IOC Radar
IPMediumSignal 100/100

154.212.141.253

Location
Hong KongHong Kong
São Paulo, São Paulo
ASN
AS17561
Cloud Innovation Ltd
First Seen
Apr 2, 2024
Last Seen
Apr 9, 2026
Apr 2
First Seen
810d ago
Apr 9
Last Seen
73d ago
27
Reports
source reports
99%
Confidence
medium
Found in 27 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
99%
Signal Score
100 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

102 techniques

Network Information

CountryHKHong Kong
RegionSão Paulo, São Paulo
ASNAS17561
OrganizationCloud Innovation Ltd

IP Category

Proxy
Proxy server

Feed Intelligence Summary

27 reports99% confidence
27
Source reports
99%
Confidence score
Category tags
abuseaccess controlaccount discoveryackack scanactive scanactive scanningadbhoney honeypotamerican expressamerican express companyapacheapache attackerasiaattachment phishingattackaustraliaaustralia network activityauthenticationauthentication attackauthentication attacksauthentication attemptauthentication attemptsauto-generated securityautomated emailautomated scanningbad reputationbad web botbanner grabbing attemptbase64base64 encodingbecblacklist ipbotnetbotnet activitybrute forcebrute force attackbrute force attacksbrute force attemptsbulk emailc2c2 servercertciscocisco devicecisco exploit attemptcisco exploitation attemptscitrix exploitationcitrix exploitation attemptscitrix securitycode executioncommand & controlcommand and controlcommand executioncommon ports scancommunication protocolcompromised credentials attemptcompromised hostsconnect scanconpot honeypotcowriecowrie activitycowrie detectedcowrie detected activitycowrie honeypotcowrie ssh attackscowrie ssh logscredential accesscredential brute forcecredential brute-forcingcredential harvestingcredential phishingcredential stuffingcredentialsctadata encryptiondata exfiltrationdata store exposuredata theftdatabase attackdatabase attacksdatabase brute forcedatabase securityddosddos attackddos attacksddos attemptdecoy systemdenial of servicedevice managementdictionary attackdiners club internationaldionaeadionaea activitydionaea honeypotdionaea malware collectiondistributed attackselephant flowemailencryptionenterprise networkingenterprise securityenumerationenumeration activityenumeration attempteuropeexploit attemptexploit attemptsexploit probingexploit targetingexploitation activityexploited hostexternal scanfinfin port scanfin scanfirewall detectionfirewall evasionfirewall probingftpftp brute forcefull connect scangithubhackingheralding activityheralding attemptshigh volume traffichkhoneytrap activityhoneytrap honeypothong konghttp brute forcehttp enumerationhttp probinghttp scannerhttp scanninghttpshttps scanninghuaweihydraics securityidentity & access exploitationids evasionimapimap brute forceimap scanningindicatorindustrial control systemsinformation gatheringinformation technologyinfrastructure acquisitionreconnaissanceinfrastructure discoveryinitial accessinitiator ipinjection activityinjection attacksinternet of thingsintrusion blockintrusion detectioninvalid credentialsinvalid logininvalid login attemptsiociosiot attackiot botnetiot securityiot/ics attackipphoney honeypotlamplamp attacklamp exploitlamp exploit attemptlamp exploitation attemptlamp exploitation attemptslamp server targetlamp stack targetinglateral movementlogin attacklogin attemptlogin attemptslogin brute forcemailoney detectedmailoney honeypotmaimon scanmalicious activitymalicious login attemptsmalicious scanmalicious sftp activitymalicious sip activitymalicious softwaremalicious ssh activitymalwaremalware behaviourmalware capturemalware distributionmalware distribution attemptmalware distribution attemptsmalware propagationmalware scanningmanualmass port scanmass scanningmass scanning activitymasscanmasscan activitymassive port scanmedusamirai botnetmobile threatnation-state activitynetworknetwork attacksnetwork discoverynetwork enumerationnetwork infrastructurenetwork intrusionnetwork intrusion attemptnetwork intrusion attemptsnetwork mappingnetwork port scanningnetwork probenetwork probingnetwork protocolnetwork reconnaissancenetwork scanningnetwork securitynetwork service scanningnetwork traffic analysisnmapnmap scannmap scan detectednull port scannull scanoceaniaopen port detectionopen port discoveryopen port identificationos detectionos fingerprintingpasswordpassword attackpassword attackspassword crackingpassword sprayingpassword theftpayment fraudphishingphishing attackphishing campaignphishing trappop3 brute forcepop3 scanningpossible botnet activitypossible intrusion attemptpossible malicious activitypossible malware distributionpossible reconnaissancepossible reconnaissance activitypossible vulnerability probingpossible vulnerability scanpossible vulnerability scanningpotential attack vectorpotential compromisepotential credential compromisepotential exploit targetingpotential intrusion attemptpotential malwarepotential malware activitypotential malware propagationpotential reconnaissancepotential reconnaissance activitypotential threatpotential threat activitypotential vulnerability assessmentpotential vulnerability exploitationpotential vulnerability scanpotential vulnerability scanningprice requestprice request scamprobing activityprocess injectionprotocol exploitationproxyproxy protocolpythonransomwareransomware probereconnaissancereconnaissance activityredis honeypotredis honeypot detectedredpiranhareferenceremote accessremote access attemptsremote servicesresearchedresource hijackingrtbhscams & fraudscanscannerscanning activityschedule themescheduled task abusescripting attackssecurity eventsecurity operationssecurity policysentrypeer botnetsentrypeer dataserver exploitationservice detectionservice discoveryservice enumerationservice scanservice version detectionsftpsftp attacksftp attemptsftp scanningsipsip brute forcesip exploitationsip scanningsip vulnerability exploitationsipvicious scanslugsmb brute forcesmb enumerationsmb scanningsmtpsmtp brute forcesmtp scanningsocial engineeringsocradarsoftware exploitationspamsql brute forcesql injectionsql injection attemptsql injection attemptssql serversshssh attackssh monitoringssh scanningstealthstealth scansurface websweep scansynsyn port scansyn scansyn scanningsystem discoveryt1003t1003.001t1016t1016.001t1018t1021t1021.001t1021.002t1021.003t1021.004t1021.006t1021.007t1021.008t1027t1040t1041t1046t1047t1048t1053t1055t1056t1057t1059t1059.001t1059.003t1059.004t1059.005t1059.007t1065t1068t1071t1071.001t1076t1077t1078t1078.001t1078.002t1078.003t1078.004t1083t1087t1087.001t1087.002t1087.003t1105t1110t1110.001t1110.002t1110.003t1110.004t1133t1134t1187t1189t1190t1192t1199t1203t1204t1204.002t1205t1210t1213t1486t1496t1497t1499.001t1499.002t1499.003t1505.002t1539t1555t1555.003t1562t1563t1565t1566t1566.001t1566.002t1566.003t1566.004t1573t1583t1587.001t1588t1588.002t1589t1589.001t1589.002t1590t1590.001t1590.002t1591t1592t1593t1595t1595.001t1595.002t1595.003t1598t1598.003tannertanner activitytanner detectedtanner detected activitytanner exploit attemptstargeted scantargeting databasetariff server compromisetariff server themetariffs servertcp protocoltcp scantcp scanningtelecommunicationtelecommunicationstelnet threatthreat actorthreat detectionthreat intelligencethreat preventiontor nodetpotcetsecudp port scanudp scanunauthorized accessunauthorized access attemptunauthorized access attemptsunauthorized activityunauthorized login attemptsunauthorized network activityunauthorized probingunauthorized scanninguncommon portsunited kingdomunknown threat actorunsolicited network probevoipvoip attackvulnerability scanweb application attackweb application attacksweb attackweb exploitationweb trafficwells fargo bankwestpac new zealandwetransfer abusewindow scanxmasxmas port scanxmas scanzmap

Activity Timeline

1 total obs
Apr 9Apr 9

Threat Activity Heatmap

· Peak: 2026-04-09
Less
More
Mon
Wed
Fri
Jun
·
·
Jul
·
·
·
Aug
·
·
·
Sep
·
·
·
·
Oct
·
·
·
Nov
·
·
·
Dec
·
·
·
·
Jan
·
·
·
Feb
·
·
·
Mar
·
·
·
·
Apr
·
·
·
May
·
·
·
Jun
·
24h
0
Dormant
7d
0
Dormant
30d
0
Dormant
3mo
1
Minimal
Threat ScoreHigh Risk
100
SIGNAL
Signal Score
99%
Confidence
27
Reports
First seenApr 2, 2024
Last seenApr 9, 2026
GeolocationHK
CountryHong Kong
LocationSão Paulo, São Paulo
ASNAS17561
OrgCloud Innovation Ltd
Coords22.2578, 114.1657
Proxy

VirusTotal

Not checked

WHOIS

description
2025-07-07T00:24:13.608Z Honeypot : Sentrypeer : Source: 154.212.141.253 Port: 5060 Data: OPTIONS sip:nm SIP/2.0 Via: SIP/2.0/UDP nm;branch=foo;rport From: <sip:nm@nm>;tag=root To: <sip:nm@nm> Call-ID: 50000 CSeq: 63104 OPTIONS Contact: <sip:nm@nm> Accept: application/sdp Max-forwards: 70 Content-Length: 0
raw
inetnum: 154.0.0.0 - 154.255.255.255 netname: ERX-NETBLOCK descr: Early registration addresses remarks: ------------------------------------------------------ remarks: Important: remarks: remarks: Networks in this range were allocated by InterNIC remarks: prior to the formation of Regional Internet remarks: Registries (RIRs): AfriNIC, APNIC, ARIN, LACNIC and RIPE NCC. remarks: remarks: Address ranges from this historical space have now remarks: been transferred to the appropriate RIR database.remarks: remarks: If your search has returned this record, it means the remarks: address range is not administered by APNIC. remarks: remarks: Instead, please search one of the following databases: remarks: remarks: - AfriNIC (Africa) remarks: website: http://www.afrinic.net/ remarks: command line: whois.afrinic.net remarks: remarks: - ARIN (Northern America) remarks: website: http://www.arin.net/ remarks: command line: whois.arin.net remarks: remarks: - LACNIC (Latin America and the Carribean) remarks: website: http://www.lacnic.net/ remarks: command line: whois.lacnic.net remarks: remarks: - RIPE NCC (Europe) remarks: website: http://www.ripe.net/ remarks: command line: whois.ripe.net remarks: remarks: For information on the Early Registration Transfer remarks: (ERX) project, see: remarks: remarks: http://www.apnic.net/db/erx remarks: remarks: ------------------------------------------------------ country: AU admin-c: IANA1-AP tech-c: IANA1-AP mnt-by: APNIC-HM mnt-lower: APNIC-HM status: ALLOCATED PORTABLE last-modified: 2015-08-28T00:31:22Z source: APNIC mnt-irt: IRT-APNIC-AP irt: IRT-APNIC-AP address: Brisbane, Australia e-mail: [email protected] abuse-mailbox: [email protected] admin-c: HM20-AP tech-c: NO4-AP auth: # Filtered remarks: APNIC is a Regional Internet Registry. remarks: We do not operate the referring network and remarks: are unable to investigate complaints of network abuse. remarks: For information about IRT, see www.apnic.net/irt remarks: [email protected] was validated on 2020-02-03 mnt-by: APNIC-HM last-modified: 2023-08-18T00:42:38Z source: APNIC role: Internet Assigned Numbers Authority address: see http://www.iana.org. admin-c: IANA1-AP tech-c: IANA1-AP nic-hdl: IANA1-AP remarks: For more information on IANA services remarks: go to IANA web site at http://www.iana.org. mnt-by: MAINT-APNIC-AP last-modified: 2018-06-22T22:34:30Z source: APNIC
references
https://github.com/telekom-security/tpotce, https://raw.githubusercontent.com/ahamed-rizvan/IOCs/refs/heads/main/Malicous%20IP%20Address.txt, https://redpiranha.net

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

medium
First detected 2 years ago · Last seen 2 months ago
Appeared in 27 threat reports