IPMediumSignal 65/100

`104.152.52.127`

Location

United States

Chicago, Illinois

ASN

AS51088

Rethem Hosting LLC

First Seen

Nov 18, 2021

Last Seen

Jun 17, 2026

Nov 18

First Seen

1678d ago

Jun 17

Last Seen

6d ago

Reports

source reports

65%

Confidence

medium

Found in 33 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.

IPv4 Address

Network layer indicator observed in threat reports.

MISP Category

Network Activity

Confidence

65%

Signal Score

65 / 100

IDS Rule

Threat Context

MITRE ATT&CK TTPs

66 techniques

Network Information

Country

United States

RegionChicago, Illinois

ASNAS51088

OrganizationRethem Hosting LLC

Feed Intelligence Summary

33 reports65% confidence

Source reports

65%

Confidence score

Category tags

abuseaccess attemptaccess controlaccount compromiseaccount securityactive scanactive scanningadministrative accessaerospace & defenseapacheapache attackerapplication layer protocolaptasiaattackattack source ipattacker ipsattacker-ipaustraliaauthentication failureauto-generated securityautomated attacksautomated threatautomated threatsautomated-attackautomotive manufacturingbad reputationbad web botblocklist_allblog spambotnetbotnet activitybrute forcebrute force attackbrute force attackerbrute force attemptbrute force attemptsbrute-forcebrute-force attackbruteforcecanadachinacisco asacisco brute forcecisco devicecisco device attackcisco device targetedcisco exploitation attemptcisco exploitation attemptscivil servicescloud infrastructurecloud infrastructure attackcloud servicescode executioncommand and controlcommand executioncommand injection attemptcommunication protocolcompromised credentialscompromised hostconpot honeypotcowriecowrie attackscowrie honeypotcowrie interactionscowrie ssh honeypotcredential accesscredential attackscredential brute forcecredential brute-forcingcredential harvestingcredential stuffingcredential-bruteforcingctadata encryptiondata exfiltrationdata store exposuredatabase attackdatabase exploitation attemptsdatabase securityddosddos attackddos attacksdecoy systemdefensedefense contractingdefense logisticsdefense systemsdefense technologydenial of servicedevice managementdigital oceandionaeadionaea activitydionaea attacksdionaea honeypotdirectory traversal attemptdistributed attackselectronics manufacturingencryptionenterprise networkingeuropeexploitexploit attemptexploit attemptsexploit probingexploitationexploitation activityexploited hostexternal access attemptsexternal threatexternal_threatfail2ban triggeredfattfatt analysisfinlandfrancefraud voipftpftp attacksftp brute forceftp brute-forcegermanygovernment technologyhackinghoneynet connecthoneytrap activityhoneytrap datahoneytrap honeypothttp brute forcehttp scannerhttp scanninghttp/sics securityidentity & access exploitationindicatorindustrial automationindustrial control systemsindustrial iotindustrial productioninformation gatheringinfrastructure acquisitionreconnaissanceinitial accessinjection activityinjection attacksinternet of thingsinternet-facing assetsintrusion detectioniociot botnetiot device targetingiot securityiot targetediot/ics attackip-addressesipv4ipv4_addresskfsensor honeypotlamplamp attacklamp exploitlamp exploitation attemptslamp server attacklamp stack attacklamp stack targetinglateral movementlcialinux serverslinux systemsloginlogin attacklogin attemptlogin brute forcemailoney activitymailoney honeypotmalicious activitymalicious activity detectedmalicious login attemptsmalicious payloadmalicious softwaremalicious trafficmalwaremalware behaviourmalware capturemalware deliverymalware distributionmalware downloadmanualmanufacturing technologymilitary operationsmirai botnetmssqlnational securitynetworknetwork attacksnetwork discoverynetwork enumerationnetwork infrastructurenetwork intrusionnetwork intrusion attemptnetwork intrusion attemptsnetwork monitoringnetwork probenetwork probingnetwork protocolnetwork reconnaissancenetwork scannetwork scanningnetwork scanning activitynetwork securitynetwork service scanningnetwork servicesnetwork traffic analysisnetwork-reconnaissancenetwork_scanningnextraynorth americaoceaniaoperating systemoperating system securityopportunistic-attackos credential dumpingp0fp0f passive fingerprintingp0f signaturespassword attackpassword attacksphishingphishing attackphishing trappolandportscanpossible malware distributionpossible mirai variantpotential compromiseprivilege escalationprocess injectionprocess manufacturingprotocol exploitationpublic administrationpublic infrastructurepublic policyquality controlransomwarereconnaissanceredis honeypotregulatory agenciesremote accessremote servicesresearchresearchedresource hijackingsansscams & fraudscanscannerscannersscanning activityscripting attackssecurity operationssecurity policysensor-taggedsentrypeer activitysentrypeer botnetsentrypeer detectionservice discoveryservice scanservice scanningsftp access attemptsftp activitysftp attacksingaporesip attackssip scanningsmb brute forcesmtpsmtp attackssmtp brute forcesocial engineeringsoftware exploitationspamsql injection attemptsshssh attackssh attacksssh monitoringssh-brutesupply chain attacksupply chain managementsuricata alertssystem accesssystem discoveryt-pott1018t1021t1021.001t1021.002t1021.003t1021.004t1021.005t1027t1040t1041t1046t1055t1059t1059.001t1059.003t1059.004t1059.007t1068t1069.001t1071t1071.001t1076t1077t1078t1078.001t1087t1088t1110t1110.001t1110.002t1110.003t1110.004t1133t1187t1189t1190t1203t1204.002t1210t1486t1496t1499.001t1499.002t1499.003t1505t1555t1562t1563t1565t1566t1566.001t1566.002t1566.003t1566.004t1587.001t1589t1590t1590.001t1590.005t1590.006t1592t1592.002t1595t1595.001t1595.002t1595.003tannertanner activitytargeting databasetcp protocoltcp scantcp scanningtelecommunicationstelnettelnet threatthreat actorthreat detectionthreat intelligencethreat preventionthreat_intelligencetor nodetorontotpotudp port scanudp scanudp/161unauthorized accessunauthorized access attemptunauthorized loginunauthorized probingunited kingdomunited statesunknown threat actorusvoipvoip attackvoip systemsvulnerability scanvultrweb app attackweb application attackweb application scanningweb attackweb exploitweb exploitationweb serversweb shell attemptweb spamweb traffic

Activity Timeline

1 total obs

Jun 17Jun 17

Threat Activity Heatmap

· Peak: 2026-06-17

Less

Mon

Wed

Fri

Jun

Jul

Aug

Sep

Oct

Nov

Dec

Jan

Feb

Mar

Apr

May

Jun

24h

Dormant

Minimal

30d

Minimal

3mo

Minimal

Threat ScoreMedium Risk

SIGNAL

Signal Score

65%

Confidence

Reports

First seenNov 18, 2021

Last seenJun 17, 2026

GeolocationUS

CountryUnited States

LocationChicago, Illinois

ASNAS51088

OrgRethem Hosting LLC

Coords37.7510, -97.8220

VirusTotal

Not checked

WHOIS

description: IPv4 hosts detected port scanning DigitalOcean Toronto (CA) honeypot
raw: NetRange: 104.152.52.0 - 104.152.55.255 CIDR: 104.152.52.0/22 NetName: RETHEM-HOSTING NetHandle: NET-104-152-52-0-1 Parent: NET104 (NET-104-0-0-0-0) NetType: Direct Allocation OriginAS: Organization: Rethem Hosting LLC (RHL-18) RegDate: 2014-07-11 Updated: 2014-07-11 Ref: https://rdap.arin.net/registry/ip/104.152.52.0 OrgName: Rethem Hosting LLC OrgId: RHL-18 Address: 500 N. Michigan Ave Address: Suite 300 City: Chicago StateProv: IL PostalCode: 60611 Country: US RegDate: 2011-03-16 Updated: 2012-05-25 Ref: https://rdap.arin.net/registry/entity/RHL-18 OrgTechHandle: NOC11885-ARIN OrgTechName: Network Operations Center OrgTechPhone: +1-212-257-2998 OrgTechEmail: [email protected] OrgTechRef: https://rdap.arin.net/registry/entity/NOC11885-ARIN OrgNOCHandle: NOC11885-ARIN OrgNOCName: Network Operations Center OrgNOCPhone: +1-212-257-2998 OrgNOCEmail: [email protected] OrgNOCRef: https://rdap.arin.net/registry/entity/NOC11885-ARIN OrgAbuseHandle: NOC11885-ARIN OrgAbuseName: Network Operations Center OrgAbusePhone: +1-212-257-2998 OrgAbuseEmail: [email protected] OrgAbuseRef: https://rdap.arin.net/registry/entity/NOC11885-ARIN
references: https://github.com/telekom-security/tpotce, https://jamesbrine.com.au/vultrwarsaw-telnet-bruteforce-ip-list-2025-07-29/, https://jamesbrine.com.au, https://raw.githubusercontent.com/ahamed-rizvan/IOCs/refs/heads/main/Malicous%20IP%20Address.txt, http://cinsscore.com/list/ci-badguys.txt

`104.152.52.127`

MITRE ATT&CK TTPs

Network Information

Feed Intelligence Summary

Activity Timeline

Threat Activity Heatmap

VirusTotal

WHOIS

Export & API

IOC Journey