IP · Medium · Signal 100/100
121.165.149.162
Location
Gangdong-gu, Seoul
ASN
AS4766
Kornet
First Seen
Apr 5, 2025
Last Seen
Feb 7, 2026
Found in 15 reports. Confidence: medium. Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
99%
Signal Score
100 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Network Information
Country
South Korea
Region: Gangdong-gu, Seoul
ASN: AS4766
Organization: Kornet
Feed Intelligence Summary
Source reports: 15
Confidence score: 99%
Category tags
Activity Timeline: Feb 7
Threat Activity Heatmap (peak: 2026-02-07)
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 0 (Dormant)
Threat Score: High Risk
Signal Score: 100
Confidence: 99%
Reports: 15
First seen: Apr 5, 2025
Last seen: Feb 7, 2026
Geolocation: KR
Country: South Korea
Location: Gangdong-gu, Seoul
ASN: AS4766
Org: Kornet
Coords: 37.5360, 127.1426
VirusTotal
Not checked
WHOIS
- description
- Scans hitting the server at TCP port 23 Telnet. Same IP should not appear more than once in 96 hours in our lists S3#.
- raw
- references
- https://github.com/telekom-security/tpotce, https://feeds.dshield.org/feeds/topips.txt, https://feeds.dshield.org/feeds/top10.txt, https://feeds.dshield.org/feeds/block.txt, https://jamesbrine.com.au/vultrwarsaw-telnet-bruteforce-ip-list-2025-08-16/, https://jamesbrine.com.au, https://jamesbrine.com.au/vultrwarsaw-telnet-bruteforce-ip-list-2025-08-31/, https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt
IOC Journey
medium · First detected 1 year ago · Last seen 4 months ago
Appeared in 15 threat reports