IP address 66.132.172.198 conducted a 24-day reconnaissance and exploitation campaign from March 24 to April 17, 2026, targeting industrial control systems (S7comm), SMB services, and network infrastructure across multiple protocols. The threat is assessed as LOW severity with 85% confidence, repres…
IP Threat Advisories
263 posts

IP address 85.217.140.39 conducted sustained reconnaissance activities from March 16 to April 16, 2026, targeting multiple protocols including FTP, HTTP, MQTT, and TLS services across 11 unique ports. Assessment indicates MEDIUM threat level with 85% confidence, representing initial attack phase act…
IP address 66.132.153.123 conducted automated reconnaissance against FortiGate appliances and industrial control systems over a 12-day period from March 4-16, 2026. This represents medium-severity preparatory activity for potential follow-on attacks against network security infrastructure and ICS en…
External IP address 90.151.171.108 conducted sustained reconnaissance and CRLF injection attacks against web services from February 17 to April 16, 2026, generating 2,742 security events. The activity represents a MEDIUM threat level with moderate confidence, indicating potential preparation for web…
IP address 204.76.203.73 conducted a sustained Local File Inclusion (LFI) attack campaign from February 21 to April 16, 2026, targeting multiple web services with 118 recorded events. The activity represents LOW severity reconnaissance and exploitation attempts focused on accessing sensitive system …
IP address 35.216.140.3 conducted a sustained 41-day reconnaissance campaign targeting web applications and network services, attempting to access sensitive configuration files and probing RDP/SMB services. The activity represents a MEDIUM threat level with moderate sophistication, likely representi…
Threat actor at 65.49.20.69 conducted sustained multi-protocol reconnaissance targeting FortiGate appliances, industrial control systems, and IoT devices over 54 days from February 21 to April 15, 2026. Activity demonstrates medium-severity threat with focus on critical infrastructure enumeration ac…
IP address 185.247.137.27 conducted a sustained multi-protocol reconnaissance campaign from February 18 to April 14, 2026, targeting industrial control systems and database infrastructure using EtherNet/IP, Modbus, Oracle TNS, and other protocols across 48 events. This represents MEDIUM-risk reconna…
External IP address 45.33.12.214 conducted sustained multi-protocol reconnaissance activity over 42 days (March 3-April 14, 2026), targeting SMB, RDP, HTTP, and TLS services across 4 unique ports with 55 total events observed. Assessment indicates low-to-moderate threat level focused on network enum…
External threat actor at IP 2.57.122.234 conducted a 42-day reconnaissance and credential harvesting campaign from March 1-April 12, 2026, generating 112 attack events primarily targeting Fortinet devices and authentication systems. Assessment indicates MEDIUM threat level with sophisticated APT-lik…
IP address 64.62.197.122 conducted sustained reconnaissance against network infrastructure and industrial control systems over a 52-day period from February 19 to April 11, 2026, generating 58 security events. The activity primarily targeted FortiGate and Palo Alto security appliances alongside Modb…
IP address 45.91.64.7 conducted sustained multi-protocol reconnaissance against network infrastructure from February 21 to April 11, 2026, generating 89 security events across 14 unique ports. The campaign primarily focused on SMTP probing with secondary targeting of RDP and SSH services, assessed a…
IP address 91.92.240.214 conducted 185 automated attacks over 15 days targeting SMTP services with relay attempts and IoT command injection, assessed as low-sophistication botnet activity with MEDIUM threat level. Organizations should implement SMTP relay restrictions and monitor for similar reconna…
A moderate-volume SSH brute force campaign originating from Polish IP address 195.136.224.101 targeted network infrastructure over a 5-day period from April 6-11, 2026, generating 233 attack events. The activity represents low-sophistication credential stuffing attacks against SSH services with no e…
Threat actor operating from IP 204.76.203.215 conducted sustained reconnaissance and Local File Inclusion (LFI) attacks against multiple services over 47 days (February 22 - April 10, 2026), generating 284 security events. Despite the LOW confidence assessment, the campaign demonstrates escalating s…
External threat actor 85.217.140.43 conducted sustained reconnaissance against critical infrastructure systems over 36 days, targeting BACnet building automation systems, Kubernetes dashboards, and RDP services across 15 unique ports. This medium-risk activity represents typical pre-attack intellige…
A Russian-based threat actor (176.115.192.229) conducted an intensive SMBv1 exploitation campaign generating over 64,000 attack events between April 5-9, 2026. This represents a HIGH severity threat targeting legacy SMB implementations with known exploitation techniques. Organizations should immedia…
Threat actor operating from Chinese CHINANET infrastructure (1.192.212.177) conducted sustained automated credential capture attacks against Telnet services over an 8-day period in April 2026. Assessment: LOW threat level representing opportunistic scanning activity with no novel techniques observed…
External IP 109.105.209.32 conducted sustained reconnaissance against industrial control systems over a 25-day period from March 14-April 8, 2026, targeting MODBUS protocols and other ICS infrastructure. This represents a MEDIUM threat with 85% confidence, indicating potential preparation for operat…
Threat actor operating from IP 185.177.72.61 conducted systematic reconnaissance against web applications, attempting to access sensitive configuration files including .env defaults and Git repositories over a 21-day period ending April 8, 2026 at 06:00. This medium-severity activity represents typi…
A South African IP address (41.157.50.173) conducted intensive credential capture attacks against Telnet services over a 2-hour period on April 6, 2026, generating 1,573 malicious events. This represents routine opportunistic scanning activity with medium threat level. Network defenders should verif…
Romanian-based threat actor at 80.94.95.55 conducted extensive multi-protocol reconnaissance targeting RDP, ICS protocols, SSH, and VNC services over a 9-day period from March 29-April 7, 2026. The campaign generated 134,308 events with notable focus on industrial control systems (S7COMM protocol) a…
IP address 66.132.172.96 conducted extensive reconnaissance targeting industrial control systems and enterprise infrastructure between March 20-April 7, 2026, with 326 observed events focusing on Siemens S7, Modbus, Oracle, and Kubernetes protocols. This activity represents a HIGH threat level with …
IP address 65.49.1.66 conducted sustained multi-protocol reconnaissance targeting industrial control systems, network infrastructure, and enterprise services over a 6-week period from February 25 to April 6, 2026. The activity demonstrates medium-risk threat behavior with 62 recorded events spanning…
IP address 71.6.199.23 conducted a sustained 7-week reconnaissance campaign targeting industrial control systems, focusing on Modbus protocol enumeration and MQTT services with 69 recorded events between February 17 and April 6, 2026. The sophisticated targeting of operational technology protocols i…