Severe Risk
IP 185.91.127.85 is a critical-risk address announced by AS49581 (Tube-Hosting) in Germany. It generated 883 abuse reports from automated honeypot sensors over a four-month active window from March through June 2026, with a dominant pattern of SOCKS5 brute-force authentication attempts alongside broader hacking activity.
Threat-intelligence telemetry recorded 883 total reports from 20 separate automated honeypot sensors, an extremely high volume of malicious traffic for a single endpoint, at an activity frequency rated 8 out of 10, which places it among the most persistently abusive addresses observed in this period. The category breakdown lists 18 hacking-category reports and 2 brute-force reports; that tally covers only a small subset of the 883 reports, and the source does not state how the remainder are classified, so treat the category counts as indicative rather than exhaustive. The honeypot data specifically flags repeated connection attempts and SOCKS5 brute-force patterns as the primary vectors. The allocation to a hosting provider (AS49581, Tube-Hosting) means the traffic originates from a rented or compromised server rather than a residential connection; hosting ranges are a common origin for scanning and proxy-abuse infrastructure because they are cheap, disposable and obscure the operator's real location. The sustained four-month reporting window indicates continuous automated scanning rather than a one-off burst. Because the reporters are honeypots, the activity is indiscriminate: the address is sweeping the internet for exposed services, not targeting a specific victim.
The SOCKS5 brute-force activity from this address is a systematic credential-guessing campaign against the username/password authentication of exposed SOCKS proxy services. A proxy whose credentials are guessed becomes a relay: the attacker routes further attacks or anonymizes malicious traffic through it, and the victim's address then shows up in someone else's abuse reports. Combined with the generalized hacking activity indicating broader intrusion attempts, the IP poses a dual-vector threat that can compromise poorly secured proxy infrastructure or enable follow-on abuse chains. The 96% confidence score and the maximum 10/10 threat rating reflect that this assessment is corroborated across multiple independent detection sensors rather than resting on a single report.
Site operators should immediately block or restrict traffic from 185.91.127.85 at the network edge, while recognizing that hosting-based scanners rotate addresses and a single-IP block is a short-lived control. More durable measures are to verify that no SOCKS or other proxy service is reachable from the internet unless it must be, to apply strict rate-limiting and lockout on authentication endpoints so that credential guessing becomes impractical, to enforce strong password policies together with multi-factor authentication on any exposed management interface, and to deploy an automated banning tool such as fail2ban with a filter that matches the proxy's own authentication-failure log lines. Continuous monitoring for inbound connection attempts from this address, and from related infrastructure within the AS49581 allocation, is strongly recommended given the sustained pattern observed.
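The following is an added example, not code from the original report or from any vendor: it demonstrates the SOCKS5 brute-force mechanism described in the threat assessment above and the fail2ban-style lockout recommended in the mitigation paragraph. It parses the SOCKS5 client greeting (RFC 1928) and the username/password subnegotiation (RFC 1929) with the same framing a real proxy would see, checks the credential in constant time, and keeps a per-source failure window that bans an address after repeated failures. The sample packets, the credential store, the legitimate client address 192.0.2.10 and the threshold values are constructed for this example.

```python
"""
Added example: SOCKS5 username/password brute-force detection with a
fail2ban-style per-source lockout.  Packets, credentials and thresholds
below are constructed for illustration; 192.0.2.10 is a TEST-NET address.
"""
import hmac
from collections import defaultdict, deque

SOCKS_VERSION = 0x05   # RFC 1928 greeting version byte
AUTH_USERPASS = 0x02   # RFC 1928 method id for username/password auth
SUBNEG_VERSION = 0x01  # RFC 1929 subnegotiation version byte


def parse_greeting(data: bytes):
    """Parse VER | NMETHODS | METHODS...; return (methods, bytes consumed)."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    n = data[1]
    if len(data) < 2 + n:
        raise ValueError("truncated greeting")
    return list(data[2:2 + n]), 2 + n


def parse_userpass(data: bytes):
    """Parse VER(0x01) | ULEN | UNAME | PLEN | PASSWD; return (user, pwd, consumed)."""
    if len(data) < 2 or data[0] != SUBNEG_VERSION:
        raise ValueError("not a username/password subnegotiation")
    ulen = data[1]
    if len(data) < 3 + ulen:
        raise ValueError("truncated username")
    plen = data[2 + ulen]
    end = 3 + ulen + plen
    if len(data) < end:
        raise ValueError("truncated password")
    return bytes(data[2:2 + ulen]), bytes(data[3 + ulen:end]), end


def build_greeting(*methods):
    return bytes([SOCKS_VERSION, len(methods), *methods])


def build_userpass(user: bytes, pwd: bytes):
    return bytes([SUBNEG_VERSION, len(user)]) + user + bytes([len(pwd)]) + pwd


class BruteForceGuard:
    """Ban a source after max_failures failed attempts within window seconds."""

    def __init__(self, max_failures=5, window=600.0, ban_time=3600.0):
        self.max_failures, self.window, self.ban_time = max_failures, window, ban_time
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._banned = {}                    # ip -> ban expiry timestamp

    def is_banned(self, ip, now):
        expiry = self._banned.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self._banned[ip]             # ban expired; lift it
            return False
        return True

    def record_failure(self, ip, now):
        q = self._failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._banned[ip] = now + self.ban_time
            q.clear()
            return True                      # newly banned
        return False


def authenticate(guard, creds, ip, greeting, subneg, now):
    """Run one client attempt; return 'banned', 'no-userpass', 'ok' or 'fail'."""
    if guard.is_banned(ip, now):
        return "banned"                      # drop before parsing anything
    methods, _ = parse_greeting(greeting)
    if AUTH_USERPASS not in methods:
        guard.record_failure(ip, now)        # server would reply 05 FF
        return "no-userpass"
    user, pwd, _ = parse_userpass(subneg)
    # Constant-time compare; unknown users fall through to a mismatch.
    if hmac.compare_digest(creds.get(user, b"\x00"), pwd):
        return "ok"
    guard.record_failure(ip, now)
    return "fail"


def simulate():
    """Replay a constructed guessing run from 185.91.127.85 and one good login."""
    creds = {b"ops": b"correct horse battery staple"}  # constructed secret
    guard = BruteForceGuard(max_failures=5, window=600.0, ban_time=3600.0)
    attacker, legit = "185.91.127.85", "192.0.2.10"
    greeting = build_greeting(0x00, AUTH_USERPASS)
    results = []
    for i, guess in enumerate([b"admin", b"password", b"123456", b"proxy", b"socks", b"root"]):
        results.append(authenticate(guard, creds, attacker, greeting,
                                    build_userpass(b"ops", guess), now=float(i)))
    results.append(authenticate(guard, creds, legit, greeting,
                                build_userpass(b"ops", creds[b"ops"]), now=10.0))
    return results, guard


if __name__ == "__main__":
    print(simulate()[0])
```

The guard counts per source address, so a campaign spread across many hosts in the same allocation would not trip it; production deployments pair this with a per-account counter and push the ban decision to the network edge (an nftables or cloud firewall deny list) rather than relying on the proxy to keep rejecting the connection.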