External threat actor at IP 2.57.122.234 conducted a 42-day reconnaissance and credential harvesting campaign from March 1-April 12, 2026, generating 112 attack events primarily targeting Fortinet devices and authentication systems. Assessment indicates MEDIUM threat level with sophisticated APT-lik…
Posts tagged: SSH_SCAN
7 posts

IP address 45.91.64.7 conducted sustained multi-protocol reconnaissance against network infrastructure from February 21 to April 11, 2026, generating 89 security events across 14 unique ports. The campaign primarily focused on SMTP probing with secondary targeting of RDP and SSH services, assessed a…
Romanian-based threat actor at 80.94.95.55 conducted extensive multi-protocol reconnaissance targeting RDP, ICS protocols, SSH, and VNC services over a 9-day period from March 29-April 7, 2026. The campaign generated 134,308 events with notable focus on industrial control systems (S7COMM protocol) a…
IP address 87.121.79.222 (Netherlands/AS213725) conducted extensive reconnaissance activity from March 30 to April 5, 2026, targeting SSH, VNC, and Kubernetes infrastructure with 1,569 recorded events across 14 unique ports. The campaign demonstrates systematic scanning behavior with particular focu…
A Windows-based threat actor operating from Romanian hosting provider Flyservers S.A. (141.98.83.86) conducted an intensive multi-protocol scanning campaign between March 29-April 4, 2026, generating over 94,000 malicious events targeting RDP, SSH, and industrial control systems. The activity repres…
IP address 125.122.156.134 conducted automated SSH reconnaissance against network infrastructure between 29 March 2026 11:00-14:00 UTC, generating 338 connection events. This activity represents low-severity noise-level scanning with standard SSH banner exchanges using 'SSH-2.0-Go' client identifie…
IP address 85.217.140.53 conducted a sustained multi-protocol scanning campaign from March 11-28, 2026, targeting Oracle database, SSH, and Kubernetes services across 7 unique ports with 92 total events. Assessment indicates low-sophistication automated reconnaissance activity with minimal immediate…