Extreme Threat
IP 149.86.227.60, registered to MEVSPACE sp. z o.o. in Poland and operating within AS201814, is classified as a critical-risk address with a maximum threat level of 10/10, supported by 167 total abuse reports and 20 recent Web App Attack detections from automated honeypot sensors between March and April 2026. Despite a low current activity frequency rating of 0/10, the cumulative evidence establishes a persistent threat actor with a 76% confidence score, indicating substantial corroboration across detection sources.
The detection profile for 149.86.227.60 is entirely grounded in automated honeypot infrastructure, with all 20 recent Web App Attack reports originating from sensor-based detection. The substantial volume of 167 total reports accumulated over a compressed two-month timeframe (March to April 2026) suggests sustained hostile reconnaissance and exploitation activity rather than opportunistic scanning. The geographic assignment to Poland and the AS201814 Autonomous System under MEVSPACE sp. z o.o. provides network-level context, though threat actors frequently operate through compromised infrastructure or spoofed source addresses to obscure attribution.
Web App Attack activity represents one of the most concrete operational risks in the threat landscape, targeting vulnerabilities enumerated in the OWASP Top 10 such as cross-site scripting, cross-site request forgery, and file inclusion flaws. Automated honeypot sensors detect these attempts as structured probes seeking entry points into web-facing applications. For an organization running exposed web services, such an IP engaging in application-layer attacks poses direct risks of data exfiltration, service compromise, or foothold establishment within internal networks. The probe pattern implies systematic enumeration of application-layer weaknesses rather than random exploitation.
Organizations with web-facing assets should treat 149.86.227.60 as a confirmed malicious source and implement immediate defensive controls. Deploying a Web Application Firewall with rule sets tuned to OWASP Top 10 attack signatures will intercept the observed application-layer probing patterns. Blocking or rate-limiting traffic from this IP at the network edge prevents any further reconnaissance. Maintaining strict patch management cycles for all web applications closes the vulnerability classes that Web App Attacks exploit. Additionally, monitoring authentication logs for brute-force patterns and enforcing strong credential policies provide layered defense against credential-based follow-on activity associated with this threat actor's methodology. Tools like fail2ban can automate the blocking response for repeated probing attempts.