IP · Medium · Signal 71/100
167.94.138.50
Location: Ann Arbor, Michigan
First Seen: Jan 25, 2022
Last Seen: Jun 2, 2026
Found in 41 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category: Network Activity
Confidence: 71%
Signal Score: 71 / 100
IDS Rule: No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Network Information
Country: United States
Region: Ann Arbor, Michigan
Organization: Censys, Inc
IP Category: Proxy (Proxy server)
Feed Intelligence Summary
41 source reports · 71% confidence score
Category tags
abuse, access attempts, access control, account compromise, active scan, active scanning, adbhoney activity, adbhoney attacks, adbhoney exploitation, adbhoney honeypot, anomalous network connections, apache, apache attacker, application layer protocol, application scanning, apt, asia, atif feed, attack, attacker ips, attacker-ip, australia, authentication, authentication abuse, authentication attack, authentication attacks, authentication attempt, authentication attempts, authentication bypass, authentication failure, authentication_failures, auto-generated security, automated attack, automated attack activity, automated attacks, automated enumeration, automated reconnaissance activity, automated threat, automated-attack, bad reputation, bad web bot, banlist feed, bbc, bbc news, binary defense, block list, block.txt, blocklist_all, blog spam, botnet, botnet activity, botnet infections, brute force, brute force attack, brute force attacker, brute force attacks, brute force attempt, brute force attempts, brute force authentication, brute-force, brute-force attack, brute_force, c2, c2 communication, c2 server, calls-wmi, censys-benign, china, china cyber activity, china mobile, cisco asa vulnerability, cisco attack, cisco device, cisco device attack, cisco device attacks, cisco device targeting, cisco exploit attempts, cisco exploitation, cisco exploitation attempt, cisco exploitation attempts, cisco-device-targeting, cisco_exploit, citrix attack attempt, citrix brute force, citrix exploitation attempt, citrix security, close, cloud infrastructure, cloud infrastructure attack, cloud services, code execution, columns, command & control, command and control, command execution, command injection, command injection attempt, commercial sex, commercial spam, communication protocol, company limited, compromise attempt, compromised credentials, compromised credentials attempt, compromised host, compromised hosts, compromised system attempt, compromised system detection, compromised systems, connected devices, conpot activity, conpot attack, conpot attacks, conpot exploitation, conpot exploitation attempt, conpot honeypot, conpot ics attacks, container security, cowrie activity, cowrie attack, cowrie attacks, cowrie data, cowrie detection, cowrie honeypot, cowrie interaction, cowrie interactions, cowrie logs, cowrie ssh activity, cowrie ssh attack, cowrie ssh attacks, cowrie ssh honeypot, cowrie_attack, credential access, credential attack, credential attacks, credential brute force, credential brute-forcing, credential compromise, credential guessing, credential harvesting, credential stuffing, credential stuffing attempts, credential-stuffing, credential_access, credential_stuffing, credentialaccess, cta, curl, cve exploitation, d-link vulnerabilities, daily_sources, data encryption, data exfiltration, data exfiltration attempt, data harvesting attempts, data store exposure, data theft, database activity, database attack, database attacks, database exploitation, database exploitation attempts, database login attempt, database probing, database security, dcerpc, ddos, ddos attack, ddos attack indicators, ddos attempt, ddos preparation, ddos probe, ddospot, decoy system, delhi, denial of service, denial-of-service, denial-of-service attempt, device management, dictionary attack, digital ocean, dionaea activity, dionaea attack, dionaea attacks, dionaea capture, dionaea detection, dionaea honeypot, dionaea interactions, dionaea malware collection, dionaea malware sample, dionaea malware samples, dionaea payloads, directory traversal, directory traversal attempt, distributed attacks, dns, dns attack, docker, elasticpot honeypot, elasticsearch, elasticsearch monitoring, email, emailattack, encryption, enterprise networking, enterprise security, enumeration, eu cyber policies, europe, excel, executable file, exfiltration, exploit, exploit attempt, exploit attempts, exploit kit, exploit kit activity, exploit probing, exploit targeting, exploitation, exploitation activity, exploitation attempt, exploitation attempts, exploitation of privilege, exploitation of vulnerability, exploited host, external access attempts, extortion, failed login attempts, fatt, fatt analysis, fatt detections, fatt signatures, file, finland, france, fraud voip, ftp, ftp activity, ftp attack, ftp attacks, ftp brute force, ftp brute-force, ftp bruteforce, ftp scan, galah, gecko, germany, glutton, gopot, gpon router vulnerabilities, gurgaon, hacking, hello, hellpot, heralding activity, heralding scan, hk abusehandler, honeynet connect, honeytrap activity, honeytrap data, honeytrap detection, honeytrap events, honeytrap exploit attempts, honeytrap honeypot, honeytrap interactions, hong kong, http attack, http brute force, http exploitation, http probing, http request anomalies, http scanner, http scanning, http/s, https, https scanning, hurricane us, icmp, ics security, ics/scada attack, identity & access exploitation, illegal services, imap, india, india cyber activity, indicator, indicators of compromise, industrial control systems, industrial iot, information gathering, information technology, infrastructure acquisitionreconnaissance, initial access, initial access attempts, initial_access, injection activity, injection attacks, input validation, intel mac, internet of things, internet-facing, internet-facing service, intrusion detection, ioc, iocs, iot analytics, iot applications, iot attack, iot device targeting, iot platforms, iot security, iot targeted, iot/ics attack, ipphoney activity, ipphoney honeypot, it infrastructure, kfsensor honeypot, khtml, kibana, kill-chain exploitation, kill-chain reconnaissance, known malicious ip, lamp, lamp attack, lamp attack attempt, lamp exploit attempt, lamp exploit attempts, lamp exploitation, lamp exploitation attempts, lamp server attack, lamp server targeting, lamp stack, lamp stack attack, lamp stack attacks, lamp stack exploitation, lamp stack targeting, lamp vulnerability scan, lamp_exploit, lateral movement, lateral movement techniques, lcia, linux, linux malware, linux servers, linux systems, linux x8664, linux-server-attack, linux-server-targeting, linux_server_attacks, load balancer, log4pot, login, login attack, login attempt, login attempts, mail protocol abuse, mailoney activity, mailoney attack, mailoney attacks, mailoney detection, mailoney events, mailoney honeypot, mailoney interactions, malaysia, malicious activity, malicious activity detected, malicious email detection, malicious file transfer, malicious ip activity, malicious ip detected, malicious login attempts, malicious network activity, malicious payload, malicious payload detection, malicious payload distribution, malicious software, malicious software detection, malicious ssh activity, malicious traffic, malicious-login-attempts, malicious_activity, malware, malware activity, malware analysis, malware attempt, malware behaviour, malware capture, malware delivery, malware delivery attempt, malware deployment, malware detection, malware distribution, malware distribution attempts, malware download, malware download attempts, malware hosting, malware propagation, malware scanning, malware_activity, manual, medium-risk, medpot, mobile, mobile security, mssql, mssql brute force, mysql brute force, network, network activity, network attacks, network device attacks, network discovery, network enumeration, network infrastructure, network intrusion, network intrusion attempt, network intrusion attempts, network intrusion detection, network monitoring, network probe, network probing, network protocol, network reconnaissance, network scan, network scanning, network security, network service scanning, network services, network traffic analysis, network-based attack attempts, network_intrusion, noida, north america, null scan, oceania, open port detection, open proxy, os credential dumping, os fingerprinting, os x, p0f, p0f fingerprinting, p0f network fingerprinting, p0f os fingerprinting, p0f passive fingerprinting, p0f signatures, password attack, password attacks, password cracking, password spraying, password_guessing, perimeter security, pgp sign, phishing, phishing attack, phishing trap, php injection attempts, poland, port-scanning, possible botnet activity, possible exploit attempt, possible malicious activity, possible malware activity, possible malware distribution, possible malware dropper, possible malware propagation, possible mirai variant, potential botnet, potential botnet activity, potential compromise, potential credential theft, potential exploit activity, potential exploit attempts, potential intrusion, potential malicious activity, potential malware, potential malware activity, potential malware delivery, potential malware distribution, potential malware propagation, potential vulnerability exploitation, privilege escalation, process injection, protocol abuse, protocol exploitation, protocol-abuse, proxy, proxy access, publicly accessible infrastructure, ransomware, ransomware activity, rce vulnerabilities, rdp attacks, reconnaissance, reconnaissance activity, reconnaissance-activities, redis exploitation, redis exploitation attempt, redis exploitation attempts, redis honeypot, redis honeypot activity, redishoneypot activity, regional security, remote access, remote access abuse, remote access attacks, remote access attempt, remote access attempts, remote code execution, remote service exploitation, remote services, remote_access, researched, resource development, resource hijacking, sans, scams & fraud, scanner, scanner detection, scanners, scanning activities, scanning activity, scripting attacks, security operations, security policy, sensor-tagged, sentrypeer activity, sentrypeer botnet, sentrypeer data, sentrypeer detection, sentrypeer events, sentrypeer interactions, server exploitation, server security, service enumeration, service scan, service scanning, sftp access attempt, sftp activity, sftp attack, sftp attacks, sftp attempt, sftp attempts, sftp brute-force, sftp bruteforce, sftp exploit, sftp exploitation attempt, sftp intrusion attempt, sftp probing, sftp scanning, sftp-attack, sftp-brute-force, sftp_attack, shell access, shell access attempt, shell access attempts, singapore, sip attacks, sip brute force, sip brute-force, sip probing, sip scan, sip scanning, sip vulnerability scan, sip-scanning, sip_attack, sipp, smart devices, smb attacks, smb brute force, smb exploitation, smtp, smtp attacks, smtp brute force, smtp probing, smtp scanning, snare, social engineering, software development, software exploitation, spam, spam advertisement, spam advertisement campaign, sql injection, sql injection attempt, sql injection attempts, ssh attack, ssh attacks, ssh brute-force, ssh bruteforce, ssh monitoring, ssh scan, ssh-brute-force, ssh_bruteforce, surface web, suricata alert, suricata alerts, syn scan, system discovery, system disruption, systembc botnet, t-pot, t1003, t1005, t1016, t1016.001, t1018, t1020, t1021, t1021.001, t1021.002, t1021.003, t1021.004, t1021.005, t1021.006, t1027, t1040, t1041, t1046, t1047, t1048, t1053, t1053.005, t1055, t1056, t1059, t1059.001, t1059.003, t1059.004, t1059.005, t1059.007, t1064, t1065, t1068, t1070, t1071, t1071.001, t1076, t1077, t1078, t1078.001, t1078.002, t1078.003, t1078.004, t1083, t1087, t1105, t1110, t1110.001, t1110.002, t1110.003, t1110.004, t1133, t1187, t1189, t1190, t1192, t1195, t1199, t1203, t1204, t1204.002, t1210, t1486, t1490, t1496, t1497, t1499.001, t1499.002, t1499.003, t1505, t1505.002, t1505.004, t1550, t1550.002, t1550.003, t1555, t1555.003, t1562, t1563, t1565, t1566, t1566.001, t1566.002, t1566.003, t1566.004, t1572, t1573, t1573.001, t1583, t1583.001, t1587.001, t1588, t1588.002, t1588.006, t1589, t1589.002, t1590, t1590.001, t1590.004, t1590.006, t1592, t1592.002, t1595, t1595.001, t1595.002, t1595.003, t1598, t1598.003, t1608, tanner, tanner activity, tanner attacks, tanner events, tanner exploits, tanner incident, tanner interactions, targeting database, tcp protocol, tcp scan, tcp/23, telecommunications, telnet attacks, telnet attempts, telnet threat, telnet-brute-force, text, threat actor, threat actor activity, threat detection, threat feed, threat intelligence, threat intelligence feed, threat prevention, timeout, top10.txt, topips.txt, tor node, tpot, tpotce, ttps, ubuntu, udp port scan, udp scan, unauthorized access, unauthorized access attempt, unauthorized access attempts, unauthorized login, unauthorized login attempt, unauthorized login attempts, unauthorized probing, unauthorized-access-attempt, united kingdom, united states, united states of america, unknown threat actor, unsolicited communication, unsolicited contact, unsolicited content, unusual network traffic, us, us abuse, us cyber activity, us none, us source, us source ip, user enumeration, valid accounts, verified-benign, vnc protocol, voip, voip attack, vulnerability scan, waf, wazuh, web application attack, web application attacks, web application scanning, web attack, web attacks, web crawling detection, web exploit attempt, web exploitation, web exploits, web login attempt, web scanner, web server, web server attacks, web server exploitation, web shell, web shell attempt, web shell detection, web shell upload, web shell uploads, web spam, web traffic, web-application-attack, web-application-attacks, web_attack, wget, windows malware, windows nt, wordpot, xls, xmas scan, xss
Activity Timeline: Jun 2 to Jun 2
Threat Activity Heatmap · Peak: 2026-06-02
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Intelligence Summary (AI generated)
This Indicator of Compromise (IOC) holds significant importance as it is strongly associated with hostile network activities, including widespread scanning, brute-force attempts, and consistent honeypot detections, indicative of an active threat. Its high score of 71.4096 underscores the serious nature of the associated risk. If this IP address is found interacting with organizational assets, it could signal an ongoing compromise, an attempted breach, or preparatory reconnaissance for a targeted…
Threat Score: High Risk
Signal Score: 71
Confidence: 71%
Reports: 41
First seen: Jan 25, 2022
Last seen: Jun 2, 2026
Geolocation: US
Country: United States
Location: Ann Arbor, Michigan
Org: Censys, Inc
Coords: 42.2809, -83.7489
Proxy
VirusTotal: Not checked
WHOIS
- description: Observed on T-Pot within last 24h; sensors=honeytrap, p0f, suricata; threshold ≥ 1; private IPs excluded.
- raw
  NetRange: 167.94.138.0 - 167.94.138.255
  CIDR: 167.94.138.0/24
  NetName: CENSY
  NetHandle: NET-167-94-138-0-1
  Parent: NET167 (NET-167-0-0-0-0)
  NetType: Direct Allocation
  OriginAS: AS398324
  Organization: Censys, Inc. (CENSY)
  RegDate: 2021-09-13
  Updated: 2024-03-29
  Ref: https://rdap.arin.net/registry/ip/167.94.138.0
  OrgName: Censys, Inc.
  OrgId: CENSY
  Address: 116 1/2 S Main Street
  City: Ann Arbor
  StateProv: MI
  PostalCode: 48104
  Country: US
  RegDate: 2018-08-06
  Updated: 2019-08-03
  Comment: https://censys.io
  Ref: https://rdap.arin.net/registry/entity/CENSY
  OrgTechHandle: COT12-ARIN
  OrgTechName: Censys Operations Team
  OrgTechPhone: +1-248-629-0125
  OrgTechEmail: [email protected]
  OrgTechRef: https://rdap.arin.net/registry/entity/COT12-ARIN
  OrgAbuseHandle: CAT20-ARIN
  OrgAbuseName: Censys Abuse Team
  OrgAbusePhone: +1-248-629-0125
  OrgAbuseEmail: [email protected]
  OrgAbuseRef: https://rdap.arin.net/registry/entity/CAT20-ARIN
  OrgNOCHandle: COT12-ARIN
  OrgNOCName: Censys Operations Team
  OrgNOCPhone: +1-248-629-0125
  OrgNOCEmail: [email protected]
  OrgNOCRef: https://rdap.arin.net/registry/entity/COT12-ARIN
- references
  - https://github.com/telekom-security/tpotce
  - https://blocklist.greensnow.co/greensnow.txt
  - https://www.binarydefense.com/banlist.txt
  - https://lists.blocklist.de/lists/all.txt
  - https://rules.emergingthreats.net/blockrules/compromised-ips.txt
  - https://www.linkedin.com/posts/starlightintel_cybersecurity-cyberattack-rce-activity-7265732335654830081-bUUh?utm_source=share&utm_medium=member_desktop
IOC Journey
medium · First detected 4 years ago · Last seen 10 days ago
Appeared in 41 threat reports