IP · Medium · Signal 60/100
154.223.20.58
Location
Taoyuan, Taiwan
ASN
AS138915
Lightnode Limited
First Seen
Feb 13, 2025
Last Seen
May 22, 2026
Found in 17 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
60%
Signal Score
60 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Network Information
Country
Taiwan, Province of China
Region
Taoyuan, Taiwan
ASN
AS138915
Organization
Lightnode Limited
IP Category
Proxy
Proxy server
Feed Intelligence Summary
17 source reports · 60% confidence score
Category tags
abuse; active scan; active scanning; amadey; analyst; antispam; asia; asyncrat; attack; auto-color; backdoor; bad reputation; bianlian; botnet; botnet activity; brute force; c2; cobalt-strike; cobaltstrike; command & control; command and control; compromised credentials; cowrie; cowrie honeypot; credential access; credential harvesting; credential stuffing; cyber; darktrace; data encryption; data exfiltration; data store exposure; decoy system; deimos; distributed attacks; encryption; exploitation activity; extortion; first; gh0st rat; ghostsocks; hak5_cloud_c2; havoc; hong kong; hookbot; hostname; hostname enumeration; identity & access exploitation; information gathering; information technology; infostealer; infrastructure acquisition reconnaissance; initial access; injection activity; it infrastructure; linux; log4j; lumma stealer; lynx; malicious activity; malicious software; malware; manual; monitoring; netsupportrat; network; network scanning; pegasus; phishing; phishing attack; possible ransomware; process injection; proxy; qakbot; qilin; ransomhub; ransomware; raspberry robin; rats; reconnaissance; remcos; remcos trojan; remote access; remote services; researched; reverse shell; saas; scanning activity; seychelles; sftp; sftp attack; sliver; social engineering; socks proxy; software development; spam; ssh; ssh attack; ssh monitoring; stealc; supershell; system disruption; t1001; t1003; t1005; t1016; t1021.001; t1027; t1036; t1041; t1048; t1053; t1055; t1056; t1059; t1059.003; t1059.004; t1068; t1071; t1071.001; t1078; t1078.003; t1105; t1110; t1110.001; t1110.002; t1133; t1189; t1190; t1486; t1490; t1496; t1499.002; t1499.003; t1543; t1546; t1547; t1555; t1565; t1566.001; t1566.002; t1566.003; t1571; t1587.001; t1588; t1589.001; t1590.001; t1595; t1595.001; t1595.002; t1595.003; taiwan; taiwan, province of china; threat actor; tor node; tpotce; tw
Activity Timeline
May 22 to May 22
Threat Activity Heatmap (peak: 2026-05-22)
Activity by window
24h: 0 reports (Dormant)
7d: 0 reports (Dormant)
30d: 1 report (Minimal)
3mo: 1 report (Minimal)
Threat Score
Medium Risk (signal 60)
Signal Score
60%
Confidence
17 reports
First seen
Feb 13, 2025
Last seen
May 22, 2026
Geolocation
TW
Country
Taiwan, Province of China
Location
Taoyuan, Taiwan
ASN
AS138915
Org
Lightnode Limited
Coords
22.2578, 114.1657
IP Category
Proxy
VirusTotal
Not checked
WHOIS
- description
- CC=HK ASN=AS328608 african network information center
IOC Journey
Medium · First detected 1 year ago · Last seen 23 days ago
Appeared in 17 threat reports