IPMediumSignal 64/100

`86.54.31.40`

Location

United Kingdom

Amsterdam, North Holland

ASN

AS12989

MISTRAL

First Seen

Apr 9, 2025

Last Seen

Jun 16, 2026

Apr 9

First Seen

438d ago

Jun 16

Last Seen

5d ago

Reports

source reports

64%

Confidence

medium

Found in 34 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.

IPv4 Address

Network layer indicator observed in threat reports.

MISP Category

Network Activity

Confidence

64%

Signal Score

64 / 100

IDS Rule

Threat Context

MITRE ATT&CK TTPs

109 techniques

Network Information

Country

United Kingdom

RegionAmsterdam, North Holland

ASNAS12989

OrganizationMISTRAL

IP Category

⟲

Proxy

Proxy server

⊕

VPN

VPN exit node

Feed Intelligence Summary

34 reports64% confidence

Source reports

64%

Confidence score

Category tags

abuseaccess attemptsaccess controlaccount compromiseaccount securityackactive reconnaissanceactive scanactive scanningadbadb protocoladbhoney activityadbhoney attackadbhoney exploitationadbhoney honeypotadministrative accessandroid devicesanomalous network connectionsapacheapache attackerapplication layer protocolaptasiaasset discoveryattackattack activityattack attemptattacker ipattacker ipsattacker-ipaustraliaauthentication abuseauthentication attackauthentication attacksauthentication attemptauthentication attemptsauthentication brute forceauthentication_failuresautomated attackautomated attacksautomated botautomated-attackautomated_attackback orificebad reputationbad web botbankingblacklisted ip addressblock listblock.txtblocked connectionblocklist_allblog spambotnetbotnet activitybrute forcebrute force attackbrute force attackerbrute force attacksbrute force attemptbrute force attemptsbrute-forcebrute-force attackbrute_forcebrute_force_attackbruteforcec2c2 communicationc2 servercacanadachinachina mobilecisco asacisco attackcisco devicecisco device attackcisco device attackscisco device targetingcisco exploit attemptcisco exploit attemptscisco exploitationcisco exploitation attemptcisco exploitation attemptscisco targetedcisco vulnerability exploitationcloud computingcloud environmentcloud hostingcloud infrastructurecloud infrastructure attackcloud infrastructure targetcloud migrationcloud providercloud securitycloud servicescloud storagecloud_infrastructurecode executioncolumnscommand & controlcommand and controlcommand executioncommand injectioncommand injection attemptcommunication protocolcompany limitedcompromise attemptcompromised credentialscompromised credentials attemptcompromised hostcompromised host activitycompromised host detectioncompromised hostscompromised system attemptcompromised system detectioncompromised systemsconfig manipulationconnect scanconpot activityconpot attackconpot honeypotconpot ics exploitationcontainer securitycowriecowrie activitycowrie attackcowrie attackscowrie capturecowrie datacowrie emulationcowrie honeypotcowrie honeypot datacowrie honeypot detectioncowrie interactionscowrie logscowrie ssh attackcowrie ssh attackscowrie ssh honeypotcredential accesscredential access attemptscredential attackcredential attackscredential brute forcecredential brute-forcingcredential compromisecredential guessingcredential harvestingcredential stuffingcredential theftcredential-accesscredential-bruteforcingcredential-stuffingcredential_accesscredential_attackcredential_stuffingcredentialaccesscredit card servicescron injectionctrlscurlcvecve exploitationcyber threatcyberattackd-link hnapd-link vulnerabilitydaily_sourcesdasan gpondata encryptiondata exfiltrationdata exfiltration attemptdata store exposuredata theftdatabase attackdatabase attacksdatabase exploit attemptsdatabase login attemptdatabase probingdatabase scandatabase securitydcerpcdcom exploitationddosddos attackddos attack indicatorsddos attacksddos preparationddos probeddospotdecoy systemdenial of servicedenial-of-servicedenial-of-service attemptdevice managementdictionary attackdictionary_attackdigital oceandigitalocean environmentdigitalocean infrastructuredigitalocean ipsdigitaloceanasndionaeadionaea activitydionaea attackdionaea attacksdionaea capturedionaea exploitsdionaea honeypotdionaea interactionsdionaea logsdionaea malware analysisdionaea malware collectiondionaea malware samplesdionaea payloadsdirectory traversal attemptdistributed attacksdnsdns attackdockerdropperelasticpot attackselasticpot honeypotelasticsearchelasticsearch monitoringencryptionenterprise networkingenumerationeu cyber policieseuropeexecutable fileexfiltrationexploitexploit activityexploit attemptexploit attemptsexploit kitexploit kit activityexploit probingexploit public-facing applicationexploit targetingexploitationexploitation activityexploitation attemptexploitation attemptsexploitation of vulnerabilityexploited hostexternal access attemptsexternal attackexternal reconnaissanceexternal threatexternal-scanningexternal-threatexternal_threatfailed loginfailed login attemptsfattfatt analysisfatt detectionsfatt signaturesfilefin scanfinancefinance and insurancefinancial servicesfinancial technologyfingerprintingfinlandfrancefraud voipftpftp attackftp attacksftp brute forceftp brute-forceftp scanftp_scangalahgbgermanygluttongopotgpon router exploitsgpon vulnerabilityhackinghellpotheralding activityheralding behaviorheralding probeshk abusehandlerhoneynet connecthoneytrap activityhoneytrap attackhoneytrap datahoneytrap eventshoneytrap exploit attemptshoneytrap honeypothoneytrap interactionshong konghttphttp attackhttp brute forcehttp probinghttp request anomalieshttp scanhttp scannerhttp scanninghttp_scanhttpshttps attackshttps scanninghurricane ushydraicmpics securityidentity & access exploitationidsimapimap attackinbound scanindiaindicatorindicators of compromiseindustrial control systemsinformation gatheringinfrastructure reconnaissanceinfrastructure scanninginfrastructure targetinginitial accessinitial access attemptinitial access preparationinitial access vectorinitial_accessinjection activityinjection attacksinternet exposedinternet exposureinternet facing assetinternet facing assetsinternet facing systemsinternet of thingsinternet wide scaninternet-facinginternet-facing assetsinternet-facing serviceinternet-wide observationinternet-wide scaninternet_scannersinternet_wide_scanintrusion detectioniocioc.ipiocsiot botnetiot device targetingiot securityiot targetediot/ics attackip-addressesipphoney activityipphoney honeypotipv4ipv4 addressesipv4 attacksipv4 indicatorsipv4 iocipv4 port scanningipv4 scanningipv4 trafficipv4-iocipv4_activityipv4_addressipv4_indicatorsipv4_scanningjapankibanakill-chain exploitationkill-chain reconnaissanceknown malicious iplamplamp attacklamp attackslamp exploit attemptlamp exploit attemptslamp exploitationlamp exploitation attemptlamp exploitation attemptslamp server attacklamp server targetedlamp server targetinglamp stacklamp stack attacklamp stack attackslamp stack exploitationlamp stack targetedlamp stack targetinglamp vulnerability scanlateral movementlcialinux serverslinux system targetinglinux systemslinux-server-attacklinux_server_attackslog4potloginlogin attacklogin attemptlogin attemptslogin_attemptloginattacklondonlow-riskmail service probingmailoney activitymailoney attackmailoney eventsmailoney honeypotmailoney interactionsmalaysiamalicious activitymalicious activity detectedmalicious emailsmalicious file transfermalicious infrastructuremalicious ipmalicious ip activitymalicious ip addressesmalicious ip blockedmalicious ip listmalicious ipsmalicious ipv4malicious login attemptsmalicious network activitymalicious payloadmalicious payload attemptsmalicious payload detectionmalicious payload distributionmalicious scanmalicious softwaremalicious trafficmalicious-login-attemptsmalicious-scanmalicious_activitymalwaremalware analysismalware attemptmalware behaviourmalware capturemalware deliverymalware delivery attemptmalware detectionmalware distributionmalware downloadmalware droppermalware propagationmalware_activitymasscanmedpotmicrosoft technologiesmiraimirai botnetmobilemobile securitymobile threatmodule loadingmonthlymsp-ctimssqlmulti-cloud managementmysql brute forcenetherlandsnetworknetwork activitynetwork attacksnetwork device attacknetwork discoverynetwork enumerationnetwork infrastructurenetwork intrusionnetwork intrusion attemptnetwork intrusion attemptsnetwork intrusion detectionnetwork port scanningnetwork probenetwork probingnetwork protocolnetwork reconnaissancenetwork scannetwork scanningnetwork scanning activitynetwork securitynetwork service scanningnetwork servicesnetwork threat activitynetwork traffic analysisnetwork-based attack attemptsnetwork-discoverynetwork-reconnaissancenetwork_activitynetwork_discoverynetwork_enumerationnetwork_probingnetwork_reconnaissancenetwork_scannlnmapnorth americanull scanoceaniaopenctioperating systemoperating system securityopportunistic attackopportunistic attackeropportunistic-attackos command injectionosintoutbound communication blockingp0fp0f network fingerprintingp0f os fingerprintingp0f passive fingerprintingp0f signaturesparispassword attackpassword attackspassword crackingpassword_attackpassword_guessingpayment processingperimeter securitypgp signphishingphishing attackphishing trapping of deathpolandport-scanningportscanpossible botnet activitypossible credential stuffingpossible exploit attemptpossible exploit attemptspossible malware activitypossible malware deliverypossible malware deploymentpossible malware distributionpossible malware dropperpossible malware propagationpossible mirai variantpotential botnetpotential botnet activitypotential credential stuffingpotential exploitpotential exploit activitypotential intrusionpotential malicious activitypotential malwarepotential malware deliverypotential threat actorpotential vulnerability probingpotential vulnerability scanprivilege escalationprobingprocess injectionprotocol exploitationprotocol-abuseproxyproxy accesspublic cloud targetingransomwareransomware activityrcerdp attacksrdp scanrdp scanningrdp_scanreconnaissancereconnaissance activityredis exploitationredis exploitation attemptredis exploitation attemptsredis honeypotredis honeypot attackredishoneypot activityregional securityremote accessremote access abuseremote access attackremote access attemptremote access attemptsremote code executionremote command executionremote servicesremote_accessresearchresearchedresource hijackingrpcsansscams & fraudscanscannerscanner activityscanner ipscanner ipsscannersscanningscanning activityscript kiddiescripting attackssecurity eventsecurity operationssecurity policysensor-taggedsentrypeer activitysentrypeer attacksentrypeer attackssentrypeer botnetsentrypeer detectionsentrypeer eventssentrypeer interactionssentrypeer targetingserver exploitationserver securityservice detectionservice discoveryservice enumerationservice scanservice scanningservice-discoveryservice_enumerationsftp access attemptsftp access attemptssftp activitysftp attacksftp attackssftp attemptsftp attemptssftp brute-forcesftp credential attacksftp exploitationsftp exploitation attemptsftp probingsftp-attackshellshell accessshodan_io-benignsingaporesipsip attackssip brute forcesip brute-forcesip scansip scanningsip vulnerability scansippslaveofsmb scanningsmtpsmtp attacksmtp attackssmtp brute forcesmtp probingsmtp scansmtp scanningsnaresoapsocial engineeringsocradar honeypotsoftware exploitationsora botnetspamsql injectionsql injection attemptsql injection attemptssshssh attackssh attacksssh brute-forcessh key injectionssh monitoringssh scanssh scanningssh-brutessh-brute-forcessh_scansuricata alertsuricata alertssynsyn scansyn_scansystem reconnaissancet-pott1005t1016t1018t1020t1021t1021.001t1021.002t1021.003t1021.004t1021.005t1021.006t1027t1040t1041t1046t1047t1048t1053t1055t1056t1059t1059.001t1059.003t1059.004t1059.005t1059.007t1064t1065t1068t1069.001t1071t1071.001t1071.002t1076t1077t1078t1078.001t1078.002t1078.004t1083t1087t1088t1090t1105t1110t1110.001t1110.002t1110.003t1110.004t1133t1136.001t1187t1189t1190t1195t1199t1202t1203t1204t1204.002t1210t1486t1496t1497t1499.001t1499.002t1499.003t1505t1505.002t1505.004t1550t1550.002t1550.003t1555t1555.003t1555.004t1555.005t1562t1563t1565t1566t1566.001t1566.002t1566.003t1566.004t1572t1573t1573.001t1574.001t1583t1583.001t1588t1588.002t1588.006t1589t1589.002t1590t1590.002t1590.003t1590.004t1590.005t1592t1592.002t1593t1595t1595.001t1595.002t1595.003t1598tannertanner activitytanner attacktanner eventstanner exploit kittanner honeypot activitytanner incidenttanner interactionstargeting databasetcptcp protocoltcp scantcp scanningtcp-scantcp-scanningtcp/iptelecommunicationstelnettelnet attackstelnet scantelnet scanningtelnet threattelnet-brute-forcethreat actorthreat actor activitythreat actor: unknownthreat detectionthreat feedthreat indicatorthreat intelligencethreat intelligence feedthreat preventionthreat-intelligencethreat_actor_unknownthreat_intelligencetimeouttokyotop10.txttopips.txttor nodetorontotpottpotcettpsudp port scanudp scanudp-scanudp-scanningunattributed activityunauthenticated access attemptsunauthorized accessunauthorized access attemptunauthorized access attemptsunauthorized loginunauthorized login attemptunauthorized-access-attemptunidentified threat actorunitedunited kingdomunited statesunknown actorunknown threat actorus abuseus noneverified-benignvnc protocolvoipvoip attackvpnvpn ipvulnerabilityvulnerability scanvultrvultr cloud infrastructurevultr infrastructurevultr-platformvultr_platform_activitywarsawwealth managementweb app attackweb application attackweb application attacksweb application probingweb application scanweb application scanningweb attackweb attacksweb exploit attemptsweb exploitationweb exploitsweb login attemptweb scannerweb service probingweb service scanningweb shellweb shell attemptweb shell detectionweb shell uploadweb shell uploadsweb spamweb trafficweb-application-attackweb_attackwebscanwebscannerwgetwindows system targetingwordpotxmas scanxmas_scanzgrabzgrab scanner

Activity Timeline

1 total obs

Jun 16Jun 16

Threat Activity Heatmap

Less

Mon

Wed

Fri

Jun

Jul

Aug

Sep

Oct

Nov

Dec

Jan

Feb

Mar

Apr

May

Jun

24h

Dormant

Minimal

30d

Minimal

3mo

Minimal

Threat ScoreMedium Risk

SIGNAL

Signal Score

64%

Confidence

Reports

First seenApr 9, 2025

Last seenJun 16, 2026

GeolocationGB

CountryUnited Kingdom

LocationAmsterdam, North Holland

ASNAS12989

OrgMISTRAL

Coords51.4964, -0.1224

ProxyVPN

VirusTotal

Not checked

WHOIS

description: IPv4 hosts detected port scanning DigitalOcean London (UK) honeypot
raw: NetRange: 86.0.0.0 - 86.255.255.255 CIDR: 86.0.0.0/8 NetName: 86-RIPE NetHandle: NET-86-0-0-0-1 Parent: () NetType: Allocated to RIPE NCC OriginAS: Organization: RIPE Network Coordination Centre (RIPE) RegDate: 2004-04-01 Updated: 2025-02-10 Comment: These addresses have been further assigned to users in the RIPE NCC region. Please note that the organization and point of contact details listed below are those of the RIPE NCC not the current address holder. ** You can find user contact information for the current address holder in the RIPE database at http://www.ripe.net/whois. Ref: https://rdap.arin.net/registry/ip/86.0.0.0 ResourceLink: https://apps.db.ripe.net/db-web-ui/query ResourceLink: whois.ripe.net OrgName: RIPE Network Coordination Centre OrgId: RIPE Address: P.O. Box 10096 City: Amsterdam StateProv: PostalCode: 1001EB Country: NL RegDate: Updated: 2013-07-29 Ref: https://rdap.arin.net/registry/entity/RIPE ReferralServer: whois.ripe.net ResourceLink: https://apps.db.ripe.net/db-web-ui/query OrgTechHandle: RNO29-ARIN OrgTechName: RIPE NCC Operations OrgTechPhone: +31 20 535 4444 OrgTechEmail: [email protected] OrgTechRef: https://rdap.arin.net/registry/entity/RNO29-ARIN OrgAbuseHandle: ABUSE3850-ARIN OrgAbuseName: Abuse Contact OrgAbusePhone: +31205354444 OrgAbuseEmail: [email protected] OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3850-ARIN
references: https://github.com/telekom-security/tpotce

`86.54.31.40`

MITRE ATT&CK TTPs

Network Information

IP Category

Feed Intelligence Summary

Activity Timeline

Threat Activity Heatmap

VirusTotal

WHOIS

Export & API

IOC Journey