IOC Radar
IP · Medium · Signal 82/100

176.120.22.13

Location: Moscow, Moscow, Russian Federation
ASN: AS198953 (Proton66 OOO)
First Seen: Jan 16, 2026 (146d ago)
Last Seen: May 20, 2026 (22d ago)
Reports: 22 source reports
Confidence: 82% (medium)
Found in 22 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category: Network Activity
Confidence: 82%
Signal Score: 82 / 100
IDS Rule: No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

55 techniques

Network Information

Country: RU (Russian Federation)
Region: Moscow, Moscow
ASN: AS198953
Organization: Proton66 OOO

IP Category

Proxy: Proxy server
VPN: VPN exit node

Feed Intelligence Summary

22 source reports, 82% confidence score
Category tags
abuse, access control, active scan, active scanning, and injection attempts, apache, apache attacker, application layer protocol, apt, asia, attack, attacker infrastructure, attacker ip, attacker ip addresses, attacker ip: confirmed, attacker ip: detected, attacker-ip, australia, authentication, authentication abuse, authentication attack, authentication attempt, automated attack, automated attack attempts, automated attacks, automated-attack, bad reputation, bad web bot, blocklist_all, blog spam, botnet, botnet activity, brute force, brute force attack, brute force attacker, brute force attacks, brute force attempt, brute force attempts, brute-force, bruteforce, c2, cisco device, cisco device attack, code execution, code injection, code-injection, command & control, command and control, command execution, communication protocol, compromise attempt, compromised credentials, compromised host, compromised hosts, compromised system, cowrie, cowrie data, cowrie honeypot, credential access, credential attack, credential brute force, credential harvesting, credential stuffing, credential-abuse, credential-access, credential-stuffing, data exfiltration, data store exposure, database security, ddos, ddos attack, decoy system, denial of service, denial-of-service, device management, distributed attacks, enterprise networking, europe/asia, exploit probing, exploitation, exploitation activity, exploitation attempts, exploited host, external attack, failed login, file, fraud orders, fraud voip, ftp, ftp brute force, ftp brute-force, ftp bruteforce, hacking, http attack, http probing, http scanner, http scanning, https, https scanning, identity & access exploitation, india, initial access, initial-access, initial-access-attempt, injection activity, injection attacks, intrusion detection, ioc, iot security, iot targeted, ip-address, ip-addresses, ipv4, kill-chain exploitation, kill-chain reconnaissance, lateral movement, login attack, login attempt, low-risk, malicious activity, malicious file transfer, malicious network activity, malicious software, malicious-ip, malware, network, network attacks, network infrastructure, network intrusion, network intrusion attempt, network intrusion attempts, network probing, network protocol, network reconnaissance, network scanning, network security, network service scanning, network sniffing, network-reconnaissance, north america, oceania, open proxy, opencti, osint, password attack, password attacks, password cracking, password spraying, phishing, phishing attack, ping of death, port-scan, port-scanning, potential vulnerability exploitation, probing and exploitation, process injection, protocol exploitation, proxy, ransomware, reconnaissance, remote access, remote access attempt, remote access attempts, remote services, researched, ru, russia, scams & fraud, scan, scanner, scanner detection, scanning activity, scripting attacks, security operations, security policy, service scan, sftp, sftp attack, sftp exploitation attempts, sip, smtp, social engineering, spam, sql-injection, ssh, ssh attack, ssh monitoring, t1016, t1021, t1021.001, t1021.004, t1040, t1041, t1046, t1055, t1056, t1059, t1059.003, t1059.004, t1059.007, t1068, t1071, t1071.001, t1071.002, t1076, t1078, t1078.002, t1078.003, t1078.004, t1105, t1110, t1110.001, t1110.002, t1110.003, t1110.004, t1133, t1187, t1189, t1190, t1199, t1203, t1486, t1496, t1499.001, t1499.002, t1499.003, t1563, t1565, t1566.001, t1566.002, t1566.003, t1588, t1588.004, t1589, t1589.001, t1589.002, t1590.002, t1592, t1595, t1595.001, t1595.002, t1595.003, targeting database, tcp protocol, telecommunications, telnet threat, tftp, threat activity, threat actor, threat intelligence, threat prevention, threat-intelligence, tor node, unauthorized access, unauthorized access attempts, unauthorized login attempts, united states, valid accounts, voidtrap, voip, vpn, vpn ip, vulnerability scan, vulnerability-scanning, web application attack, web application attacks, web application scanning, web attack, web exploitation, web spam, web traffic, web-application-attack, web-vulnerability

Activity Timeline

1 total observation: May 20

Threat Activity Heatmap

Peak: 2026-05-20
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: 82 (High Risk)
Coords: 37.7510, -97.8220

VirusTotal

Not checked

WHOIS

description
Score: 79/100 | Detector: threat_feed | Label: reported_abuse | Tags: compromised_host, reported_abuse
raw

inetnum: 176.120.22.0 - 176.120.22.255
netname: RU-PROTON66-20240827
country: RU
org: ORG-PO84-RIPE
admin-c: TD6653-RIPE
tech-c: TD6653-RIPE
status: ALLOCATED PA
mnt-by: lir-ru-proton66-1-MNT
mnt-by: RIPE-NCC-HM-MNT
created: 2024-08-27T06:51:36Z
last-modified: 2024-08-27T06:51:36Z
source: RIPE

organisation: ORG-PO84-RIPE
org-name: Proton66 OOO
country: RU
org-type: LIR
address: DISTRICT No. 54, ISKROVSKY PR-KT, D. 21, LIT. U, kv.218
address: 193230
address: ST. PETERSBURG
address: RUSSIAN FEDERATION
phone: +7 999 528 52 71
admin-c: TD6653-RIPE
tech-c: TD6653-RIPE
abuse-c: AR70098-RIPE
mnt-ref: lir-ru-proton66-1-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: lir-ru-proton66-1-MNT
created: 2023-03-27T12:26:54Z
last-modified: 2023-03-27T12:26:54Z
source: RIPE # Filtered

role: Tech dept.
address: RUSSIAN FEDERATION
address: ST. PETERSBURG
address: 193230
address: DISTRICT No. 54, ISKROVSKY PR-KT, D. 21, LIT. U, kv.218
phone: +7 999 528 52 71
nic-hdl: TD6653-RIPE
mnt-by: lir-ru-proton66-1-MNT
created: 2023-03-27T12:26:52Z
last-modified: 2023-03-27T12:26:53Z
source: RIPE # Filtered

route: 176.120.22.0/24
origin: AS198953
created: 2026-01-14T10:30:14Z
last-modified: 2026-01-14T10:30:14Z
source: RIPE
mnt-by: lir-ru-proton66-1-MNT
references

https://purplesynapz.com/
https://github.com/telekom-security/tpotce
https://jamesbrine.com.au/bruteforce-ip-list-2026-03-15/
https://jamesbrine.com.au
https://jamesbrine.com.au/bruteforce-ip-list-2026-03-13/
https://voidvendor.com/intel
