Threat Intelligence Feed — Tag: SCANNER

Malicious activity detected from 94.26.106.30 (DE, AS48452). 273 events observed across ADB, TCP, TCP/SYN, http. AI verdict: NOISE.

Malicious activity detected from 185.150.191.165 (US, AS23470). 4719 events observed across HTTP, HTTPS, TCP, TCP/SYN, TLS. AI verdict: NOISE.

IP address 66.132.172.138 conducted extensive multi-protocol reconnaissance over 42 days (April 2-May 14, 2026), generating 667 security events targeting industrial control systems, Kubernetes infrastructure, and network services. Despite high-severity exploit signatures, this activity is assessed a…

An IP address from Bulgaria (79.124.40.174) has been observed conducting HTTP GET requests to actuator endpoints across multiple systems since March 25, 2026. The activity is assessed as low threat but indicative of scanning behavior targeting potential vulnerabilities. Network defenders should moni…

External IP 185.247.137.206 conducted sustained multi-protocol reconnaissance targeting Oracle databases and industrial control systems over a 10-week period from February to April 2026. The campaign demonstrates medium-severity threat activity with 61 recorded events spanning database enumeration, …

IP address 66.132.172.182 conducted an extensive 32-day scanning campaign from March 25 to April 26, 2026, targeting multiple protocols including industrial control systems, Kubernetes infrastructure, and enterprise services. Despite generating 490 security events across 8 destination ports, this ac…

IP address 185.247.137.238 conducted sustained reconnaissance targeting industrial control systems and database services over a 72-day period from February 12 to April 24, 2026. The threat actor employed multi-protocol scanning techniques including Siemens S7COMM, Oracle TNS, and Modbus protocols, i…

Threat actor 185.247.137.224 conducted sustained multi-protocol reconnaissance activities over 65 days, targeting industrial control systems (Modbus), IoT infrastructure (MQTT), and web services across 7 unique ports. The campaign demonstrates systematic vulnerability scanning with particular focus …

Threat actor operating from 104.243.34.165 conducted an 18-day reconnaissance campaign targeting hidden environment files and multiple network services, generating 2,504 malicious events between April 4-22, 2026. The activity demonstrates systematic information gathering techniques consistent with c…

IP address 85.217.140.37 conducted a sustained multi-protocol reconnaissance campaign from March 7 to April 20, 2026, targeting 16 unique ports across FTP, MQTT, Oracle, RDP, SMTP, and SSH services with 97 total events. This activity represents low-risk service discovery and enumeration rather than …

IP address 66.132.172.198 conducted a 24-day reconnaissance and exploitation campaign from March 24 to April 17, 2026, targeting industrial control systems (S7comm), SMB services, and network infrastructure across multiple protocols. The threat is assessed as LOW severity with 85% confidence, repres…

IP address 85.217.140.39 conducted sustained reconnaissance activities from March 16 to April 16, 2026, targeting multiple protocols including FTP, HTTP, MQTT, and TLS services across 11 unique ports. Assessment indicates MEDIUM threat level with 85% confidence, representing initial attack phase act…

IP address 66.132.153.123 conducted automated reconnaissance against FortiGate appliances and industrial control systems over a 12-day period from March 4-16, 2026. This represents medium-severity preparatory activity for potential follow-on attacks against network security infrastructure and ICS en…

IP address 35.216.140.3 conducted a sustained 41-day reconnaissance campaign targeting web applications and network services, attempting to access sensitive configuration files and probing RDP/SMB services. The activity represents a MEDIUM threat level with moderate sophistication, likely representi…

External IP address 45.33.12.214 conducted sustained multi-protocol reconnaissance activity over 42 days (March 3-April 14, 2026), targeting SMB, RDP, HTTP, and TLS services across 4 unique ports with 55 total events observed. Assessment indicates low-to-moderate threat level focused on network enum…

External threat actor 85.217.140.43 conducted sustained reconnaissance against critical infrastructure systems over 36 days, targeting BACnet building automation systems, Kubernetes dashboards, and RDP services across 15 unique ports. This medium-risk activity represents typical pre-attack intellige…

Threat actor operating from IP 185.177.72.61 conducted systematic reconnaissance against web applications, attempting to access sensitive configuration files including .env defaults and Git repositories over a 21-day period ending April 8, 2026 at 06:00. This medium-severity activity represents typi…

IP address 66.132.172.96 conducted extensive reconnaissance targeting industrial control systems and enterprise infrastructure between March 20-April 7, 2026, with 326 observed events focusing on Siemens S7, Modbus, Oracle, and Kubernetes protocols. This activity represents a HIGH threat level with …

IP address 87.121.79.222 (Netherlands/AS213725) conducted extensive reconnaissance activity from March 30 to April 5, 2026, targeting SSH, VNC, and Kubernetes infrastructure with 1,569 recorded events across 14 unique ports. The campaign demonstrates systematic scanning behavior with particular focu…

Automated SMTP relay attempts and vulnerability scanning observed from IP 178.16.52.2 between March 11-26, 2026, generating 115 security events targeting port 25/TCP. Assessment indicates low-sophistication automated activity with minimal threat impact. Standard email security hardening and monitori…

IP address 85.217.140.53 conducted a sustained multi-protocol scanning campaign from March 11-28, 2026, targeting Oracle database, SSH, and Kubernetes services across 7 unique ports with 92 total events. Assessment indicates low-sophistication automated reconnaissance activity with minimal immediate…

IP address 204.76.203.30 conducted a month-long HTTP scanning campaign from February 27 to March 27, 2026, generating 586 security events targeting multiple network services. The sustained reconnaissance activity using automated tooling indicates MEDIUM threat level with potential for escalation to …

Automated reconnaissance activity from IP 45.205.1.50 has been observed probing for HTTP proxy functionality on port 9001 using Go HTTP client, likely testing systems for potential abuse as traffic relay infrastructure. This represents a MEDIUM threat level with moderate confidence, indicating prepa…

High-confidence Oracle database reconnaissance activity detected from French IP 85.217.140.50 (AS209334 Modat B.V.) targeting database infrastructure over a 15-day period from March 7-22, 2026. This represents initial attack phase activity that typically precedes Oracle-specific exploitation attempt…

IP address 87.236.176.48 (Leeds, UK) conducted multi-protocol reconnaissance targeting MQTT services and general network infrastructure over 18 days, generating 21 security events. Assessment indicates low-to-medium risk research scanning activity with MQTT-specific targeting that warrants monitorin…