IOC Radar
IP indicator · Medium · Signal 56/100

91.191.209.46

Location: Sofia, Sofia-Capital, Bulgaria
ASN: AS57509 (L&L Investment Ltd)
First Seen: Apr 1, 2022
Last Seen: Jun 19, 2026
First seen 1544 days ago · Last seen 4 days ago · 21 source reports · Confidence 56% (medium)
Confidence scores are heuristic. Verify before acting on results.
Indicator type: IPv4 Address (network layer indicator observed in threat reports)
MISP Category: Network Activity
Confidence: 56%
Signal Score: 56 / 100
IDS Rule: No
Threat Context
MITRE ATT&CK TTPs: 92 techniques (the t-numbered entries among the category tags below)

Network Information
Country: BG (Bulgaria)
Region: Sofia, Sofia-Capital
ASN: AS57509
Organization: L&L Investment Ltd

Feed Intelligence Summary

21 source reports · 56% confidence score
Category tags: abuse, access control, account compromise, account security, active scan, active scanning, administrative access, angel, anydesk, application layer protocol, apt, asyncrat, attack, attacker ip, attacker-ip, auto-generated security, bad reputation, bad web bot, bg, blackbasta, blacklist candidate, botnet, botnet activity, brute force, brute force attack, brute force attacker, brute force attempts, brute-force, bruteforce, bulgaria, c2, c2 framework, cloud, cloud computing, cloud infrastructure, cloud migration, cloud security, cloud services, cloud storage, cobalt strike, cobaltstrike, code execution, command & control, command and control, command execution, communication protocol, compromised credentials attempt, consumer goods, cowrie, credential access, credential dumping, credential harvesting, credential stuffing, cta, data encryption, data exfiltration, data store exposure, database attacks, dcrat, ddos, ddos attacks, decoy system, deimos, denial of service, desktop, dictionary attack, digital ocean, dionaea, distributed attacks, education, encryption, engineering, et exploit, europe, exfiltration, exploit probing, exploitation activity, exploited host, extortion, fatt, ftp, ftp brute force, ftp brute-force, gb, hacking, havoc, http brute force, http scanner, https, identity & access exploitation, impact, inbound scan, india education, injection activity, input validation bypass, internet of things, intrusion detection, iot botnet, iot security, iot/ics attack, lateral movement, legal, lsass, malicious activity, malicious powershell activity, malicious software, malware, malware propagation attempt, media, metasploit, meterpreter, mimic, mimic ransomware, mirai botnet, multi-cloud management, mythic, netscan, netsupportrat, network, network activity, network attacks, network enumeration, network intrusion, network intrusion detection, network probe, network probing, network protocol, network reconnaissance, network scan, network scanning, network security, network service scanning, network traffic analysis, noname, north america, operating system, operating system security, p0f, password attack, password attacks, path traversal, phase, phishing, phishing attack, phishing tool, pink, portscan, possible botnet activity, possible reconnaissance, post-exploitation, potential vulnerability scan, privilege escalation, process injection, protocol exploitation, proxy, python, qakbot, ransomware, rat, rce, rdp scanning, reconnaissance, remcos trojan, remote access, remote access trojan, remote code execution, remote services, research, researched, retail trade, rpcss, scan, scanner, scanners, scanning activity, scripting attacks, security operations, security policy, sensor-tagged, service, service enumeration, service scan, shell, sigma, sliver, smb scanning, social engineering, software exploitation, ssh, ssh attack, ssh-brute, supershell, surface web, syn scan, sysmon, system access, system disruption, t1003, t1003.001, t1003.005, t1007, t1012, t1016, t1018, t1021, t1021.001, t1021.002, t1021.003, t1027, t1033, t1036, t1040, t1041, t1046, t1047, t1053, t1053.005, t1055, t1056, t1057, t1059, t1059.001, t1059.003, t1059.004, t1068, t1069.001, t1070, t1071, t1071.001, t1076, t1077, t1078, t1078.002, t1083, t1086, t1087, t1088, t1105, t1110, t1110.001, t1110.002, t1110.003, t1110.004, t1112, t1133, t1134, t1136, t1136.001, t1187, t1189, t1190, t1199, t1203, t1204.002, t1210, t1219, t1486, t1490, t1496, t1497, t1499.001, t1499.002, t1499.003, t1543, t1543.003, t1547.001, t1550.003, t1562, t1563, t1565, t1566, t1566.001, t1566.002, t1566.003, t1569, t1569.002, t1574, t1574.002, t1588, t1588.002, t1589, t1589.002, t1590, t1592, t1592.004, t1595, t1595.001, t1595.002, t1595.003, tanner, targeting database, tcp protocol, tcp scanning, telnet threat, threat actor, threat intelligence, threat prevention, tor node, tpot, tsec, unauthorized access, unauthorized access attempt, unauthorized access attempts, united kingdom, united states, valid accounts, voidtrap, vulnerability scan, vultr, web app attack, web application attack, web application exploitation, web traffic, webshell, whoami

Activity Timeline
1 total observation: Jun 19

Threat Activity Heatmap
Day-of-week grid covering Jun to Jun of the following year; a single active day, peak 2026-06-19.
Recent activity: 24h 0 (Dormant) · 7d 1 (Minimal) · 30d 1 (Minimal) · 3mo 1 (Minimal)
Threat Score: 56 (Medium Risk) · Signal 56% confidence · 21 reports
First seen: Apr 1, 2022 · Last seen: Jun 19, 2026
Geolocation: BG, Bulgaria, Sofia, Sofia-Capital · ASN AS57509 · Org L&L Investment Ltd · Coords 42.6960, 23.3320

VirusTotal: Not checked

WHOIS
Description: IPv4 hosts detected port scanning Vultr Paris (France) honeypot
Raw record (RIPE):
inetnum: 91.191.209.0 - 91.191.209.127
netname: CLOUDVDS-NET
descr: VDS and Hosting
country: EU
org: ORG-LIL16-RIPE
admin-c: CCR38-RIPE
tech-c: CCR38-RIPE
status: ASSIGNED PA
mnt-by: MNT-LIR-BG
mnt-by: TAMATYA-MNT
mnt-by: CLOUDBS-MNT
mnt-lower: MNT-LIR-BG
mnt-routes: MNT-LIR-BG
created: 2022-04-19T15:08:48Z
last-modified: 2022-04-19T15:08:48Z
source: RIPE

organisation: ORG-LIL16-RIPE
org-name: L&L Investment Ltd.
country: BG
org-type: OTHER
address: Emiliyan Stanev str., Building 6, Entr.2, Flat 4
address: Bulgaria, Dimitrovgrad
abuse-c: ACRO8505-RIPE
mnt-ref: MNT-LIR-BG
mnt-by: AZ39139-MNT
mnt-by: MNT-LIR-BG
mnt-by: MNT-TELEHOUSE-BG
created: 2017-07-28T07:03:35Z
last-modified: 2022-12-01T17:18:00Z
source: RIPE # Filtered

role: CloudBS Contact role
address: National Cultural Centre 861 P.O. Box 1494, Victoria Mahe, Seychelles
address: Seychelles
abuse-mailbox: [email protected]
nic-hdl: CCR38-RIPE
mnt-by: CLOUDBS-MNT
created: 2018-02-18T10:05:21Z
last-modified: 2024-09-16T04:39:30Z
source: RIPE # Filtered

route: 91.191.209.0/24
origin: AS57509
mnt-by: Tamatiya
mnt-by: TAMATYA-MNT
created: 2021-01-26T16:46:58Z
last-modified: 2021-01-26T16:46:58Z
source: RIPE

References:
https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware
https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/
https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/#initial-access
https://x.com/TheDFIRReport/status/1923359803847344442
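The registry record above is worth checking mechanically rather than by eye: the inetnum assignment (128 addresses) is narrower than the announced /24, the inetnum country is EU while the organisation is registered in BG, and the contact role sits in the Seychelles, so the registry does not itself back the Sofia geolocation shown on this page. The block below is an added example (Python, not IOC Radar's own tooling) that parses the RIPE record as printed above, confirms 91.191.209.46 falls inside both the inetnum range and the route, records the origin AS and abuse contact, and emits warnings for the discrepancies an analyst should read before acting. The WHOIS text is the page's record reflowed one attribute per line; the redacted abuse mailbox stays redacted.

```python
# Added example (not IOC Radar's own tooling): parse the RIPE WHOIS record shown
# on this page and check the IOC against the registered range and announced route.
import ipaddress
import re

# The page's raw record, reflowed one attribute per line as RIPE prints it;
# the abuse mailbox is redacted on the page and stays redacted here.
WHOIS_RAW = """\
inetnum: 91.191.209.0 - 91.191.209.127
netname: CLOUDVDS-NET
descr: VDS and Hosting
country: EU
org: ORG-LIL16-RIPE
admin-c: CCR38-RIPE
tech-c: CCR38-RIPE
status: ASSIGNED PA
mnt-by: MNT-LIR-BG
mnt-by: TAMATYA-MNT
mnt-by: CLOUDBS-MNT
mnt-lower: MNT-LIR-BG
mnt-routes: MNT-LIR-BG
created: 2022-04-19T15:08:48Z
last-modified: 2022-04-19T15:08:48Z
source: RIPE

organisation: ORG-LIL16-RIPE
org-name: L&L Investment Ltd.
country: BG
org-type: OTHER
address: Emiliyan Stanev str., Building 6, Entr.2, Flat 4
address: Bulgaria, Dimitrovgrad
abuse-c: ACRO8505-RIPE
mnt-ref: MNT-LIR-BG
mnt-by: AZ39139-MNT
mnt-by: MNT-LIR-BG
mnt-by: MNT-TELEHOUSE-BG
created: 2017-07-28T07:03:35Z
last-modified: 2022-12-01T17:18:00Z
source: RIPE # Filtered

role: CloudBS Contact role
address: National Cultural Centre 861 P.O. Box 1494, Victoria Mahe, Seychelles
address: Seychelles
abuse-mailbox: [email protected]
nic-hdl: CCR38-RIPE
mnt-by: CLOUDBS-MNT
created: 2018-02-18T10:05:21Z
last-modified: 2024-09-16T04:39:30Z
source: RIPE # Filtered

route: 91.191.209.0/24
origin: AS57509
mnt-by: Tamatiya
mnt-by: TAMATYA-MNT
created: 2021-01-26T16:46:58Z
last-modified: 2021-01-26T16:46:58Z
source: RIPE
"""

ATTR_RE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*?)\s*$")  # "key: value", trailing spaces dropped

def parse_whois(text):
    """Split a RIPE dump into blank-line-separated objects of (key, value) pairs."""
    objects, cur = [], []
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            cur.append((m.group(1), m.group(2)))
        elif cur:  # a blank (or unparseable) line closes the current object
            objects.append(cur)
            cur = []
    return objects + ([cur] if cur else [])

def first(obj, key):
    return next((v for k, v in obj if k == key), None)

def check_ioc(ip_str, whois_text):
    """What the registry says about ip_str, plus the warnings an analyst should read."""
    ip = ipaddress.ip_address(ip_str)
    r = {"ip": ip_str, "in_inetnum": False, "in_route": False, "warnings": []}
    for obj in parse_whois(whois_text):
        kind, head = obj[0]
        if kind == "inetnum":  # "lo - hi" assignment; can be narrower than the route
            lo, hi = (ipaddress.ip_address(p.strip()) for p in head.split("-"))
            r.update(inetnum=head, in_inetnum=lo <= ip <= hi,
                     inetnum_country=first(obj, "country"))
        elif kind == "route":  # announced prefix and its origin AS
            r.update(route=head, origin=first(obj, "origin"),
                     in_route=ip in ipaddress.ip_network(head, strict=False))
        elif kind == "organisation":
            r.update(org_name=first(obj, "org-name"), org_country=first(obj, "country"),
                     abuse_c=first(obj, "abuse-c"))
    if not (r["in_inetnum"] and r["in_route"]):
        r["warnings"].append("IP is outside the inetnum or route: record is stale or mis-joined")
    if r.get("inetnum_country") != r.get("org_country"):
        r["warnings"].append("inetnum country %s differs from org country %s: registry country "
                             "is not a geolocation" % (r.get("inetnum_country"), r.get("org_country")))
    return r
```

Running `check_ioc("91.191.209.46", WHOIS_RAW)` returns in_inetnum and in_route both true, origin AS57509, abuse-c ACRO8505-RIPE and one warning about the EU/BG mismatch. Trying an address such as 91.191.209.200 shows why both checks are kept: it is inside the /24 route but outside the 128-address assignment, so a record joined on the route alone would attribute it to the wrong holder.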

Export & API: STIX 2.1 Bundle · CSV Export · Permalink
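An IOC like this one is normally moved between tools as a STIX 2.1 bundle. The block below is an added example (Python, not IOC Radar's exporter) showing what such a bundle for this page's indicator needs to contain: an indicator object carrying the STIX pattern for the address, the first/last seen dates converted from the page's date format to RFC 3339 UTC timestamps, the confidence on the 0-100 scale STIX uses (the page's 56), a companion ipv4-addr observable, and a validator with the structural checks a TIP would reject on. The uuid5 namespace, the indicator name wording and the subset of page tags used as labels are assumptions made for the example.

```python
# Added example (not IOC Radar's exporter): express this page's IOC as a STIX 2.1
# bundle and run cheap structural checks on it before it goes to a TIP.
import json
import re
import uuid
from datetime import datetime, timezone

# Assumed namespace so that re-exporting the same IOC yields the same ids (uuid5).
EXAMPLE_NS = uuid.uuid5(uuid.NAMESPACE_URL, "https://example.invalid/ioc-radar")
STIX_ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
STIX_TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")  # RFC 3339, UTC only
REQUIRED = {"indicator": ("created", "modified", "pattern", "pattern_type", "valid_from"),
            "ipv4-addr": ("value",)}

def stix_id(obj_type, seed):
    return f"{obj_type}--{uuid.uuid5(EXAMPLE_NS, obj_type + ':' + seed)}"

def page_date_to_stix(text):
    """'Apr 1, 2022' (the page's date format) -> '2022-04-01T00:00:00.000Z'."""
    d = datetime.strptime(text, "%b %d, %Y").replace(tzinfo=timezone.utc)
    return d.strftime("%Y-%m-%dT%H:%M:%S.000Z")

def build_bundle(ip, first_seen, last_seen, confidence, tags):
    created, modified = page_date_to_stix(first_seen), page_date_to_stix(last_seen)
    sco = {"type": "ipv4-addr", "spec_version": "2.1", "id": stix_id("ipv4-addr", ip), "value": ip}
    indicator = {
        "type": "indicator", "spec_version": "2.1", "id": stix_id("indicator", ip),
        "created": created, "modified": modified,
        "name": f"Reported scanning/brute-force source {ip}",  # assumed wording
        "indicator_types": ["malicious-activity"],
        "pattern": f"[ipv4-addr:value = '{ip}']",  # STIX patterning, single-quoted literal
        "pattern_type": "stix",
        "valid_from": created,
        "confidence": int(confidence),  # STIX confidence is 0-100, same scale as the page
        "labels": sorted(set(tags)),
    }
    return {"type": "bundle", "id": stix_id("bundle", ip), "objects": [indicator, sco]}

def validate(bundle):
    """Structural checks a TIP would reject on; returns a list of problems (empty is good)."""
    problems = []
    if bundle.get("type") != "bundle" or not STIX_ID_RE.match(bundle.get("id", "")):
        problems.append("bundle: malformed type or id")
    for obj in bundle.get("objects", []):
        t = obj.get("type", "?")
        problems += [f"{t}: missing {k}" for k in REQUIRED.get(t, ()) if k not in obj]
        if obj.get("spec_version") != "2.1":
            problems.append(f"{t}: spec_version must be 2.1")
        oid = obj.get("id", "")
        if not (STIX_ID_RE.match(oid) and oid.startswith(t + "--")):
            problems.append(f"{t}: bad id {oid!r}")
        for k in ("created", "modified", "valid_from"):
            if k in obj and not STIX_TS_RE.match(obj[k]):
                problems.append(f"{t}: {k} is not an RFC 3339 UTC timestamp")
        if "confidence" in obj and not 0 <= obj["confidence"] <= 100:
            problems.append(f"{t}: confidence must be 0-100")
    return problems

if __name__ == "__main__":
    bundle = build_bundle("91.191.209.46", "Apr 1, 2022", "Jun 19, 2026", 56,
                          ["brute-force", "network scanning", "ssh-brute", "cowrie"])
    print(json.dumps(bundle, indent=2), validate(bundle))
```

Because the ids are uuid5 over a fixed namespace, re-exporting the same IOC after the page updates its last-seen date produces the same indicator id with a newer modified timestamp, which is what a consuming TIP needs to treat it as an update rather than a duplicate.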

IOC Journey
Confidence: medium · First detected 4 years ago · Last seen 4 days ago · Appeared in 21 threat reports