SMB reconnaissance activity was detected from IP 148.244.221.22 (León de los Aldama, Mexico) on February 26, 2026 at 22:00 UTC, targeting non-standard ports using legacy SMB protocols including vulnerable SMBv1. This represents medium-severity reconnaissance activity that could precede exploitation…
Posts tagged: SMB
53 posts

Venezuelan-origin IP address 200.109.232.194 conducted extensive SMB protocol attacks against industrial control systems infrastructure between February 21-23, 2026, generating over 8,000 malicious events. This HIGH-severity threat demonstrates potential reconnaissance or exploitation attempts agai…
Russian IP address 93.90.41.12 conducted sustained SMBv1 protocol negotiation attempts over 10 days, targeting network infrastructure with techniques associated with EternalBlue exploitation vectors. This activity represents HIGH risk reconnaissance likely linked to botnet operations seeking vulner…
External IP 50.61.47.93 (Saudi Telecom Company JSC, Riyadh) conducted SMBv1 reconnaissance targeting non-standard port configurations during a 3-hour window on 2026-03-04. Assessment: HIGH risk due to legacy SMB protocol exploitation potential and unusual port targeting behavior. Immediate action r…
IP address 90.151.105.34 conducted low-volume SMB reconnaissance activity on March 4, 2026, targeting network infrastructure with 30 events over a 4-minute window. This activity represents low-priority automated scanning with no immediate exploitation attempts observed. Network defenders should moni…
External threat actor at 118.107.1.174 (Hong Kong/AS152194) conducted sustained SMB reconnaissance targeting legacy protocol implementations over a 15-day period ending March 6, 2026. Assessment: HIGH threat level with 78% confidence based on SMBv1 exploitation attempts and 100/100 AbuseIPDB reputati…
External host 85.50.194.51 (Orange Espagne SA/Spain) conducted SMB1 protocol reconnaissance targeting legacy implementations on non-standard ports between February 27-March 8, 2026. This activity represents MEDIUM-risk reconnaissance with potential preparation for SMB-based exploitation campaigns. …
Host 185.180.141.47 (Zenlayer Inc/AS21859) conducted low-severity reconnaissance activities against infrastructure from February 24 02:00 to March 12 10:00, 2026. The activity involved automated scanning across multiple protocols with focus on SMB services, consistent with network enumeration rathe…
IP address 66.132.153.115 conducted a 12-day reconnaissance campaign targeting MQTT and SMB services with 83 recorded events between March 1-13, 2026. The threat actor demonstrates medium-level capability with focused protocol exploitation attempts and maintains a maximum AbuseIPDB reputation score…
External IP address 3.134.216.108 conducted sustained multi-protocol reconnaissance against network infrastructure over 30 days, targeting SMB, Fortinet devices, and multiple other services. This HIGH-risk activity demonstrates systematic network mapping behavior consistent with pre-attack reconnai…
IP address 103.231.45.44 (AS59165 Auspice Infratel Pvt. Ltd., India) conducted sustained SMB reconnaissance activity on March 14, 2026, generating 949 events over approximately 5 minutes. This represents medium-severity reconnaissance activity with potential for follow-on exploitation attempts. Net…
A US-based threat actor (66.132.153.121) conducted a sustained SMB-focused attack campaign from March 4-14, 2026, demonstrating characteristics consistent with Advanced Persistent Threat (APT) operations. The actor achieved a maximum AbuseIPDB reputation score of 100/100, indicating confirmed malic…
External actor at 103.136.44.194 conducted SMBv1 protocol negotiation attempts against non-standard port 9001 over a 9-minute window on 2026-02-28. Activity assessed as MEDIUM threat level with 46 discrete events indicating systematic reconnaissance behavior targeting legacy SMB implementations.
A Windows Server 2012 host originating from Chilean telecommunications infrastructure conducted SMBv1 protocol reconnaissance against network sensors over a 49-hour period from March 5-7, 2026. The activity represents MEDIUM threat level reconnaissance operations targeting legacy SMB services. The …
A Bolivia-based threat actor at 190.181.26.29 conducted intensive SMB protocol attacks over an 11-minute window on March 6, 2026, generating 282 malicious events. The activity demonstrates automated scanning behavior targeting legacy SMB implementations with sustained, high-volume attack patterns i…
Internet-facing sensors observed sustained SMB scanning activity from 218.205.64.41 (China Mobile ASN) generating 11,554 events over approximately 5 hours on March 3, 2026. The activity represents medium-severity automated reconnaissance targeting legacy SMB implementations. Behavioral patterns indi…
Between 2026-02-26 11:00 and 14:00 hours, sensors observed 261 SMB protocol reconnaissance events from IP address 5.140.233.1 (Rostelecom/RU) targeting industrial control system infrastructure. The activity represents medium-severity automated scanning behavior with poor protocol awareness, attempt…
IP address 198.199.69.186 conducted a concentrated multi-protocol reconnaissance campaign on February 24, 2026, targeting Oracle TNS, SMB, and web services within a one-minute timeframe. The attacker profile indicates HIGH threat level consistent with advanced persistent threat (APT) tactics. Immed…
A threat actor operating from Kazakhstan (185.217.188.132) conducted sustained SMB reconnaissance activities over a 4-day period from March 4-8, 2026, with 23 recorded events targeting legacy SMB protocols. The campaign demonstrates persistent, methodical reconnaissance behavior with focus on SMBv1…
Network telemetry identified SMBv1 protocol negotiation attempts from IP 179.32.58.255 (Colombia Telecomunicaciones) targeting non-standard port 9001 between February 24-March 2, 2026. This activity represents MEDIUM-risk reconnaissance likely probing for vulnerable SMB services exploitable via leg…
External host 176.116.136.105 conducted SMBv1 protocol enumeration against internal networks on February 27, 2026, between 04:00-05:00 UTC, generating 49 security events over a 5-minute window. This activity represents medium-risk reconnaissance behavior that could precede more sophisticated attack…
External host 200.75.2.138 (Chile, AS14259) conducted SMBv1 reconnaissance including NTLM authentication negotiation on March 6, 2026 at 19:00 UTC. This activity represents MEDIUM-risk reconnaissance that could precede lateral movement or credential harvesting attacks. Network defenders should imme…
External threat actor at 167.94.146.61 conducted sustained reconnaissance activities from February 24 to March 9, 2026, targeting SMB services with legacy SMBv1 protocol exploitation attempts across 45 recorded events. Assessment indicates HIGH threat level due to SMBv1 vulnerability exploitation p…
High-severity reconnaissance campaign detected from IP 18.218.118.203 targeting industrial control systems using Modbus broadcast enumeration techniques alongside multi-protocol scanning activities from February 12 to March 10, 2026. The attacker demonstrated advanced capabilities across OT/IT envir…
A US-based threat actor (3.151.241.153) conducted sustained reconnaissance activities from February 17 to March 8, 2026, targeting industrial control systems and Kubernetes environments using protocol confusion techniques. This HIGH-severity campaign demonstrates advanced operational technology (OT…