IOC Radar
IP · Medium · Signal 65/100

91.196.152.29

Location
France
Roubaix, -
ASN
AS213412
ONYPHE
First Seen
Feb 18, 2025
Last Seen
Jun 8, 2026
First Seen: Feb 18 (479d ago)
Last Seen: Jun 8 (5d ago)
Reports: 25 (source reports)
Confidence: 65% (medium)
Found in 25 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
65%
Signal Score
65 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

101 techniques

Network Information

Country: FR (France)
Region: Roubaix, -
ASN: AS213412
Organization: ONYPHE

IP Category

Proxy
Proxy server

Feed Intelligence Summary

25 reports · 65% confidence
Source reports: 25
Confidence score: 65%
Category tags

Activity Timeline

1 total observation (Jun 8 to Jun 8)

Threat Activity Heatmap

[Heatmap grid: weekday rows (Mon, Wed, Fri), month columns Jun through the following Jun; legend Less/More]
24h: 0 (Dormant)
7d: 1 (Minimal)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: Medium Risk
Signal Score: 65
Confidence: 65%
Reports: 25
First seen: Feb 18, 2025
Last seen: Jun 8, 2026
Geolocation: FR
Country: France
Location: Roubaix, -
ASN: AS213412
Org: ONYPHE
Coords: 50.6925, 3.1783
Proxy

VirusTotal

Not checked

WHOIS

description
IPv4 hosts detected port scanning Vultr Tokyo (Japan) honeypot
raw
inetnum: 91.196.152.0 - 91.196.152.255
geofeed: https://www.onyphe.io/geofeed.csv
descr: -----BEGIN TOKEN-----a98a05ac40ade1d4135ddd523e9353074e373301e28e7d88a7e6349edb03e450ee409b1aaa323d36638426dbd62e6793ac822688db8516dac3225ddbf3e04be5-----END TOKEN-----
remarks: We are conducting Internet-scale network scanning to provide information
remarks: for cyber defense purposes. We scan the full IPv4 address space and part
remarks: of IPv6 address space. We are in no way targeting you specifically, you
remarks: are just part of what is connected on the Internet. Our complete list
remarks: of our IP ranges is available here: https://www.onyphe.io/ip-ranges.txt
remarks: Opt-out by sending your IP ranges at: abuse at onyphe dot io
netname: FR-ONYPHE-20221220
country: FR
org: ORG-OS381-RIPE
admin-c: AA44525-RIPE
tech-c: AA44525-RIPE
status: ALLOCATED PA
mnt-by: lir-fr-onyphe-1-MNT
mnt-by: RIPE-NCC-HM-MNT
created: 2025-02-13T11:06:31Z
last-modified: 2025-03-09T09:40:40Z
source: RIPE

organisation: ORG-OS381-RIPE
org-name: ONYPHE SAS
country: FR
org-type: LIR
address: 1 bis rue d'Ouessant - BP 96241
address: 35762
address: SAINT GREGOIRE
address: FRANCE
phone: +33 (0) 972 66 1884
admin-c: AA44525-RIPE
tech-c: AA44525-RIPE
abuse-c: AR77640-RIPE
mnt-ref: lir-fr-onyphe-1-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: lir-fr-onyphe-1-MNT
created: 2025-02-05T16:10:26Z
last-modified: 2025-02-06T10:40:19Z
source: RIPE # Filtered

role: Admin
address: FRANCE
address: SAINT GREGOIRE
address: 35762
address: 1 bis rue d'Ouessant - BP 96241
phone: +33 (0) 972 66 1884
nic-hdl: AA44525-RIPE
mnt-by: lir-fr-onyphe-1-MNT
created: 2025-02-05T16:10:25Z
last-modified: 2025-02-14T13:05:35Z
source: RIPE # Filtered

route: 91.196.152.0/24
origin: AS213412
mnt-by: lir-fr-onyphe-1-MNT
created: 2025-02-14T13:01:03Z
last-modified: 2025-02-14T13:01:03Z
source: RIPE
references
https://github.com/telekom-security/tpotce, https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt, https://chiraba.com:8443/hourly, https://raw.githubusercontent.com/ahamed-rizvan/IOCs/refs/heads/main/Malicous%20IP%20Address.txt


IOC Journey

medium
First detected 1 year ago · Last seen 5 days ago
Appeared in 25 threat reports