IP · Medium · Signal 64/100
64.62.156.94
Location
Minneapolis, Minnesota
ASN
AS6939
The Shadow Server Foundation
First Seen
Apr 5, 2024
Last Seen
Jun 18, 2026
Found in 40 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
64%
Signal Score
64 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Network Information
Country
United States
Region
Minneapolis, Minnesota
ASN
AS6939
Organization
The Shadow Server Foundation
IP Category
Proxy
Proxy server
VPN
VPN exit node
Feed Intelligence Summary
40 reports · 64% confidence
40
Source reports
64%
Confidence score
Category tags
Activity Timeline
Threat Activity Heatmap
Peak: 2026-06-18
24h
0
Dormant
7d
1
Minimal
30d
1
Minimal
3mo
1
Minimal
Threat Score
Medium Risk
64
SIGNAL
Signal Score
64%
Confidence
40
Reports
First seen
Apr 5, 2024
Last seen
Jun 18, 2026
Geolocation
US
Country
United States
Location
Minneapolis, Minnesota
ASN
AS6939
Org
The Shadow Server Foundation
Coords
37.7510, -97.8220
Proxy, VPN
VirusTotal
Not checked
WHOIS
- description
  - IPv4 hosts detected port scanning Vultr Tokyo (Japan) honeypot
- raw
  - Hurricane Electric LLC HURRICANE-4 (NET-64-62-128-0-1) 64.62.128.0 - 64.62.255.255
  - The Shadowserver Foundation, Inc. HURRICANE-CE2897-4295868A (NET-64-62-156-0-1) 64.62.156.0 - 64.62.156.255
- references
  - https://github.com/telekom-security/tpotce
IOC Journey
medium · First detected 2 years ago · Last seen 4 days ago
Appeared in 40 threat reports