LOW threat severity with…
IP address 65.49.1.152 conducted sustained reconnaissance activities from March 15 to April 17, 2026, targeting multiple protocols including FortiGate infrastructure, Oracle databases, IoT devices, and Kubernetes clusters across 59 observed events. Assessment indicates LOW threat level with medium c…