HASSH af8223ac9914… — SSH-2.0-libssh_0.12.0 (50 IPs, 19 countries)
HASSH · Active · high
Why this campaign was detected
50 IPs are running an identical SSH client (HASSH fingerprint af8223ac9914…). Top network: Microsoft Corporation (AS8075). Geographic and ASN spread across distinct /16 subnets indicates a single operator running shared tooling on rented infrastructure — exactly the disguise that subnet/ASN clustering misses.
Primary ASN: AS8075 · Microsoft Corporation
Subnet: —
HASSH Fingerprint:
Country: 🇨🇳 CN
Cloud Provider: Azure
Member Count: 50 IPs (below average)
Total Events: 20418 (below average by volume)
Started / Ended: 2026-02-28 09:17 — ongoing
Attack Types
MITRE ATT&CK Techniques
Initial Access
Command and Control
Member Actors
| IP Address | Behavior | Confidence | Flags | Events | Agents | Attack Types | Hostname | Last Seen | |
|---|---|---|---|---|---|---|---|---|---|
| 103.187.165.26 | credential_harvester | 77% | 1x OSINT | 1673 | 3 | ssh:bruteforce | host-103-187-165-26.taranet.id | 2026-06-13 10:18 | evidence → |
| 203.116.129.55 | credential_harvester | 75% | 1x OSINT | 1817 | 3 | ssh:bruteforce | d129055.ppp129.cyberway.com.sg | 2026-06-12 14:01 | evidence → |
| 209.99.189.174 | credential_harvester | 75% | DROP, 1x OSINT | 1076 | 3 | ssh:bruteforce | — | 2026-06-12 03:53 | evidence → |
| 14.63.198.239 | credential_harvester | 72% | 1x OSINT | 702 | 3 | ssh:bruteforce | — | 2026-06-10 20:12 | evidence → |
| 212.115.54.84 | credential_harvester | 71% | DROP, 1x OSINT | 2365 | 3 | ssh:bruteforce | — | 2026-06-06 21:29 | evidence → |
| 52.177.169.196 | credential_harvester | 71% | 1x OSINT | 1403 | 3 | ssh:bruteforce | — | 2026-05-31 01:00 | evidence → |
| 109.91.4.177 | credential_harvester | 71% | 1x OSINT | 1353 | 3 | ssh:bruteforce | ip-109-091-004-177.um37.pools.vodafone-ip.de | 2026-06-08 13:30 | evidence → |
| 202.51.214.98 | credential_harvester | 71% | 1x OSINT | 1298 | 3 | ssh:bruteforce | — | 2026-05-31 02:05 | evidence → |
| 20.49.0.100 | credential_harvester | 71% | 1x OSINT | 1291 | 3 | ssh:bruteforce | — | 2026-05-25 07:58 | evidence → |
| 107.180.88.176 | credential_harvester | 71% | 1x OSINT | 1061 | 3 | ssh:bruteforce | — | 2026-05-26 22:18 | evidence → |
| 103.176.20.115 | credential_harvester | 71% | 1x OSINT | 1009 | 3 | ssh:bruteforce | — | 2026-05-25 10:38 | evidence → |
| 78.83.249.54 | credential_harvester | 71% | 1x OSINT | 970 | 3 | ssh:bruteforce | — | 2026-05-30 15:55 | evidence → |
| 4.221.162.168 | credential_harvester | 71% | 1x OSINT | 846 | 3 | ssh:bruteforce | — | 2026-06-07 17:17 | evidence → |
| 160.174.129.232 | credential_harvester | 71% | 1x OSINT | 771 | 3 | ssh:bruteforce | — | 2026-06-04 15:24 | evidence → |
| 125.21.53.232 | credential_harvester | 70% | 1x OSINT | 558 | 3 | ssh:bruteforce | — | 2026-05-31 15:16 | evidence → |
| 112.120.171.95 | credential_harvester | 70% | 1x OSINT | 539 | 3 | ssh:bruteforce | — | 2026-06-01 07:01 | evidence → |
| 102.210.149.236 | credential_harvester | 70% | 1x OSINT | 499 | 3 | ssh:bruteforce | — | 2026-06-04 05:07 | evidence → |
| 45.78.194.242 | credential_harvester | 70% | 1x OSINT | 386 | 3 | ssh:bruteforce | — | 2026-05-29 00:39 | evidence → |
| 52.187.9.8 | credential_harvester | 68% | | 942 | 3 | ssh:bruteforce | — | 2026-06-11 03:52 | evidence → |
| 183.94.33.245 | scanner | 67% | 1x OSINT | 94 | 3 | ssh:bruteforce | — | 2026-06-07 15:59 | evidence → |
| 46.6.125.137 | credential_harvester | 64% | | 312 | 3 | ssh:bruteforce | — | 2026-05-25 13:11 | evidence → |
| 95.165.77.31 | credential_harvester | 64% | | 294 | 3 | ssh:bruteforce | 95-165-77-31.dynamic.spd-mgts.ru | 2026-05-31 06:04 | evidence → |
| 120.48.33.21 | scanner | 62% | | 91 | 3 | ssh:bruteforce | — | 2026-06-09 19:04 | evidence → |
| 197.153.57.103 | credential_harvester | 58% | 1x OSINT | 1762 | 2 | ssh:bruteforce | — | 2026-06-11 04:06 | evidence → |
| 172.174.5.146 | credential_harvester | 56% | 1x OSINT | 934 | 2 | ssh:bruteforce | — | 2026-05-28 13:51 | evidence → |
| 151.80.141.196 | credential_harvester | 56% | 1x OSINT | 846 | 2 | ssh:bruteforce | 196.ip-151-80-141.eu | 2026-05-27 05:22 | evidence → |
| 161.35.205.74 | credential_harvester | 56% | 1x OSINT | 789 | 2 | ssh:bruteforce | — | 2026-06-07 18:51 | evidence → |
| 196.0.242.54 | credential_harvester | 55% | 1x OSINT | 406 | 2 | ssh:bruteforce | — | 2026-06-10 07:21 | evidence → |
| 163.7.1.218 | credential_harvester | 54% | 1x OSINT | 296 | 2 | ssh:bruteforce | — | 2026-05-31 02:48 | evidence → |
| 42.51.40.180 | credential_harvester | 54% | 1x OSINT | 263 | 2 | ssh:bruteforce | — | 2026-06-07 16:21 | evidence → |
| 14.103.103.211 | credential_harvester | 52% | 1x OSINT | 106 | 2 | ssh:bruteforce | — | 2026-06-08 06:25 | evidence → |
| 14.103.112.116 | scanner | 51% | 1x OSINT | 37 | 2 | ssh:bruteforce | — | 2026-06-05 21:45 | evidence → |
| 203.83.231.93 | scanner | 49% | | 247 | 2 | ssh:bruteforce | — | 2026-06-08 11:39 | evidence → |
| 180.243.253.189 | credential_harvester | 49% | | 188 | 2 | ssh:bruteforce | — | 2026-05-30 16:46 | evidence → |
| 61.76.136.25 | credential_harvester | 48% | | 133 | 2 | ssh:bruteforce | — | 2026-06-09 22:55 | evidence → |
| 123.121.210.115 | scanner | 45% | | 23 | 2 | ssh:bruteforce | — | 2026-05-27 10:27 | evidence → |
| 106.13.239.146 | scanner | 44% | 1x OSINT | 177 | 1 | ssh:bruteforce | — | 2026-06-05 18:27 | evidence → |
| 118.145.111.33 | scanner | 41% | 1x OSINT | 19 | 1 | ssh:bruteforce | — | 2026-06-09 04:23 | evidence → |
| 171.244.185.149 | credential_harvester | 40% | | 203 | 1 | ssh:bruteforce | — | 2026-05-25 07:22 | evidence → |
| 152.89.239.64 | credential_harvester | 39% | | 170 | 1 | ssh:bruteforce | — | 2026-05-28 06:44 | evidence → |
| 122.51.73.24 | credential_harvester | 39% | | 145 | 1 | ssh:bruteforce | — | 2026-05-27 22:31 | evidence → |
| 151.19.142.7 | credential_harvester | 38% | | 84 | 1 | ssh:bruteforce | — | 2026-05-27 18:17 | evidence → |
| 203.195.64.232 | scanner | 38% | | 72 | 1 | ssh:bruteforce | — | 2026-05-31 12:39 | evidence → |
| 151.47.89.53 | opportunistic_bruter | 36% | | 23 | 1 | ssh:bruteforce | — | 2026-05-27 18:39 | evidence → |
| 182.253.31.67 | malware_dropper | 36% | | 23 | 1 | ssh:bruteforce | — | 2026-05-25 07:41 | evidence → |
| 151.46.213.168 | malware_dropper | 36% | | 18 | 1 | ssh:bruteforce | — | 2026-05-30 07:01 | evidence → |
| 14.103.95.175 | scanner | 31% | 1x OSINT | 35 | 2 | ssh:bruteforce | — | 2026-05-29 22:36 | evidence → |
| 14.103.127.75 | scanner | 21% | 1x OSINT | 33 | 1 | ssh:bruteforce | — | 2026-06-10 02:40 | evidence → |
| 14.103.200.237 | credential_probe | 15% | | 51 | 1 | ssh:bruteforce | — | 2026-05-28 21:09 | evidence → |
| 151.43.101.231 | credential_probe | 14% | | 38 | 1 | ssh:bruteforce | — | 2026-05-27 18:35 | evidence → |

Flags:
VPN: Known VPN or proxy provider
DROP: ASN on Spamhaus DROP list
Nx OSINT: Corroborated by N external threat feeds