IP · Medium · Signal 73/100
195.47.238.178
Location
Stockholm, Stockholm County
ASN
AS30893
No ACK Group Holding AB
First Seen
Feb 2, 2025
Last Seen
Jun 17, 2026
Found in 43 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
73%
Signal Score
73 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Network Information
Country
Sweden
Region: Stockholm, Stockholm County
ASN: AS30893
Organization: No ACK Group Holding AB
IP Category
Proxy
Proxy server
VPN
VPN exit node
Feed Intelligence Summary
43 reports · 73% confidence
43
Source reports
73%
Confidence score
Category tags
abuse, academic institutions, access control, access token, accommodation and food services, accommodation services, account compromise, account discovery, account profiling, account takeover, active scan, active scanning, adbhoney activity, adbhoney honeypot, adrecon, akia, amazon web, android device attacks, anonymity network abuse, anonymization network, anonymization network traffic, anonymization_service_traffic, antispam, apache, apache attacker, api abuse, api key, api keys leak, api services, application layer protocol, apt, article, asa, attack, attack source, attack_pattern, australia, authentication, automated attacks, automated threat, automated-attack, automated_attack, automated_attacks, bad reputation, bad web bot, banking, bbc, bitcoin, blacklisted domain, blacklisted ip, blacklisted ip address, blacklisted url, blockchain, blocklist, blog spam, botnet, botnet activity, botnet c2, botnet communication, brute force, brute force attack, brute force attacks, brute force attempt, brute force attempts, brute-force, brute-force attack, brute_force, c2 communication, c2 server, case, case where, cert, cisco, cisco asa, cisco device, cisco exploitation, cisco exploitation attempt, cisco_devices, cobalt strike, code injection, command & control, command and control, comments from, commodity contracts intermediation, communication protocol, communication technologies, compromised accounts, compromised credentials, compromised host, compromised hosts, compromised library, compromised system detection, connected devices, conpot, conpot activity, conpot honeypot, consumer goods, content delivery, cowrie, cowrie activity, cowrie attacks, cowrie honeypot, cowrie interactions, cowrie ssh honeypot, credential access, credential attacks, credential brute force, credential guessing, credential harvesting, credential stuffing, credential theft, credential-stuffing, credential_access, credential_access_attempts, credential_guessing, credential_stuffing, credentials, credentials leak, credit card services, cross-site scripting, crypto exchange, crypto mining, crypto wallet, cryptocurrency, cti weekly, customer data breach, darkforums, data breach, data encryption, data exfiltration, data exfiltration attempt, data exfiltration attempts, data leak incident, data store exposure, data theft, database attacks, database brute force, database security, ddos, ddos activity, ddos attack, decentralized finance, decoy system, denial of service, device management, dga domain, dictionary attack, digest article, digital currency, dionaea, dionaea activity, dionaea attacks, dionaea honeypot, dionaea interactions, distributed attacks, dns attack, drift, drift integration, educational resources, educational services, educational technology, email, encryption, enterprise networking, enumeration, europe, exfiltration, exit node, exit node threat, exploit attempts, exploit public-facing application, exploit_attempts, exploitation, exploitation activity, exploitation attempt, exploitation attempts, exploited host, external access attempts, extortion, failed authentication, fatt, fatt signatures, fbi salesforce iocs, finance, financial services, financial technology, finland, firehol, fleet management, food services, france, freight services, frontend attack, ftp, ftp attacks, ftp brute force, ftp_attempts, ftp_brute_force, gc3 cti, germany, github, google, google cloud, group, gtig, guest services, hacking, heralding activity, higher education, honeynet connect, honeytrap honeypot, honeytrap interactions, hospitality technology, hotels, http brute force, http communication, http probing, http scanner, http scanning, http/s, https, https communication, https scanning, human element, icmp, ics, ics security, ics/scada attacks, identity & access exploitation, imap, imap attack, indicator, indicators, indicators of compromise, indicators_of_compromise, industrial control systems, industrial iot, information technology, initial access, initial_access, initial_access_attempt, injection activity, injection attacks, internet of things, intrusion detection, ioc, iocs, iot analytics, iot applications, iot platforms, iot security, iot/ics attack, ipv4, irc communication, it infrastructure, javascript vulnerability, k-12 education, known attacker ip, lamp, lamp attack, lamp exploitation, lamp exploitation attempt, lamp exploitation attempts, lamp server attack, lamp server targeting, lamp stack attack, lamp stack exploitation, lamp stack targeting, lateral movement, limit, linux, linux servers, linux systems, linux-server-attack, linux_servers, log4j, login attack, login attempt, mailoney honeypot, mailoney interactions, malicious activity, malicious activity detected, malicious domains, malicious email traffic, malicious ip activity, malicious login attempts, malicious payload attempt, malicious sftp traffic, malicious software, malicious ssh traffic, malicious-login-attempts, malware, malware analysis, malware behaviour, malware capture, malware delivery, malware delivery attempt, malware distribution, manual, maritime transport, mobile carriers, mobile networks, mobile threat, modbus attacks, monthly, mssql, nation-state activity, network, network activity, network attacks, network device attacks, network device probing, network devices, network discovery, network enumeration, network infrastructure, network intrusion, network intrusion attempt, network intrusion attempts, network intrusion detection, network probing, network protocol, network reconnaissance, network scanning, network security, network service scanning, network services, network traffic, network traffic analysis, network-based attack attempts, network_attack, network_device, network_indicators, network_reconnaissance, north america, oauth, oauth abuse, oauth token, oauth tokens, oceania, open proxy, opportunistic attack, p0f, p0f signatures, p2p communication, pandora, passenger transportation, password attack, password attacks, payment processing, perimeter devices, phishing, phishing attack, phishing trap, php-cgi, poland, port-scanning, portal, possible ddos activity, possible malware distribution, possible mirai variant, possible reconnaissance, possible vulnerability exploitation, potential credential compromise, potential intrusion, process injection, protocol exploitation, protocol-abuse, protocol: email, protocol: sftp, protocol: ssh, protocol_scanning, proxy, proxy ips, python, rail transport, ransomware, rdp attacks, rdp_attempts, rdp_brute_force, reconnaissance, reconnaissance activity, redis honeypot, redishoneypot, remote access, remote services, researched, resource hijacking, restaurant operations, retail trade, reverse ssh, s7comm attacks, saas attack, saas security, salesloft drift, salesloft trust, scanner, scanning activity, se, security operations, security policy, select id, sensor-tagged, sentrypeer activity, sentrypeer botnet, sentrypeer interactions, server exploitation, service enumeration, service scan, service scanning, service: lamp, sftp, sftp activity, sftp attack, sftp attacks, sftp attempt, sftp-attack, shinyhunters, sip, sip attacks, sip brute force, sip scanning, smart devices, smb attacks, smb brute force, smtp, smtp attacker, smtp attacks, smtp brute force, smtp probing, smtp scanning, social engineering, socradar, socradar honeypot, software development, spam, spam bot, spamhaus, sql injection, ssh, ssh attack, ssh attacks, ssh monitoring, ssh-brute-force, ssh_attempts, ssh_brute_force, subject, supply chain, supply chain attack, surface web, suricata alerts, suspicious-udp, sweden, system disruption, t-pot, t1003, t1005, t1016, t1018, t1020, t1021, t1021.001, t1021.002, t1021.003, t1021.004, t1021.005, t1027, t1029, t1040, t1041, t1046, t1047, t1053, t1053.005, t1055, t1059, t1059.001, t1059.003, t1059.004, t1059.007, t1068, t1070, t1070.004, t1071, t1071.001, t1071.002, t1071.003, t1071.004, t1076, t1077, t1078, t1078.001, t1078.002, t1078.003, t1078.004, t1083, t1090, t1090 proxy, t1090.002, t1102, t1105, t1110, t1110 brute force, t1110.001, t1110.002, t1110.003, t1110.004, t1113, t1114, t1119, t1133, t1134, t1187, t1189, t1190, t1195, t1199, t1203, t1204, t1204.001, t1204.002, t1213, t1486, t1490, t1496, t1499.001, t1499.002, t1499.003, t1505.002, t1526, t1528, t1530, t1534, t1535, t1539, t1550, t1550.001, t1552, t1555, t1556, t1557, t1558, t1563, t1564.003, t1565, t1566, t1566.001, t1566.002, t1566.003, t1566.004, t1567, t1568, t1568.002, t1569, t1569.002, t1571, t1572, t1573, t1573.001, t1573.002, t1583.001, t1585, t1586, t1587, t1588, t1588.002, t1589, t1590, t1590.001, t1590.005, t1590.006, t1592, t1592.002, t1595, t1595 active scanning, t1595.001, t1595.002, t1595.003, tanner, tanner activity, tanner interactions, taowu, targeting database, targeting:japan, tcp protocol, tcp scan, telecom services, telecommunications, telnet attacks, telnet threat, telnet-brute-force, telnet_attempts, third-party application, third-party breach, third-party risk, threat actor, threat detection, threat infrastructure, threat intelligence, threat intelligence feed, threat prevention, threat_actor_activity, threat_intelligence, tiffany, token theft, tor, tor activity, tor exit, tor exit node, tor network, tor node, tor_exit_node, tourism, tpot, tpotce, transportation and warehousing, transportation infrastructure, transportation technology, trigger, trust portal, udp port scan, udp scan, unattributed threat actor, unattributed_threat_activity, unauthorized access, unauthorized access attempt, unauthorized access attempts, unauthorized login, unauthorized login attempts, unauthorized-access-attempt, unc5537, unc6040, unc6240, unc6395, united kingdom, united states, user-agent strings, vnc protocol, voip, voip attack, vpn, vpn ip, vulnerability scan, wealth management, web apis, web application, web application attack, web application scanning, web applications, web attacks, web development, web exploitation, web hosting, web infrastructure, web server, web server attacks, web service scanning, web services, web spam, web technologies, web traffic, web-application-attack, web_application, web_attacks, weekly digest
Activity Timeline
Jun 17 to Jun 17
Threat Activity Heatmap
Peak: 2026-06-17
24h
0
Dormant
7d
0
Dormant
30d
1
Minimal
3mo
1
Minimal
Threat Score: High Risk
73
SIGNAL
Signal Score
73%
Confidence
43
Reports
First seen: Feb 2, 2025
Last seen: Jun 17, 2026
Geolocation: SE
Country: Sweden
Location: Stockholm, Stockholm County
ASN: AS30893
Org: No ACK Group Holding AB
Coords: 59.3247, 18.0560
Proxy · VPN
VirusTotal
Not checked
WHOIS
- description
- The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activities by cyber criminal groups UNC6040 and UNC6395, responsible for a rising number of data theft and extortion intrusions. Both groups have recently been observed targeting organizations’ Salesforce platforms via different initial access mechanisms. The FBI is releasing this information to maximize awareness and provide IOCs that may be used by recipients for research and network defense.
- raw
- inetnum: 195.47.238.0 - 195.47.238.255
  netname: SE-NOACKHOSTING
  descr: Information: Most of this subnet is used for tor-exit related services.
  country: SE
  org: ORG-NAHA3-RIPE
  admin-c: NOC257-RIPE
  tech-c: NOC257-RIPE
  status: ASSIGNED PI
  mnt-by: MNT-NOACKHOSTING
  mnt-by: RIPE-NCC-END-MNT
  created: 2021-06-24T09:16:11Z
  last-modified: 2025-05-06T12:22:51Z
  source: RIPE

  organisation: ORG-NAHA3-RIPE
  org-name: No ACK Group Holding AB
  country: SE
  org-type: LIR
  address: C/o Krantz gamla kronvägen 70
  address: 43339
  address: Partille
  address: SWEDEN
  phone: +46767876500
  admin-c: MK20951-RIPE
  tech-c: MK20951-RIPE
  abuse-c: AR43808-RIPE
  mnt-ref: MNT-NOACKHOSTING
  mnt-by: RIPE-NCC-HM-MNT
  mnt-by: MNT-NOACKHOSTING
  created: 2017-11-09T08:46:23Z
  last-modified: 2024-12-06T11:51:31Z
  source: RIPE # Filtered

  role: Network Operations Center
  address: No Ack Group Holding AB,gamla kronvagen 70A
  address: 433 39 Partille,Sweden
  mnt-by: MNT-NOACKHOSTING
  admin-c: SP16787-RIPE
  tech-c: SP16787-RIPE
  nic-hdl: NOC257-RIPE
  abuse-mailbox: [email protected]
  created: 2017-09-23T15:19:56Z
  last-modified: 2024-11-16T04:06:42Z
  source: RIPE # Filtered

  route: 195.47.238.0/24
  descr: No Ack Hosting AB
  origin: AS30893
  mnt-lower: MNT-NOACKHOSTING
  mnt-routes: MNT-NOACKHOSTING
  mnt-by: MNT-NOACKHOSTING
  created: 2004-01-21T15:06:46Z
  last-modified: 2021-06-24T09:32:07Z
  source: RIPE
- references
- https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift
- https://trust.salesloft.com/?uid=Update+on+Mandiant+Drift+and+Salesloft+Application+Investigations
- https://www.seqrite.com/blog/google-salesforce-breach-unc6040-threat-research/
- https://www.ic3.gov/CSA/2025/250912.pdf
- Sep week2.pdf
- https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt
- https://socradar.io/salesloft-drift-breach-everything-you-need-to-know/
- https://trust.salesloft.com/?uid=Drift%2FSalesforce+Security+Notification
- https://github.com/telekom-security/tpotce
- https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift/
- https://redpiranha.net
- https://check.torproject.org/torbulkexitlist
- https://raw.githubusercontent.com/ahamed-rizvan/IOCs/refs/heads/main/Malicous%20IP%20Address.txt
Export & API
STIX 2.1 Bundle
CSV Export
Permalink
IOC Journey
Medium · First detected 1 year ago · Last seen 7 days ago
Appeared in 43 threat reports