| Alert Category | Count | Share |
|---|---|---|
| Baithive URL — never seen before | 4,946 | |
| Baithive Payload — never seen before | 4,178 | |
| Aggressive Attack Against Trap | 2,938 | |
| Baithive payload — never seen before | 2,720 | |
| Attacker IP unknown to 3rd-party TI | 1,583 | |
| Fuzzing attack | 101 | |
| Country-specific targeted attack | 74 | |
| Hidden Client IP Detected | 16 | |
| Injected OOB Callback Domain | 6 | |
| Other | 2 | |

| Country | Alerts | Share |
|---|---|---|
| 🇩🇪 Germany | 8,101 | |
| 🇰🇪 Kenya | 3,302 | |
| 🇸🇷 Serbia | 1,235 | |
| 🇨🇳 China | 282 | |
| 🇺🇸 United States | 197 | |
| 🇿🇦 South Africa | 123 | |
| 🇨🇿 Czech Republic | 84 | |
| 🇬🇧 United Kingdom | 63 | |
| 🇯🇵 Japan | 37 | |
| Other (5 countries) | 78 | |

176.46.158.x) using a shared static CSRF token (516cfbe7ebdc7b1aeb85c07863b5fc34e9ec7672) as a unifying operational signature. Credential complexity escalated systematically from trivial sequences through policy-compliant variants, reflecting a structured multi-pass spraying methodology. Late October saw a sustained surge from 50 to 544 daily alerts, signaling deliberate campaign intensification. By November, the same Farahoosh Dena infrastructure generated approximately 4,696 combined alerts, while a parallel FortiGate credential-stuffing campaign emerged from Romanian-attributed FEO PREST SRL infrastructure (62.60.135.x), deploying harvested South African corporate credentials—indicating active breach-data marketization and multi-vendor VPN targeting.

62.60.135.x) evolved to deploy credentials referencing named individuals at specific organizations—SQM mining conglomerate, Altus-branded entities, GPS-coded employer accounts—signalling a shift from opportunistic dictionary attacks to precision targeting using harvested breach data. Simultaneously, a distributed Iranian domestic scanning tier expanded across six state-linked ISPs, introducing CDN-laundering techniques via the Noyan Abr Arvan Iranian cloud provider to conceal true origin IPs traced to MTN Irancell. Novel capabilities included cloud/DevOps secrets harvesting (.env, AWS credentials, Laravel logs), HP LaserJet MFP management interface targeting, and country-specific fuzzing of Chinese infrastructure.

62.60.131.73) pivoted to exclusive Kenya-focused targeting, while the Iranian domestic cluster sustained broad geographic opportunism across Serbia, China, Japan, and the Middle East. Episodic burst activity—peaks on January 4–5, 16, and 25–28—separated by multi-day dormancy indicated coordinated campaign phases rather than continuous scanning. A novel baithive request containing structured JSON-like fragments from CGI GLOBAL LIMITED (94.183.188.135) suggested active experimentation with new payload vectors. The 42.5% prevalence of unknown-to-threat-intel IPs confirmed sustained infrastructure rotation discipline, consistent with a deliberate operational pause or reconfiguration period.

produce.seetong.com across two FEO PREST nodes confirmed active exploitation maturity beyond reconnaissance, validating server-side RCE and SSRF chains. A shared PHPUnit CVE-2017-9841 exploit framework was distributed across 12+ distinct ISPs with near-identical URL sequences, demonstrating coordinated playbook distribution within an affiliate network. A compromised academic resource—Tehran University of Medical Science (194.225.213.122)—appeared as an attack source. Peak activity concentrated on February 21–22 (205 combined alerts within 48 hours)—the highest two-day intensity across the entire observation period.

213.176.18.65, E-Large HongKong) exclusively targeting Chinese infrastructure via PHPUnit CVE-2017-9841 path enumeration. While operationally distinct from the Iran-nexus cluster in infrastructure and volume, the China-exclusive geographic focus and shared PHPUnit exploit framework echo techniques observed across multiple prior months. The sharp contrast with February's intensity may indicate a deliberate operational pause, detection-driven withdrawal, or transition to a new infrastructure generation cycle consistent with the rotation discipline documented throughout the campaign.

| Month | Alerts | Unique Attackers | MoM Change | Dominant Origin | Key Event |
|---|---|---|---|---|---|
| Oct 2025 | 3,359 | 297 | — | IR (majority) | Farahoosh Dena VPN credential stuffing surges late month |
| Nov 2025 | 7,483 | 314 | ↑ +122.8% | IR (majority) | FortiGate targeting added; harvested South African credentials deployed |
| Dec 2025 | 4,955 | 281 | ↓ -33.8% | IR (majority) | Named-individual credentials, CDN laundering, DevOps secrets harvesting |
| Jan 2026 | 160 | 73 | ↓ -96.8% | IR (majority) | Reduced tempo; Kenya-exclusive Feo Prest targeting; novel JSON vector |
| Feb 2026 | 605 | 178 | ↑ +278.1% | IR (majority) | Volume quadruples; OOB RCE; China primary target; PHPUnit kit distributed |
| Mar 2026 | 2 | 1 | ↓ -99.7% | HK (100%) | Minimal activity; single HK IP targets China via PHPUnit CVE-2017-9841 |
| TOTAL | 16,564 | — | — | 6-month cumulative observation period | |

| IP / Infrastructure | Active Period | Est. Alerts | Primary Vector | Classification |
|---|---|---|---|---|
| 176.46.158.x /24 (6 IPs, Farahoosh Dena) | Oct – Nov 2025 | ~6,000+ | Cisco ASA SSL-VPN credential stuffing with shared static CSRF token; structured multi-IP load-balancing | High-Volume Credential Ops |
| 62.60.135.x /24 (FEO PREST SRL) | Nov 2025 – Feb 2026 | ~5,500+ | FortiGate SSL-VPN credential stuffing with harvested breach data; OOB RCE callbacks; secrets harvesting | Precision Credential Ops |
| 62.60.131.73 (FEO PREST) | Jan – Feb 2026 | ~106 | Country-specific fuzzing (Kenya, China); .env/AWS harvesting; OOB exploitation via produce.seetong.com | Active Exploitation |
| 62.60.131.x /24 (FEO PREST SRL) | Dec 2025 – Feb 2026 | ~1,500+ | Volumetric aggressive trap engagement; parallel layer to precision credential nodes | Volumetric Probe Layer |
| 185.164.254.28 (Atrin ICT) | Feb 2026 | ~90 | Sustained automated trap hammering; high-frequency brute-force persistence | Persistent Trap Actor |
| 185.129.202.216 (Pishgaman) | Jan – Feb 2026 | ~42 | Aggressive trap attacks; sustained honeypot engagement across two months | Recurring Scanner |
| 80.191.240.34 / 80.191.92.193 (Telecom Infrastructure Co.) | Oct 2025 – Feb 2026 | ~65+ | Aggressive probing across honeypot infrastructure; state-linked ISP sourcing | State-Linked Probe Node |
| 37.255.224.137 (TCE) | Oct – Nov 2025 | ~35+ | Aggressive trap engagement; highest single-IP trap volume in October dataset | Scanning Node |
| 194.225.213.122 (Tehran Univ. of Medical Science) | Feb 2026 | ~5 | Compromised academic institutional pivot point used as attack source | Compromised Institution |
| 213.176.18.65 (E-Large HongKong) | Mar 2026 | ~2 | PHPUnit CVE-2017-9841 path enumeration exclusively targeting Chinese infrastructure | Low-Profile Probe |

/+webvpn+/index.html, /+CSCOE+/logon.html) and Fortinet FortiGate (POST /logincheck). Credential complexity escalated month-over-month: generic defaults in October → leet-substitution variants in November → named-individual harvested credentials referencing specific organizations (SQM, Altus, GPS-coded accounts) by December → timestamped variants (fortigate2025, ranj@2026, sqm2025!) confirming real-time corpus maintenance by February. The shared static CSRF token (516cfbe7...e7672) served as a stable operational fingerprint across all IP rotations.

/vendor/phpunit/, /lib/phpunit/, /phpunit/, /zend/vendor/) across all nodes confirm shared playbook distribution within a coordinated affiliate network. Persisted into March 2026 via E-Large HongKong infrastructure. Enables unauthenticated RCE on production PHP environments shipping PHPUnit as a dev dependency.

.env variants (including path-traversal encoded /%2e%2e%2f.env), /.aws/credentials, /storage/laravel.log, /helm/.env, /s3.js, /s3_config.json, /settings.py, /application.properties. Kubernetes/Helm path targeting demonstrates familiarity with containerized infrastructure attack surfaces and supply chain exposure points. Mission set consistent with initial access brokering or cloud account takeover.

produce.seetong.com across two FEO PREST nodes (62.60.131.73 and 62.60.131.43). This technique validates server-side code execution for SSRF, RCE, and injection chain exploitation, representing a qualitative escalation from credential harvesting to confirmed active exploitation with exfiltration confirmation infrastructure. Shared OOB domain across two distinct IPs confirms operator-level infrastructure centralization.

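The four techniques above (the shared static CSRF token across VPN-login sources, PHPUnit eval-stdin.php path enumeration, secrets-harvesting paths including the percent-encoded traversal variant, and the OOB callback domain), plus the Netgear and HP LaserJet admin endpoints named further below, can be turned into detection logic. The following is an added example, not code from the report or its authors: the log format, the 198.51.100.x source addresses and the three-source reuse threshold are constructed assumptions, while the paths and the callback domain are the ones the report lists.

```python
import re
from collections import defaultdict
from urllib.parse import unquote
# Constructed sample log lines (not from the report): "<src_ip> <method> <path> [csrf=<token>]".
SAMPLE_LOG = """\
198.51.100.10 GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
198.51.100.11 GET /lib/phpunit/phpunit/Util/PHP/eval-stdin.php
198.51.100.12 GET /%2e%2e%2f.env
198.51.100.12 GET /.aws/credentials
198.51.100.14 GET /fetch?url=http://produce.seetong.com/x
198.51.100.15 GET /setup.cgi?todo=syscmd
198.51.100.16 POST /+webvpn+/index.html csrf=0123abcd0123abcd
198.51.100.17 POST /+webvpn+/index.html csrf=0123abcd0123abcd
198.51.100.18 POST /logincheck csrf=0123abcd0123abcd
"""
PHPUNIT_RE = re.compile(r"phpunit/.*eval-stdin\.php$", re.I)  # CVE-2017-9841 kit, any prefix
SECRET_SUFFIXES = ("/.env", "/.aws/credentials", "/storage/laravel.log", "/helm/.env",
                   "/s3.js", "/s3_config.json", "/settings.py", "/application.properties")
IOT_RE = re.compile(r"setup\.cgi\?todo=syscmd|/set_config_netIdentification\.html|/cgi-bin/netset\.cgi")
VPN_LOGIN = ("/+webvpn+/index.html", "/+CSCOE+/logon.html", "/logincheck")
OOB_DOMAINS = {"produce.seetong.com"}  # callback domain named in the report
SHARED_TOKEN_MIN_IPS = 3  # assumption: one token reused by this many sources is a fingerprint

def classify(path):
    """Return the alert category for one request path, or None if nothing matched."""
    decoded = unquote(path)  # /%2e%2e%2f.env becomes /../.env before matching
    clean, _, query = decoded.partition("?")
    if PHPUNIT_RE.search(clean):
        return "phpunit_rce_probe"
    if any(clean.endswith(s) for s in SECRET_SUFFIXES):
        return "secrets_harvesting"
    if IOT_RE.search(decoded):
        return "iot_admin_exploit"
    if any(d in query for d in OOB_DOMAINS):
        return "oob_callback"
    return None

def analyze(log_text):
    """Count categories and report CSRF tokens reused across several VPN-login source IPs."""
    counts, token_ips = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        ip, _method, path, *extra = line.split()
        cat = classify(path)
        if cat:
            counts[cat] += 1
        token = next((kv[5:] for kv in extra if kv.startswith("csrf=")), None)
        if token and path.partition("?")[0] in VPN_LOGIN:
            token_ips[token].add(ip)  # a token seen from many IPs is the static-token signature
    shared = {t: sorted(ips) for t, ips in token_ips.items() if len(ips) >= SHARED_TOKEN_MIN_IPS}
    return dict(counts), shared
```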
94.101.182.11, 37.32.19.4, 94.101.182.13) routed attack traffic concealing true origin addresses behind X-Forwarded-For manipulation and Akamai egress nodes. True origin IP 5.122.196.21 traced to MTN Irancell. Absent from October–November activity—represents deliberate evasion capability uplift, indicating the actor monitors IP reputation systems and deploys countermeasures in response.

178.173.218.62 (Shiraz Hamyar Co.) exploited Netgear router RCE (setup.cgi?todo=syscmd) to deploy Mozi botnet malware. November–December: systematic HP LaserJet MFP management interface targeting (/set_config_netIdentification.html, /cgi-bin/netset.cgi), with DNS hijacking payload (hardcoded 95.x.x.x DNS server) submitted against printer administration endpoints. HP LaserJet M426D model-specific awareness indicates dedicated IoT exploitation module use.

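The CDN-laundering technique described above works because a log pipeline that trusts X-Forwarded-For unconditionally records whatever the sender wrote there. The added example below (not code from the report) shows the defensive rule: only honour the header when the TCP peer is a known proxy, and walk the chain from the right until the first hop that is not one of your own proxies. The 203.0.113.0/24 trusted range and the sample addresses are documentation-range placeholders, assumed for the example.

```python
import ipaddress

# Assumption: the only proxy/CDN egress ranges allowed to set X-Forwarded-For for this origin.
# 203.0.113.0/24 is a documentation range standing in for the real CDN egress list.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]

def is_trusted_proxy(ip):
    """True only for a syntactically valid address inside a trusted proxy range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)

def resolve_client_ip(remote_addr, xff_header):
    """Return (client_ip, reason). Walk X-Forwarded-For from the right and stop at the first
    hop that is not a trusted proxy; everything further left is sender-controlled text."""
    if not is_trusted_proxy(remote_addr):
        return remote_addr, "direct"  # peer is not our CDN, so the header is untrusted: ignore it
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue  # another hop inside our own proxy chain
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr, "malformed_xff"  # never log garbage as a client address
        return hop, "via_trusted_proxy"
    return remote_addr, "all_hops_trusted"
```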
composer --no-dev build pipelines and deploy WAF rules blocking eval-stdin.php path variants.

.env, /.aws/credentials, /helm/.env, /storage/laravel.log paths conducted by FEO PREST and CGI GLOBAL LIMITED nodes from November 2025 through February 2026.

produce.seetong.com and deploy SSRF protection on all server-side HTTP request handlers.

composer --no-dev requirements and automated SAST/DAST scanning for exposed development tools.