IOC Radar
IP · Medium · Signal 53/100

198.235.24.202

Location: Santa Clara, California, United States
ASN: AS396982 (Palo Alto Networks, Inc)
First Seen: Apr 18, 2023 (1163d ago)
Last Seen: Jun 19, 2026 (6d ago)
Reports: 34 source reports
Confidence: 53% (medium)
Found in 34 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category: Network Activity
Confidence: 53%
Signal Score: 53 / 100
IDS Rule: No
Threat Context: Tags, MITRE ATT&CK
MITRE ATT&CK TTPs: 117 techniques

Network Information

Country: US (United States)
Region: Santa Clara, California
ASN: AS396982
Organization: Palo Alto Networks, Inc

IP Category

Proxy (proxy server)
VPN (VPN exit node)

Feed Intelligence Summary

34 source reports · 53% confidence score
Category tags

Activity Timeline

1 total observation (Jun 19)

Threat Activity Heatmap

[Calendar heatmap, Jun through the following Jun · Peak: 2026-06-19]
24h: 0 (Dormant)
7d: 1 (Minimal)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: Medium Risk (signal 53)
Confidence: 53%
Reports: 34
First seen: Apr 18, 2023
Last seen: Jun 19, 2026
Geolocation: US
Country: United States
Location: Santa Clara, California
ASN: AS396982
Org: Palo Alto Networks, Inc
Coords: 37.3833, -121.9830
Proxy, VPN

VirusTotal

Not checked

WHOIS

description
IPv4 hosts detected port scanning DigitalOcean London (UK) honeypot
raw
NetRange: 198.235.24.0 - 198.235.24.255
CIDR: 198.235.24.0/24
NetName: PAN-22
NetHandle: NET-198-235-24-0-1
Parent: NET198 (NET-198-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Palo Alto Networks, Inc (PAN-22)
RegDate: 2021-12-20
Updated: 2021-12-20
Ref: https://rdap.arin.net/registry/ip/198.235.24.0
OrgName: Palo Alto Networks, Inc
OrgId: PAN-22
Address: Palo Alto Networks
Address: 3000 Tannery Way
Address: Santa Clara, CA 95054
City: Santa Clara
StateProv: CA
PostalCode: 95054
Country: US
RegDate: 2017-11-22
Updated: 2024-11-25
Ref: https://rdap.arin.net/registry/entity/PAN-22
OrgAbuseHandle: IPABU42-ARIN
OrgAbuseName: IP Abuse
OrgAbusePhone: +1-408-753-4000
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://rdap.arin.net/registry/entity/IPABU42-ARIN
OrgTechHandle: GNS20-ARIN
OrgTechName: Global Network Services
OrgTechPhone: +1-408-753-4000
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/GNS20-ARIN
references
https://github.com/telekom-security/tpotce
https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt
https://list.rtbh.com.tr/output.txt
https://raw.githubusercontent.com/ahamed-rizvan/IOCs/refs/heads/main/Malicous%20IP%20Address.txt


IOC Journey

Confidence: medium
First detected 3 years ago · Last seen 6 days ago
Appeared in 34 threat reports