Critical Threat
IP 108.165.230.87 is a high-risk threat actor address originating from Brazil and operating within AS210356 under the network designation BattleHost. It has accumulated 402 abuse reports submitted by automated honeypot sensors. With a threat level rated at the maximum 10/10 and a confidence score of 79%, this IP has been flagged exclusively for general hacking activity, including intrusion attempts and exploitation attempts, during April 2026. The concentration of reports within a single calendar month indicates sustained, deliberate malicious targeting rather than opportunistic or transient scanning behavior.
The submitted dataset documents 20 recent reports, all categorized under the hacking classification and sourced entirely from automated honeypot sensors. The recorded activity frequency is zero despite the high volume of unique report submissions. This discrepancy between report count and activity frequency suggests the IP has been repeatedly flagged across multiple independent detection points, each capturing individual connection attempts. The network context (an AS assignment associated with BattleHost), combined with the exclusive focus on hacking categories, positions this address as infrastructure actively involved in systematic intrusion operations rather than as an incidentally compromised endpoint.
Hacking activity as documented encompasses automated tools performing credential abuse, vulnerability probing, and reconnaissance against exposed services. The sustained report volume demonstrates this IP functions as a known scanning and exploitation platform, persistently targeting systems across distributed honeypot deployments. Real-world exposure to such an address carries the risk of unauthorized access attempts against unhardened services, credential compromise through brute-force mechanisms, and potential lateral movement if initial access is achieved. Organizations with internet-facing services represent primary targets for activity of this nature.
Site operators should immediately block or rate-limit connections from this address at the network edge and monitor for subsequent attempts from adjacent IP ranges within the same ASN. Automated defensive tools such as fail2ban can detect and remediate repeated authentication abuse patterns in real time. Multi-factor authentication should be enforced across all remote-access interfaces, patch management processes should be verified as current, and honeypot infrastructure logs should be reviewed to identify which specific services are being actively targeted. Routinely auditing authentication logs for source IPs matching known abusive patterns provides additional situational awareness against evolving threats from this infrastructure.