IP indicator · Verdict: medium · Signal score: 100/100
149.154.167.220
Location: Amsterdam (from the RIPE geoloc field); registered country: GB
ASN: AS62041, Telegram Messenger Amsterdam Network
First seen: Jul 25, 2021
Last seen: May 15, 2026
Found in 18 reports. Confidence: medium. Confidence scores are heuristic. Verify before acting on results.
Type: IPv4 address. Network-layer indicator observed in threat reports.
MISP category: Network Activity
Confidence: 99% (the feed's aggregate score; the card's own verdict above is "medium", so the two figures are not on the same scale)
Signal score: 100 / 100
IDS rule: No
Practitioner note: this address sits inside Telegram's own allocation (AS62041, inetnum Telegram_Messenger_Network; see the WHOIS record below) and serves the Bot API endpoint api.telegram.org. The 18 reports and the "telegrambot", "bot token", "c2 communication" and "data exfiltration" tags below describe malware that uses Telegram bots as a command-and-control or exfiltration channel, not a host run by an attacker. Blocking the IP cuts off every Telegram client and every legitimate bot; a usable control keys on the request path (api.telegram.org/bot<id>:<token>/<method>) and on the process that issues it.
Threat Context
Tags (aggregated across the 18 source reports; the extraction ran them together without separators, and scraper debris such as page navigation words, month names, journalists' and registrants' personal names and law-firm vocabulary has been dropped). Because the tags come from unrelated reports that merely mention this Telegram address, they describe the reporting malware, not the host.
- Telegram abuse pattern: telegrambot, bot token, c2, c2 communication, command and control, checkin, data exfiltration, ingress tool transfer, remote access
- Malware and actors named in the reports: lazarus group, evil corp, jabber zeus, likely gandcrab, blackie virus, win32 berbew, et trojan, trojan dropper, trojanspy, infostealer, backdoor, botnet, ransomware payload, armadillo v1.71 (packer), plus the Bumblebee / black basta / cobalt strike / satacom sample referenced in the attached report description
- Activity types: phishing (campaign, url, attachment), spam distribution, malware distribution, brute force (ssh, ftp, telnet, password attacks), credential stuffing, credential theft, account compromise, cryptojacking, ddos, network scanning, http scanning, vulnerability scan, web application exploitation, webshell activity, process injection, command injection, code injection, xss, path traversal, supply chain compromise, wifi deauthentication attack, tor exit node, known tor, dns attack, signal jamming
- Infrastructure and tooling: cloudflare abuse, github abuse, dropbox abuse, api abuse, dynadot llc, namecheap inc, tucows domains, markmonitor, passive dns, reverse dns, tls, tlsv1, ocsp, root certificate, certificate authority, yara rule, yara detections
- Platforms and artefacts: windows, linux, macos, ios, pe32 executable, pe32 installer, msi, elf, batch script, powershell, python, delphi, zip archive, rar, png disguised malware, unsigned code, packed, detect-debug-environment, long-sleeps, direct-cpu-clock-access, checks-bios, checks-network-adapters, checks-user-input
- Regions: united kingdom, united states, netherlands, france, china, indonesia, ukraine, canada, antigua and barbuda, virgin islands, europe, north america, asia
MITRE ATT&CK TTPs (as tagged; several are pre-2020 technique IDs that have since been deprecated or merged, for example T1045 into T1027.002, T1060 into T1547.001 and T1086 into T1059.001, and the list contains both the old and the new IDs):
T1003, T1005, T1012, T1016, T1018, T1021, T1021.001, T1027, T1031, T1036, T1040, T1041, T1043, T1045, T1046, T1047, T1053, T1053.005, T1055, T1056, T1057, T1059, T1059.001, T1059.005, T1060, T1063, T1067, T1068, T1069, T1069.001, T1070, T1071, T1071.001, T1071.004, T1078, T1078.003, T1082, T1083, T1086, T1090, T1094, T1095, T1102, T1105, T1106, T1110, T1110.001, T1110.002, T1110.003, T1110.004, T1112, T1113, T1129, T1133, T1140, T1143, T1147, T1155, T1187, T1189, T1190, T1195, T1199, T1203, T1204, T1204.001, T1204.002, T1205, T1480, T1486, T1490, T1496, T1497, T1499, T1499.001, T1499.002, T1499.003, T1499.004, T1518, T1547.001, T1550, T1553, T1553.005, T1555, T1561, T1561.001, T1561.002, T1565, T1566, T1566.001, T1566.002, T1566.003, T1568, T1571, T1573, T1573.001, T1574, T1583, T1583.005, T1587, T1587.001, T1588, T1590.001, T1592, T1595, T1595.001, T1595.002, T1595.003, T1598, T1598.003
Of these, T1102 (Web Service), T1071.001 (Web Protocols) and T1041 (Exfiltration Over C2 Channel) are the ones that actually describe how Telegram infrastructure shows up in the reports.
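The point above, that the address is shared Telegram infrastructure and the usable signal is the Bot API request shape, is easier to see in a detector. The following is an added example written for this page, not code from the indicator feed or from Telegram: it scans constructed proxy log lines (the log format, source hosts, process names, bot ids, tokens and the "known bots" allowlist are all invented), flags only calls to the Bot API path, rates exfiltration and command-polling methods higher than reconnaissance calls, suppresses bots the organisation runs itself, and extracts the bot id and chat id so an analyst can pivot without ever logging the full secret.

```python
"""
Telegram Bot API detection over proxy logs (added example, not from the page).

149.154.167.220 belongs to Telegram (AS62041), so the destination address on
its own is not a malicious indicator: every Telegram client talks to it.
Malware that abuses Telegram as a C2 or exfiltration channel uses the Bot API,
whose URL shape is distinctive:

    https://api.telegram.org/bot<bot_id>:<secret>/<method>?chat_id=<chat>

The detector flags only Bot API calls, ranks C2/exfil methods higher, skips
bots the organisation knows about, and extracts bot id and chat id for
pivoting. Log format, bot ids, tokens and hosts are all constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Destination filter: the indicator from the card. Extend with 149.154.167.0/24
# (the RIPE route object) if you want the whole Telegram API block.
TELEGRAM_IPS = {"149.154.167.220"}
TELEGRAM_API_HOST = "api.telegram.org"

# Bot API path: /bot<numeric id>:<secret>/<method>. Real secrets are 35 chars;
# 30+ is accepted here to be tolerant of variants.
BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)$"
)

# Methods that move data out (send*) or poll for operator commands (getUpdates).
HIGH_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "getUpdates"}

# Bot ids the organisation operates itself (constructed). Calls from these are
# expected traffic and are suppressed rather than alerted.
KNOWN_BOTS = {"9876543210"}


@dataclass
class Finding:
    timestamp: str
    src: str
    process: str
    bot_id: str
    token_hint: str      # bot id plus a 4-char prefix; never log the full secret
    method: str
    chat_id: Optional[str]
    severity: str


def parse_line(line: str) -> Optional[dict]:
    """Parse the constructed format: <ts> <src_ip> <process> <dst_ip> <verb> <url>."""
    parts = line.split(maxsplit=5)
    if len(parts) != 6:
        return None
    ts, src, proc, dst, verb, url = parts
    return {"ts": ts, "src": src, "proc": proc, "dst": dst, "verb": verb, "url": url}


def classify(rec: dict) -> Optional[Finding]:
    """Return a Finding for Bot API traffic from unknown bots, else None."""
    u = urlsplit(rec["url"])
    if rec["dst"] not in TELEGRAM_IPS and u.hostname != TELEGRAM_API_HOST:
        return None                      # not Telegram at all
    m = BOT_PATH.match(u.path)
    if m is None:
        return None                      # ordinary client traffic to the same IP
    bot_id, secret, method = m.group("bot_id", "secret", "method")
    if bot_id in KNOWN_BOTS:
        return None                      # sanctioned automation
    chat_id = parse_qs(u.query).get("chat_id", [None])[0]
    severity = "high" if method in HIGH_METHODS else "medium"
    return Finding(rec["ts"], rec["src"], rec["proc"], bot_id,
                   f"{bot_id}:{secret[:4]}...", method, chat_id, severity)


def scan(lines) -> list:
    """Run the detector over an iterable of log lines; malformed lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = classify(rec)
        if f is not None:
            findings.append(f)
    return findings


# Constructed proxy log: one benign Telegram client, one exfil from PowerShell,
# one reconnaissance call from a script, one sanctioned monitoring bot, one
# unrelated request.
SAMPLE_LOG = [
    "2026-05-15T10:01:02Z 10.0.0.5 Telegram.exe 149.154.167.220 POST https://149.154.167.220/api",
    "2026-05-15T10:02:10Z 10.0.0.7 powershell.exe 149.154.167.220 POST "
    "https://api.telegram.org/bot1234567890:AAF1aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456/sendDocument?chat_id=-100987654321",
    "2026-05-15T10:03:45Z 10.0.0.9 python3 149.154.167.220 GET "
    "https://api.telegram.org/bot5555555555:AAHzYxWvUtSrQpOnMlKjIhGfEdCbA9876543/getMe",
    "2026-05-15T10:04:00Z 10.0.0.11 monitor-agent 149.154.167.220 POST "
    "https://api.telegram.org/bot9876543210:AAEkNoWnBoTsEcReTvAlUeXxXxXxXxXxXxX/sendMessage?chat_id=42",
    "2026-05-15T10:05:30Z 10.0.0.5 chrome.exe 93.184.216.34 GET https://example.com/",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.src} {f.process} bot={f.token_hint} "
              f"method={f.method} chat_id={f.chat_id}")
```

Only the PowerShell upload and the script's getMe call produce findings; the desktop client, the sanctioned bot and the unrelated request are silent. In a real deployment the path is only visible where TLS is terminated (a forward proxy or an EDR with URL telemetry); on flow data alone the best you can do is pair this destination with an unexpected source process, which is also why the IP by itself earns no IDS rule on the card.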
Activity Timeline
Peak report activity: 2026-05-15
Last 24h: 0 reports (dormant)
Last 7d: 0 reports (dormant)
Last 30d: 0 reports (dormant)
Last 3 months: 1 report (minimal)
Threat score: High Risk (100)
Geolocation
Country (registration): GB, United Kingdom
City: Amsterdam
Coordinates displayed by the card: 51.5072, -0.1276. These are London's coordinates, a country-level default derived from the GB country code, not the host's location; the RIPE record's own geoloc field reads 52.379189 4.899431, which is Amsterdam. Read "Amsterdam, England" on this card as Amsterdam with a GB-registered netblock.
VirusTotal
Not checked
WHOIS
Attached report description (carried over from one of the source reports; it describes a malware sample, not this address):
Compilation Timestamp 2025-05-01 18:04:59 UTC. Entry Point 527**. Contained Sections 7. Written in C++, this malware functions as a first-stage backdoor designed to establish an initial foothold before continuing its stealthy attack to move into MAAS, operations, and development. Bumblebee is primarily delivered via phishing emails, often disguised as invoices, but its scope also includes PDFs, voicemails, zip files, and images. The malware is highly evasive, routinely checking its environment, executing payloads, and creating LOLBins. Related to Operation Endgame, it notably disrupted regsvr32.exe in May 2024. This specific variant was created on May 1, 2025, and appeared to be set into operation on May 5, 2025, interestingly just one day after Microsoft changed its DKIM, SPF, and DMARC rules.
Sample SHA-256: ed76019fbae16d3992d1939c38d620185f4520e128f80983a00cadc6a9c3b509
Report file name: 2025-05-05_77aa5cace886af5e61db8eb4c4cea57e_black-basta_cobalt-strike_satacom
Raw RIPE record:
inetnum: 149.154.164.0 - 149.154.167.255
netname: Telegram_Messenger_Network
descr: Telegram Messenger Network
country: GB
geoloc: 52.379189 4.899431
admin-c: ND2624-RIPE
tech-c: ND2624-RIPE
abuse-c: TMI12-RIPE
status: ASSIGNED PA
mnt-by: MNT-TELEGRAM
created: 2014-09-19T22:29:39Z
last-modified: 2018-06-12T10:52:20Z
source: RIPE
person: Nikolai Durov
address: P.O. Box 146, Road Town, Tortola, British Virgin Islands
phone: +357 96 287319
nic-hdl: ND2624-RIPE
mnt-by: MNT-TELEGRAM
created: 2014-03-07T19:25:00Z
last-modified: 2014-03-08T03:31:36Z
source: RIPE
route: 149.154.167.0/24
origin: AS62041
mnt-by: mnt-ag-globalnet-1
mnt-by: MNT-TELEGRAM
created: 2023-08-06T18:26:02Z
last-modified: 2023-08-06T18:26:02Z
source: RIPE