IOC Radar
IP · Medium · Signal 64/100

171.25.193.78

Location: Stockholm, Stockholm County, Sweden
ASN: AS198093 (DFRI)
First Seen: Aug 26, 2020 (2116d ago)
Last Seen: Jun 2, 2026 (10d ago)
Reports: 54 source reports
Confidence: 64% (medium)
Found in 54 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address: Network layer indicator observed in threat reports.
MISP Category: Network Activity
Confidence: 64%
Signal Score: 64 / 100
IDS Rule: No
Threat Context
MITRE ATT&CK TTPs

85 techniques

Network Information

Country: SE (Sweden)
Region: Stockholm, Stockholm County
ASN: AS198093
Organization: DFRI

IP Category

Proxy: Proxy server
VPN: VPN exit node

Feed Intelligence Summary

Source reports: 54
Confidence score: 64%
Category tags

Activity Timeline

1 total obs (Jun 2 to Jun 2)

Threat Activity Heatmap

Peak: 2026-06-02
[Heatmap: activity by weekday (Mon, Wed, Fri) per month, Jun through Jun; legend Less to More]
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Intelligence Summary (AI Generated)

This IOC, an IPv4 address 171.25.193.78, carries a high threat score of 64.46, indicating a significant risk to organizational security. Its presence in numerous prominent threat intelligence feeds, including AbuseIPDB, AlienVault OTX, and SOCRadar feeds, strongly suggests its involvement in malicious activities. This IP address has been linked to anonymization networks, specifically Tor exit nodes, which are frequently exploited by threat actors to mask their origins and evade detection. The at…

Threat Score: Medium Risk
Signal Score: 64
Confidence: 64%
Reports: 54
First seen: Aug 26, 2020
Last seen: Jun 2, 2026
Geolocation: SE
Country: Sweden
Location: Stockholm, Stockholm County
ASN: AS198093
Org: DFRI
Coords: 59.3327, 18.0656
Proxy: VPN

VirusTotal

Not checked

WHOIS

description
Anonymization_Network indicators. Date: Apr 8, 2026. Part 1/5. For more threat intelligence visit https://ltna.com.au/cyber
raw
inetnum: 171.25.193.0 - 171.25.193.255
netname: SE-TORNET
country: SE
org: ORG-DFRI1-RIPE
admin-c: ER6905-RIPE
admin-c: EJ1830-RIPE
admin-c: JN9999
tech-c: JN9999
tech-c: ER6905-RIPE
tech-c: EJ1830-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: DFRI-MNT
mnt-routes: DFRI-MNT
mnt-domains: DFRI-MNT
created: 2012-01-13T14:21:25Z
last-modified: 2023-02-26T08:58:54Z
source: RIPE # Filtered
sponsoring-org: ORG-KA113-RIPE

organisation: ORG-DFRI1-RIPE
org-name: Foreningen for digitala fri- och rattigheter
country: SE
descr: DFRI
remarks: https://dfri.se/
org-type: OTHER
address: Box 3644
address: SE-103 59 STOCKHOLM
phone: +460700178928
abuse-c: DA4271-RIPE
mnt-ref: DFRI-MNT
mnt-by: DFRI-MNT
created: 2011-09-23T08:15:50Z
last-modified: 2022-12-01T16:22:10Z
source: RIPE # Filtered

person: Erik Jaderberg
address: Box 3644
address: SE-103 59 STOCKHOLM
phone: +46767874761
mnt-by: DFRI-MNT
created: 2023-02-26T08:29:33Z
last-modified: 2023-02-26T08:29:33Z
source: RIPE # Filtered
nic-hdl: EJ1830-RIPE

person: Elias Rudberg
address: Box 3644
address: SE-103 59 STOCKHOLM
phone: +46704990412
created: 2023-02-26T08:26:53Z
last-modified: 2023-02-26T08:26:53Z
source: RIPE # Filtered
nic-hdl: ER6905-RIPE
mnt-by: DFRI-MNT

person: Johan Nilsson
address: Box 3644
address: SE-103 59 STOCKHOLM
phone: +46700178928
nic-hdl: JN9999
mnt-by: DFRI-MNT
created: 2012-06-09T13:39:59Z
last-modified: 2014-03-31T16:23:52Z
source: RIPE # Filtered

route: 171.25.193.0/24
descr: DFRI
origin: AS198093
org: ORG-DFRI1-RIPE
mnt-by: DFRI-MNT
created: 2012-01-20T13:28:05Z
last-modified: 2012-01-20T13:28:05Z
source: RIPE

organisation: ORG-DFRI1-RIPE
org-name: Foreningen for digitala fri- och rattigheter
country: SE
descr: DFRI
remarks: https://dfri.se/
org-type: OTHER
address: Box 3644
address: SE-103 59 STOCKHOLM
phone: +460700178928
abuse-c: DA4271-RIPE
mnt-ref: DFRI-MNT
mnt-by: DFRI-MNT
created: 2011-09-23T08:15:50Z
last-modified: 2022-12-01T16:22:10Z
source: RIPE # Filtered


IOC Journey

medium
First detected 5 years ago · Last seen 10 days ago
Appeared in 54 threat reports