IP · Medium · Signal 67/100
196.189.155.89
Location
Addis Ababa, Addis Ababa
ASN
AS24757
Ethiotelecom
First Seen
Jul 3, 2025
Last Seen
Jun 13, 2026
Found in 26 reports. Confidence: medium. Confidence scores are heuristic; verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
67%
Signal Score
67 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Network Information
Country
Ethiopia
Region: Addis Ababa, Addis Ababa
ASN: AS24757
Organization: Ethiotelecom
IP Category
VPN
VPN exit node
Feed Intelligence Summary
26 reports · 67% confidence
26
Source reports
67%
Confidence score
Category tags
Activity Timeline
Jun 13
Threat Activity Heatmap
Peak: 2026-06-13
24h
0
Dormant
7d
0
Dormant
30d
1
Minimal
3mo
1
Minimal
Threat Score: Medium Risk
67
SIGNAL
Signal Score
67%
Confidence
26
Reports
First seen: Jul 3, 2025
Last seen: Jun 13, 2026
Geolocation: ET
Country: Ethiopia
Location: Addis Ababa, Addis Ababa
ASN: AS24757
Org: Ethiotelecom
Coords: 7.9959, 38.0003
VPN
VirusTotal
Not checked
WHOIS
- description: Banned by Fail2Ban [sshd]
- raw:
  inetnum: 196.189.144.0 - 196.189.159.255
  netname: To__BRAS_DHCP_SK-10800E
  descr: To__BRAS_DHCP_SK-10800E
  country: ET
  admin-c: ET4-AFRINIC
  tech-c: ETID1-AFRINIC
  status: ASSIGNED PA
  mnt-by: ETC-MNT
  source: AFRINIC # Filtered
  parent: 196.188.0.0 - 196.191.255.255

  person: Ethio Telecom
  nic-hdl: ET4-AFRINIC
  address: Churchill Road
  address: Addis Ababa 1047
  address: Ethiopia
  phone: tel:+251-93-001-1682
  phone: tel:+251-91-110-7398
  phone: tel:+251-91-124-3521
  phone: tel:+251-91-121-7654
  phone: tel:+251-11-531-7220
  phone: tel:+251-91-151-0433
  mnt-by: GENERATED-GRXPERJUPKL2DTQEXFFNEHRZHJZDFRJ7-MNT
  source: AFRINIC # Filtered

  person: Ethio Telecom IS Division
  address: Ethio telecom
  address: Legehar Information System division
  address: Addis Ababa, Ethiopia
  address: Addis Ababa
  address: Ethiopia
  phone: tel:+251-91-125-6562
  fax-no: tel:+251-11-552-3296
  nic-hdl: ETID1-AFRINIC
  mnt-by: GENERATED-ZPSFE1E8AGHQZZFKT4YYQSIX58FJ1MZ4-MNT
  source: AFRINIC # Filtered

  route: 196.189.155.0/24
  origin: AS24757
  descr: Ethiotelecom
  mnt-by: ETC-MNT
  source: AFRINIC # Filtered
- references:
  - https://github.com/telekom-security/tpotce
  - https://jamesbrine.com.au/bruteforce-ip-list-2025-09-02/
  - https://jamesbrine.com.au
  - https://feeds.dshield.org/feeds/topips.txt
  - https://feeds.dshield.org/feeds/top10.txt
  - https://feeds.dshield.org/feeds/block.txt
  - https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt
  - https://redpiranha.net
Export & API
STIX 2.1 Bundle
CSV Export
Permalink
IOC Journey
Medium · First detected 11 months ago · Last seen 10 days ago
Appeared in 26 threat reports