IOC Radar
IPMediumSignal 23/100

91.216.190.80

Location
United StatesUnited States
Los Angeles, California
ASN
AS967
Hostker LLC
First Seen
Mar 15, 2025
Last Seen
Jun 6, 2026
Mar 15
First Seen
453d ago
Jun 6
Last Seen
5d ago
6
Reports
source reports
23%
Confidence
medium
Found in 6 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
23%
Signal Score
23 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

60 techniques

Network Information

CountryUSUnited States
RegionLos Angeles, California
ASNAS967
OrganizationHostker LLC

Feed Intelligence Summary

6 reports23% confidence
6
Source reports
23%
Confidence score
Category tags
accessactive scanningactorsandroidbackdoorbackdoor installationblack lotusbodyboombotnetbotnet activitybrute forcebusiness email compromisebuttonc2 communicationcanadachinacmdcodecode executioncode injectioncommand and controlcommand executioncommand injectioncommunication protocolconnectcovid19coyotecredential accesscredential harvestingcredential stuffingcritical infrastructurecsscvecyber espionagecyber securitydata breachdata encryptiondata exfiltrationdata theftdatabase securityddosddos attacksdenial of servicedirectory traversaldistributed attacksdosdroppereducationemailexploitexploit kit usagefilefilesfinfinchformftpftp brute forcegdrivegithubglobalgroupshigher educationhttphttp brute forcehttp scannerhttpsindicatorinfoinformation technologyinfrastructure acquisitionreconnaissanceinitial accessinjection attacksinternet of thingsintrusion detectioniociocsiotiot botnetiot/ics attacklabslateral movementlinkmalicious softwaremalwaremanualmedia & entertainmentmetadata analysismirai botnetmsinetnetworknetwork attacksnetwork compromisenetwork intrusionnetwork probingnetwork protocolnetwork scanningnetwork securityngroknorth americanosediveonepassword sprayingphishingphishing attackphishing campaignprivilege escalationprocess injectionransomware threatraptor trainreconnaissancereloadremote accessremote code executionremote servicesresearchedroutersscannerscanning activityscriptscripting attacksslugsocial engineeringsocial media securitysohospansparrowssh attackstarstealersummitsupportsurface websynsystem compromiset1016t1018t1021t1021.001t1021.002t1040t1047t1053t1055t1059t1059.003t1059.004t1059.005t1059.007t1068t1071t1071.001t1076t1077t1078t1083t1110t1110.001t1110.002t1110.003t1133t1189t1190t1203t1204t1210t1486t1490t1496t1499.001t1499.002t1499.003t1547t1563t1565t1566t1566.001t1566.002t1566.003t1587.001t1589t1589.002t1590t1590.001t1590.002t1590.003t1590.004t1592t1592.001t1592.002t1592.003t1595t1595.001t1595.002t1595.003tcp protocoltelecommunicationsthreat intelligencetiertopunauthorized accessunauthorized access attemptunited statesunixurlusvulnerabilityweb attackweb exploitationweb loginweb trafficwebsitewindowsxmasxssyara

Activity Timeline

1 total obs
Jun 6Jun 6

Threat Activity Heatmap

· Peak: 2026-06-06
Less
More
Mon
Wed
Fri
Jun
·
·
·
Jul
·
·
·
Aug
·
·
·
Sep
·
·
·
·
Oct
·
·
·
Nov
·
·
·
Dec
·
·
·
·
Jan
·
·
·
Feb
·
·
·
Mar
·
·
·
·
Apr
·
·
·
May
·
·
·
Jun
24h
0
Dormant
7d
1
Minimal
30d
1
Minimal
3mo
1
Minimal
Threat ScoreLow Risk
23
SIGNAL
Signal Score
23%
Confidence
6
Reports
First seenMar 15, 2025
Last seenJun 6, 2026
GeolocationUS
CountryUnited States
LocationLos Angeles, California
ASNAS967
OrgHostker LLC
Coords43.6319, -79.3716

VirusTotal

Not checked

WHOIS

description
CC=US ASN=AS967 VMISS
raw
NetRange: 91.0.0.0 - 91.255.255.255 CIDR: 91.0.0.0/8 NetName: 91-RIPE NetHandle: NET-91-0-0-0-1 Parent: () NetType: Allocated to RIPE NCC OriginAS: Organization: RIPE Network Coordination Centre (RIPE) RegDate: 2005-06-30 Updated: 2025-02-10 Comment: These addresses have been further assigned to users in the RIPE NCC region. Please note that the organization and point of contact details listed below are those of the RIPE NCC not the current address holder. ** You can find user contact information for the current address holder in the RIPE database at http://www.ripe.net/whois. Ref: https://rdap.arin.net/registry/ip/91.0.0.0 ResourceLink: https://apps.db.ripe.net/db-web-ui/query ResourceLink: whois.ripe.net OrgName: RIPE Network Coordination Centre OrgId: RIPE Address: P.O. Box 10096 City: Amsterdam StateProv: PostalCode: 1001EB Country: NL RegDate: Updated: 2013-07-29 Ref: https://rdap.arin.net/registry/entity/RIPE ReferralServer: whois.ripe.net ResourceLink: https://apps.db.ripe.net/db-web-ui/query OrgTechHandle: RNO29-ARIN OrgTechName: RIPE NCC Operations OrgTechPhone: +31 20 535 4444 OrgTechEmail: [email protected] OrgTechRef: https://rdap.arin.net/registry/entity/RNO29-ARIN OrgAbuseHandle: ABUSE3850-ARIN OrgAbuseName: Abuse Contact OrgAbusePhone: +31205354444 OrgAbuseEmail: [email protected] OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3850-ARIN
references
https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF, https://blog.lumen.com/derailing-the-raptor-train, https://blog.lumen.com/derailing-the-raptor-train/, https://github.com/blacklotuslabs/IOCs/blob/main/Raptor_Train_IOCs.txt

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

medium
First detected 1 year ago · Last seen 5 days ago
Appeared in 6 threat reports