IOC Radar
IP · Medium · Signal 75/100

185.208.159.170

Location
Switzerland
Houston, TX
First Seen
Jan 25, 2025 (507d ago)
Last Seen
Apr 16, 2026 (61d ago)
Reports
19 source reports
Confidence
75% (medium)
Found in 19 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
75%
Signal Score
75 / 100
IDS Rule
No
Threat Context
Tags: MITRE ATT&CK
MITRE ATT&CK TTPs
62 techniques

Network Information

Country
CH (Switzerland)
Region
Houston, TX
Organization
Global-Data System IT Corporation

IP Category

Proxy
Proxy server
VPN
VPN exit node

Feed Intelligence Summary

19 reports · 75% confidence
Source reports
19
Confidence score
75%
Category tags

Activity Timeline

1 total observation (Apr 16)

Threat Activity Heatmap

[Daily heatmap, Jun through Jun · Peak: 2026-04-16]
24h
0 (Dormant)
7d
0 (Dormant)
30d
0 (Dormant)
3mo
1 (Minimal)
Threat Score
High Risk
Signal Score
75
Confidence
75%
Reports
19
First seen
Jan 25, 2025
Last seen
Apr 16, 2026
Geolocation
CH
Country
Switzerland
Location
Houston, TX
Org
Global-Data System IT Corporation
Coords
29.9359, -95.4014
Categories
Proxy, VPN

VirusTotal

Not checked

WHOIS

description
Anonymization_Network indicators. Date: Apr 8, 2026. Part 3/5. For more threat intelligence visit https://ltna.com.au/cyber
raw
NetRange: 185.0.0.0 - 185.255.255.255
CIDR: 185.0.0.0/8
NetName: RIPE-185
NetHandle: NET-185-0-0-0-1
Parent: ()
NetType: Allocated to RIPE NCC
OriginAS:
Organization: RIPE Network Coordination Centre (RIPE)
RegDate: 2011-01-04
Updated: 2025-02-10
Comment: These addresses have been further assigned to users in the RIPE NCC region. Please note that the organization and point of contact details listed below are those of the RIPE NCC not the current address holder. ** You can find user contact information for the current address holder in the RIPE database at http://www.ripe.net/whois.
Ref: https://rdap.arin.net/registry/ip/185.0.0.0
ResourceLink: https://apps.db.ripe.net/db-web-ui/query
ResourceLink: whois.ripe.net
OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2013-07-29
Ref: https://rdap.arin.net/registry/entity/RIPE
ReferralServer: whois.ripe.net
ResourceLink: https://apps.db.ripe.net/db-web-ui/query
OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName: Abuse Contact
OrgAbusePhone: +31205354444
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3850-ARIN
OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/RNO29-ARIN
references
https://www.proofpoint.com/us/blog/threat-insight/security-brief-threat-actors-take-taxes-account
https://github.com/telekom-security/tpotce
https://threatfox.abuse.ch/export/csv/recent/
https://www.proofpoint.com/us/blog/threat-insight/security-brief-threat-actors-take-taxes-account?utm_source=social_organic&utm_social_network=twitter&utm_campaign=2025&utm_post_id=ea59ad2c-af76-4242-9e8d-3947e3db8856

IOC Journey

Confidence: medium
First detected 1 year ago · Last seen 2 months ago
Appeared in 19 threat reports