Threat actor operating from 185.93.89.64 (Netherlands/AS213790) conducted sustained SMTP reconnaissance against mail infrastructure over 28 days, generating 7,725 events targeting port 25. Activity assessed as LOW threat level reconnaissance likely aimed at identifying vulnerable mail servers for fu…
IP Threat Advisories
263 posts
Threat actor operating from Netherlands-based hosting infrastructure (45.144.212.98) conducted sustained reconnaissance and exploitation attempts targeting IoT devices and SMTP services over 7-day period ending April 6, 2026. Campaign generated 5,265+ malicious events with focus on MQTT command inje…
IP address 194.163.170.234 (Contabo GmbH/FR) conducted a sustained credential brute force attack against telnet services on 2026-04-04 between 07:00-10:00 UTC, generating over 64,000 authentication attempts. This represents a medium-severity threat with high confidence due to the systematic nature a…
IP address 87.121.79.222 (Netherlands/AS213725) conducted extensive reconnaissance activity from March 30 to April 5, 2026, targeting SSH, VNC, and Kubernetes infrastructure with 1,569 recorded events across 14 unique ports. The campaign demonstrates systematic scanning behavior with particular focu…
High-volume RDP scanning activity detected from 149.50.96.56 (Warsaw, Poland) targeting network infrastructure over 20-hour period from April 4-5, 2026. Assessment indicates automated reconnaissance with medium threat level due to scan volume but low sophistication. Recommend standard RDP hardening …
IP address 195.200.16.213 (Netherlands/AS216071) conducted low-volume reconnaissance targeting DVR systems with command injection probes on April 4, 2026 between 13:00-16:00 UTC. Assessment indicates LOW threat severity with automated scanning behavior rather than targeted exploitation. Network defe…
A Windows-based threat actor operating from Romanian hosting provider Flyservers S.A. (141.98.83.86) conducted an intensive multi-protocol scanning campaign between March 29-April 4, 2026, generating over 94,000 malicious events targeting RDP, SSH, and industrial control systems. The activity repres…
A Taiwan-based IP address (165.154.227.162) conducted an intensive credential capture campaign over 4 hours on April 3-4, 2026, generating 28,317 attack events targeting Telnet services. This represents typical opportunistic scanning activity with medium threat severity. Network defenders should ver…
Our sensors detected sustained RDP scanning activity from IP 88.47.170.77 (Milan, Italy) between March 29-April 4, 2026, generating over 132,000 events targeting RDP services. This activity is assessed as low-severity reconnaissance noise with medium confidence, consistent with opportunistic scannin…
A Windows Server 2016 host operating from China Mobile's network (36.133.107.88) conducted intensive RDP scanning activities over a 5-day period from March 29-April 3, 2026, generating over 52,000 security events. This activity represents routine opportunistic scanning with medium severity and poses…
IP address 80.94.95.143 (Romania, AS204428) conducted sustained RDP reconnaissance against network infrastructure from March 30-April 3, 2026, generating over 160,000 connection attempts. This activity represents low-severity automated scanning to identify active RDP services for potential future ex…
A DigitalOcean-hosted IP address (129.212.181.84) conducted extensive VNC scanning operations against network infrastructure from March 31 to April 3, 2026, generating nearly 200,000 security events. This represents low-sophistication reconnaissance activity with no observed exploitation attempts. N…
IP address 36.138.184.167 conducted sustained RDP reconnaissance activity from March 30-April 1, 2026, generating 6,586 events targeting RDP services through X.224 connection requests. This represents low-severity network discovery activity consistent with automated scanning for exposed RDP endpoint…
IP address 43.142.113.25 conducted sustained credential brute-force attacks against Telnet services over an 8-hour period on March 27, 2026, generating 394 malicious events. This represents a MEDIUM threat level with moderate sophistication targeting weak authentication mechanisms. Network defend…
Malicious activity detected from 45.142.193.233 (country and ASN not recorded). 1,187,050 events observed across EtherNet/IP, TCP, TCP/SYN, TLS, TLS/1.0. AI verdict: HIGH.
Threat actor 185.103.110.159 conducted targeted reconnaissance and exploitation attempts against Industrial Control Systems (ICS) infrastructure between March 24-25, 2026, utilizing Modbus and S7comm protocols. The campaign demonstrates medium-severity threat activity with 76 recorded events focusi…
A Netherlands-based IP address (204.76.203.212) conducted sustained CRLF injection attacks against web infrastructure over a 29-day period from February 26 to March 27, 2026, generating 5,525 malicious events. Despite the high AbuseIPDB score (100/100), this activity is assessed as automated scannin…
IP address 50.72.175.209 conducted sustained credential capture attacks against Telnet services over a 2-hour period on March 29, 2026, generating 1,429 malicious events between 04:00-07:00 UTC. This represents a MEDIUM threat level focused on credential harvesting operations. Network defenders sho…
Threat actor at IP 36.133.80.107 conducted intensive RDP reconnaissance against network infrastructure between March 30, 2026 07:00-20:00 UTC, generating over 10,000 scanning events. This activity represents initial reconnaissance phase of potential RDP exploitation campaign and is assessed as LOW i…
IP address 103.93.93.211 conducted an automated credential stuffing attack against telnet services from March 27-30, 2026, generating 756 events targeting default credentials. This represents a MEDIUM threat level consistent with IoT botnet recruitment activities. Organizations should immediately a…
Threat intelligence sensors detected a sustained Telnet brute force attack originating from IP 177.75.49.40, generating 677 credential capture attempts over approximately one hour on March 28-29, 2026. This activity represents a MEDIUM threat level with automated tooling characteristics targeting l…
Source IP 77.46.207.126 conducted a sustained credential capture campaign against Telnet services on March 29, 2026, generating 1,279 attack events over approximately one hour. This represents routine opportunistic scanning activity with low sophistication and minimal threat impact. Network defende…
IP address 125.122.156.134 conducted automated SSH reconnaissance against network infrastructure between 29 March 2026 11:00-14:00 UTC, generating 338 connection events. This activity represents low-severity noise-level scanning with standard SSH banner exchanges using 'SSH-2.0-Go' client identifie…
Automated SMTP relay attempts and vulnerability scanning observed from IP 178.16.52.2 between March 11-26, 2026, generating 115 security events targeting port 25/TCP. Assessment indicates low-sophistication automated activity with minimal threat impact. Standard email security hardening and monitori…
IP address 91.239.248.69 conducted intensive RDP reconnaissance against network infrastructure on March 29, 2026, generating over 21,000 scanning events targeting port 3389. This medium-severity activity represents initial reconnaissance phase operations that typically precede credential brute-forc…