Iranian-origin threat actor at 81.30.98.144 conducted sustained SMTP credential harvesting operations targeting mail infrastructure over 17-day period, generating 174,000+ malicious events with focus on authentication bypass. Campaign demonstrates persistent reconnaissance and credential capture cap…
Posts tagged: CREDENTIAL_CAPTURE
30 posts

Malicious activity detected from 93.123.109.127 (NL, AS48090). 629 events observed across SMTP, TCP. AI verdict: NOISE.
An IP address from Düsseldorf, Germany (178.16.54.22) has been observed engaging in credential capture attempts and SMTP probing over a three-day period. The activity is assessed as noise but warrants attention due to the high volume of login attempts. Network defenders should implement or review th…
An IP address (81.30.98.44) has been observed engaging in credential capture attempts and SMTP probing activities over a period of 7 days, primarily targeting port 25/TCP. The activity is assessed as noise-level threat with no confirmed CVEs or zero-day exploits; however, network defenders should re…
Malicious activity detected from 81.30.98.207 (LT, AS209425). 73829 events observed across Diameter, MySQL, SMTP, TCP, TCP/SYN. AI verdict: NOISE.
An IP address (81.30.98.181) from Iran has been observed conducting SMTP AUTH probes and credential capture attempts over a period of five days in May 2026. The activity is assessed as noise, but network defenders should review their SMTP configurations and implement additional authentication measur…
Malicious activity detected from 62.60.130.169 (LT, AS59441). 237156 events observed across SMTP, TCP. AI verdict: NOISE.
An IP address from Luxembourg (64.89.160.43) has been observed conducting repeated SMTP AUTH probes and credential capture attempts over a period of 7 days. The activity is assessed as low to moderate threat level due to the lack of novel techniques or payloads, but network defenders should remain v…
An automated credential capture attempt was detected originating from IP 121.102.38.87 in Kyoto, Japan, targeting port 8080 over a two-hour period. The attack is assessed as noise with no associated CVEs or zero-day exploits, and poses minimal risk to networks.
IP address 178.16.54.237 (Netherlands/dus.net GmbH) conducted sustained SMTP reconnaissance and credential capture attempts against organizational infrastructure from April 29 00:00 to May 4 18:00. The source IP maintains a 100/100 AbuseIPDB reputation score and is listed on Spamhaus DROP, indicatin…
A South Korean IP address (221.166.248.230) conducted sustained automated credential capture attacks against network infrastructure over a 5-day period from March 28-April 2, 2026, generating 1,240 malicious events. This represents low-sophistication opportunistic scanning with medium threat level d…
IP address 64.89.160.72 (Ghosty Networks LLC, Luxembourg) conducted sustained SMTP reconnaissance against mail servers from April 21-29, 2026, generating 4,928 events primarily targeting port 25. The activity consists of standard EHLO probes with credential capture attempts and poses low threat risk…
IP address 65.49.1.108 conducted a 41-day reconnaissance campaign from March 8-April 18, 2026, targeting industrial control systems and network infrastructure across 14 unique ports using multiple protocols including S7comm, RDP, and Fortinet device probes. Despite the broad attack surface and ICS t…
External IP address 65.49.1.132 conducted sustained reconnaissance activities from February 21 to April 18, 2026, targeting enterprise infrastructure including FortiGate appliances, industrial control systems, and network services across 13 unique ports. Assessment indicates LOW threat severity with…
External threat actor at IP 2.57.122.234 conducted a 42-day reconnaissance and credential harvesting campaign from March 1-April 12, 2026, generating 112 attack events primarily targeting Fortinet devices and authentication systems. Assessment indicates MEDIUM threat level with sophisticated APT-lik…
IP address 64.62.197.122 conducted sustained reconnaissance against network infrastructure and industrial control systems over a 52-day period from February 19 to April 11, 2026, generating 58 security events. The activity primarily targeted FortiGate and Palo Alto security appliances alongside Modb…
Threat actor operating from Chinese CHINANET infrastructure (1.192.212.177) conducted sustained automated credential capture attacks against Telnet services over an 8-day period in April 2026. Assessment: LOW threat level representing opportunistic scanning activity with no novel techniques observed…
A South African IP address (41.157.50.173) conducted intensive credential capture attacks against Telnet services over a 2-hour period on April 6, 2026, generating 1,573 malicious events. This represents routine opportunistic scanning activity with medium threat level. Network defenders should verif…
IP address 65.49.1.66 conducted sustained multi-protocol reconnaissance targeting industrial control systems, network infrastructure, and enterprise services over a 6-week period from February 25 to April 6, 2026. The activity demonstrates medium-risk threat behavior with 62 recorded events spanning…
Threat actor operating from 185.93.89.64 (Netherlands/AS213790) conducted sustained SMTP reconnaissance against mail infrastructure over 28 days, generating 7,725 events targeting port 25. Activity assessed as LOW threat level reconnaissance likely aimed at identifying vulnerable mail servers for fu…
IP address 194.163.170.234 (Contabo GmbH/FR) conducted a sustained credential brute force attack against telnet services on 2026-04-04 between 07:00-10:00 UTC, generating over 64,000 authentication attempts. This represents a medium-severity threat with high confidence due to the systematic nature a…
A Taiwan-based IP address (165.154.227.162) conducted an intensive credential capture campaign over 4 hours on April 3-4, 2026, generating 28,317 attack events targeting Telnet services. This represents typical opportunistic scanning activity with medium threat severity. Network defenders should ver…
IP address 43.142.113.25 conducted sustained credential brute-force attacks against Telnet services over an 8-hour period on March 27, 2026, generating 394 malicious events. This represents a MEDIUM threat level with moderate sophistication targeting weak authentication mechanisms. Network defend…
IP address 50.72.175.209 conducted sustained credential capture attacks against Telnet services over a 2-hour period on March 29, 2026, generating 1,429 malicious events between 04:00-07:00 UTC. This represents a MEDIUM threat level focused on credential harvesting operations. Network defenders sho…
IP address 103.93.93.211 conducted an automated credential stuffing attack against telnet services from March 27-30, 2026, generating 756 events targeting default credentials. This represents a MEDIUM threat level consistent with IoT botnet recruitment activities. Organizations should immediately a…