IOC Radar
IP · Medium · Signal 78/100

89.248.172.139

Location: Utrecht, UT, Netherlands
ASN: AS202425 (Quasi Networks LTD.)
First Seen: Aug 26, 2020 (2118d ago)
Last Seen: Mar 23, 2026 (83d ago)
Reports: 19 source reports
Confidence: 78% (medium)
Found in 19 reports. Confidence: medium. Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
78%
Signal Score
78 / 100
IDS Rule
No
Threat Context
Tags: MITRE ATT&CK
MITRE ATT&CK TTPs: 71 techniques

Network Information

Country: NL (Netherlands)
Region: Utrecht, UT
ASN: AS202425
Organization: Quasi Networks LTD.

Feed Intelligence Summary

19 source reports · 78% confidence score
Category tags
aerospace & defense, attack, automotive manufacturing, botnet, canada, cert, civil services, cl0p, cl0p ransomware attack, cleo, cleo vulnerability, clop, command and control, consumer goods, credential harvesting, cyber security, data encryption, data exfiltration, defense, defense contracting, defense logistics, defense systems, defense technology, distributed attacks, electronics manufacturing, eu cyber policies, europe, evil corp, extortion, fleet management, freight services, government technology, indicator, industrial automation, industrial iot, industrial production, interlock, ioc, knight, malicious activity, malicious software, mallox, malware, manufacturing technology, maritime transport, medusa, medusalocker, military operations, national security, netherlands, network, nextray, nl, openporsts_com-benign, passenger transportation, patch management, phishing attack, process injection, process manufacturing, public administration, public infrastructure, public policy, quality control, rail transport, ransomhub, ransomware, regional security, regulatory agencies, researched, retail, retail trade, security operations, social engineering, storm-1567, supply chain management, surface web, system disruption, ta505, team underground, threat actor, threat intelligence, transportation and warehousing, transportation infrastructure, transportation technology, turkey, united states of america, verified-benign
MITRE ATT&CK technique tags (71): t1003.001, t1005, t1010, t1012, t1016, t1018, t1020, t1021.002, t1027, t1027.003, t1033, t1036.001, t1041, t1047, t1053.005, t1055, t1055.001, t1057, t1059, t1059.001, t1068, t1069, t1070.001, t1070.004, t1071, t1071.001, t1078, t1078.002, t1078.003, t1082, t1083, t1105, t1106, t1114, t1114.001, t1140, t1190, t1195, t1195.003, t1199, t1202, t1204, t1204.002, t1213, t1482, t1484.001, t1486, t1490, t1491, t1496, t1499.002, t1499.003, t1518.001, t1535, t1543.003, t1547, t1547.001, t1550.002, t1562.001, t1565, t1566.001, t1566.002, t1566.003, t1567, t1567.002, t1570, t1573, t1573.001, t1574, t1595, t1595.002

Activity Timeline

1 total observation (Mar 23)

Threat Activity Heatmap

[Heatmap: daily observation counts by weekday, Jun through the following Jun; peak: 2026-03-23]
Recent activity windows:
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Threat Score: 78 (High Risk)
Signal Score: 78
Confidence: 78%
Reports: 19
First seen: Aug 26, 2020
Last seen: Mar 23, 2026
Geolocation: NL
Country: Netherlands
Location: Utrecht, UT
ASN: AS202425
Org: Quasi Networks LTD.
Coords: 52.0922, 5.1268

VirusTotal

Not checked

WHOIS

description
The Cl0p ransomware group has recently targeted 43 organizations across various industries, with a focus on Manufacturing, Retail, and Transportation sectors. The majority of victims are located in the US, Canada, and Europe. The attackers likely exploited the Cleo vulnerability (CVE-2024-50623) for initial access. Over 1.6 million assets are potentially vulnerable to this exploit. The report provides IOCs, MITRE ATT&CK techniques, and YARA rules for detection. Cl0p is associated with the Russian cybercriminal group TA505/Evil Corp, known for custom malware development and sophisticated attack techniques. Recommendations include prioritizing patch management, implementing robust email filtering, and strengthening overall security posture.
raw
inetnum: 89.248.172.0 - 89.248.172.255
netname: NET-2-172
descr: IPV NETBLOCK
country: NL
geoloc: 52.370216 4.895168
org: ORG-IVI1-RIPE
admin-c: IVI24-RIPE
tech-c: IVI24-RIPE
status: ASSIGNED PA
mnt-by: IPV
mnt-lower: IPV
mnt-routes: IPV
created: 2019-02-03T20:55:31Z
last-modified: 2019-02-03T20:55:31Z
source: RIPE

organisation: ORG-IVI1-RIPE
org-name: IP Volume inc
country: SC
org-type: OTHER
address: Seychelles
abuse-c: IVNO1-RIPE
mnt-ref: IPV
mnt-by: IPV
created: 2018-05-14T11:46:50Z
last-modified: 2023-09-08T14:13:20Z
source: RIPE # Filtered

role: IPV
address: BZ
nic-hdl: IVI24-RIPE
mnt-by: IPV
created: 2018-05-16T13:28:41Z
last-modified: 2023-09-08T14:14:36Z
source: RIPE # Filtered

route: 89.248.172.0/24
origin: AS202425
remarks: +-----------------------------------------------
remarks: | For abuse e-mail [email protected]
remarks: | We do not always reply to abuse.
remarks: | But we do take care your report is dealt with!
remarks: +-----------------------------------------------
mnt-by: IPV
created: 2019-02-08T15:47:32Z
last-modified: 2019-02-08T15:47:32Z
source: RIPE
references
https://www.cyfirma.com/research/cl0p-ransomware-latest-attacks/
https://www.rapid7.com/blog/post/2024/12/10/etr-widespread-exploitation-of-cleo-file-transfer-software-cve-2024-50623/


IOC Journey

Confidence: medium
First detected 5 years ago · Last seen 2 months ago
Appeared in 19 threat reports