IOC Radar
IPMediumSignal 0/100

104.21.65.86

Location
United StatesUnited States
Toronto, Ontario
ASN
AS13335
Cloudflare, Inc.
First Seen
Oct 10, 2025
Last Seen
Feb 17, 2026
Oct 10
First Seen
258d ago
Feb 17
Last Seen
128d ago
2
Reports
source reports
0%
Confidence
medium
Found in 2 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
0%
Signal Score
0 / 100
IDS Rule
No
Threat Context
Tags

Network Information

CountryUSUnited States
RegionToronto, Ontario
ASNAS13335
OrganizationCloudflare, Inc.

Feed Intelligence Summary

2 reports0% confidence
2
Source reports
0%
Confidence score
Category tags
indicatornetworkresearched

Activity Timeline

1 total obs
Feb 17Feb 17

Threat Activity Heatmap

· Peak: 2026-02-17
Less
More
Mon
Wed
Fri
Jun
·
Jul
·
·
·
Aug
·
·
·
Sep
·
·
·
·
Oct
·
·
·
Nov
·
·
·
Dec
·
·
·
·
Jan
·
·
·
Feb
·
·
·
Mar
·
·
·
·
Apr
·
·
·
May
·
·
·
Jun
·
·
24h
0
Dormant
7d
0
Dormant
30d
0
Dormant
3mo
0
Dormant
Intelligence SummaryAI Generated

This indicator of compromise (IOC) refers to the IPv4 address 104.21.65.86, which has been explicitly whitelisted. Carrying a threat score of 0.0, this IP address poses a negligible security risk to the organization. Its inclusion in threat intelligence feeds, specifically "Benign - Mastodon" and "SOCRadar Attack Surface Intelligence(ASI)", is primarily due to its benign classification rather than any detected malicious activity. Therefore, the presence of this IP address in logs or network traf…

Threat ScoreLow Risk
0
SIGNAL
Signal Score
0%
Confidence
2
Reports
First seenOct 10, 2025
Last seenFeb 17, 2026
GeolocationUS
CountryUnited States
LocationToronto, Ontario
ASNAS13335
OrgCloudflare, Inc.
Coords37.7757, -122.3952

VirusTotal

Not checked

WHOIS

raw
NetRange: 104.16.0.0 - 104.31.255.255 CIDR: 104.16.0.0/12 NetName: CLOUDFLARENET NetHandle: NET-104-16-0-0-1 Parent: NET104 (NET-104-0-0-0-0) NetType: Direct Allocation OriginAS: Organization: Cloudflare, Inc. (CLOUD14) RegDate: 2014-03-28 Updated: 2024-09-04 Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse Comment: Geofeed: https://api.cloudflare.com/local-ip-ranges.csv Ref: https://rdap.arin.net/registry/ip/104.16.0.0 OrgName: Cloudflare, Inc. OrgId: CLOUD14 Address: 101 Townsend Street City: San Francisco StateProv: CA PostalCode: 94107 Country: US RegDate: 2010-07-09 Updated: 2024-11-25 Ref: https://rdap.arin.net/registry/entity/CLOUD14 OrgRoutingHandle: CLOUD146-ARIN OrgRoutingName: Cloudflare-NOC OrgRoutingPhone: +1-650-319-8930 OrgRoutingEmail: [email protected] OrgRoutingRef: https://rdap.arin.net/registry/entity/CLOUD146-ARIN OrgAbuseHandle: ABUSE2916-ARIN OrgAbuseName: Abuse OrgAbusePhone: +1-650-319-8930 OrgAbuseEmail: [email protected] OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE2916-ARIN OrgNOCHandle: CLOUD146-ARIN OrgNOCName: Cloudflare-NOC OrgNOCPhone: +1-650-319-8930 OrgNOCEmail: [email protected] OrgNOCRef: https://rdap.arin.net/registry/entity/CLOUD146-ARIN OrgTechHandle: ADMIN2521-ARIN OrgTechName: Admin OrgTechPhone: +1-650-319-8930 OrgTechEmail: [email protected] OrgTechRef: https://rdap.arin.net/registry/entity/ADMIN2521-ARIN RTechHandle: ADMIN2521-ARIN RTechName: Admin RTechPhone: +1-650-319-8930 RTechEmail: [email protected] RTechRef: https://rdap.arin.net/registry/entity/ADMIN2521-ARIN RNOCHandle: NOC11962-ARIN RNOCName: NOC RNOCPhone: +1-650-319-8930 RNOCEmail: [email protected] RNOCRef: https://rdap.arin.net/registry/entity/NOC11962-ARIN RAbuseHandle: ABUSE2916-ARIN RAbuseName: Abuse RAbusePhone: +1-650-319-8930 RAbuseEmail: [email protected] RAbuseRef: https://rdap.arin.net/registry/entity/ABUSE2916-ARIN
references
https://botnet.ngocronglau.xyz > link discovered by an Alienvault user who notified me they found it researching message from am active user., https://otx.alienvault.com/indicator/file/02b19639ad1efa59e77f45d130447c05bd2466e26a657cb9cc6ac2e8b30a0026, https://otx.alienvault.com/indicator/file/001546d210a35b7c4c072b6c265f621cf4a9abdd152741d9b58deae2be204355, https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz, Unix.Mirai Botnet: https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz, CnC IP: https://otx.alienvault.com/indicator/ip/142.202.242.45, https://otx.alienvault.com/indicator/domain/bunny.net, https://otx.alienvault.com/indicator/ip/210.211.117.205, https://otx.alienvault.com/indicator/ip/143.244.50.212, https://otx.alienvault.com/indicator/ip/125.235.4.59, AV Detection: ELF:Mirai-GH\ [Trj], IDS Detections: MVPower DVR Shell UCE Mirai | Variant User-Agent (Outbound) JAWS Webserver Unauthenticated Shell Command Execution, IDS Detections: Huawei Remote Command Execution (CVE-2017-17215) Huawei Remote Command Execution - Outbound (CVE-2017-17215) Huawei HG532 RCE Vulnerability (CVE-2017-17215) Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World) 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST, IDS Detections: Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World), IDS Detections: 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST) ..., Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication network_cnc_http network_http p2p_cnc writes_to_stdout, Matches rule Linux_Trojan_Mirai_6a77af0f from ruleset Linux_Trojan_Mirai by Elastic Security | botnet.ngocronglau.xyz, https://otx.alienvault.com/indicator/file/2b5deac6176124ee1f7d237f070c39b03c964fce9a9fba0aaa1bce102710d2e0, cu-payment-porch.pdv-3.ap-southeast-2.production.jet-external.com | qa.proxy.cognito.tigomoney.io | https://trackon.fr/track/clique, Crowdsourced YARA rules Matches: rule INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen, Crowdsourced YARA rules Matches: INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen, Crowdsourced YARA rules Matches: SUSP_Unsigned_OSPPSVC from ruleset gen_sign_anomalies by Florian Roth (Nextron Systems, Crowdsourced YARA rules Matches: IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems), Crowdsourced YARA rules Matches: Matches rule IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems, https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net, wallpapers-nature.com, Was anyone else notified? I'm not sure why I was., Through research I did notice many references to target I'm researching for. Phishing/Injection attempt? I didn't click on links., CS Sigma: Matches rule Python Initiated Connection by frack113

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

medium
First detected 8 months ago · Last seen 4 months ago
Appeared in 2 threat reports