IOC Radar
IP · Medium · Signal 74/100

176.65.148.254

Location
Germany
Eygelshoven, Limburg
ASN
AS51396
Pfcloud UG
First Seen
Apr 12, 2025
Last Seen
Jun 2, 2026
Found in 22 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
74%
Signal Score
74 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

73 techniques

Network Information

Country: DE (Germany)
Region: Eygelshoven, Limburg
ASN: AS51396
Organization: Pfcloud UG

IP Category

Proxy
Proxy server

Feed Intelligence Summary

22 source reports · 74% confidence score
Category tags

Activity Timeline

1 total observation (Jun 2 to Jun 2)

Threat Activity Heatmap · Peak: 2026-06-02 (calendar grid, Jun through Jun; no further data recoverable)
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: High Risk
Signal Score: 74
Confidence: 74%
Reports: 22
First seen: Apr 12, 2025
Last seen: Jun 2, 2026
Geolocation: DE
Country: Germany
Location: Eygelshoven, Limburg
ASN: AS51396
Org: Pfcloud UG
Coords: 51.2993, 9.4910
Proxy

VirusTotal

Not checked

WHOIS

description
Observed on T-Pot within last 24h; sensors=suricata; threshold?1; private IPs excluded.
raw
inetnum: 176.65.148.0 - 176.65.148.255
netname: PF-CLOUD-NET-1
country: DE
org: ORG-PU39-RIPE
admin-c: AA42303-RIPE
tech-c: AA42303-RIPE
status: ASSIGNED PA
mnt-by: MNT-ZEXOTEK
created: 2025-04-09T07:19:59Z
last-modified: 2025-04-09T16:10:10Z
source: RIPE

organisation: ORG-PU39-RIPE
org-type: OTHER
org-name: Pfcloud UG
address: Lilienstraße 5
address: 94051 Hauzenberg
country: DE
abuse-c: AA42303-RIPE
mnt-ref: MNT-NETERRA
mnt-ref: pfcloud-mnt
mnt-ref: WHITELABEL-MNT
mnt-ref: DGTL-MNT
mnt-ref: LV-VERNET-HM-MNT
mnt-ref: lir-ae-royal-1-MNT
mnt-ref: mnt-de-xsserver-1
mnt-ref: Mnt-zexotek
mnt-by: pfcloud-mnt
created: 2023-11-26T15:29:32Z
last-modified: 2025-04-09T11:06:56Z
source: RIPE # Filtered

role: Admin
address: Lilienstraße 5, 94051 Hauzenberg
abuse-mailbox: [email protected]
nic-hdl: AA42303-RIPE
mnt-by: pfcloud-mnt
created: 2023-11-26T15:27:29Z
last-modified: 2024-02-08T20:37:11Z
source: RIPE # Filtered

route: 176.65.148.0/24
origin: AS51396
mnt-by: MNT-ZEXOTEK
created: 2025-04-09T07:22:39Z
last-modified: 2025-04-09T07:22:39Z
source: RIPE
references
https://github.com/telekom-security/tpotce, https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt, https://1275.ru/ioc/gs-25-19131-mirai-botnet-iocs_11023, https://1275.ru/ioc/gs-25-19129-mirai-botnet-iocs_11015, https://1275.ru/ioc/gs-25-19128-mirai-botnet-iocs_11001, https://1275.ru/ioc/gs-25-19127-mirai-botnet-iocs_10989, https://1275.ru/ioc/gs-25-19125-mirai-botnet-iocs_10956, https://1275.ru/ioc/gs-25-19126-mirai-botnet-iocs_10970

IOC Journey

medium
First detected 1 year ago · Last seen 8 days ago
Appeared in 22 threat reports