🛡 REPORT — AST

Client: AST  |  Period: 2026-03-04 — 2026-03-04  |  Generated: 2026-03-11 15:16
1,894 alerts  |  95 attackers
Executive Overview — 2026-03-04 – 2026-03-04

Executive Summary: AST Honeypot Security Report

Reporting Period: March 4, 2026

Overview

During the 24-hour monitoring period, AST's honeypot detected 1,894 alerts from 95 unique attackers across 10 countries, indicating a sustained and multi-faceted reconnaissance and exploitation campaign. The attack volume concentrated sharply during hours 11–12 (UTC), with 1,285 alerts (68% of daily total) occurring within a two-hour window, suggesting coordinated or wave-based activity. The geographic distribution reveals predominant origination from Greece (66% of alerts) and Germany (21%), though infrastructure is primarily US-hosted, indicating attackers are using compromised or rented cloud and ISP resources for campaign execution.

Threat Actors and Attack Infrastructure

Two primary high-sophistication threat actors emerged:

The most active attacker, IP 5.203.140.88 (Cosmote Mobile Telecommunications), generated 1,226 alerts through systematic exploitation attempts targeting enterprise platforms including WebLogic, Nacos, Apache OFBiz, and Jupyter. This actor demonstrates human oversight, employing IP spoofing techniques (X-Forwarded-For: 8.8.8.8), injecting Java ProcessBuilder payloads and XSS code within credential fields, and leveraging multiple out-of-band callback domains (oast.me, oast.fun, interact.sh). A secondary Cosmote IP (5.203.230.72) shares overlapping credential choices and tokens, indicating coordinated or shared tooling between both hosts.

IP 185.139.230.187 (Kamatera Inc) conducted 383 alerts with high operational sophistication, executing 36 command injection callbacks to a dedicated callback infrastructure (d6jludo3aohnv30d48k0*.oast.fun) via curl, wget, RMI, and LDAP protocols. Human operator signals—detected through variable response timing (61–128 second intervals)—coupled with novel LLM API probing (testing Cohere's command-nightly model), indicate this actor is actively researching emerging infrastructure vulnerabilities. Credentials targeted include WebLogic, Versa Networks, and IBM HSC, consistent with known CVE exploitation patterns.

Distributed clustering patterns across Akamai Connected Cloud, Nubes LLC, and Contabo suggest organized scanning infrastructure, with 4–5 IPs per ISP targeting identical honeypot endpoints using synchronized fuzzing and parameter injection techniques. Multiple independent novel attack wave detections (tokens: ?iiak3, ?raip8) within 120-minute windows indicate either multiple concurrent campaigns or rapid tool evolution.

Attack Patterns and Techniques

Three dominant attack methodologies accounted for 79% of alerts:

  • Fuzzing attacks (519 alerts, 27%): Systematic parameter pollution and randomized input testing across query strings and authentication fields, predominantly from Cosmote, Nubes, and Contabo infrastructure.
  • Country-specific targeted attacks (494 alerts, 26%): Geographically-focused reconnaissance specifically targeting US infrastructure, indicating deliberate geographic scoping rather than opportunistic scanning.
  • Credential compromise attempts (489 alerts, 26%): High-volume credential stuffing using default and leaked credential pairs, with payloads embedding injection vectors (Java ProcessBuilder, XSS, XML External Entity references) within username and password fields.

Secondary techniques include out-of-band injection callbacks (199 alerts), baithive reconnaissance (53 alerts), and emerging threats such as LLM endpoint scanning and Fastly CDN IP spoofing. Cross-ISP domain reuse (oast.fun, IBM WSDL references, WordPress CDN) indicates shared scanning toolkits, consistent with public frameworks like Nuclei being deployed independently across multiple threat actors.

Critical Risk Indicators

  • Unrecognized AWS infrastructure (Amazon.com ISP): Five distinct AWS IPs flagged as unknown to third-party threat intelligence, each conducting 4 alerts with zero payload capture, strongly suggesting newly rotated or provisioned reconnaissance nodes designed to evade blocklists.
  • Human-in-the-loop operations: 17 "Probably Human Attacker" detections across multiple ISPs, with timing patterns (standard deviations of ~61K–413K ms) indicating manual operator review cycles between automated bursts.
  • Novel attack waves: Two independent wave signatures detected, suggesting either multiple campaigns converging on the same target or rapid toolkit evolution.

Immediate containment is recommended for the primary threat actor (5.203.140.88) and secondary actor (185.139.230.187), including ISP notification and coordination with threat intelligence platforms to flag newly identified AWS reconnaissance nodes.

Threat Landscape — 2026-03-04 – 2026-03-04

Total Alerts: 1,894  |  Unique Attackers: 95  |  Tracked IPs: 10  |  Attacker Countries: 10

Top Attack Types
  • Fuzzing attack: 519
  • Country specific targeted attack: 494
  • Credential Compromise Detected: 489
  • Injected Out-of-Band Callback Domain Detected: 157
  • Attacker with IP unknown to integrated 3rd party threat intelligence: 97

Top Countries
  • GR: 1,252
  • DE: 406
  • US: 154
  • SG: 18
  • FI: 6

Attack Origin Map
ISP Analysis


Domestic Threats — US
Total domestic alerts: 154


Attack Timeline
Advanced Analysis

Honeypot Attack Analysis


🔴 Most Active Threat Actor: Cosmote Mobile Telecommunications — 5.203.140.88

Profile: Highly sophisticated, likely human-operated scanner/exploitation framework.

  • This IP generated 1,220+ combined events across credential stuffing (30 unique credential pairs), fuzzing, OOB injection, command injection, and novel baithive probes — making it the highest-volume attacker in the dataset.
  • Credential attempts span a wide range of default/known credentials targeting Nacos, WebLogic, Apache OFBiz, Guacamole, Jupyter, artemis, odmAdmin, Seeyon, StreamPark, InLong — indicating systematic targeting of known enterprise and open-source platforms.
  • One password attempt contained a Java ProcessBuilder injection (%{#a=(new java.lang.ProcessBuilder...)), and another included an XSS payload ("><script>alert(document.domain)</script>), indicating multi-class payload delivery within credential fields.
  • The Probably Human Attacker detection and the use of X-Forwarded-For: 8.8.8.8 (IP spoofing) alongside OOB callback domains including oast.me, oast.fun, and interact.sh confirm this is an active, manually guided reconnaissance and exploitation campaign targeting US infrastructure.

🔴 High-Sophistication Actor: Kamatera Inc — 185.139.230.187

Profile: Automated exploitation framework with human oversight and OOB verification infrastructure.

  • This IP conducted 36 injected command callbacks exclusively to a single unique OOB domain prefix (d6jludo3aohnv30d48k0*.oast.fun) via curl, wget, RMI (rmi://), and LDAP (ldap://) protocols, indicating a purpose-built exploitation campaign with dedicated callback infrastructure.
  • The 10 separate "Probably Human Attacker" detections with standard deviations ranging from ~61K to ~128K ms suggest a human operator is actively managing and reviewing results between automated bursts.
  • A notable LLMProbe request using model command-nightly with prompt Hello, how are you? indicates experimental probing for exposed LLM API endpoints — an emerging and novel attack vector.
  • Credential attempts target WebLogic (multiple passwords including Oracle@123), Versa Networks (versa123), IBM HSC (hscroot/abc123), and generic defaults, demonstrating broad enterprise platform targeting aligned with known CVE exploitation patterns.

🟠 Coordinated Campaign: Cosmote — [5.203.140.88 + 5.203.230.72]

Profile: Coordinated dual-IP attack wave.

  • Both IPs share the same ISP (Cosmote) and were jointly flagged in a New Attack Wave detection involving token ?iiak3 in 100 requests within 120 minutes, strongly suggesting coordinated or shared tooling between the two hosts.
  • 5.203.230.72 is a lower-intensity secondary actor (10 fuzzing, 8 credential attempts) with overlapping credential choices (admin/admin, user/user, shipper/shipper) matching 5.203.140.88, reinforcing the coordinated hypothesis.
  • The use of 3ATl4* OOB-style tokens as usernames/passwords across both Cosmote IPs and Kamatera suggests shared tooling or a common attack framework (possibly Interactsh-based).

🟠 Novel Probe Pattern: Akamai Connected Cloud — 173.255.230.37, 172.232.181.29, 172.235.138.70, 173.230.153.228

Profile: Distributed parameter fuzzing campaign using Fastly egress nodes.

  • Multiple Akamai-hosted IPs are systematically injecting randomized query parameter pairs (?<token>=<token> and ?<token>=test<token>) matching a consistent structural pattern, suggesting automated parameter pollution or cache-poisoning probe across different egress nodes.
  • The Fastly-Client-Ip: 127.0.0.1 header leak across both 173.255.230.37 and 172.232.181.29 indicates the attacker is routing through Fastly's CDN infrastructure, deliberately obscuring origin via loopback spoofing in Fastly headers.
  • The Probably Human Attacker signal on both 173.255.230.37 (std dev: 81K–413K ms) and 172.232.181.29 (std dev: 176K ms) suggests semi-manual operation or slow throttled automation designed to evade rate-limiting detection.
  • The consistent 2-unseen-token baithive pattern across 4 distinct IPs within the same ISP strongly indicates distributed tooling with a shared probe generation algorithm, potentially scanning for undisclosed parameter injection vulnerabilities.

🟡 Nubes LLC — Coordinated Fuzzing Cluster with Novel Attack Wave

Profile: Multi-IP fuzzing cluster, US-targeted.

  • Five IPs from Nubes LLC (94.72.122.x subnet and 217.216.65.94, 194.238.28.128) all fuzz the same target 3.230.225.206, consistent with a VPS-based scanning cluster using a shared /24 range.
  • 217.216.65.94 triggered a New Attack Wave with token ?raip8 in 100 requests over 120 minutes — a separate novel burst from the Cosmote wave, suggesting independently operating actors or different toolkits targeting the same honeypot.
  • Multiple IPs from this ISP carry the Country Specific Targeted Attack flag (US-focused), indicating deliberate geographic targeting rather than opportunistic scanning.

🟡 Contabo GmbH — Distributed Fuzzing with Human Signal

Profile: Multi-IP fuzzing, partially human-operated.

  • Four IPs from Contabo fuzz the same target with US-specific targeting flags, consistent with the rented VPS abuse pattern common on this provider.
  • 161.97.151.101 exhibits a Probably Human Attacker signal (std dev: ~96K ms), distinguishing it from fully automated peers within the same ISP.
  • 185.202.236.73 used a distinct OOB domain on oast.live (vs. oast.fun/oast.me used by others), suggesting a different tool or operator within the same hosting provider.

🟡 Deutsche Telekom AG — Residential/Consumer Network Abuse

Profile: Likely compromised consumer endpoints used as attack proxies.

  • Two IPs from the same /23 range (46.250.232.83, 46.250.232.234) conduct fuzzing and US-targeted attacks from Deutsche Telekom residential IP space, suggesting compromised home/office routers or botnet nodes.
  • 46.250.232.234 carries a human attacker signal (std dev: ~184K ms), and 46.250.232.83 attempted a unique credential (admin/dcxvfdor) not seen across other actors, hinting at distinct tooling or manual intervention.

🟡 OOB Domain Reuse Pattern: Cross-ISP Shared Tooling Indicator

Profile: Common scanning tools used across multiple ISPs.

  • The domains http://schemas.xmlsoap.org, http://docs.oasis-open.org, http://www.ibm.com, https://rfi.nessus.org, https://downloads.wordpress.org, and http://oast.fun appear across Cosmote, Kamatera, Akamai, GSL Networks, and Base IP — strongly indicating shared scanning toolkits (e.g., Nuclei templates) being run independently by different actors.
  • Base IP / 45.38.18.136 exclusively used http://www.ibm.com as an OOB probe domain, which is consistent with legacy XXE or SSRF template probes that reference IBM's WSDL/schema URLs as blind callback canaries.

🟡 Amazon.com — Unrecognized High-Risk IPs (Likely Scanner Infrastructure)

Profile: AWS-hosted reconnaissance endpoints evading threat intelligence.

  • Five distinct AWS IPs are all flagged as unknown to third-party threat intelligence, with no attack payload data recorded — suggesting these are newly provisioned or rotated scanning nodes used specifically to avoid blocklists.
  • The uniform count of 4 alerts per IP and absence of any other attack type strongly suggests these IPs are performing low-and-slow reconnaissance or acting as infrastructure probes ahead of more aggressive follow-up activity.

🔵 Emerging/Novel Indicators

Indicator  |  Source  |  Significance
LLM probe (command-nightly)  |  Kamatera 185.139.230.187  |  Scanning for exposed Cohere/LLM API endpoints
3ATl4* tokens as credentials  |  Cosmote + Kamatera  |  Shared Interactsh-style OOB verification in auth fields
Fastly-Client-Ip: 127.0.0.1 spoofing  |  Akamai cluster  |  CDN-layer IP origin obfuscation
Java ProcessBuilder in password field  |  Cosmote 5.203.140.88  |  SSTI/RCE via authentication endpoints
Novel attack wave tokens (?iiak3, ?raip8)  |  Cosmote + Nubes  |  Unclassified probe patterns requiring rule creation