IOC Radar
IP · Medium · Signal 69/100

79.124.40.86

Location
Bulgaria
Sopot, Plovdiv
ASN
AS50360
Tamatiya EOOD
First Seen: Jan 19, 2025 (521d ago)
Last Seen: Jun 16, 2026 (7d ago)
Reports: 18 (source reports)
Confidence: 69% (medium)
Found in 18 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
69%
Signal Score
69 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

100 techniques

Network Information

Country: BG (Bulgaria)
Region: Sopot, Plovdiv
ASN: AS50360
Organization: Tamatiya EOOD

Feed Intelligence Summary

18 source reports · 69% confidence score
Category tags
abuse, access control, account compromise, active scan, active scanning, adb, adb protocol, adbhoney honeypot, and exploitation attempts, api key, apt, asia, attack, attack attempt, attack vectors, attacker ip, attempted exploitation, australia, authentication, automated attack, automated attacks, automated_attack, bad reputation, bad web bot, bg, blacklisted ip address, blog spam, botnet, botnet activity, botnet activity detected, botnet activity detection, botnet indicators, brute force, brute force attack, brute force attacker, brute force attacks, brute force attempt, brute force attempts, brute-force, brute_force_attack, bruteforce, bulgaria, c&c communication, c2, c2 communication, canada, cisco device, cisco device targeting, cisco exploitation attempt, cisco exploitation attempts, cloud environment, cloud infrastructure, cloud infrastructure attack, cloud services, command & control, command and control, command injection, communication protocol, compromised credentials, compromised hosts, compromised system, compromised systems, connected devices, conpot honeypot, cowrie, cowrie detection, cowrie honeypot, credential access, credential attack, credential brute forcing, credential harvesting, credential stuffing, credential theft, data encryption, data exfiltration, data store exposure, database attack, database security, ddos, ddos activity, ddos attack, ddos botnet, decoy system, default company, denial of service, device management, dictionary attack, digital ocean, digitalocean infrastructure, dionaea, dionaea detection, dionaea honeypot, directory traversal, distributed attacks, dns, dns attack, encryption, enterprise networking, enumeration, enumeration activity, europe, exploit, exploit attempt, exploit attempts, exploitation, exploitation activity, exploitation attempt, exploitation attempts, exploitation of vulnerability, exploited host, external attack surface, external scan, external threat, external_threat, fatt, fingerprinting, first, ftp, ftp attacks, ftp brute force, generic exploit, graph summary, hacking, honeytrap honeypot, http brute force, http scan, http scanner, http scanning, https, ics attacks, ics security, ics/scada systems, identity & access exploitation, ids, inbound scan, indicator, indicators of compromise,
industrial control systems, industrial iot, infrastructure acquisition reconnaissance, infrastructure scanning, initial access, initial access attempt, injection activity, injection attacks, internet facing, internet of things, internet-facing, internet-wide scan, intrusion detection, ioc, iot analytics, iot applications, iot attacks, iot platforms, iot security, iot systems, iot/ics attack, ipv4, ipv4_address, japan, join, lamp, lamp attacks, lamp exploit attempts, lamp exploitation attempts, lamp vulnerability scan, lateral movement, linux, mailoney activity, mailoney honeypot, malicious activity, malicious ips, malicious software, malware, malware behaviour, malware capture, malware delivery, malware delivery attempt, malware distribution, malware download, malware indicators, manual, modbus, modbus protocol, msp-cti, mssql, mssql brute force, multi-protocol network scanning, network, network attacks, network devices, network discovery, network infrastructure, network intrusion, network intrusion attempts, network intrusion detection, network probe, network probing, network protocol, network reconnaissance, network scanning, network security, network service scanning, network services, network traffic, network traffic analysis, network-based attack attempts, network_reconnaissance, north america, oceania, opencti, ot attacks, p0f, password attack, password attacks, password cracking, phishing, phishing attack, phishing campaign, phishing trapping of death, portscan, possible credential reuse, possible exploit attempts, possible malware distribution, possible malware propagation, potential credential stuffing, process injection, protocol exploitation, ransomware, rdp attacks, rdp scan, rdp scanning, reconnaissance, reconnaissance activity, remote access, remote services, research, researched, resource hijacking, s7comm, s7comm protocol, scan, scanner, scanners, scanning activity, scripting attacks, security event, security operations, security policy, sensor-tagged, sentrypeer botnet, server exploitation, service detection, service enumeration, service scan, sftp access attempt, sftp access attempts, sftp attack, sftp attacks, sftp attempt, sftp protocol, sip attacks, sip brute force, sip protocol, sip scanning,
smart devices, smb attacks, smb brute force, smb scan, smtp, smtp attacks, social engineering, socradar honeypot, spam, spam botnet, spam campaigns, spam sending, sql injection, ssh, ssh attack, ssh attacks, ssh monitoring, ssh protocol, ssh scan, ssh scanning, ssh-brute, syn, system access, t-pot, t1003, t1003.001, t1003.002, t1003.003, t1003.004, t1003.005, t1003.006, t1003.007, t1003.008, t1005, t1016, t1018, t1021, t1021.001, t1021.002, t1021.003, t1021.004, t1021.005, t1021.006, t1021.007, t1021.008, t1040, t1041, t1046, t1047, t1055, t1056, t1059, t1059.001, t1059.003, t1059.004, t1059.005, t1059.006, t1059.007, t1070, t1070.001, t1070.002, t1070.003, t1071, t1071.001, t1071.004, t1076, t1077, t1078, t1078.002, t1078.003, t1083, t1105, t1110, t1110.001, t1110.002, t1110.003, t1110.004, t1133, t1187, t1189, t1190, t1203, t1204.002, t1486, t1496, t1499.001, t1499.002, t1499.003, t1505.002, t1555, t1555.001, t1555.002, t1555.003, t1555.004, t1555.005, t1555.006, t1563, t1565, t1566, t1566.001, t1566.002, t1566.003, t1566.004, t1568, t1568.002, t1571, t1573, t1573.001, t1573.002, t1583, t1587.001, t1588, t1588.002, t1588.003, t1588.004, t1589, t1589.002, t1590, t1590.001, t1592, t1595, t1595.001, t1595.002, t1595.003, tanner, targeting database, tcp protocol, tcp scan, tcp scanning, telecommunications, telnet attacks, telnet threat, threat actor, threat detection, threat intelligence, threat intelligence feed, threat prevention, tokyo, tor node, tpot, traffic anomaly, udp port scan, udp scan, unauthorized access, unauthorized access attempt, unauthorized login, unknown threat actor, urls, value a, vnc protocol, voip, voip attack, voip attacks, vulnerability scan, vultr, web app attack, web application attack, web attack, web attacks, web exploit, web exploitation, web server, web server attacks, web servers, web service scanning, web shell uploads, web spam, web traffic, whois lookups

Activity Timeline

1 total observation (Jun 16)

Threat Activity Heatmap

Peak: 2026-06-16 (12-month day-by-day view, Jun through Jun; only the peak day is recoverable from the chart)
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: Medium Risk
Signal Score: 69
Confidence: 69%
Reports: 18
First seen: Jan 19, 2025
Last seen: Jun 16, 2026
Geolocation: BG
Country: Bulgaria
Location: Sopot, Plovdiv
ASN: AS50360
Org: Tamatiya EOOD
Coords: 42.6539, 24.7548

VirusTotal

Not checked

WHOIS

description
Monitoring systems have identified a massive infrastructure linked to the domain blockmmms.[eu] and mmms.[eu]. This network utilizes 300+ rotating IP addresses (A-Records) to maintain persistence. This behavior is consistent with high-level botnet Command & Control (C2) activity, potentially linked to malware delivery (e.g., Mirai, QakBot).

2. Technical Details
Target Domain: mmms.eu / network.block.mmms.eu
Infrastructure Pattern: Fast-Flux DNS (IPs rotate every 59 seconds).
Hosting Providers: High density across DigitalOcean, AWS, Linode, and various offshore VPS providers.

The classification as "Vehicles" on alphaMountain.ai is a significant detail, as it likely represents a category cloaking tactic designed to bypass web filters that allow benign traffic. By masquerading as an automotive-related site, the domain can maintain its Command & Control connections while hiding in plain sight from automated security tools.

Network Team: Implement an immediate DNS-level block for [block.mmms.eu] [mmms.eu]

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

medium
First detected 1 year ago · Last seen 7 days ago
Appeared in 18 threat reports