Posts tagged: SCANNER

66 posts
LOW 167.172.64.18

Automated reconnaissance scanning targeting the Kubernetes kubelet API (port 10250) was observed from Singapore-based IP 167.172.64.18 on 2026-03-04 at 23:00. Assessment indicates a MEDIUM threat level, with potential for cluster enumeration leading to container escape or compromise if kubelet APIs are mis…

LOW 87.106.146.151

IP address 87.106.146.151 (Germany) conducted low-volume reconnaissance scanning targeting HTTP login endpoints between February 26 and March 5, 2026. Assessment indicates a LOW threat level with potential for escalation to credential attacks. Organizations should monitor for follow-up authentication att…

HIGH 185.247.137.40

The threat actor at 185.247.137.40 conducted reconnaissance scanning targeting industrial control systems over a 32-day period, specifically probing the EtherNet/IP and Modbus protocols commonly used in operational technology environments. Assessment indicates a LOW threat level with potential for escalation…

LOW 216.180.246.151

IP address 216.180.246.151 conducted reconnaissance scanning targeting administrative login interfaces on March 21, 2026 between 09:00 and 10:00 UTC, generating 63 security events over a 4-minute window. This activity represents MEDIUM-risk pre-attack reconnaissance consistent with credential harvesting…

LOW 104.164.8.186

Low-severity scanning activity was detected from IP 104.164.8.186 (Nodestop LLC/US) conducting automated reconnaissance against authentication endpoints over a 5-day period. Assessment indicates typical opportunistic scanning with a LOW threat level and 85% confidence. Network defenders should monitor fo…

LOW 85.217.140.52

External IP 85.217.140.52 (AS209334 Modat B.V.) conducted sustained reconnaissance activities over 16 days targeting network infrastructure, including Kubernetes etcd services and FortiGate devices. The assessed threat level is LOW with medium confidence, representing preliminary information gathering t…

LOW 47.250.189.15

Malaysian IP address 47.250.189.15 conducted automated reconnaissance scanning against Kubernetes API server infrastructure (port 6443) on March 3, 2026 at approximately 17:00 UTC. This represents low-severity threat activity focused on service discovery rather than active exploitation. Immediate b…

LOW 20.168.121.187

Automated reconnaissance activity targeting Kubernetes API servers was observed from IP 20.168.121.187 on March 4, 2026 at 00:00 UTC. The attacker conducted version disclosure scans against port 6443 using the zgrab scanner to gather intelligence for potential follow-up attacks. Network defenders should…

LOW 165.154.104.88

A threat actor at 165.154.104.88 (Vietnam/UCLOUD) conducted low-severity reconnaissance targeting Kubernetes dashboard resources over a 15-minute window on 2026-03-13 between 19:00 and 20:00 UTC. Assessment indicates automated scanning activity with medium-confidence targeting of container orchestration infrastr…

HIGH 85.217.140.4

High-confidence reconnaissance activity targeting Kubernetes kubelet API infrastructure was detected from French-hosted IP 85.217.140.4 between February 28 and March 20, 2026. This scanning represents initial discovery phase activity against container orchestration platforms with a HIGH threat assessment…

LOW 87.121.84.6

A threat actor operating from IP 87.121.84.6 (Netherlands/VPSVAULT.HOST) conducted automated reconnaissance against GeoServer applications over a 44-hour period ending 2026-02-28 21:00 UTC. Activity is assessed at a MEDIUM threat level, representing the initial discovery phase of a likely multi-stage attack campai…

LOW 176.65.148.52

Automated reconnaissance activity was detected from IP 176.65.148.52 (Netherlands/AS51396 Pfcloud UG) conducting systematic scanning operations against login endpoints over a 13-day period from February 28 to March 13, 2026. Assessment indicates LOW threat severity with 85% confidence, representing ini…

HIGH 45.156.129.164

IP address 45.156.129.164 (AS211680 Sistemas Informaticos, S.A.) conducted vulnerability scanning activities against multiple targets from March 2, 2026 at 22:00 through March 19, 2026 at 04:00. The threat is assessed as MEDIUM severity based on reconnaissance behavior patterns and maximum AbuseIPDB repu…

LOW 193.142.146.230

Source IP 193.142.146.230 (Netherlands/ColocaTel Datacenter) conducted low-severity reconnaissance activities against authentication endpoints over a 16-day period from February 26 to March 14, 2026. The activity involved automated scanning using Go HTTP clients with limited credential testing atte…

HIGH 198.211.115.185

IP address 198.211.115.185 conducted an intensive web exploitation campaign on March 18, 2026, executing 217 attack events over a 3-hour window targeting web applications through Local File Inclusion (LFI) attacks and vulnerability scanning. This represents a HIGH threat level based on the concentr…
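
For the LFI campaign above, the detection question is how to recognise traversal payloads that arrive URL-encoded, double-encoded, with backslashes, with a NUL byte, or through a PHP stream wrapper. The block below is an added example rather than anything from the original post: it normalises each path and query value before matching, so the evasions reach the pattern in their decoded form, and it separates a bare `../` (suspicious) from a traversal that reaches a sensitive file or a wrapper (LFI). The request targets are constructed and the pattern set is a starting point, not a complete ruleset.

```python
"""Flag Local File Inclusion / path-traversal payloads in HTTP request targets.

Added example, not code from the original post. The request targets below are
constructed, and the indicator patterns are a starting set, not a complete
ruleset.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

TRAVERSAL = re.compile(r"\.\./")                       # checked after \ -> / folding
SENSITIVE_FILE = re.compile(
    r"(/etc/(passwd|shadow|hosts)|/proc/self/(environ|cmdline)|win\.ini|boot\.ini"
    r"|wp-config\.php|\.env$|\.ssh/id_rsa)", re.I)
STREAM_WRAPPER = re.compile(
    r"^(php://(filter|input)|data:|expect://|file://|zip://|phar://)", re.I)


def normalize(value):
    """Peel up to two layers of URL encoding, fold backslashes, drop NUL bytes."""
    cur = value
    for _ in range(2):
        decoded = unquote(cur)
        if decoded == cur:
            break
        cur = decoded
    return cur.replace("\\", "/").replace("\x00", "")


def analyze(target):
    """Return indicators and a verdict for one request target (path + query)."""
    parts = urlsplit(target)
    # parse_qsl already decodes one layer; normalize() handles a second one.
    candidates = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    indicators = set()
    for raw in candidates:
        val = normalize(raw)
        if TRAVERSAL.search(val):
            indicators.add("traversal")
        if SENSITIVE_FILE.search(val):
            indicators.add("sensitive-file")
        if STREAM_WRAPPER.match(val):
            indicators.add("stream-wrapper")
    if indicators and unquote(target) != target:
        indicators.add("url-encoded")        # the payload relied on decoding to land
    if {"sensitive-file", "stream-wrapper"} & indicators:
        verdict = "lfi"
    elif "traversal" in indicators:
        verdict = "suspicious"               # ../ in a raw request is unusual but not proof
    else:
        verdict = "clean"
    return {"target": target, "indicators": sorted(indicators), "verdict": verdict}


# Constructed request targets (not taken from the post's own telemetry).
SAMPLE_TARGETS = [
    "/index.php?page=../../../../etc/passwd",                          # plain traversal
    "/index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd",   # double URL-encoded
    "/index.php?page=php://filter/convert.base64-encode/resource=config.php",  # PHP wrapper
    "/static/..%5c..%5cwindows%5cwin.ini",                             # backslashes, encoded
    "/?file=....//....//etc/shadow%00.png",                            # strip-once evasion + NUL
    "/products?id=42",                                                 # benign
    "/docs/../assets/logo.png",                                        # traversal with no target
]


def flagged(targets=SAMPLE_TARGETS):
    """Targets whose verdict is not clean, in input order."""
    return [r for r in map(analyze, targets) if r["verdict"] != "clean"]


if __name__ == "__main__":
    for r in map(analyze, SAMPLE_TARGETS):
        print(f"{r['verdict']:10} {r['indicators']}  {r['target']}")
```

Running the block flags six of the seven constructed targets; only `/products?id=42` comes back clean, and `/docs/../assets/logo.png` is reported as suspicious rather than LFI because no sensitive file or wrapper is named. Keying the verdict on the normalised value rather than the raw request is what makes the double-encoded and NUL-byte variants land in the same bucket as the plain one.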

CRITICAL 85.217.140.45

French IP address 85.217.140.45 conducted sustained reconnaissance against Kubernetes infrastructure over a 9-day period, specifically targeting etcd databases and cluster dashboards using ModatScanner tooling. This represents a MEDIUM threat level with potential Advanced Persistent Threat characte…

CRITICAL 152.32.148.140

A US-based threat actor (152.32.148.140) conducted targeted attacks against industrial control systems and IoT infrastructure on March 10, 2026, employing Modbus protocol exploitation and MQTT reconnaissance techniques. The attacker demonstrates sophisticated knowledge of operational technology envi…

CRITICAL 8.148.22.190

A Chinese-hosted threat actor (8.148.22.190) conducted intensive multi-protocol reconnaissance targeting enterprise services, including Oracle TNS, SMB, and web applications, during a concentrated 2-minute window on March 2, 2026. The attacker demonstrates sophisticated capabilities with 13 exposed…

CRITICAL 104.164.8.29

IP address 104.164.8.29 (Nodestop LLC/AS400536) conducted low-severity reconnaissance scanning against authentication endpoints using automated tooling between February 28 and March 5, 2026. Despite the low immediate threat assessment, the source exhibits a maximum AbuseIPDB reputation score and re…

LOW 216.180.246.96

IP address 216.180.246.96 conducted targeted vulnerability scanning against network infrastructure on March 11, 2026, between 22:00 and 24:00 UTC. The activity represents low-to-medium-risk automated reconnaissance, with 127 events recorded over an 11-minute window. Organizations should monitor for simi…

LOW 167.94.146.58

A threat actor operating from IP 167.94.146.58 conducted targeted reconnaissance against industrial control systems over a 21-day period, employing the Siemens S7comm and Modbus protocols to probe critical infrastructure. The activity represents a MEDIUM threat level with potential for escalation to oper…
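
The three ICS entries on this page (EtherNet/IP and Modbus probing, Modbus exploitation alongside MQTT reconnaissance, and S7comm plus Modbus above) come down to decoding a handful of bytes: the Modbus function code tells a read from a write, FC 43 with MEI type 14 is the classic device-identification probe, an EtherNet/IP ListIdentity is a 24-byte little-endian header with command 0x0063, and an S7 COTP connect request carries the called TSAP that names the rack and slot being targeted. The block below is an added example, not code from any of these posts: it parses constructed payloads for those three protocols and assigns a severity that treats a Modbus write as more serious than identification or read traffic. The sample bytes, category names and severity scheme are this example's own.

```python
"""Classify ICS protocol probes seen on a honeypot: Modbus/TCP, EtherNet/IP, S7comm.

Added example, not code from the original posts. The byte strings are
constructed to resemble common scanner probes; field offsets follow the public
Modbus/TCP, EtherNet/IP encapsulation and TPKT/COTP layouts, while the
category names and severities are this example's own.
"""
import struct

MODBUS_FUNCS = {
    1: "read-coils", 2: "read-discrete-inputs", 3: "read-holding-registers",
    4: "read-input-registers", 5: "write-single-coil", 6: "write-single-register",
    15: "write-multiple-coils", 16: "write-multiple-registers",
    17: "report-slave-id", 43: "encapsulated-interface-transport",
}
MODBUS_WRITES = {5, 6, 15, 16}
ENIP_COMMANDS = {0x0004: "list-services", 0x0063: "list-identity",
                 0x0064: "list-interfaces", 0x0065: "register-session"}


def parse_modbus(data):
    """MBAP header (tid, proto=0, length, unit) followed by function code + data."""
    if len(data) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0 or length != len(data) - 6:    # length counts unit id + PDU
        return None
    fc = data[7]
    name = MODBUS_FUNCS.get(fc, "unknown")
    if fc == 43 and len(data) >= 9 and data[8] == 0x0E:
        name = "read-device-identification"     # MEI type 14: vendor/product/version strings
    return {"proto": "modbus", "unit": unit, "function": fc, "name": name,
            "intent": "write" if fc in MODBUS_WRITES else "read"}


def parse_enip(data):
    """EtherNet/IP encapsulation header: 24 bytes, little-endian."""
    if len(data) < 24:
        return None
    command, length, _session, _status = struct.unpack("<HHII", data[:12])
    if length != len(data) - 24:
        return None
    return {"proto": "enip", "command": command,
            "name": ENIP_COMMANDS.get(command, "unknown"), "intent": "read"}


def parse_s7_cotp(data):
    """TPKT + COTP. A connect request (0xE0) with a called TSAP reveals the targeted rack/slot."""
    if len(data) < 7 or data[0] != 0x03 or data[1] != 0x00:
        return None
    if struct.unpack(">H", data[2:4])[0] != len(data):
        return None
    pdu_type = data[5] & 0xF0
    out = {"proto": "s7comm", "intent": "read",
           "cotp": {0xE0: "connect-request", 0xF0: "data"}.get(pdu_type, "other")}
    if pdu_type == 0xE0:
        i = 11                                    # after dst ref, src ref, class
        while i + 1 < len(data):
            code, plen = data[i], data[i + 1]
            if code == 0xC2 and plen == 2:        # called (destination) TSAP
                out["dst_tsap"] = data[i + 2:i + 4].hex()
                out["rack"] = (data[i + 3] >> 5) & 0x07
                out["slot"] = data[i + 3] & 0x1F
            i += 2 + plen
    return out


def classify_ics_probe(dport, data):
    parser = {502: parse_modbus, 44818: parse_enip, 102: parse_s7_cotp}.get(dport)
    result = parser(data) if parser else None
    if result is None:
        return {"proto": "unknown", "intent": "none", "severity": "LOW"}
    # Writes to a live PLC change process state; reads and identification are reconnaissance.
    result["severity"] = "HIGH" if result["intent"] == "write" else "MEDIUM"
    return result


# Constructed samples: (destination port, payload bytes)
SAMPLES = [
    (502, bytes.fromhex("000100000005012b0e0100")),           # Modbus FC43/MEI14 read device id
    (502, bytes.fromhex("0002000000020111")),                 # Modbus FC17 report slave id
    (502, bytes.fromhex("000300000006010600100001")),         # Modbus FC6 write register 0x10 := 1
    (44818, bytes.fromhex("6300") + bytes(22)),               # EtherNet/IP ListIdentity
    (102, bytes.fromhex("0300001611e00000000100c1020100c2020102c0010a")),  # COTP CR, TSAP 01.02
    (502, b"GET / HTTP/1.1\r\n"),                             # wrong protocol on 502
]


def classify_samples():
    return [classify_ics_probe(port, payload) for port, payload in SAMPLES]


if __name__ == "__main__":
    for (port, _), r in zip(SAMPLES, classify_samples()):
        print(port, r.get("severity"), r.get("name") or r.get("cotp") or r["proto"])
```

The length checks in each parser are what keep the classifier honest on a honeypot: a scanner that throws an HTTP request at port 502 must not be reported as a Modbus write, and the MBAP length field and TPKT length are cheap ways to reject such noise before reading a function code out of it.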

LOW 85.217.140.40

IP address 85.217.140.40 (France) conducted sustained reconnaissance activities against multiple network services from March 5-12, 2026, generating 150 security events across 7 destination ports. The threat is assessed as MEDIUM risk due to persistent scanning behavior and maximum AbuseIPDB reputat…

HIGH 167.94.138.120

IP address 167.94.138.120 conducted a focused 4-hour reconnaissance campaign on March 12, 2026, targeting Kubernetes infrastructure with 172 attack events combining automated scanning and API enumeration techniques. The activity demonstrates medium-severity threat characteristics with potential APT…
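
The Kubernetes entries on this page (kubelet port 10250, API server port 6443 version probes with zgrab, etcd, the dashboard, and the 172-event API enumeration run in this entry) differ mainly in which cluster surface was touched and at what rate, which is what separates a LOW service-discovery probe from a CRITICAL exec attempt. The block below is an added example, not code from any of these posts: it classifies constructed honeypot request records by destination port and path, scores each source by its most dangerous category, and uplifts sustained bursts by one level. The event format, sample lines, category names, ranks, burst threshold and scanner user-agent substrings are all assumptions of this example.

```python
"""Classify Kubernetes-facing probes in honeypot HTTP events by surface and rate.

Added example, not code from the original posts. The event format, sample
events, category names, ranks and burst threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events, one per line:
# "<UTC timestamp> <src_ip> <dst_port> <method> <path> <user-agent>"
SAMPLE_EVENTS = """\
2026-03-04T00:00:01Z 20.168.121.187 6443 GET /version Mozilla/5.0 zgrab/0.x
2026-03-04T00:00:01Z 20.168.121.187 6443 GET /api/v1/namespaces Mozilla/5.0 zgrab/0.x
2026-03-04T23:00:10Z 167.172.64.18 10250 GET /pods python-requests/2.31
2026-03-04T23:00:11Z 167.172.64.18 10250 GET /runningpods/ python-requests/2.31
2026-03-04T23:00:12Z 167.172.64.18 10250 POST /run/kube-system/kube-proxy/kube-proxy python-requests/2.31
2026-03-13T19:05:00Z 165.154.104.88 8443 GET /api/v1/login Go-http-client/1.1
2026-03-13T19:05:01Z 165.154.104.88 8443 GET /api/v1/csrftoken/login Go-http-client/1.1
2026-03-05T10:00:00Z 85.217.140.52 2379 GET /version ModatScanner/1.0
2026-03-05T10:00:00Z 85.217.140.52 2379 GET /v2/keys/?recursive=true ModatScanner/1.0
2026-03-01T12:00:00Z 198.51.100.7 443 GET /index.html Mozilla/5.0
"""

KUBELET_READ = re.compile(r"^/(pods|runningpods|spec|stats|metrics|healthz)(/|$)")
KUBELET_EXEC = re.compile(r"^/(run|exec|attach|portForward)/")
APISERVER_ENUM = re.compile(r"^/(api|apis)(/|$)")
ETCD_DATA = re.compile(r"^/(v2/keys|v3/kv)(/|$|\?)")
SCANNER_UA = ("zgrab", "modatscanner", "go-http-client", "python-requests", "masscan")

# Rank 1..4 maps to LOW..CRITICAL; the ordering is this example's own judgement.
RANK = {"apiserver-version-disclosure": 1, "dashboard-probe": 1, "kubelet-other": 1,
        "apiserver-other": 1, "kubelet-enumeration": 2, "apiserver-enumeration": 2,
        "etcd-probe": 2, "etcd-data-read": 3, "kubelet-exec-attempt": 4}
LABEL = {1: "LOW", 2: "MEDIUM", 3: "HIGH", 4: "CRITICAL"}


def parse_event(line):
    ts, src, port, method, path, ua = line.split(None, 5)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "port": int(port), "method": method.upper(), "path": path, "ua": ua}


def classify_k8s_request(port, method, path):
    """Map one request to a Kubernetes recon category; None if not a K8s surface."""
    if port == 10250:                                  # kubelet
        if method == "POST" and KUBELET_EXEC.match(path):
            return "kubelet-exec-attempt"              # beyond recon: runs a command in a pod
        return "kubelet-enumeration" if KUBELET_READ.match(path) else "kubelet-other"
    if port == 6443:                                   # kube-apiserver
        if path == "/version":
            return "apiserver-version-disclosure"      # usually answered without credentials
        return "apiserver-enumeration" if APISERVER_ENUM.match(path) else "apiserver-other"
    if port == 2379:                                   # etcd client port
        return "etcd-data-read" if ETCD_DATA.match(path) else "etcd-probe"
    if port == 8443:                                   # kubernetes-dashboard default port
        return "dashboard-probe"
    return None


def summarize_sources(events_text, burst_per_min=30.0):
    """Group K8s-related events per source and score each source."""
    by_src = defaultdict(list)
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        cat = classify_k8s_request(ev["port"], ev["method"], ev["path"])
        if cat is not None:
            ev["category"] = cat
            by_src[ev["src"]].append(ev)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        span_s = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        rate = len(evs) / max(span_s, 60.0) * 60.0    # one-minute floor: 2 requests is not "120/min"
        rank = max(RANK[e["category"]] for e in evs)
        if rate >= burst_per_min and rank < 4:
            rank += 1                                  # sustained bursts are uplifted one level
        report[src] = {"events": len(evs), "span_s": span_s, "rate_per_min": round(rate, 1),
                       "categories": sorted({e["category"] for e in evs}),
                       "scanner_ua": any(s in e["ua"].lower() for e in evs for s in SCANNER_UA),
                       "severity": LABEL[rank]}
    return report


if __name__ == "__main__":
    for src, info in summarize_sources(SAMPLE_EVENTS).items():
        print(f"{src:16} {info['severity']:8} {info['events']:3} events {info['categories']}")
```

On the constructed input the kubelet source ends up CRITICAL because of the POST to `/run/`, the etcd source HIGH because `/v2/keys` reads data rather than just `/version`, the zgrab source MEDIUM for enumerating `/api/v1/namespaces`, and the dashboard source LOW; the plain port 443 request is ignored as not a Kubernetes surface. The burst uplift is what would move a 63-events-in-4-minutes login-scanning source like the ones listed above up a level even when every individual request is low-rank.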

LOW 46.21.82.34

IP address 46.21.82.34 (Germany) conducted vulnerability scanning operations against multiple targets from March 9-12, 2026, generating 104 security events across HTTP/HTTPS protocols. The activity represents low-to-medium threat reconnaissance behavior typical of automated scanning tools. Network …

LOW 66.132.153.130

IP address 66.132.153.130 conducted sustained reconnaissance and scanning activities against multiple targets from March 3-12, 2026, generating 118 security events across web services and infrastructure ports. The activity demonstrates medium-severity automated scanning behavior with a focus on servic…