IP address 45.186.33.225 conducted 219 credential capture attempts against Telnet services over a one-hour period on 2026-03-28. This activity represents typical opportunistic scanning with low novelty and medium threat level. Network defenders should verify Telnet service exposure and implement ap…
IP Threat Advisories
IP address 85.217.140.53 conducted a sustained multi-protocol scanning campaign from March 11-28, 2026, targeting Oracle database, SSH, and Kubernetes services across 7 unique ports with 92 total events. Assessment indicates low-sophistication automated reconnaissance activity with minimal immediate…
IP address 64.89.160.82 conducted sustained SMTP-based reconnaissance and credential capture attempts against mail infrastructure from March 16-28, 2026, generating over 5,200 security events. Despite the high volume of activity, this represents common opportunistic scanning behavior with low sophi…
IP address 204.76.203.30 conducted a month-long HTTP scanning campaign from February 27 to March 27, 2026, generating 586 security events targeting multiple network services. The sustained reconnaissance activity using automated tooling indicates MEDIUM threat level with potential for escalation to …
IP address 91.224.92.114 conducted 49 targeted attacks against industrial control systems between February 18, 2026 14:00 and March 16, 2026 10:00, primarily leveraging Siemens S7 communication protocols. This represents a MEDIUM threat level with moderate confidence, indicating potential reconnaiss…
External threat actor 66.132.172.102 conducted targeted reconnaissance against industrial control systems using Modbus protocol attacks between March 20-26, 2026, with 79 recorded events. This HIGH confidence threat demonstrates sophisticated capabilities targeting critical infrastructure with poten…
Russian-origin IP address 89.109.8.38 conducted SMBv1 protocol negotiation attempts against non-standard port 9001 on February 26, 2026 at 17:00 hours. This reconnaissance activity presents medium risk due to SMBv1's inherent vulnerabilities and potential for lateral movement exploitation. Network d…
External IP address 208.95.112.1 conducted extensive port scanning activities against organizational assets from March 24-26, 2026, targeting 1,566 unique destination ports across 4,673 recorded events. This represents moderate-risk reconnaissance activity consistent with pre-attack intelligence ga…
IP address 18.97.5.121 conducted a high-volume attack campaign against HTTPS infrastructure on March 25, 2026, generating 1,976 malicious events over a 24-minute period. The concentrated nature of this activity targeting a single destination port suggests automated tooling and represents a MEDIUM t…
IP address 223.184.169.119 conducted sustained SMB exploitation probes targeting port 445 over approximately 1.5 hours on March 26, 2026, generating 2,049 security events with 448 confirmed SMB exploit probe attempts. This activity represents a SUSPICIOUS threat level indicating potential reconnais…
Threat actor operating from IP 44.220.188.92 conducted an intensive HTTPS scanning campaign on March 26, 2026, generating over 2,000 connection attempts within a 2-minute window targeting a single port. This represents a HIGH threat level indicative of automated reconnaissance or potential applicati…
IP address 44.220.188.219 conducted a high-volume attack campaign generating 2,170 events over a 3-minute window on March 26, 2026, targeting HTTPS services. The concentrated timeframe and attack volume indicate automated tooling consistent with reconnaissance or exploitation attempts against web ap…
IP address 98.80.4.97 conducted a high-volume attack campaign generating 2,239 events within a 2-hour window on March 25, 2026, targeting HTTPS services. This represents a concentrated, automated attack with moderate threat level due to the focused nature and encryption protocol targeting. Immediat…
Source IP 106.214.8.216 conducted intensive SMB exploitation probes targeting port 445 over a 1-hour window on March 26, 2026, generating 3,009 security events with 867 confirmed SMB exploit attempts. This activity represents a HIGH severity threat consistent with automated vulnerability scanning o…
Threat actor operating from IP address 5.79.108.33 conducted targeted reconnaissance against industrial control systems using DNP3 protocol alongside HTTP and TCP scanning activities on March 26, 2026. This represents a MEDIUM threat level due to the specific targeting of critical infrastructure pro…
External IP address 77.83.39.74 conducted sustained SMTP reconnaissance and credential capture attempts against email infrastructure over a 22-day period from March 4-26, 2026. This activity represents initial reconnaissance phases of a potential email-based attack campaign with 8,403 recorded event…
Threat actor at IP 183.89.229.229 conducted intensive SMB reconnaissance against network infrastructure on March 26, 2026, generating 4,368 events over approximately one hour targeting SMB services. Assessment indicates MEDIUM threat level focused on vulnerability discovery and potential exploitati…
Automated reconnaissance activity from IP 45.205.1.50 has been observed probing for HTTP proxy functionality on port 9001 using a Go HTTP client, likely testing systems for potential abuse as traffic relay infrastructure. This represents a MEDIUM threat level with moderate confidence, indicating prepa…
IP address 173.239.240.145 conducted a sustained credential attack campaign against SSL VPN infrastructure over 21 days (March 4-25, 2026), generating 3,555 authentication attempts targeting HTTPS services. This represents a MEDIUM threat with potential for unauthorized network access if weak creden…
IP address 80.94.95.43 conducted targeted reconnaissance against industrial control systems (ICS) infrastructure over a 15-day period from March 10-25, 2026, generating 69 attack events primarily focused on S7comm protocol exploitation. This represents LOW-severity threat activity consistent with in…
External threat actor operating from Lithuanian IP address 185.36.81.23 conducted sustained SMBv1 reconnaissance against network infrastructure over a 30-day period ending March 23, 2026. This activity represents high-risk probing for EternalBlue-vulnerable systems and indicates potential preparatio…
External IP 1.22.230.154 (Bengaluru, India) conducted sustained SMB reconnaissance against non-standard ports using deprecated SMBv1 protocol over a 5-hour period on March 4, 2026. This activity represents medium-risk reconnaissance that could precede exploitation of SMB vulnerabilities. Organizatio…
Russian-origin IP address 81.29.142.6 conducted sustained multi-protocol reconnaissance targeting industrial control systems and enterprise services over a 40-day period from February 12 to March 24, 2026. Despite 468 recorded events across 11 protocols including EtherNet/IP, Modbus, and MQTT, the a…
High-confidence Oracle database reconnaissance activity detected from French IP 85.217.140.50 (AS209334 Modat B.V.) targeting database infrastructure over a 15-day period from March 7-22, 2026. This represents initial attack phase activity that typically precedes Oracle-specific exploitation attempt…
IP address 87.236.176.48 (Leeds, UK) conducted multi-protocol reconnaissance targeting MQTT services and general network infrastructure over 18 days, generating 21 security events. Assessment indicates low-to-medium risk research scanning activity with MQTT-specific targeting that warrants monitorin…