IP address 66.132.153.127 conducted an 11-day reconnaissance campaign from March 1-12, 2026, targeting Fortinet appliances and SMTP services with 141 recorded events. The threat actor demonstrates medium-severity scanning behavior focused on network infrastructure enumeration. Organizations should …
Posts tagged: SCANNER (66 posts)
Threat actor operating from IP 85.217.140.13 (AS209334 Modat B.V., France) conducted sustained reconnaissance targeting industrial control systems using Modbus protocol scanning from February 18 to March 13, 2026. Assessment indicates medium threat level with 71 recorded events demonstrating persis…
Threat actor operating from IP 45.156.87.91 (Netherlands/SkyLink Data Center) conducted sustained network reconnaissance activities over 16 days targeting organizational infrastructure. Assessment indicates MEDIUM threat level with active scanning operations likely preceding exploitation attempts. …
Malicious actor at 85.217.140.30 (Modat B.V./AS209334) conducted active reconnaissance scanning against network infrastructure on 2026-03-13 between 13:00-14:00 UTC. The threat actor maintains a maximum AbuseIPDB reputation score of 100/100, indicating sustained malicious activity across multiple n…
A host originating from The University of Auckland network (130.216.217.88) conducted targeted Kubernetes API enumeration and reconnaissance activities over a 4-hour period on March 13, 2026. The activity demonstrates medium-severity scanning behavior focused on container orchestration infrastructu…
IP address 85.217.140.32 (Modat B.V./AS209334) conducted sustained reconnaissance scanning against multiple targets from March 3-14, 2026. This represents medium-severity threat activity with 42 recorded events targeting HTTPS services. Network defenders should implement blocking measures and monit…
A US-based actor conducted focused vulnerability scanning and FortiGate SSL VPN exploitation attempts against internet-facing infrastructure over a 2-hour window on 2026-02-28. The activity generated 125 events targeting a single destination port, indicating automated tooling focused on specific att…
Automated reconnaissance activity observed from 87.106.164.191 (IONOS SE/Germany) conducting HTTP-based scanning operations over a 7-day period with 86 total events. Assessed as LOW threat level with medium-confidence scanner classification exhibiting bot-like user agent patterns. Actor demonstrated …
A US-based threat actor conducted targeted reconnaissance against Kubernetes infrastructure over a 4-hour window on March 10, 2026, generating 127 events between 11:00-11:00 UTC. The activity combined automated scanning behavior consistent with Censys research infrastructure alongside specific Kube…
Internet-facing sensors observed medium-severity reconnaissance activity from IP 45.148.10.23 (Netherlands/AS48090) conducting Local File Inclusion (LFI) attacks targeting Git configuration files and vulnerability scanning across 27 events over a 12-hour period from February 26-27, 2026. The threat…
A Linux-based threat actor operating from US infrastructure conducted sustained web application exploitation attempts over a 9-day period, generating 2,244 malicious events targeting HTTP services. The actor demonstrated HIGH threat level activity through systematic Local File Inclusion (LFI) attack…
External threat actor at 167.94.146.61 conducted sustained reconnaissance activities from February 24 to March 9, 2026, targeting SMB services with legacy SMBv1 protocol exploitation attempts across 45 recorded events. Assessment indicates HIGH threat level due to SMBv1 vulnerability exploitation p…
IP address 27.123.241.43 (India-based) conducted credential brute force attacks against BoaForm admin interfaces on embedded devices and routers, exploiting CVE-2021-46422. This represents a MEDIUM severity threat with potential for device compromise and lateral network movement. Organizations shou…
Malicious actor at 87.106.111.135 (IONOS SE/Germany) conducted sustained scanning operations against network infrastructure from February 28 to March 5, 2026, with a maximum AbuseIPDB threat score of 100/100. This represents a HIGH threat level indicating active reconnaissance likely preceding expl…
IP address 167.94.146.57 conducted a sustained 16-day reconnaissance campaign from February 19-March 7, 2026, targeting Kubernetes APIs and conducting broad network scanning activities. The threat actor demonstrated knowledge of container orchestration environments and employed multiple protocols (…
A Moroccan threat actor (196.115.7.197) conducted a sustained web application attack campaign from February 27-March 4, 2026, targeting sensitive configuration files and conducting vulnerability scanning. The attacker demonstrates medium-severity capabilities with Local File Inclusion (LFI) techniq…