Severe Risk
IP 186.159.162.4 is a high-risk address originating from Costa Rica that has been linked to VNC brute-force intrusion attempts, accumulating 401 abuse reports from automated honeypot sensors over a six-month period. With a maximum threat score of 10/10, this IP represents a clear and persistent automated attack source targeting remote authentication services across the internet.
The IP resides within AS52228, operated by Cable Tica, a Costa Rican ISP, and was first flagged in October 2025 with continued activity through March 2026. All 20 report sources were automated honeypot infrastructure, indicating that the address has been systematically engaged in outbound intrusion scanning rather than generating isolated false positives. The total report volume of 401 far exceeds typical background noise, confirming sustained malicious intent. Suricata intrusion-detection sensors logged repeated protocol anomalies consistent with VNC brute-force campaigns, including unexpected state transitions in the RFB (Remote Framebuffer) protocol parser and broken TCP acknowledgment patterns, both of which are characteristic of automated credential-guessing tools.
VNC brute-force activity targets the RFB protocol used by remote desktop software, systematically iterating through username and password combinations to gain unauthorized graphical desktop access. Successful authentication grants an attacker equivalent control to physical keyboard and mouse access, enabling data theft, lateral movement within networks, and deployment of follow-up malware. The attack-pattern logs demonstrate that this IP specifically probes for exposed VNC services, exploiting configurations where remote access is left accessible without VPN gating or strong credential requirements.
Site operators should immediately block this IP at the network perimeter firewall and implement geo-based access restrictions if remote administration is not required from Costa Rica. Enforcing multi-factor authentication on all VNC and remote-access services dramatically raises the bar for credential-guessing attacks. Deploying log-driven banning tools such as fail2ban automatically blocks sources of repeated failed logins for a configurable period. Regularly auditing exposed services, closing unnecessary remote-access ports, and implementing strict account lockout thresholds will reduce the attack surface this threat actor targets.