Posts tagged: SMB

53 posts

Russian-origin IP address 89.109.8.38 conducted SMBv1 protocol negotiation attempts against non-standard port 9001 on February 26, 2026 at 17:00 hours. This reconnaissance activity presents medium risk due to SMBv1's inherent vulnerabilities and potential for lateral movement exploitation. Network d…

External threat actor operating from Lithuanian IP address 185.36.81.23 conducted sustained SMBv1 reconnaissance against network infrastructure over a 30-day period ending March 23, 2026. This activity represents high-risk probing for EternalBlue-vulnerable systems and indicates potential preparatio…
External IP 1.22.230.154 (Bengaluru, India) conducted sustained SMB reconnaissance against non-standard ports using deprecated SMBv1 protocol over a 5-hour period on March 4, 2026. This activity represents medium-risk reconnaissance that could precede exploitation of SMB vulnerabilities. Organizatio…
Russian-origin IP address 81.29.142.6 conducted sustained multi-protocol reconnaissance targeting industrial control systems and enterprise services over a 40-day period from February 12 to March 24, 2026. Despite 468 recorded events across 11 protocols including EtherNet/IP, Modbus, and MQTT, the a…
Russian-origin IP address 109.95.121.70 conducted sustained SMB reconnaissance targeting organizational networks over a 23-day period from February 25 to March 20, 2026, generating 143 security events. The activity primarily leveraged vulnerable SMBv1 protocol for network enumeration and represents …
Russian-origin IP address 95.25.169.123 conducted sustained SMBv1 protocol reconnaissance against non-standard port 9001 over a 15-day period from February 15 to March 2, 2026. This activity represents HIGH-risk reconnaissance likely preparing for lateral movement exploitation of legacy SMB services. O…
External threat actor at 109.95.35.214 (Ukraine/AS31725) conducted sustained SMB reconnaissance against network infrastructure over 10 days, generating 252 security events targeting SMB services. Assessed as MEDIUM threat level with 85% confidence due to legacy SMB1 protocol usage indicating potent…
External IP address 202.69.35.118 (Pakistan/Lahore) conducted sustained SMB reconnaissance against network infrastructure between 18 March 2026 05:00-10:00 UTC, generating 6,655 security events targeting port 445. This activity represents MEDIUM-risk reconnaissance behavior consistent with pre-atta…
Brazilian IP address 170.233.6.1 conducted SMB reconnaissance activities over 24 days, probing for legacy SMB protocol support including SMBv1. This represents medium-risk reconnaissance activity that typically precedes SMB-based exploitation attempts. Organizations should immediately audit SMB exp…
External threat actor 109.95.35.130 conducted sustained SMBv1 reconnaissance activities over a 15-day period (March 4-19, 2026), targeting network infrastructure with deprecated protocol exploitation techniques. Assessment indicates HIGH threat level with 85% confidence due to SMBv1's association w…
External threat actor at 2[REDACTED] (Japan/AS7672) conducted sustained SMBv1 protocol reconnaissance against network infrastructure from March 4-16, 2026. This activity represents HIGH-risk preparation for potential EternalBlue-style remote code execution attacks targeting legacy SMB services. Imm…
External host 103.230.107.236 from Bangladesh conducted SMBv1 reconnaissance against internal networks on March 6, 2026 at approximately 11:00 UTC, generating 328 events over 30 minutes. This activity represents CRITICAL-level threat due to targeting of inherently vulnerable SMBv1 services accessibl…
External threat actor from Equatorial Guinea (41.79.51.218) conducted SMBv1 protocol reconnaissance targeting non-standard port 9001 on March 3, 2026 at 16:00 UTC. This activity represents MEDIUM-risk reconnaissance using deprecated, vulnerable protocols historically exploited by major ransomware ca…
Russian-based host 31.173.123.226 conducted sustained SMBv1 reconnaissance against network infrastructure over a 20-day period from February 16 to March 8, 2026, generating nearly 5,000 connection attempts. This activity represents HIGH-confidence reconnaissance operations likely preceding more agg…
External threat actor conducted sustained SMB reconnaissance targeting organizational networks from Italian ISP infrastructure between March 1-12, 2026. Assessment indicates HIGH threat level due to SMBv1 protocol exploitation attempts, representing precursor activity for potential EternalBlue-styl…
Threat actor operating from 185.247.137.207 (Manchester, GB) conducted sustained multi-protocol reconnaissance against industrial control systems, Kubernetes environments, and SMB services over 36 days with 64 recorded events. Assessment indicates MEDIUM threat level with potential APT characterist…
High-confidence SMB reconnaissance activity detected from IP 14.194.49.6 (India/Tata Teleservices) targeting network infrastructure with 6,624 events over approximately 1 hour on March 10, 2026. This automated scanning campaign likely seeks to identify vulnerable Windows systems for potential exploi…
A suspicious IP address (34.140.175.127) originating from Belgium conducted SMB-based reconnaissance activity on March 7, 2026 at approximately 11:00 UTC. The activity demonstrates potential custom tooling characteristics with an AbuseIPDB reputation score of 76/100, indicating moderate threat leve…
External IP 178.124.203.58 from Belarus conducted SMB reconnaissance using deprecated SMBv1 protocol against non-standard ports during a 4-minute window on 2026-02-28 17:00-18:00 UTC. This activity represents medium-risk reconnaissance that could precede exploitation attempts targeting SMB vulnerabi…
Russian-origin IP address 151.252.80.124 conducted sustained SMBv1 reconnaissance activity over a 7-hour period on March 2, 2026, generating 2,407 connection attempts. This represents HIGH-risk activity due to SMBv1's critical vulnerabilities that enable remote code execution. Organizations should …
External threat actor at 115.186.190.88 conducted SMB1 protocol reconnaissance targeting non-standard port 9001 on February 28, 2026 around 11:00 UTC. This activity represents HIGH-risk reconnaissance likely preparing for SMB-based exploitation using deprecated protocol vulnerabilities. Immediate de…
External threat actor from Bangladesh (203.76.96.42) conducted SMB protocol reconnaissance including legacy SMBv1 dialect negotiation attempts over a 4-hour window on February 28, 2026. Assessed threat level is MEDIUM with 85% confidence, representing potential precursor to SMB exploitation attempt…
Threat actors from Bangladesh (103.159.218.198) conducted 982 protocol confusion attacks between February 16-17, 2026, targeting Modbus TCP infrastructure with SMB negotiation requests. This HIGH-severity reconnaissance activity indicates potential targeting of Windows-based HMI systems in industri…
A Chinese-hosted threat actor (8.148.22.190) conducted intensive multi-protocol reconnaissance targeting enterprise services including Oracle TNS, SMB, and web applications during a concentrated 2-minute window on March 2nd, 2026. The attacker demonstrates sophisticated capabilities with 13 exposed…
Our sensors detected reconnaissance activity from IP 1[REDACTED] targeting industrial control systems using Modbus protocol on February 17, 2026 at approximately 16:00 UTC. The activity volume was limited but represents potential threat actor interest in operational technology (OT) infrastructure. …