IP · Medium · Signal 53/100
85.208.96.207
Location
Ashburn, VA
ASN
AS209366 (Crawlers)
First Seen
Aug 7, 2023
Last Seen
Jun 12, 2026
Found in 21 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
53%
Signal Score
53 / 100
IDS Rule
No
Threat Context
Tags: see the category tags below.
MITRE ATT&CK TTPs: no techniques are listed separately for this address; the technique IDs (t1003 through t1598) appear among the category tags aggregated from the source reports.
Network Information
Country
United States
Region: Ashburn, VA
ASN: AS209366
Organization: Crawlers
IP Category
Proxy (proxy server)
VPN (VPN exit node)
Feed Intelligence Summary
21 source reports · 53% confidence score
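The address above is flagged as a proxy/VPN exit with a medium score and 21 reports, which is exactly the kind of indicator that should not go straight into a block list. The following is an added example (not code from this page or its data provider) showing how to match the indicator against web-server access logs and tier the response on the indicator's own attributes. The log lines are constructed for the example, and the thresholds and the list of authentication paths are this example's assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    """Attributes of an IP indicator as a feed page like this one presents them."""
    value: str
    score: int            # 0-100 signal score
    reports: int          # number of source reports
    proxy_or_vpn: bool    # flagged as proxy server / VPN exit node
    days_since_seen: int  # age of the most recent sighting


# Values taken from this page's summary fields.
IOC = Indicator("85.208.96.207", score=53, reports=21, proxy_or_vpn=True, days_since_seen=11)

# Constructed sample lines in combined log format; not real traffic from the page.
SAMPLE_LOG = """\
85.208.96.207 - - [12/Jun/2026:09:14:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1423 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2026:09:14:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"
85.208.96.207 - - [12/Jun/2026:09:14:05 +0000] "POST /xmlrpc.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"
85.208.96.207 - - [12/Jun/2026:09:14:06 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Paths whose hits matter more than a crawler fetching /robots.txt (assumption for the example).
AUTH_PATHS = {"/wp-login.php", "/xmlrpc.php", "/login", "/admin"}


def find_hits(log_text, ioc):
    """Return the parsed requests whose source address equals the indicator.

    Addresses are compared as ipaddress objects, not strings, so variants such as
    zero-padded octets cannot slip past the match.
    """
    target = ipaddress.ip_address(ioc.value)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed source field; skip rather than crash on one bad line
        if src == target:
            hits.append({"ts": m["ts"], "method": m["method"],
                         "path": m["path"], "status": int(m["status"])})
    return hits


def triage(ioc, hits):
    """Tiered decision for a matched indicator. Thresholds are this example's assumptions."""
    if not hits:
        return "no-action"
    auth_hits = sum(1 for h in hits if h["path"] in AUTH_PATHS)
    if ioc.proxy_or_vpn:
        # A shared exit serves many unrelated clients; blocking it punishes all of them.
        # Alert on the hits and rate-limit the address instead of denying it outright.
        return "alert-and-rate-limit"
    if ioc.score >= 80 and ioc.days_since_seen <= 7 and auth_hits:
        return "block"
    if ioc.score >= 50 or auth_hits:
        return "alert"
    return "log-only"


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG, IOC)
    print(f"{len(hits)} hits from {IOC.value}; decision: {triage(IOC, hits)}")
```

The proxy/VPN branch is the point: the same three requests from a non-shared address with a high, fresh score would be blocked, but from a flagged exit node they only raise an alert, matching the page's own "verify before acting" caveat.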
Category tags (aggregated across the 21 source reports that list this address, so many tags describe a report's overall scope, such as its countries, sectors or honeypot sensors, rather than this address specifically)
50 ip addresses · 50_ioc · abuse · abuse score · abuseipdb · access attempts · access control · active scan · active scanning · active-attack · active_threat · adb attacks · adbhoney honeypot · adversarial zone activity · africa · agent tesla · alibaba · alibaba cloud · alibaba cloud hosting · alibaba cloud ips · alibaba infrastructure · alibaba ip · alibaba network abuse · application layer protocol · apt · asia · asyncrat · attack · attack campaign · attack source · attack-vector · attack_type: brute_force · attack_type: port_scanning · attacker ip · australia · authentication attempts · auto blocked · auto-blocked · auto-blocked ip · auto-blocked ips · auto-generated · auto-updated · automated attack · automated attack activity · automated blocking · automated threat · automated threat actors · automated threat blocking · automated web attacks · automated-blocking · automated-threat · automated_attack · bad reputation · bad web bot · bangladesh · banking · bde 80 · bde score · bde score 80 · bde score 80+ · bde score alert · bde score analysis · bde score: 80 · bde score: high · behavioral detection energy · belgium · bening · bening scanner · blacklist host · blacklisted ip addresses · blacklisted ips · blocked-ips · blog spam · bot activity · bothammer · botnet · botnet activity · bots · brand weaponization · brazil · brute force · brute force attack · brute force attacker · brute force attacks · brute force attempt · brute force attempts · brute force detection · brute-force · brute-force-attack · brute_force · bruteforce · bulgaria · c&c · c2 · c2 activity · c2 beaconing · c2 channel · c2 communication · c2 over https · c2 server · ca ips · canada · china · china based ips · china ip addresses · china ips · china-linked activity · chinese ip · cisco · cisco device · cisco device attacks · cisco exploitation attempt · cisco exploitation attempts · cobaltstrike · code execution · command & control · command and control · command execution · command injection · common isp infrastructures · communication protocol · compromise assessment · compromise indicators · compromised credentials · compromised host · compromised host indicators · compromised hosts · compromised infrastructure · compromised ip · compromised system · compromised systems · conpot · conpot honeypot · cowrie · cowrie activity · cowrie honeypot · cowrie interactions · credential access · credential access attempts · credential attacks · credential brute-force · credential guessing · credential harvesting · credential stuffing · credential-stuffing · credential_stuffing · credit card services · cross-site scripting · cross-site scripting attacks · cryptocurrency · cryptocurrency threats · cryptojacking · cyber threats · cyberattack · daily-threat-feed · data encryption · data enumeration · data exfiltration · data exfiltration attempt · data store exposure · data theft · database attack · database probing · database security · dcrat · ddos · ddos attack · ddos attacks · ddos attempt · ddos candidate · ddos preparation · ddos reflection · de ips · decoy system · denial of service · denial-of-service · denmark · denmark ip address · device management · dionaea · dionaea activity · dionaea honeypot · directory enumeration · directory traversal · distributed attack · distributed attacks · distributed scanning · dk ips · dns · dns attack · dugganusa threat intel · dugganusa threat intelligence · elasticpot honeypot · elasticsearch monitoring · electronic health records · email · emerging threat actors · emerging threat landscape · emerging threats · encryption · endpoint compromise · enterprise networking · enumeration · eu cyber policies · europe · europe/asia · european nations · exfiltration · exploit · exploit attempts · exploit kits · exploit public-facing application · exploitation · exploitation activity · exploitation attempt · exploitation attempts · exploited host · external attack · external communication · external scan · fatt · finance · finance and insurance · financial services · financial technology · finland · france · ftp · ftp attacks · ftp brute force · geo-distributed · geo-distributed activity · geo-distributed attack · geo-distributed threat · geo-diverse attack · geo-diverse threat actors · geo-location · geographic distribution · geographic diversity · geographic location · geographic origin · geographic source · geographic source: us · geographic threat · geographically distributed attacks · geographically diverse · geographically diverse attack · geographically diverse attacks · geographically diverse ips · geographically diverse origins · geoip · geolocated ips · germany · get request · github · global threat · global threat actors · global threat landscape · great britain · hacking · hardhat · health care and social assistance · health information technology · healthcare information systems · heralding activity · high bde · high bde score · high confidence · high confidence threat · high risk · high risk score · high threat level · high threat potential · high threat score · high_bde_score · hk ips · honeynet connect · honeytrap honeypot · hong kong · hong kong origin · hospital management · http attack · http brute force · http probing · http scanner · http scanning · http-attack · http/https attacks · https · https attack · https scanning · https-attack · https-service · iceland · ics security · ics/scada attacks · identity & access exploitation · india · indicator · indicator-of-compromise · indicators of compromise · indonesia · industrial control systems · information technology · infostealer · infrastructure acquisition reconnaissance · initial access · initial access activity · initial access attempts · initial-access-attempt · injection activity · injection attacks · internet scan · internet scanning · internet-scanning · internet-wide · intrusion detection · ioc · iocs · iocs present · iocs: ip addresses · iocs: ipv4_address_list · iot attacks · iot security · iot/ics attack · ipv4 · ipv4 addresses · ipv4 threat · iraq · ireland · isp-reputation · it infrastructure · italy · japan · japan ip address · japan ip addresses · japan ips · jarm · jordan · keylogger · known adversary · korea · korea, republic of · kr ips · kyrgyzstan · lamp · lamp server targeting · lateral movement · lateral movement potential · latest spambot · layer 7 attack · li ips · liechtenstein · lithuania · login attack · login attempt · login attempts · login page · lt ips · lumma · mailoney activity · mailoney honeypot · malicious activity · malicious activity detected · malicious actors · malicious communication · malicious email · malicious hosting · malicious hosts · malicious infrastructure · malicious ip activity · malicious ip addresses · malicious ips · malicious ipv4 address · malicious links · malicious network activity · malicious network communication · malicious network traffic · malicious payload · malicious software · malicious traffic · malicious-activity · malicious-ip · malicious-ip-address · malicious_ips · malware · malware activity · malware analysis · malware behaviour · malware c2 · malware capture · malware communication · malware distribution · malware domains · malware download attempts · malware ips · malware propagation · malware traffic · manual · masslogger · medical services · mexico · mitre-attack · mozi · mozi link · multi-country activity · multi-country attack · multi-country ips · multi-country origin · multi-country_origin · multi-national activity · multi-regional activity · multiple countries · multiple countries affected · multiple countries origin · multiple geographic locations · multiple geographic origins · multiple origin countries · multiple origins · multiple regions · multiple threat actors · nation-state activity · netherlands · netherlands ip address · netherlands ip addresses · netherlands ips · netherlands origin · network · network activity · network anomalies · network anomaly · network attacks · network behavior analysis · network communication · network enumeration · network exploitation · network infrastructure · network intrusion · network intrusion attempt · network intrusion attempts · network intrusion detection · network intrusions · network probe · network probing · network protocol · network reconnaissance · network scan · network scanning · network security · network security monitoring · network service scanning · network threat · network traffic · network traffic analysis · network-devices · network-reconnaissance · network_intrusion · network_reconnaissance · nl origin · north america · norway · norway ip address · oceania · open ports · opencti · os credential dumping · p0f · password attack · password attacks · password spraying · password-guessing · patient care · pattern-32 · pattern-38 · payment processing · phishing · phishing attack · phishing trap · pink · poland · port-scanning · possible botnet activity · possible evasion tactics · possible exploitation · possible ftp brute-force · possible intrusion · possible lateral movement · possible malware · possible malware activity · possible malware distribution · possible rdp brute-force · possible reconnaissance · possible reconnaissance activity · possible scanning activity · possible ssh brute-force · possible threat actor · post request · potential adversarial behavior · potential apt activity · potential attack · potential attack preparation · potential botnet · potential botnet activity · potential c2 activity · potential compromise · potential coordinated activity · potential data exfiltration · potential exploit · potential exploitation · potential initial access · potential intrusion · potential intrusion attempt · potential lateral movement · potential malicious activity · potential malware · potential malware activity · potential malware distribution · potential network reconnaissance · potential reconnaissance · potential reconnaissance activity · potential threat · potential threat activity · potential threat actor · potential threat actors · potential vulnerability exploitation · potential_compromise · privilege escalation · probing · process injection · protocol exploitation · protocol: http · protocol: https · protocol: tcp · protocol: udp · proxy · proxy activity · ransomhub · ransomware · ransomware activity · rdp-protocol · realtime-waf · reconnaissance · reconnaissance activity · redis honeypot · regional security · remcos trojan · remote access · remote access attempts · remote access trojan · remote code execution · remote services · remote_access · republic of · researched · residential proxy · resource development · resource hijacking · romania · romania ip · romania ip address · romania ip addresses · romania ips · ru origin · russia · russia ip · russia ip address · russia ip addresses · russia ips · russia origin · russia originating ip · russia-based threat actors · russia-linked activity · russian ip · russian ips · russian origin ips · sality · sans · scams & fraud · scanner · scanning · scanning activity · scheduled task/job · scripting attacks · security monitoring · security operations · security policy · semrush-benign · sensor-tagged · sentrypeer activity · sentrypeer botnet · serbia · service scan · sftp · sftp activity · sftp attack · sftp attacks · siem · singapore · sip · sip attacks · sip brute force · sip scan · sip scanning · slovenia · smb attacks · smtp · smtp brute force · smtp probing · snakekeylogger · social engineering · software development · software exploitation · south africa · south america · south korea · space bears · spain · spam · spam campaigns · spambot · sql injection attempts · ssh · ssh attack · ssh monitoring · ssh-protocol · ssl · ssl certificate · ssl certificate analysis · ssl certificate enrichment · ssl enrichment · ssl-enrichment · ssl-tls-analysis · ssl/tls · ssl/tls enrichment · ssl_certificate_verification · stealc · steam · stix 2.1 · stix-2.1 · supply chain attack · supply-chain · suspected intrusion · sweden · t1003 · t1005 · t1016 · t1016.001 · t1018 · t1021 · t1021.001 · t1021.002 · t1021.004 · t1027 · t1036.006 · t1040 · t1041 · t1043 · t1046 · t1047 · t1048 · t1053 · t1055 · t1056 · t1059 · t1059.001 · t1059.003 · t1059.004 · t1059.005 · t1059.007 · t1068 · t1071 · t1071.001 · t1071.002 · t1071.004 · t1075 · t1076 · t1077 · t1078 · t1078.004 · t1083 · t1086 · t1087 · t1090 · t1102 · t1105 · t1110 · t1110.001 · t1110.002 · t1110.003 · t1110.004 · t1133 · t1140 · t1187 · t1189 · t1190 · t1195 · t1195.002 · t1199 · t1203 · t1204 · t1204.001 · t1204.002 · t1219 · t1486 · t1496 · t1499.001 · t1499.002 · t1499.003 · t1547.001 · t1555 · t1555.003 · t1563 · t1565 · t1566 · t1566.001 · t1566.002 · t1566.003 · t1566.004 · t1570 · t1571 · t1573 · t1573.001 · t1573.002 · t1583 · t1583.006 · t1584 · t1585 · t1586 · t1587.001 · t1588 · t1589 · t1590 · t1590.001 · t1590.005 · t1592 · t1592.002 · t1592.004 · t1595 · t1595.001 · t1595.002 · t1595.003 · t1598 · tanner · tanner interactions · targeting database · tcp protocol · tcp scan · team cymru · tech mahindra · telecommunications · telnet threat · tencent · tencent hosting · tencent infrastructure · tencent ip · tencent ips · tencent network abuse · threat actor · threat actor activity · threat detection · threat feed · threat intelligence · threat intelligence feed · threat prevention · threat report · threat-intel · threat-intelligence · threat-intelligence-feed · threat_actor: unknown · tor node · tpot · traffic analysis · traffic anomalies · traffic monitoring · turkey · udp scan · uk ip address · uk ip addresses · uk origin · uk originating ip · ukraine · unauthorized access · unauthorized access attempt · unauthorized access attempts · unauthorized_access_attempt · unidentified threat actor · united kingdom · united states · united states of america · united states origin · unknown threat actor · uruguay · us · us ip address · us ip addresses · us origin · us originating ip · us-linked activity · valid accounts · vector: web_application · venezuela, bolivarian republic of · verified-benign · visit · voip · voip attack · vpn · vpn ip · vulnerability · vulnerability scan · vulnerability-scanning · wealth management · web · web app attack · web application · web application attack · web application attacks · web application scan · web attack · web attack activity · web attacks · web brute force · web exploit · web exploit attempt · web exploit attempts · web exploitation · web reconnaissance · web scanner · web security · web server · web service · web shell · web spam · web traffic · web-application-attack · web-servers · web_application · web_application_attack · web_bruteforce_and_scanning · webscan · webscanner · xss · xss attack · xworm
Activity Timeline: Jun 12 to Jun 12
Threat Activity Heatmap · Peak: 2026-06-12
Window   Reports   Activity
24h      0         Dormant
7d       0         Dormant
30d      1         Minimal
3mo      1         Minimal
Threat Score: Medium Risk
Signal Score: 53
Confidence: 53%
Reports: 21
First seen: Aug 7, 2023
Last seen: Jun 12, 2026
Geolocation: US
Country: United States
Location: Ashburn, VA
ASN: AS209366
Org: Crawlers
Coords: 39.0180, -77.5390
Flags: Proxy, VPN
VirusTotal
Not checked
WHOIS
- description
- IPv4 hosts detected performing web attacks against Cloudflare honeypot edge
- raw
- The record below is ARIN's entry for the whole 85.0.0.0/8 block, which is delegated to RIPE NCC. It does not identify the current holder of 85.208.96.207, and the abuse and technical contacts it lists are RIPE NCC's own. The actual assignment, its abuse contact and the AS209366 / "Crawlers" attribution shown above should be confirmed against the RIPE database (whois.ripe.net, linked as ReferralServer below) before contacting anyone or acting on this indicator.
- NetRange: 85.0.0.0 - 85.255.255.255
  CIDR: 85.0.0.0/8
  NetName: 85-RIPE
  NetHandle: NET-85-0-0-0-1
  Parent: ()
  NetType: Allocated to RIPE NCC
  OriginAS:
  Organization: RIPE Network Coordination Centre (RIPE)
  RegDate: 2004-04-01
  Updated: 2025-02-10
  Comment: These addresses have been further assigned to users in the RIPE NCC region. Please note that the organization and point of contact details listed below are those of the RIPE NCC not the current address holder. ** You can find user contact information for the current address holder in the RIPE database at http://www.ripe.net/whois.
  Ref: https://rdap.arin.net/registry/ip/85.0.0.0
  ResourceLink: https://apps.db.ripe.net/db-web-ui/query
  ResourceLink: whois.ripe.net
  OrgName: RIPE Network Coordination Centre
  OrgId: RIPE
  Address: P.O. Box 10096
  City: Amsterdam
  StateProv:
  PostalCode: 1001EB
  Country: NL
  RegDate:
  Updated: 2013-07-29
  Ref: https://rdap.arin.net/registry/entity/RIPE
  ReferralServer: whois.ripe.net
  ResourceLink: https://apps.db.ripe.net/db-web-ui/query
  OrgAbuseHandle: ABUSE3850-ARIN
  OrgAbuseName: Abuse Contact
  OrgAbusePhone: +31205354444
  OrgAbuseEmail: [email protected]
  OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3850-ARIN
  OrgTechHandle: RNO29-ARIN
  OrgTechName: RIPE NCC Operations
  OrgTechPhone: +31 20 535 4444
  OrgTechEmail: [email protected]
  OrgTechRef: https://rdap.arin.net/registry/entity/RNO29-ARIN
- references
- https://jamesbrine.com.au/cfglobal-web-ip-list-2026-04-29/, https://jamesbrine.com.au, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-03-30/, https://analytics.dugganusa.com/api/v1/stix-feed/v2, https://www.abuseipdb.com, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-04-28/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-03-29/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-04-27/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-03-28/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-04-26/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-03-27/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-04-25/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-03-26/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-03-25/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-04-24/, https://github.com/telekom-security/tpotce, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-04-23/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-03-24/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-04-22/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-03-23/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-03-22/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-04-21/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-04-20/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-03-21/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-03-20/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-04-19/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-04-18/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-03-19/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-04-17/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-03-18/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-04-16/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-03-17/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-04-15/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-03-16/, 
https://jamesbrine.com.au/cfglobal-web-ip-list-2026-03-15/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-04-14/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-04-13/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-03-14/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-04-12/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-03-13/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-04-11/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-03-12/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-03-11/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-04-10/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-04-09/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-04-08/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-03-09/, https://jamesbrine.com.au/cfglobal-web-ip-list-2026-03-08/
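A WHOIS record like the one above is easy to misread as an attribution: the contacts belong to the registry that holds the /8, not to whoever is using the address. The following is an added example (not code from this page or from any WHOIS client) that parses a "Key: value" record, checks whether the covering prefix is a delegation to another RIR, and reports where a real holder or abuse lookup has to go. The first record is constructed from the fields shown on this page (the e-mail is kept in the page's redacted form); the second is an entirely made-up direct allocation in the 203.0.113.0/24 documentation range, included only to exercise the other branch.

```python
import ipaddress
import re

# Constructed from the ARIN record shown on this page, trimmed to the fields used here.
ARIN_RECORD = """\
NetRange:       85.0.0.0 - 85.255.255.255
CIDR:           85.0.0.0/8
NetName:        85-RIPE
NetType:        Allocated to RIPE NCC
Organization:   RIPE Network Coordination Centre (RIPE)
Comment:        These addresses have been further assigned to users in the RIPE NCC region.
Comment:        Please note that the organization and point of contact details listed below are those of the RIPE NCC not the current address holder.
ReferralServer: whois.ripe.net
OrgAbuseEmail:  [email protected]
"""

# Entirely made-up direct allocation in a documentation range; not from the page.
DIRECT_RECORD = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-NET
NetType:        Direct Allocation
Organization:   Example Hosting (EXAMPLE)
"""


def parse_whois(text):
    """Parse 'Key: value' lines into a dict of lists; keys such as Comment repeat."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
        if not m:
            continue
        record.setdefault(m.group(1), []).append(m.group(2).strip())
    return record


def referral_server(record):
    """Host to query next, with any 'whois://' scheme prefix removed."""
    servers = record.get("ReferralServer", [])
    if not servers:
        return None
    return servers[0].removeprefix("whois://")


def is_rir_delegation(record):
    # ARIN marks blocks handed to another RIR as 'Allocated to <RIR>' and adds a ReferralServer.
    nettype = " ".join(record.get("NetType", []))
    return nettype.startswith("Allocated to") or referral_server(record) is not None


def covering_prefix(record, ip):
    """Return the CIDR from the record that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr_field in record.get("CIDR", []):
        for part in cidr_field.split(","):   # ARIN lists several CIDRs on one line
            net = ipaddress.ip_network(part.strip(), strict=False)
            if addr in net:
                return net
    return None


def holder_lookup_target(record, ip):
    """Decide whether this record answers 'who holds ip', or only points elsewhere."""
    net = covering_prefix(record, ip)
    if net is None:
        return ("not-covered", None)
    if is_rir_delegation(record):
        # The contacts in this record are the RIR's; follow the referral for the holder.
        return ("follow-referral", referral_server(record))
    return ("arin-authoritative", None)


if __name__ == "__main__":
    rec = parse_whois(ARIN_RECORD)
    print(covering_prefix(rec, "85.208.96.207"), holder_lookup_target(rec, "85.208.96.207"))
```

Any tooling that auto-fills an abuse contact from WHOIS should run the "follow-referral" check first; a /8 delegated to another registry tells you nothing about the party operating one address inside it.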
Export & API
STIX 2.1 Bundle
CSV Export
Permalink
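The export above offers the indicator as a STIX 2.1 bundle. As an added example (not the page's own exporter, whose exact output is not shown), here is what a minimal, spec-conformant bundle for this address contains, built with the standard library only: an ipv4-addr observable with the deterministic UUIDv5 identifier the spec prescribes for cyber-observable objects, an indicator carrying the STIX pattern and the page's confidence value, a based-on relationship, and a sighting that records the report count and the first/last-seen dates. The validator is a consumer-side sanity check that is this example's own; property values other than those taken from the page are assumptions.

```python
import json
import uuid
from datetime import datetime, timezone

# Namespace defined by STIX 2.1 for deterministic SCO identifiers (section 2.9 of the spec).
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")


def stix_ts(dt):
    """STIX 2.1 timestamp: RFC 3339 in UTC with millisecond precision and a 'Z' suffix."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def ipv4_addr_sco(value):
    """ipv4-addr observable whose id is uuid5 over the canonical JSON of its id-contributing properties."""
    contributing = json.dumps({"value": value}, separators=(",", ":"), sort_keys=True)
    return {"type": "ipv4-addr", "spec_version": "2.1",
            "id": f"ipv4-addr--{uuid.uuid5(STIX_SCO_NAMESPACE, contributing)}",
            "value": value}


def build_bundle(ip, confidence, report_count, first_seen, last_seen, now=None):
    """Bundle one reported IPv4 address with its indicator, relationship and sighting."""
    now = now or datetime.now(timezone.utc)
    sco = ipv4_addr_sco(ip)
    indicator = {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stix_ts(now), "modified": stix_ts(now),
        "name": f"Reported IPv4 address {ip}",
        "indicator_types": ["anomalous-activity"],   # assumption; the page gives no type
        "pattern": f"[ipv4-addr:value = '{ip}']",
        "pattern_type": "stix",
        "valid_from": stix_ts(first_seen),
        "confidence": confidence,                    # STIX confidence is a 0-100 integer
    }
    relationship = {
        "type": "relationship", "spec_version": "2.1",
        "id": f"relationship--{uuid.uuid4()}",
        "created": stix_ts(now), "modified": stix_ts(now),
        "relationship_type": "based-on",
        "source_ref": indicator["id"], "target_ref": sco["id"],
    }
    sighting = {
        "type": "sighting", "spec_version": "2.1",
        "id": f"sighting--{uuid.uuid4()}",
        "created": stix_ts(now), "modified": stix_ts(now),
        "sighting_of_ref": indicator["id"],
        "count": report_count,
        "first_seen": stix_ts(first_seen), "last_seen": stix_ts(last_seen),
    }
    # A 2.1 bundle has no spec_version of its own; only the contained objects do.
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [indicator, sco, relationship, sighting]}


def validate_bundle(bundle):
    """Minimal structural checks a consumer should run before ingesting; returns a list of problems."""
    errors = []
    if bundle.get("type") != "bundle":
        errors.append("top-level object is not a bundle")
    objects = bundle.get("objects", [])
    ids = {o.get("id") for o in objects}
    for o in objects:
        oid = o.get("id", "<no id>")
        if o.get("spec_version") != "2.1":
            errors.append(f"{oid}: missing or wrong spec_version")
        if not oid.startswith(o.get("type", "") + "--"):
            errors.append(f"{oid}: id prefix does not match type")
        for key, val in o.items():
            if key.endswith("_ref") and val not in ids:
                errors.append(f"{oid}: dangling reference {key}")
    return errors


# Values taken from this page's summary fields.
PAGE_BUNDLE = build_bundle(
    "85.208.96.207", confidence=53, report_count=21,
    first_seen=datetime(2023, 8, 7, tzinfo=timezone.utc),
    last_seen=datetime(2026, 6, 12, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print(json.dumps(PAGE_BUNDLE, indent=2))
```

The deterministic observable id is what lets two feeds that both report this address produce the same ipv4-addr object, so a consumer can merge them instead of storing duplicates; the indicator and sighting keep random ids because they are per-producer assertions.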
IOC Journey
Medium · First detected 2 years ago · Last seen 11 days ago
Appeared in 21 threat reports