Posts tagged: LFI

9 posts

HIGH 204.76.203.73

IP address 204.76.203.73 conducted a sustained Local File Inclusion (LFI) attack campaign from February 21 to April 16, 2026, targeting multiple web services with 118 recorded events. The activity represents LOW severity reconnaissance and exploitation attempts focused on accessing sensitive system …

HIGH 35.216.140.3

IP address 35.216.140.3 conducted a sustained 41-day reconnaissance campaign targeting web applications and network services, attempting to access sensitive configuration files and probing RDP/SMB services. The activity represents a MEDIUM threat level with moderate sophistication, likely representi…

HIGH 204.76.203.215

Threat actor operating from IP 204.76.203.215 conducted sustained reconnaissance and Local File Inclusion (LFI) attacks against multiple services over 47 days (February 22 - April 10, 2026), generating 284 security events. Despite the LOW confidence assessment, the campaign demonstrates escalating s…

HIGH 185.177.72.61

Threat actor operating from IP 185.177.72.61 conducted systematic reconnaissance against web applications, attempting to access sensitive configuration files including .env defaults and Git repositories over a 21-day period ending April 8, 2026 at 06:00. This medium-severity activity represents typi…

HIGH 89.42.231.182

High-confidence Local File Inclusion (LFI) attack campaign observed from 89.42.231.182 (Netherlands/Amarutu Technology Ltd) targeting web applications with directory traversal techniques to access sensitive system files. Assessment: HIGH threat level with 95% confidence based on 146 attack events o…

HIGH 198.211.115.185

IP address 198.211.115.185 conducted an intensive web exploitation campaign on March 18, 2026, executing 217 attack events over a 3-hour window targeting web applications through Local File Inclusion (LFI) attacks and vulnerability scanning. This represents a HIGH threat level based on the concentr…

CRITICAL 45.148.10.23

Internet-facing sensors observed medium-severity reconnaissance activity from IP 45.148.10.23 (Netherlands/AS48090) conducting Local File Inclusion (LFI) attacks targeting Git configuration files and vulnerability scanning across 27 events over a 12-hour period from February 26-27, 2026. The threat…

HIGH 67.213.118.179

A Linux-based threat actor operating from US infrastructure conducted sustained web application exploitation attempts over a 9-day period, generating 2,244 malicious events targeting HTTP services. The actor demonstrated HIGH threat level activity through systematic Local File Inclusion (LFI) attack…

CRITICAL 196.115.7.197

A Moroccan threat actor (196.115.7.197) conducted a sustained web application attack campaign from February 27-March 4, 2026, targeting sensitive configuration files and conducting vulnerability scanning. The attacker demonstrates medium-severity capabilities with Local File Inclusion (LFI) techniq…