Iranian-origin threat actor at 81.30.98.144 conducted sustained SMTP credential harvesting operations targeting mail infrastructure over 17-day period, generating 174,000+ malicious events with focus on authentication bypass. Campaign demonstrates persistent reconnaissance and credential capture cap…
Posts tagged: PROTO_ABUSE
18 posts

An IP address (81.30.98.44) has been observed engaging in credential capture attempts and SMTP probing activities over a period of 7 days, primarily targeting port 25/TCP. The activity is assessed as noise-level threat with no confirmed CVEs or zero-day exploits; however, network defenders should re…
Malicious activity detected from 116.102.39.187 (VN, ASNone). 65038 events observed across Diameter, MySQL, SMB, TCP, TCP/SYN. AI verdict: MEDIUM.
Malicious activity detected from 81.30.98.207 (LT, AS209425). 73829 events observed across Diameter, MySQL, SMTP, TCP, TCP/SYN. AI verdict: NOISE.
An IP address (81.30.98.181) from Iran has been observed conducting SMTP AUTH probes and credential capture attempts over a period of five days in May 2026. The activity is assessed as noise, but network defenders should review their SMTP configurations and implement additional authentication measur…
Malicious activity detected from 103.210.21.242 (HK, AS135377). 152 events observed across SSH, TCP, TCP/SYN. AI verdict: NOISE.
Malicious activity detected from 83.168.69.197 (PL, AS202520). 12110 events observed across ADB, TCP. AI verdict: NOISE.
Malicious activity detected from 185.150.191.165 (US, AS23470). 4719 events observed across HTTP, HTTPS, TCP, TCP/SYN, TLS. AI verdict: NOISE.
IP address 66.132.172.138 conducted extensive multi-protocol reconnaissance over 42 days (April 2-May 14, 2026), generating 667 security events targeting industrial control systems, Kubernetes infrastructure, and network services. Despite high-severity exploit signatures, this activity is assessed a…
Automated SSH brute force activity observed from IP 175.118.127.138 (Seoul, South Korea) targeting network infrastructure with root credential attacks over a 12-day period. Assessed as low-to-medium threat level opportunistic scanning with standard attack patterns. Recommend implementing SSH hardeni…
A Norwegian IP address (46.46.228.195) conducted sustained Android Debug Bridge (ADB) reconnaissance against network infrastructure over a 4-day period, generating over 4,300 malicious events targeting TCP port 5555. This represents a MEDIUM severity threat focused on identifying exposed Android dev…
High-severity threat activity detected from Brazilian cloud infrastructure (45.205.1.27) conducting systematic reconnaissance and exploitation attempts against multiple network services from April 2nd through April 29th, 2026. The source IP maintains a maximum malicious reputation score and demonstr…
A single IP address from Chinese cloud infrastructure conducted sustained SSH protocol abuse targeting port 2200 over a 4-hour period on April 29, 2026, generating over 5,000 events. This activity represents common automated scanning behavior with low threat severity and no evidence of successful ex…
IP address 66.132.172.182 conducted an extensive 32-day scanning campaign from March 25 to April 26, 2026, targeting multiple protocols including industrial control systems, Kubernetes infrastructure, and enterprise services. Despite generating 490 security events across 8 destination ports, this ac…
Russian-origin IP address 81.29.142.100 conducted a sustained multi-protocol reconnaissance campaign targeting industrial control systems, databases, and enterprise services over a 68-day period from February to April 2026. The attacker demonstrated particular focus on MQTT messaging systems and Ora…
Malicious activity detected from 119.23.110.193 (CN, AS37963). 20371 events observed across SSH, TCP, TCP/SYN, TLS. AI verdict: NOISE.
Threat actor 160.119.76.24 conducted comprehensive reconnaissance against industrial control systems and enterprise services on April 24, 2026, targeting multiple ICS/SCADA protocols including Modbus, S7comm, DNP3, and EtherNet/IP alongside traditional IT services. Despite the broad protocol coverag…
External IP address 90.151.171.108 conducted sustained reconnaissance and CRLF injection attacks against web services from February 17 to April 16, 2026, generating 2,742 security events. The activity represents a MEDIUM threat level with moderate confidence, indicating potential preparation for web…