IP address 66.132.172.138 conducted extensive multi-protocol reconnaissance over 42 days (April 2-May 14, 2026), generating 667 security events targeting industrial control systems, Kubernetes infrastructure, and network services. Despite high-severity exploit signatures, this activity is assessed a…
Posts tagged: FORTI_RECON
29 posts
IP address 65.49.1.80 conducted a sustained multi-protocol reconnaissance campaign from February 21 to April 27, 2026, targeting industrial control systems, network infrastructure, and enterprise services across 14 unique ports with 135 recorded events. The threat is assessed as HIGH severity due to…
IP address 65.49.1.192 conducted sustained reconnaissance activities over 53 days (March-April 2026) targeting FortiGate appliances and industrial control systems using IEC-104 protocol probes. This represents a MEDIUM threat level with potential critical infrastructure targeting. Organizations shou…
IP address 85.217.140.37 conducted a sustained multi-protocol reconnaissance campaign from March 7 to April 20, 2026, targeting 16 unique ports across FTP, MQTT, Oracle, RDP, SMTP, and SSH services with 97 total events. This activity represents low-risk service discovery and enumeration rather than …
IP address 85.11.183.27 conducted a sustained reconnaissance campaign from March 2026 through April 2026, targeting network infrastructure management interfaces including Palo Alto Networks PAN-OS, FortiGate, and MQTT services across 56 events. This activity represents initial attack chain reconnais…
IP address 85.11.183.19 conducted sustained reconnaissance activities over 50 days (February 28 - April 19, 2026) with 151 events targeting multiple protocols including HTTPS, TLS, and SMTP across 7 unique ports. Despite low individual event severity, the persistent nature and focus on FortiGate inf…
External IP address 65.49.1.132 conducted sustained reconnaissance activities from February 21 to April 18, 2026, targeting enterprise infrastructure including FortiGate appliances, industrial control systems, and network services across 13 unique ports. Assessment indicates LOW threat severity with…
IP address 65.49.1.152 conducted sustained reconnaissance activities from March 15 to April 17, 2026, targeting multiple protocols including FortiGate infrastructure, Oracle databases, IoT devices, and Kubernetes clusters across 59 observed events. Assessment indicates LOW threat level with medium c…
IP address 66.132.172.198 conducted a 24-day reconnaissance and exploitation campaign from March 24 to April 17, 2026, targeting industrial control systems (S7comm), SMB services, and network infrastructure across multiple protocols. The threat is assessed as LOW severity with 85% confidence, repres…
IP address 85.217.140.39 conducted sustained reconnaissance activities from March 16 to April 16, 2026, targeting multiple protocols including FTP, HTTP, MQTT, and TLS services across 11 unique ports. Assessment indicates MEDIUM threat level with 85% confidence, representing initial attack phase act…
IP address 66.132.153.123 conducted automated reconnaissance against FortiGate appliances and industrial control systems over a 12-day period from March 4-16, 2026. This represents medium-severity preparatory activity for potential follow-on attacks against network security infrastructure and ICS en…
Threat actor at 65.49.20.69 conducted sustained multi-protocol reconnaissance targeting FortiGate appliances, industrial control systems, and IoT devices over 54 days from February 21 to April 15, 2026. Activity demonstrates medium-severity threat with focus on critical infrastructure enumeration ac…
External threat actor at IP 2.57.122.234 conducted a 42-day reconnaissance and credential harvesting campaign from March 1-April 12, 2026, generating 112 attack events primarily targeting Fortinet devices and authentication systems. Assessment indicates MEDIUM threat level with sophisticated APT-lik…
IP address 64.62.197.122 conducted sustained reconnaissance against network infrastructure and industrial control systems over a 52-day period from February 19 to April 11, 2026, generating 58 security events. The activity primarily targeted FortiGate and Palo Alto security appliances alongside Modb…
IP address 66.132.172.96 conducted extensive reconnaissance targeting industrial control systems and enterprise infrastructure between March 20-April 7, 2026, with 326 observed events focusing on Siemens S7, Modbus, Oracle, and Kubernetes protocols. This activity represents a HIGH threat level with …
High-confidence Oracle database reconnaissance activity detected from French IP 85.217.140.50 (AS209334 Modat B.V.) targeting database infrastructure over a 15-day period from March 7-22, 2026. This represents initial attack phase activity that typically precedes Oracle-specific exploitation attempt…
Orange Polska-sourced IP address 46.134.26.213 conducted reconnaissance and credential harvesting attempts targeting FortiGate login interfaces on March 12, 2026. Threat level assessed as LOW with medium confidence due to limited attack volume and reconnaissance-phase activity. Network defenders sh…
External IP 85.217.140.52 (AS209334 Modat B.V.) conducted sustained reconnaissance activities over 16 days targeting network infrastructure including Kubernetes etcd services and FortiGate devices. Assessed threat level is LOW with medium confidence, representing preliminary information gathering t…
A single threat actor (152.32.149.19) conducted targeted reconnaissance against Fortinet infrastructure on March 4, 2026, between 17:00-18:00 UTC, generating 148 malicious events focused on FortiGate device enumeration and login page discovery. The activity represents a MEDIUM threat level indicati…
IP address 85.217.140.15 (France) conducted sustained reconnaissance targeting FortiGate infrastructure over a 10-day period from March 3-13, 2026, generating 103 security events with maximum abuse scoring. The threat level is assessed as MEDIUM with potential for escalation to active exploitation …
Hong Kong-based IP address 43.132.207.18 conducted 147 reconnaissance attempts against FortiGate infrastructure between March 9-20, 2026, employing automated scanning techniques to probe for vulnerabilities and access points. This activity represents a LOW severity threat with moderate confidence, …
A Hong Kong-based threat actor (199.45.155.98) conducted focused reconnaissance against FortiGate infrastructure on 2026-03-17 around 07:00, generating 78 attack events within a one-hour window. This represents an active exploitation phase with medium threat level targeting network security applian…
A US-based threat actor (3.131.220.121) conducted sustained reconnaissance against industrial control systems and network infrastructure over a 20-day period, employing Modbus protocol attacks and FortiGate device enumeration. The activity demonstrates HIGH threat level with 85% confidence, indicat…
French-origin IP address 85.217.140.38 conducted sustained reconnaissance against Fortinet infrastructure over a 6-day period from March 5-11, 2026, generating 126 security events. This represents medium-severity threat activity focused on identifying vulnerable FortiGate appliances. Network defend…
Our sensors detected reconnaissance activity from IP [SENSOR-IP] (Poland/AS50584) targeting Fortinet login interfaces on March 11, 2026 between 19:00-21:00 UTC. The activity represents low-to-medium risk reconnaissance behavior with 51 events over a 15-minute window. Network defenders should monito…
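The listing above reads as a set of isolated /32 indicators, but several entries share a /24 (65.49.1.x, 66.132.172.x, 85.217.140.x, the last under AS209334 Modat B.V.). The following Python is an added example, not code from this blog: it parses excerpt sentences copied from the listing into IOC records (IP, assessed level, event count, ASN), rolls them up by /24, and emits a blocklist that escalates to the whole netblock once at least two distinct scanners share it. The regular expressions, and the assumption that a post states its verdict as a capitalised LOW/MEDIUM/HIGH or as "medium-severity threat", are guesses about this blog's summary wording; an excerpt with no public IP (the redacted [SENSOR-IP] entry) is skipped rather than mis-parsed.

```python
"""Roll up scanner IPs from post excerpts into a per-/24 watchlist.

Added example for the FORTI_RECON listing; not part of the blog.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed input: excerpt sentences copied (abridged) from the listing above.
EXCERPTS = [
    "IP address 66.132.172.138 conducted extensive multi-protocol reconnaissance "
    "over 42 days (April 2-May 14, 2026), generating 667 security events. "
    "Despite high-severity exploit signatures, this activity is assessed a",
    "IP address 65.49.1.80 conducted a sustained multi-protocol reconnaissance "
    "campaign across 14 unique ports with 135 recorded events. The threat is "
    "assessed as HIGH severity",
    "IP address 65.49.1.192 conducted sustained reconnaissance activities over "
    "53 days. This represents a MEDIUM threat level",
    "External IP 85.217.140.52 (AS209334 Modat B.V.) conducted sustained "
    "reconnaissance activities over 16 days. Assessed threat level is LOW",
    "French-origin IP address 85.217.140.38 conducted sustained reconnaissance "
    "generating 126 security events. This represents medium-severity threat activity",
    "Our sensors detected reconnaissance activity from IP [SENSOR-IP] "
    "(Poland/AS50584) with 51 events over a 15-minute window.",
    "IP address 66.132.172.198 conducted a 24-day reconnaissance and exploitation "
    "campaign. The threat is assessed as LOW severity with 85% confidence",
]

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ASN_RE = re.compile(r"\b(AS\d+)\b")
# Assumed wording: the posts state the assessed level in capitals ("assessed as HIGH").
LEVEL_RE = re.compile(r"\b(LOW|MEDIUM|HIGH)\b")
# Fallback for "medium-severity threat activity" style wording; the required trailing
# noun keeps "high-severity exploit signatures" (a detail, not the verdict) from matching.
LEVEL_FALLBACK_RE = re.compile(
    r"\b(low|medium|high)-(?:severity|risk)\s+(?:threat|activity|preparatory|service)\b")
EVENTS_RE = re.compile(r"\b(\d+)\s+(?:\w+\s+)?events\b")  # "667 security events", "56 events"


def parse_excerpt(text):
    """Extract one IOC record from an excerpt, or None if it names no public IP."""
    m = IP_RE.search(text)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None
    if not ip.is_global:  # drop private/reserved strings that merely look like IPs
        return None
    level = LEVEL_RE.search(text) or LEVEL_FALLBACK_RE.search(text)
    asn = ASN_RE.search(text)
    events = EVENTS_RE.search(text)
    return {
        "ip": str(ip),
        "severity": level.group(1).upper() if level else "UNKNOWN",
        "asn": asn.group(1) if asn else None,
        "events": int(events.group(1)) if events else 0,
    }


def netblock_summary(records, prefix=24):
    """Group records by /prefix; report hosts, worst assessed level, events and ASNs."""
    blocks = defaultdict(list)
    for r in records:
        net = ipaddress.ip_network(f"{r['ip']}/{prefix}", strict=False)
        blocks[str(net)].append(r)
    summary = []
    for net, members in blocks.items():
        summary.append({
            "network": net,
            "hosts": sorted({m["ip"] for m in members}, key=ipaddress.ip_address),
            "max_severity": max((m["severity"] for m in members),
                                key=SEVERITY_RANK.__getitem__),
            "events": sum(m["events"] for m in members),
            "asns": sorted({m["asn"] for m in members if m["asn"]}),
        })
    # Most populated netblocks first, then by observed event volume.
    summary.sort(key=lambda s: (-len(s["hosts"]), -s["events"]))
    return summary


def blocklist(summary, min_hosts=2):
    """Block the whole netblock once min_hosts distinct scanners share it;
    otherwise fall back to individual /32 entries."""
    entries = []
    for s in summary:
        if len(s["hosts"]) >= min_hosts:
            entries.append(s["network"])
        else:
            entries.extend(f"{h}/32" for h in s["hosts"])
    return entries


def build_watchlist(excerpts=EXCERPTS):
    records = [r for r in map(parse_excerpt, excerpts) if r]
    return netblock_summary(records)


if __name__ == "__main__":
    watchlist = build_watchlist()
    for s in watchlist:
        print(f"{s['network']:<18} hosts={len(s['hosts'])} "
              f"max={s['max_severity']:<7} events={s['events']} asns={s['asns']}")
    print("blocklist:", blocklist(watchlist))
```

Run on the seven sample excerpts, the script yields three /24 watchlist entries, each with two scanners, and a default blocklist of those three netblocks; raising `min_hosts` to 3 degrades gracefully to six /32 entries. The `max_severity` roll-up is deliberately conservative: a block whose posts never state a verdict stays UNKNOWN rather than inheriting a level from a neighbour's wording.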