IP Threat Advisories

264 posts
HIGH 87.236.176.48

IP address 87.236.176.48 (Leeds, UK) conducted multi-protocol reconnaissance targeting MQTT services and general network infrastructure over 18 days, generating 21 security events. Assessment indicates low-to-medium risk research scanning activity with MQTT-specific targeting that warrants monitorin…

HIGH 109.95.121.70

Russian-origin IP address 109.95.121.70 conducted sustained SMB reconnaissance targeting organizational networks over a 23-day period from February 25 to March 20, 2026, generating 143 security events. The activity primarily leveraged vulnerable SMBv1 protocol for network enumeration and represents …

HIGH 95.25.169.123

Russian-origin IP address 95.25.169.123 conducted sustained SMBv1 protocol reconnaissance against non-standard port 9001 over a 15-day period from February 15-March 2, 2026. This activity represents HIGH-risk reconnaissance likely preparing for lateral movement exploitation of legacy SMB services. O…

HIGH 136.144.35.116

High-confidence credential stuffing attacks targeting Cisco ASA SSL VPN login interfaces have been observed from US-based infrastructure (AS396356 Latitude.sh) between March 17-23, 2026. The threat actor demonstrates specific knowledge of Cisco WebVPN authentication mechanisms and poses significant …

LOW 167.172.64.18

Automated reconnaissance scanning targeting Kubernetes kubelet API port 10250 observed from Singapore-based IP 167.172.64.18 on 2026-03-04 at 23:00 hours. Assessment indicates MEDIUM threat level with potential for cluster enumeration leading to container escape or compromise if kubelet APIs are mis…

HIGH 89.42.231.182

High-confidence Local File Inclusion (LFI) attack campaign observed from 89.42.231.182 (Netherlands/Amarutu Technology Ltd) targeting web applications with directory traversal techniques to access sensitive system files. Assessment: HIGH threat level with 95% confidence based on 146 attack events o…

CRITICAL 64.23.214.27

High-severity MQTT protocol attack detected from US-based IP 64.23.214.27 targeting industrial messaging infrastructure with suspicious hex-encoded payloads and persistent delivery flags. The attack demonstrates advanced knowledge of MQTT protocol exploitation techniques, potentially indicating pro…

LOW 87.106.146.151

IP address 87.106.146.151 (Germany) conducted low-volume reconnaissance scanning targeting HTTP login endpoints between February 26-March 5, 2026. Assessment indicates LOW threat level with potential for escalation to credential attacks. Organizations should monitor for follow-up authentication att…

HIGH 185.247.137.40

Threat actor at 185.247.137.40 conducted reconnaissance scanning targeting industrial control systems over a 32-day period, specifically probing EtherNet/IP and Modbus protocols commonly used in operational technology environments. Assessment indicates LOW threat level with potential for escalation…

LOW 216.180.246.151

IP address 216.180.246.151 conducted reconnaissance scanning targeting administrative login interfaces on March 21, 2026 between 09:00-10:00 UTC, generating 63 security events over a 4-minute window. This activity represents MEDIUM-risk pre-attack reconnaissance consistent with credential harvesting…

LOW 104.164.8.186

Low-severity scanning activity detected from IP 104.164.8.186 (Nodestop LLC/US) conducting automated reconnaissance against authentication endpoints over a 5-day period. Assessment indicates typical opportunistic scanning with LOW threat level and 85% confidence. Network defenders should monitor fo…

LOW 45.144.212.199

A medium-severity threat actor operating from Netherlands infrastructure (45.144.212.199) conducted sustained SMTP reconnaissance activities against mail servers between February 28-March 2, 2026. The attacker performed systematic mail server probing using suspicious sender addresses potentially lin…

HIGH 109.95.35.214

External threat actor at 109.95.35.214 (Ukraine/AS31725) conducted sustained SMB reconnaissance against network infrastructure over 10 days, generating 252 security events targeting SMB services. Assessed as MEDIUM threat level with 85% confidence due to legacy SMB1 protocol usage indicating potent…

SMB

MEDIUM 202.69.35.118

External IP address 202.69.35.118 (Pakistan/Lahore) conducted sustained SMB reconnaissance against network infrastructure between 18 March 2026 05:00-10:00 UTC, generating 6,655 security events targeting port 445. This activity represents MEDIUM-risk reconnaissance behavior consistent with pre-atta…

SMB

HIGH 46.134.26.213

Orange Polska-sourced IP address 46.134.26.213 conducted reconnaissance and credential harvesting attempts targeting FortiGate login interfaces on March 12, 2026. Threat level assessed as LOW with medium confidence due to limited attack volume and reconnaissance-phase activity. Network defenders sh…

LOW 85.217.140.52

External IP 85.217.140.52 (AS209334 Modat B.V.) conducted sustained reconnaissance activities over 16 days targeting network infrastructure including Kubernetes etcd services and FortiGate devices. Assessed threat level is LOW with medium confidence, representing preliminary information gathering t…

HIGH 45.144.212.237

External threat actor conducted sustained SMTP reconnaissance against organizational infrastructure from IP 45.144.212.237 (Netherlands/Kprohost ASN214940) between March 6-22, 2026, generating 13,097 probe attempts. Assessment indicates LOW severity automated scanning activity designed to enumerate…

LOW 141.98.9.114

Lithuanian-based IP 141.98.9.114 conducted low-volume SMTP reconnaissance against mail infrastructure on March 18, 2026, between 02:00-08:00 hours, attempting to enumerate mail server capabilities and recipients. This activity represents typical network reconnaissance behavior with LOW assessed thre…

LOW 141.98.9.68

Threat actor operating from IP 141.98.9.68 (Lithuania, AS209588) conducted SMTP user enumeration attacks against organizational email infrastructure over a 16-hour period from March 15-16, 2026. Assessment indicates LOW severity reconnaissance activity consistent with email harvesting for potential …

LOW 152.32.149.19

A single threat actor (152.32.149.19) conducted targeted reconnaissance against Fortinet infrastructure on March 4, 2026, between 17:00-18:00 UTC, generating 148 malicious events focused on FortiGate device enumeration and login page discovery. The activity represents a MEDIUM threat level indicati…

HIGH 64.89.161.182

A medium-severity credential stuffing attack was observed from IP 64.89.161.182 (Luxembourg) targeting authentication services with weak credentials over a brief timeframe on March 9, 2026. The attacker conducted 214 events within one minute using HTTP Basic Authentication, specifically targeting p…

HIGH 170.233.6.1

Brazilian IP address 170.233.6.1 conducted SMB reconnaissance activities over 24 days, probing for legacy SMB protocol support including SMBv1. This represents medium-risk reconnaissance activity that typically precedes SMB-based exploitation attempts. Organizations should immediately audit SMB exp…

SMB

HIGH 109.95.35.130

External threat actor 109.95.35.130 conducted sustained SMBv1 reconnaissance activities over a 15-day period (March 4-19, 2026), targeting network infrastructure with deprecated protocol exploitation techniques. Assessment indicates HIGH threat level with 85% confidence due to SMBv1's association w…

SMB

HIGH 210.171.212.149

External threat actor at 2[REDACTED] (Japan/AS7672) conducted sustained SMBv1 protocol reconnaissance against network infrastructure from March 4-16, 2026. This activity represents HIGH-risk preparation for potential EternalBlue-style remote code execution attacks targeting legacy SMB services. Imm…

SMB

CRITICAL 103.230.107.236

External host 103.230.107.236 from Bangladesh conducted SMBv1 reconnaissance against internal networks on March 6, 2026 at approximately 11:00 UTC, generating 328 events over 30 minutes. This activity represents CRITICAL-level threat due to targeting of inherently vulnerable SMBv1 services accessibl…

SMB