IOC Radar
IP · Medium · Signal 59/100

185.247.137.243

Location: Turkey, Manchester, 16
ASN: AS211298 (Constantine Cybersecurity LTD)
First Seen: Dec 12, 2024
Last Seen: Jun 22, 2026
Found in 30 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category: Network Activity
Confidence: 59%
Signal Score: 59 / 100
IDS Rule: No
Threat Context

MITRE ATT&CK TTPs

67 techniques

Network Information

Country: TR (Turkey)
Region: Manchester, 16
ASN: AS211298
Organization: Constantine Cybersecurity LTD

IP Category

VPN
VPN exit node

Feed Intelligence Summary

30 source reports · 59% confidence score
Category tags

Activity Timeline

1 total obs, Jun 22 to Jun 22

Threat Activity Heatmap

[Heatmap: activity by weekday, months Jun through Jun, scale Less to More]
24h: 0 (Dormant)
7d: 1 (Minimal)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: Medium Risk
Signal Score: 59
Confidence: 59%
Reports: 30
First seen: Dec 12, 2024
Last seen: Jun 22, 2026
Geolocation: TR
Country: Turkey
Location: Manchester, 16
ASN: AS211298
Org: Constantine Cybersecurity LTD
Coords: 40.2024, 29.0398
VPN

VirusTotal

Not checked

WHOIS

description: IPv4 hosts detected port scanning DigitalOcean London (UK) honeypot

raw:
inetnum: 185.247.137.128 - 185.247.137.255
netname: DRIFTNET-IPV4-F
remarks: +-----------------------------------------------------------
remarks: | This IP range is not attacking your network.
remarks: | Visit https://internet-measurement.com for more details.
remarks: | View data collected at https://driftnet.io.
remarks: +-----------------------------------------------------------
country: GB
admin-c: DH9005-RIPE
tech-c: DH9005-RIPE
abuse-c: DH9005-RIPE
status: LIR-PARTITIONED PA
mnt-by: lir-uk-driftnet-1-MNT
created: 2024-11-27T15:42:56Z
last-modified: 2024-12-09T15:47:14Z
source: RIPE # Filtered

role: Driftnet Hostmaster
address: Unit 72465, PO Box 6945
address: W1A 6US
address: London
address: UNITED KINGDOM
phone: +442037450350
abuse-mailbox: [email protected]
nic-hdl: DH9005-RIPE
mnt-by: lir-uk-driftnet-1-MNT
created: 2024-10-30T18:00:18Z
last-modified: 2024-10-31T10:49:52Z
source: RIPE # Filtered

route: 185.247.137.0/24
origin: AS211298
mnt-by: lir-uk-driftnet-1-MNT
created: 2024-11-27T15:33:43Z
last-modified: 2024-11-28T11:34:21Z
source: RIPE

references:
https://github.com/telekom-security/tpotce
https://jamesbrine.com.au/digitaloceansingapore-portscan-bruteforce-ip-list-2026-03-05/
https://jamesbrine.com.au
https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt
https://raw.githubusercontent.com/ahamed-rizvan/IOCs/refs/heads/main/Malicous%20IP%20Address.txt

IOC Journey

medium
First detected 1 year ago · Last seen 5 days ago
Appeared in 30 threat reports