IOC Radar
IP · Medium · Signal 39/100

23.129.64.143

Location
United States
Seattle, Washington
ASN
AS396507
Emerald Onion
First Seen
Jun 8, 2021
Last Seen
Jun 7, 2026
First Seen: Jun 8 (1839d ago)
Last Seen: Jun 7 (14d ago)
Reports: 44 source reports
Confidence: 39% (medium)
Found in 44 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
39%
Signal Score
39 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

93 techniques

Network Information

Country: US (United States)
Region: Seattle, Washington
ASN: AS396507
Organization: Emerald Onion

IP Category

Proxy
Proxy server
VPN
VPN exit node

Feed Intelligence Summary

44 source reports · 39% confidence score
Category tags

Activity Timeline

1 total obs
Jun 7 to Jun 7

Threat Activity Heatmap

[Calendar heatmap, Jun to Jun, weekday rows Mon/Wed/Fri · Peak: 2026-06-07]
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: Low Risk
Signal Score: 39
Confidence: 39%
Reports: 44
First seen: Jun 8, 2021
Last seen: Jun 7, 2026
Geolocation: US
Country: United States
Location: Seattle, Washington
ASN: AS396507
Org: Emerald Onion
Coords: 47.6043, -122.3298
Category: Proxy / VPN

VirusTotal

Not checked

WHOIS

description
Anonymization_Network indicators. Date: Apr 8, 2026. Part 1/5. For more threat intelligence visit https://ltna.com.au/cyber
raw
NetRange: 23.129.64.0 - 23.129.64.255
CIDR: 23.129.64.0/24
NetName: EMERALD-ONION-TOR1
NetHandle: NET-23-129-64-0-1
Parent: NET23 (NET-23-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Emerald Onion (EO-95)
RegDate: 2017-07-19
Updated: 2021-02-27
Comment: https://emeraldonion.org/
Ref: https://rdap.arin.net/registry/ip/23.129.64.0
OrgName: Emerald Onion
OrgId: EO-95
Address: 600 1ST AVE STE 330
Address: PMB 279488
City: Seattle
StateProv: WA
PostalCode: 98104
Country: US
RegDate: 2017-06-20
Updated: 2025-04-30
Ref: https://rdap.arin.net/registry/entity/EO-95
OrgAbuseHandle: ABUSE7315-ARIN
OrgAbuseName: Abuse Management
OrgAbusePhone: +1-206-739-3390
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE7315-ARIN
OrgTechHandle: TECHN1592-ARIN
OrgTechName: Technical Support
OrgTechPhone: +1-206-739-3390
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/TECHN1592-ARIN
OrgNOCHandle: NETWO8737-ARIN
OrgNOCName: Network Operations
OrgNOCPhone: +1-206-739-3390
OrgNOCEmail: [email protected]
OrgNOCRef: https://rdap.arin.net/registry/entity/NETWO8737-ARIN
references
https://purplesynapz.com/, https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt, https://check.torproject.org/torbulkexitlist, Exit_Nodes.csv, https://github.com/telekom-security/tpotce, https://redpiranha.net, https://jamesbrine.com.au/vultrparis-ssh-bruteforce-ip-list-2024-02-12/, https://jamesbrine.com.au

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

medium
First detected 5 years ago · Last seen 14 days ago
Appeared in 44 threat reports