IP · Medium · Signal 73/100
45.91.64.6
Location
Moscow, Moskva
ASN
AS214664
TopTeleCom LLC
First Seen
Dec 18, 2025
Last Seen
Jun 19, 2026
Found in 25 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
73%
Signal Score
73 / 100
IDS Rule
No
Network Information
Country
Russian Federation
Region
Moscow, Moskva
ASN
AS214664
Organization
TopTeleCom LLC
IP Category
Proxy
Proxy server
VPN
VPN exit node
Feed Intelligence Summary
25 reports · 73% confidence
25
Source reports
73%
Confidence score
Category tags
Activity Timeline
Jun 19 to Jun 19
Threat Activity Heatmap
24h: 1 (Minimal)
7d: 1 (Minimal)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: High Risk
Signal Score: 73
Confidence: 73%
Reports: 25
First seen: Dec 18, 2025
Last seen: Jun 19, 2026
Geolocation: RU
Country: Russian Federation
Location: Moscow, Moskva
ASN: AS214664
Org: TopTeleCom LLC
Coords: 55.7523, 37.6155
Proxy, VPN
VirusTotal
Not checked
WHOIS
- description: IPv4 hosts detected port scanning DigitalOcean London (UK) honeypot
- raw:

    inetnum: 45.91.64.0 - 45.91.64.255
    descr: F6
    netname: RU-TOPTELECOM-20190626
    country: RU
    org: ORG-TL905-RIPE
    admin-c: AA43330-RIPE
    tech-c: AA43330-RIPE
    status: ALLOCATED-ASSIGNED PA
    mnt-by: TTK-MNT
    mnt-by: RIPE-NCC-HM-MNT
    created: 2024-07-24T11:54:12Z
    last-modified: 2025-12-18T08:08:54Z
    source: RIPE
    abuse-c: AH15420-RIPE

    organisation: ORG-TL905-RIPE
    org-name: TopTeleCom LLC
    country: RU
    org-type: LIR
    address: Marshala Rybalko st., 2, k.6
    address: 123060
    address: Moscow
    address: RUSSIAN FEDERATION
    phone: +7 495 147-0370
    admin-c: AA43330-RIPE
    tech-c: AA43330-RIPE
    abuse-c: AR75721-RIPE
    mnt-ref: TTK-MNT
    mnt-by: RIPE-NCC-HM-MNT
    mnt-by: TTK-MNT
    created: 2024-06-03T10:50:22Z
    last-modified: 2024-06-03T10:50:22Z
    source: RIPE # Filtered

    role: admin-c
    address: RUSSIAN FEDERATION
    address: Moscow
    address: 123060
    address: Marshala Rybalko st., 2, k.6
    phone: +7 495 147-0370
    nic-hdl: AA43330-RIPE
    mnt-by: TTK-MNT
    created: 2024-06-03T10:50:21Z
    last-modified: 2024-06-03T10:50:21Z
    source: RIPE # Filtered

    route: 45.91.64.0/24
    origin: AS214664
    mnt-by: TTK-MNT
    created: 2025-07-30T09:31:30Z
    last-modified: 2025-07-30T09:31:30Z
    source: RIPE
IOC Journey
medium · First detected 6 months ago · Last seen today
Appeared in 25 threat reports