Critical Alert
IP 194.180.49.176 is a maximum-threat-risk address originating from Bulgaria that has been extensively linked to web application probing, accumulating 202 total abuse reports from automated honeypot sensors, predominantly in the Web App Attack category. The IP belongs to the MEVSPACE sp. z o.o. autonomous system (AS201814). Although its recorded activity frequency score is 0 out of 10, the volume of cumulative reports and a 74% confidence score establish this address as a credible and dangerous threat source. The IP was first and last reported in November 2025, placing all observed malicious activity within a concentrated timeframe that indicates deliberate, sustained targeting.
Analysis of the 202 submitted reports shows that all 20 of the most recent reports classify the observed activity under the Web App Attack category, with honeypot detection systems flagging the address for ElasticPot web application probing behaviour. This pattern suggests the operator behind the address is systematically scanning for vulnerabilities in web-facing applications, including potential weaknesses within the OWASP Top 10 classification such as file inclusion, injection flaws, and misconfiguration exploitation. That every detection came from automated honeypot sensors indicates this IP is actively fingerprinting and probing web application layers rather than engaging in broad network scanning or credential-based attacks.
Web application attacks represent a severe risk vector because they directly target the software layer where sensitive business logic, user authentication, and data processing occur. An IP conducting sustained web app probing is essentially performing reconnaissance to identify exploitable entry points that could later be weaponised for data exfiltration, service disruption, or lateral movement within a network. Even failed probing attempts indicate that the target infrastructure is under active reconnaissance, which itself signals an elevated security exposure requiring immediate defensive response.
Site operators with publicly accessible web applications should treat any traffic from 194.180.49.176 as hostile and implement immediate blocking at the firewall or network perimeter level. Deploying a Web Application Firewall with rule sets tuned to OWASP Top 10 threats will provide an active defence layer against the probing patterns observed from this address. Regular security audits and prompt patching of web application frameworks eliminate the vulnerabilities such actors attempt to exploit. Additionally, implementing rate-limiting on authentication and form-submission endpoints, and leveraging defensive tools such as fail2ban to automatically ban repeat offenders, will significantly reduce the attack surface exposed to this and similar threat IPs.