Notable Threat
IP 167.94.146.50 is a high-risk address operating from the United States within AS398705 (CENSYS-ARIN-02) that has generated 451 abuse reports with a 94% confidence score, indicating with near certainty that this host is engaged in persistent malicious activity across hacking, web application exploitation, and Internet of Things targeting. The IP earned an 8/10 threat level and 8/10 activity frequency rating, reflecting sustained offensive operations over an eleven-month period from August 2025 through June 2026, with recent reporting showing hacking activity dominating at 19 of 21 categorized incidents. Threat intelligence sensors detected this actor attempting unauthorized connections, probing web applications via honeypot interactions, and executing IoT-specific reconnaissance patterns that suggest systematic network vulnerability mapping.
The volume and consistency of reports spanning nearly a year demonstrate that 167.94.146.50 is not a transient or opportunistic scanner but rather a persistent threat infrastructure component actively maintaining its attack campaign. Automated honeypot sensors across twenty distinct detection points recorded these interactions, with alert data confirming ElasticPot web application probing and Suricata protocol-detection signatures characteristic of reconnaissance preceding exploitation. The geographic assignment to the United States and association with a known autonomous system operator does not indicate legitimate or authorized scanning activity given the confirmed malicious patterns observed; rather, this suggests either compromised infrastructure being abused or deliberate hostile operations conducted from this network block. The concentration of hacking-category reports signals that the primary mission involves unauthorized access attempts against exposed services rather than opportunistic data gathering alone.
The dominant hacking activity represents a concrete, immediate threat to any exposed service accepting connections from this address, as intrusion attempts and vulnerability exploitation can result in unauthorized system access, data exfiltration, or complete host compromise depending on exposed entry points. The web application attack component indicates the actor is specifically targeting web-facing software using techniques that exploit application-layer weaknesses, which can bypass perimeter defenses that only monitor network-level traffic. The IoT targeting behavior signals interest in exploiting poorly secured connected devices, which often lack robust update mechanisms and retain default credentials, making them attractive pivot points for deeper network penetration. Each attack category carries a distinct risk profile, but combined they indicate a versatile adversary capable of adapting tactics to available targets.