Posts tagged: RDP_SCAN

15 posts
HIGH 85.217.140.37

IP address 85.217.140.37 conducted a sustained multi-protocol reconnaissance campaign from March 7 to April 20, 2026, targeting 16 unique ports across FTP, MQTT, Oracle, RDP, SMTP, and SSH services with 97 total events. This activity represents low-risk service discovery and enumeration rather than …

CRITICAL 65.49.1.108

IP address 65.49.1.108 conducted a 41-day reconnaissance campaign from March 8-April 18, 2026, targeting industrial control systems and network infrastructure across 14 unique ports using multiple protocols including S7comm, RDP, and Fortinet device probes. Despite the broad attack surface and ICS t…

HIGH 35.216.140.3

IP address 35.216.140.3 conducted a sustained 41-day reconnaissance campaign targeting web applications and network services, attempting to access sensitive configuration files and probing RDP/SMB services. The activity represents a MEDIUM threat level with moderate sophistication, likely representi…

HIGH 65.49.20.69

Threat actor at 65.49.20.69 conducted sustained multi-protocol reconnaissance targeting FortiGate appliances, industrial control systems, and IoT devices over 54 days from February 21 to April 15, 2026. Activity demonstrates medium-severity threat with focus on critical infrastructure enumeration ac…

HIGH 45.91.64.7

IP address 45.91.64.7 conducted sustained multi-protocol reconnaissance against network infrastructure from February 21 to April 11, 2026, generating 89 security events across 14 unique ports. The campaign primarily focused on SMTP probing with secondary targeting of RDP and SSH services, assessed a…

HIGH 85.217.140.43

External threat actor 85.217.140.43 conducted sustained reconnaissance against critical infrastructure systems over 36 days, targeting BACnet building automation systems, Kubernetes dashboards, and RDP services across 15 unique ports. This medium-risk activity represents typical pre-attack intellige…

HIGH 80.94.95.55

Romanian-based threat actor at 80.94.95.55 conducted extensive multi-protocol reconnaissance targeting RDP, ICS protocols, SSH, and VNC services over a 9-day period from March 29-April 7, 2026. The campaign generated 134,308 events with notable focus on industrial control systems (S7COMM protocol) a…

HIGH 149.50.96.56

High-volume RDP scanning activity detected from 149.50.96.56 (Warsaw, Poland) targeting network infrastructure over a 20-hour period from April 4-5, 2026. Assessment indicates automated reconnaissance with medium threat level due to scan volume but low sophistication. Recommend standard RDP hardening …

HIGH 141.98.83.86

A Windows-based threat actor operating from Romanian hosting provider Flyservers S.A. (141.98.83.86) conducted an intensive multi-protocol scanning campaign between March 29 and April 4, 2026, generating over 94,000 malicious events targeting RDP, SSH, and industrial control systems. The activity repres…

HIGH 88.47.170.77

Our sensors detected sustained RDP scanning activity from IP 88.47.170.77 (Milan, Italy) between March 29 and April 4, 2026, generating over 132,000 events targeting RDP services. This activity is assessed as low-severity reconnaissance noise with medium confidence, consistent with opportunistic scannin…

HIGH 36.133.107.88

A Windows Server 2016 host operating from China Mobile's network (36.133.107.88) conducted intensive RDP scanning activities over a 5-day period from March 29-April 3, 2026, generating over 52,000 security events. This activity represents routine opportunistic scanning with medium severity and poses…

HIGH 80.94.95.143

IP address 80.94.95.143 (Romania, AS204428) conducted sustained RDP reconnaissance against network infrastructure from March 30-April 3, 2026, generating over 160,000 connection attempts. This activity represents low-severity automated scanning to identify active RDP services for potential future ex…

MEDIUM 36.138.184.167

IP address 36.138.184.167 conducted sustained RDP reconnaissance activity from March 30-April 1, 2026, generating 6,586 events targeting RDP services through X.224 connection requests. This represents low-severity network discovery activity consistent with automated scanning for exposed RDP endpoint…

HIGH 36.133.80.107

Threat actor at IP 36.133.80.107 conducted intensive RDP reconnaissance against network infrastructure on March 30, 2026 between 07:00 and 20:00 UTC, generating over 10,000 scanning events. This activity represents the initial reconnaissance phase of a potential RDP exploitation campaign and is assessed as LOW i…

HIGH 91.239.248.69

IP address 91.239.248.69 conducted intensive RDP reconnaissance against network infrastructure on March 29, 2026, generating over 21,000 scanning events targeting port 3389. This medium-severity activity represents initial reconnaissance-phase operations that typically precede credential brute-forc…