IOC Radar
IP · Medium · Signal 74/100

115.120.250.85

Location
China
Shanghai, Shanghai
ASN
AS55990
Huawei Public Cloud Service
First Seen
Feb 16, 2025
Last Seen
May 3, 2026
Found in 16 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network-layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
74%
Signal Score
74 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK TTPs: 95 techniques

Network Information

Country: CN (China)
Region: Shanghai, Shanghai
ASN: AS55990
Organization: Huawei Public Cloud Service

Feed Intelligence Summary

16 source reports, 74% confidence score

Activity Timeline

1 total observation (May 3)

Threat Activity Heatmap

Peak: 2026-05-03

Recent activity:
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Threat Score: High Risk
Signal Score: 74
Confidence: 74%
Reports: 16
First seen: Feb 16, 2025
Last seen: May 3, 2026
Geolocation: CN
Country: China
Location: Shanghai, Shanghai
ASN: AS55990
Org: Huawei Public Cloud Service
Coords: 34.7732, 113.7220

VirusTotal

Not checked

WHOIS

description
In this Intel Insights report, uncover how Cobalt cybercriminal groups remain active even outside traditional working hours, adapting their tactics to exploit vulnerabilities when defenses may be weaker.
raw
inetnum: 115.120.0.0 - 115.120.255.255
netname: HWCSNET
descr: Huawei Public Cloud Service (Huawei Software Technologies Ltd.Co)
descr: No.2018 Xuegang Road,Bantian street,Longgang District,
descr: Shenzhen,Guangdong Province, 518129 P.R.China
country: CN
admin-c: LL3172-AP
tech-c: GX1759-AP
abuse-c: AC1601-AP
status: ALLOCATED PORTABLE
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
mnt-irt: IRT-CNNIC-CN
last-modified: 2022-04-18T05:43:58Z
source: APNIC

irt: IRT-CNNIC-CN
address: Beijing, China
e-mail: [email protected]
abuse-mailbox: [email protected]
admin-c: IP50-AP
tech-c: IP50-AP
auth: # Filtered
remarks: Please note that CNNIC is not an ISP and is not
remarks: empowered to investigate complaints of network abuse.
remarks: Please contact the tech-c or admin-c of the network.
mnt-by: MAINT-CNNIC-AP
last-modified: 2021-06-16T01:39:57Z
source: APNIC

role: ABUSE CNNICCN
country: ZZ
address: Beijing, China
phone: +000000000
e-mail: [email protected]
admin-c: IP50-AP
tech-c: IP50-AP
nic-hdl: AC1601-AP
remarks: Generated from irt object IRT-CNNIC-CN
abuse-mailbox: [email protected]
mnt-by: APNIC-ABUSE
last-modified: 2024-07-30T11:55:46Z
source: APNIC

person: Gui xiaowei
address: HUAWEI CLOUD Data Center, Jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guizhou Province
country: CN
phone: +86-18566251984
e-mail: [email protected]
nic-hdl: GX1759-AP
mnt-by: MAINT-CNNIC-AP
last-modified: 2022-04-18T05:32:41Z
source: APNIC

person: Liu Liqun
address: HUAWEI CLOUD Data Center, Jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guizhou Province
country: CN
phone: +86-13360099887
e-mail: [email protected]
nic-hdl: LL3172-AP
mnt-by: MAINT-CNNIC-AP
last-modified: 2022-04-18T05:33:15Z
source: APNIC


IOC Journey

medium
First detected 1 year ago · Last seen 1 month ago
Appeared in 16 threat reports