IOC Radar
IP · Medium · Signal 70/100

213.159.247.134

Location
Ukraine
Kyiv, Kyivska oblast
ASN
AS6703
Vega Kiev
First Seen
Dec 16, 2023 (924d ago)
Last Seen
Jun 8, 2026 (19d ago)
Reports
22 source reports
Confidence
70% (medium)
Found in 22 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network-layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
70%
Signal Score
70 / 100
IDS Rule
No
Threat Context
Tags: see Category tags under Feed Intelligence Summary below.

MITRE ATT&CK TTPs
50 techniques, listed as the t-prefixed entries among the category tags. Two of them, T1076 and T1086, are retired IDs that ATT&CK folded into T1021.001 and T1059.001; they come from older source reports and should be mapped before the list is used for coverage analysis.

Network Information

Country: UA (Ukraine)
Region: Kyiv, Kyivska oblast
ASN: AS6703
Organization: Vega Kiev

Feed Intelligence Summary

22 source reports · 70% confidence score
Category tags
1049h7z · abuse · abuseipdb · academic institutions · access control · active scan · active scanning · akamaiasn1 · amadey · apk · apt · arma · ascii · asia · asyncrat · attack · auto-generated security · azorult · backdoor · bad reputation · banker · base64 · base64-loader · bat · bitbucket · blankgrabber · botnet · botnet activity · botnetdomain · braodo · brute force · brute force attack · brute force attempt · bruteforce · bxrat · c2 · casdet · censys · cerbu · civil services · cobaltstrike · code injection · coinminer · command & control · command and control · command execution · communication protocol · communication technologies · connected devices · craxsrat · credential access · credential harvesting · credential stuffing · cryptbot · cryptocurrency · cuba · data encryption · data exfiltration · data store exposure · dbatloader · dcrat · ddos · ddos attack · ddos attacks · decoy · decoy system · default credentials · device management · distributed attacks · dll · donutloader · downloader · dropped-by-idat · dropper · education · educational resources · educational services · educational technology · electronic health records · elf · encoded · encryption · europe · exe · executable file · exploitation activity · extortion · gafgyt · geoip · gh0strat · ghost · github · global · google · government technology · guloader · hajime · havocc2 · health care and social assistance · health information technology · healthcare information systems · higher education · hospital management · hta · idatdropper · identity & access exploitation · igzin-github-full-with-malware · indicator · indonesia · industrial iot · information technology · infostealer · infrastructure acquisitionreconnaissance · ingress tool transfer · injection activity · internet of things · intrusion detection · ioc · iot analytics · iot applications · iot botnet · iot platforms · iot security · iot/ics attack · it infrastructure · janelarat · js · k-12 education · kfsensor honeypot · latam · lazarus · level3 · lnk · lnk-commandline · login · loki · loregun · lummastealer · malicious activity · malicious domain · malicious ip · malicious links · malicious network activity · malicious powershell activity · malicious software · malware · malware capture · malware.heuristic · malware.heuristics · manual · marte · masjesu · masslogger · media · medical services · meduzastealer · metasploit · meterpreter · mexico · mini · mintsloader · mips · mirai · mirai botnet · mirai variant · mobile carriers · mobile networks · mobile threat · modiloader · moobot · mozi · msi · netsupportrat · network · network attacks · network intrusion · network probing · network scanning · network security · network service scanning · njrat · north america · opendir · ousaban · pandastealer · password attacks · patient care · pdf · phemedronestealer · phishing · phishing attack · powershell · process injection · protocol exploitation · proton · ps1 · public administration · public infrastructure · public policy · public url · python · pythonstealer · ransomware · rar · rat · rdp · reconnaissance · redlinestealer · regulatory agencies · remcos · remcos trojan · remcosrat · remote access · remote services · researched · rev-base64-loader · reverseshell · router exploitation · rtbh · saint helena, ascension and tristan da cunha · scams & fraud · scan · scanner · scanning activity · scripting attacks · security policy · service scan · seznam · shellcode · sliver · sliver-c2 · smart devices · snakekeylogger · social engineering · socradar · socradar honeypot · software development · spyware · ssh · ssh attack · stealc · stealer · strelastealer · strrat · surface web · system disruption · t1021 · t1021.001 · t1021.002 · t1027 · t1040 · t1046 · t1055 · t1056.001 · t1059.001 · t1059.003 · t1059.007 · t1068 · t1071 · t1071.001 · t1076 · t1078 · t1086 · t1105 · t1110 · t1110.001 · t1110.002 · t1110.003 · t1110.004 · t1133 · t1190 · t1204 · t1204.001 · t1204.002 · t1486 · t1490 · t1496 · t1497.001 · t1499.001 · t1499.002 · t1499.003 · t1550.002 · t1555.003 · t1563 · t1565 · t1566 · t1566.001 · t1566.002 · t1566.003 · t1573 · t1587.001 · t1590.001 · t1595 · t1595.001 · t1595.002 · t1595.003 · tcp · tcp protocol · tcp/23 · telecom · telecom services · telecommunications · telnet · telnet threat · threat actor · threat intelligence · threat prevention · tor node · trojab · trojan · trojan malware · twitter · ua-wget · ukraine · urlhaus · ursnif · vbs · virus · voip · weak passwords · web exploitation · web security · webdav · win32 malware · windows malware · x86-64 · xml-opendir · zip
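The tag cloud above arrives as one concatenated string, and the ATT&CK IDs inside it are the only machine-usable part of it. The script below is an added example, not part of this page or of any tooling behind it: it pulls the technique IDs out of the fused tag string (the slice of the page's tags around the IDs is embedded verbatim), confirms the count the page reports, and remaps the two retired IDs that appear here, T1076 and T1086, to the techniques ATT&CK folded them into. The RETIRED table is hand-written for this page and is an assumption about scope; a real pipeline should load the mapping from the current ATT&CK STIX release.

```python
import re
from collections import Counter

# Slice of the page's fused category tags around the ATT&CK IDs, copied as-is.
# Tags are lowercase and sorted, with no separator between them.
PAGE_TAGS = (
    "surface websystem disruption"
    "t1021t1021.001t1021.002t1027t1040t1046t1055t1056.001t1059.001t1059.003"
    "t1059.007t1068t1071t1071.001t1076t1078t1086t1105t1110t1110.001t1110.002"
    "t1110.003t1110.004t1133t1190t1204t1204.001t1204.002t1486t1490t1496"
    "t1497.001t1499.001t1499.002t1499.003t1550.002t1555.003t1563t1565t1566"
    "t1566.001t1566.002t1566.003t1573t1587.001t1590.001t1595t1595.001"
    "t1595.002t1595.003"
    "tcptcp protocoltcp/23telecom"
)

# An ATT&CK technique ID is "t" + four digits, optionally ".ddd" for a sub-technique.
# Because the tags are fused, one ID can directly follow another ("t1566t1566.001"),
# so the pattern must not require a boundary before the leading "t".
ATTACK_ID = re.compile(r"t\d{4}(?:\.\d{3})?")

# Retired IDs present on this page and where ATT&CK moved them. Hand-written for
# this example only (assumption); load from the ATT&CK release in production.
RETIRED = {
    "T1076": "T1021.001",  # Remote Desktop Protocol -> Remote Services: RDP
    "T1086": "T1059.001",  # PowerShell -> Command and Scripting Interpreter: PowerShell
}


def extract_attack_ids(tags: str) -> list[str]:
    """Return the unique ATT&CK IDs found in a fused tag string, upper-cased and sorted."""
    found = {m.group(0).upper() for m in ATTACK_ID.finditer(tags.lower())}
    return sorted(found)


def normalize_attack_ids(ids: list[str]) -> dict:
    """Remap retired IDs, de-duplicate, and count techniques per parent technique."""
    current, remapped = set(), {}
    for tid in ids:
        if tid in RETIRED:
            remapped[tid] = RETIRED[tid]
            current.add(RETIRED[tid])
        else:
            current.add(tid)
    parents = Counter(tid.split(".")[0] for tid in current)
    return {
        "raw_count": len(ids),
        "remapped": remapped,
        "current": sorted(current),
        "parent_counts": dict(parents),
    }


if __name__ == "__main__":
    ids = extract_attack_ids(PAGE_TAGS)
    summary = normalize_attack_ids(ids)
    print(f"{summary['raw_count']} IDs on the page, {len(summary['current'])} after remapping")
    for old, new in summary["remapped"].items():
        print(f"  {old} -> {new}")
```

Both retired IDs collapse onto sub-techniques that are already in the list, so the 50 page IDs become 48 distinct current techniques; the brute-force family (T1110 and its four sub-techniques) is the largest cluster, which matches the Telnet default-credential theme of the report description further down.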

Activity Timeline

1 total observation · range: Jun 8 to Jun 8

Threat Activity Heatmap

Calendar heatmap of daily activity over the trailing twelve months (Jun to Jun) · Peak: 2026-06-08
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: High Risk (70)
Signal Score: 70
Confidence: 70%
Reports: 22
First seen: Dec 16, 2023
Last seen: Jun 8, 2026
Geolocation: UA
Country: Ukraine
Location: Kyiv, Kyivska oblast
ASN: AS6703
Org: Vega Kiev
Coords: 50.3892, 30.3681

VirusTotal

Not checked

WHOIS

description
Security researchers have uncovered a global botnet campaign targeting VoIP-enabled routers that are configured with default or weak Telnet passwords. The botnet exhibits characteristics similar to Mirai. It was initially detected in rural New Mexico and later traced to over 500 infected systems worldwide. The threat highlights how exposed and poorly secured VoIP infrastructure is being exploited to power large-scale botnets. Organizations that rely on VoIP technology, especially utilities and ISPs, face an immediate risk if their devices are internet-facing and not properly secured.
raw
inetnum:        213.159.246.0 - 213.159.247.255
netname:        FLP-DHCP-KV
descr:          DHCP Kiev
country:        UA
admin-c:        FLPI-RIPE
tech-c:         FLPO-RIPE
status:         ASSIGNED PA
mnt-by:         VEGA-UA-MNT
created:        2013-05-21T08:02:50Z
last-modified:  2013-05-21T08:02:50Z
source:         RIPE

role:           Farlep Invest PrJSC
remarks:        ******************************************************
remarks:        Farlep Invest PrJSC - ADMINISTRATIVE CONTACTS
remarks:        ******************************************************
address:        Farlep Invest PrJSC
address:        6 Gavela str.
address:        Kiev, 03680, Ukraine
abuse-mailbox:  [email protected]
admin-c:        GIA-RIPE
tech-c:         FLPO-RIPE
nic-hdl:        FLPI-RIPE
mnt-by:         FARLEP-MNT
created:        2007-10-10T09:40:04Z
last-modified:  2023-08-23T17:37:17Z
source:         RIPE # Filtered

role:           Vega Telecom Group - TEAM OF OPERATION
remarks:        ******************************************************
remarks:        Farlep Invest PrJSC - TECHNICAL CONTACTS
remarks:        ******************************************************
address:        Farlep Invest PrJSC
address:        6 Gavela Str.
admin-c:        FLPI-RIPE
nic-hdl:        FLPO-RIPE
mnt-by:         FARLEP-MNT
created:        2011-03-10T09:04:27Z
last-modified:  2023-09-27T05:03:11Z
source:         RIPE # Filtered

route:          213.159.246.0/23
descr:          Vega Kiev
origin:         AS6703
mnt-by:         VEGA-UA-MNT
created:        2013-05-21T08:03:48Z
last-modified:  2013-05-21T08:03:48Z
source:         RIPE
references
https://list.rtbh.com.tr/output.txt
https://raw.githubusercontent.com/ahamed-rizvan/IOCs/refs/heads/main/Malicous%20IP%20Address.txt
https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1
https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c
https://n0paste.eu/UH6n5pD/
https://urlhaus.abuse.ch/browse/
https://urlhaus.abuse.ch/feeds/country/UA/
https://github.com/borestad/blocklist-abuseipdb/blob/main/abuseipdb-s100-3d.ipv4
https://www.linkedin.com/posts/starlightintel_cybersecurity-cyberattack-rce-activity-7207018975610691584-f86H?utm_source=share&utm_medium=member_desktop
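Before blocking or reporting an address from a feed like this, a practitioner normally confirms that it really sits inside the netblock and route the WHOIS record claims, that the originating AS matches what the page says, and which abuse mailbox to notify. The script below is an added example, not the page's own tooling: it takes an abridged copy of the flattened RIPE output above (object boundaries lost, abuse address redacted exactly as on the page), re-splits it into RPSL objects on the "key: value" shape, and checks 213.159.247.134 against the inetnum range, the route prefix and the page's AS6703. OBJECT_CLASSES is a hand-picked set of RPSL object types and is an assumption sufficient for this record.

```python
import ipaddress
import re

# IOC and ASN as stated in the page header.
IOC = "213.159.247.134"
PAGE_ASN = "AS6703"

# Abridged copy of the page's raw RIPE output, flattened onto one line as on the
# page. Repeated remarks/created lines are dropped; the abuse address is redacted
# on the page itself and is kept that way here.
RAW_WHOIS = (
    "inetnum: 213.159.246.0 - 213.159.247.255 netname: FLP-DHCP-KV descr: DHCP Kiev "
    "country: UA admin-c: FLPI-RIPE tech-c: FLPO-RIPE status: ASSIGNED PA mnt-by: VEGA-UA-MNT "
    "created: 2013-05-21T08:02:50Z last-modified: 2013-05-21T08:02:50Z source: RIPE "
    "role: Farlep Invest PrJSC remarks: ****** address: Farlep Invest PrJSC address: 6 Gavela str. "
    "address: Kiev, 03680, Ukraine abuse-mailbox: [email protected] admin-c: GIA-RIPE "
    "tech-c: FLPO-RIPE nic-hdl: FLPI-RIPE mnt-by: FARLEP-MNT source: RIPE # Filtered "
    "role: Vega Telecom Group - TEAM OF OPERATION address: Farlep Invest PrJSC "
    "admin-c: FLPI-RIPE nic-hdl: FLPO-RIPE mnt-by: FARLEP-MNT source: RIPE # Filtered "
    "route: 213.159.246.0/23 descr: Vega Kiev origin: AS6703 mnt-by: VEGA-UA-MNT source: RIPE"
)

# RPSL attributes are "key: value"; once the line breaks are gone, a new key can
# only be recognised by the lowercase-key-colon-space shape at a word start.
# Timestamps ("08:02:50Z") do not match because the colon is preceded by digits.
ATTR = re.compile(r"(?:^|\s)([a-z][a-z0-9-]*):\s")

# Attribute names that open a new RPSL object (assumption: enough for this record).
OBJECT_CLASSES = {"inetnum", "inet6num", "route", "route6", "role", "person",
                  "organisation", "aut-num", "mntner", "as-set", "domain"}


def parse_flattened_rpsl(text: str) -> list[list[tuple[str, str]]]:
    """Split a flattened RIPE dump into objects, each a list of (key, value) pairs."""
    matches = list(ATTR.finditer(text))
    objects, current = [], []
    for i, m in enumerate(matches):
        key = m.group(1)
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        value = text[m.end():end].strip()
        if key in OBJECT_CLASSES and current:  # a class key starts a new object
            objects.append(current)
            current = []
        current.append((key, value))
    if current:
        objects.append(current)
    return objects


def check_ioc(ip: str, objects: list[list[tuple[str, str]]]) -> dict:
    """Confirm the IOC lies inside the inetnum and route objects; collect origin and abuse contact."""
    addr = ipaddress.ip_address(ip)
    result = {"in_inetnum": False, "in_route": False, "origin": None,
              "abuse_mailbox": None, "range_as_cidr": None}
    for obj in objects:
        attrs = dict(obj)  # repeated keys (address, remarks) collapse; only singletons are read
        if "inetnum" in attrs:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in attrs["inetnum"].split("-"))
            result["in_inetnum"] = lo <= addr <= hi
            result["range_as_cidr"] = [str(n) for n in ipaddress.summarize_address_range(lo, hi)]
        if "route" in attrs:
            result["in_route"] = addr in ipaddress.ip_network(attrs["route"], strict=False)
            result["origin"] = attrs.get("origin")
        if "abuse-mailbox" in attrs:
            result["abuse_mailbox"] = attrs["abuse-mailbox"]
    result["asn_matches_page"] = result["origin"] == PAGE_ASN
    return result


if __name__ == "__main__":
    objs = parse_flattened_rpsl(RAW_WHOIS)
    print(f"{len(objs)} RPSL objects recovered")
    for k, v in check_ioc(IOC, objs).items():
        print(f"  {k}: {v}")
```

The inetnum range collapses to exactly the announced /23, so a block on the route prefix and a block on the assignment cover the same addresses; the abuse contact comes out redacted because the page redacts it, which is worth noticing before anyone tries to mail it.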

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

Confidence: medium
First detected 2 years ago · Last seen 19 days ago
Appeared in 22 threat reports