IP · Medium · Signal 73/100
62.210.114.25
Location
Paris, Île-de-France
ASN
AS12876
Online SAS
First Seen
Oct 24, 2025
Last Seen
Jun 12, 2026
Found in 15 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
73%
Signal Score
73 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Network Information
Country
France
Region: Paris, Île-de-France
ASN: AS12876
Organization: Online SAS
IP Category
Proxy
Proxy server
Feed Intelligence Summary
Source reports: 15
Confidence score: 73%
Category tags
Activity Timeline
Threat Activity Heatmap (peak: 2026-06-12)
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: High Risk
Signal Score: 73
Confidence: 73%
Reports: 15
First seen: Oct 24, 2025
Last seen: Jun 12, 2026
Geolocation: FR
Country: France
Location: Paris, Île-de-France
ASN: AS12876
Org: Online SAS
Coords: 48.9065, 2.3334
Proxy
VirusTotal
Not checked
WHOIS
- description
- Monitoring systems have identified a massive infrastructure linked to the domain blockmmms.[eu] and mmms.[eu]. This network utilizes 300+ rotating IP addresses (A-Records) to maintain persistence. This behavior is consistent with high-level botnet Command & Control (C2) activity, potentially linked to malware delivery (e.g., Mirai, QakBot).

2. Technical Details
Target Domain: mmms.eu / network.block.mmms.eu
Infrastructure Pattern: Fast-Flux DNS (IPs rotate every 59 seconds).
Hosting Providers: High density across DigitalOcean, AWS, Linode, and various offshore VPS providers.

The classification as "Vehicles" on alphaMountain.ai is a significant detail, as it likely represents a category cloaking tactic designed to bypass web filters that allow benign traffic. By masquerading as an automotive-related site, the domain can maintain its Command & Control connections while hiding in plain sight from automated security tools.

Network Team: Implement an immediate DNS-level block for [block.mmms.eu] [mmms.eu]
IOC Journey
Medium · First detected 8 months ago · Last seen 14 days ago
Appeared in 15 threat reports