Critical Threat
IP 148.135.80.117 is a high-risk address associated with sustained hacking activity, representing a significant threat to any exposed network services. This IP earned a maximum threat score of 10 out of 10 based on 194 total abuse reports submitted through automated honeypot sensors, with an exceptionally high confidence rating of 94 percent indicating reliable threat attribution. The address demonstrated consistent malicious behavior across an approximately three-month observation window from March 2026 through May 2026, reflecting persistent rather than opportunistic intrusion attempts.
The 194 reports linked to this IP originate exclusively from automated honeypot detection systems, lending statistical weight to the assessment that the activity represents automated scanning and exploitation attempts rather than isolated manual probing. All 20 most recent threat reports categorize the activity as general hacking, encompassing various intrusion techniques and unauthorized access attempts. Network routing data places the origin within the United States, specifically associated with AS35916 operated by MULTACOM CORPORATION, a commercial hosting and network services provider. The observed attack patterns included Suricata detection signatures flagging spurious TCP stream retransmissions, a technique frequently employed to evade intrusion detection systems or manipulate network session state during reconnaissance and exploitation phases. Suricata's spurious-retransmission alert is a TCP stream-engine anomaly event that also fires on benign retransmissions caused by packet loss or asymmetric routing, so on its own it is weak evidence; here it is one signal alongside the volume and consistency of the honeypot reports.
TCP stream manipulation through spurious retransmission allows threat actors to test firewall and IDS/IPS response behaviors, potentially identify vulnerable stateful inspection implementations, or inject malicious payloads fragmented across abnormal packet sequences. When combined with sustained scanning activity and multiple intrusion attempt categories, this pattern indicates an actor engaged in systematic vulnerability enumeration rather than casual probing. The persistent nature of the activity over several months suggests either automated infrastructure maintained for ongoing campaigns or a compromised host being leveraged as a stepping stone for broader network intrusion operations.
Organizations with exposed services should implement immediate blocking of this IP at the network perimeter firewall level given its confirmed malicious status. Deploying or enhancing fail2ban rules or equivalent dynamic blocking utilities that automatically respond to repeated authentication failures and suspicious connection patterns provides adaptive protection against similar automated threats. Keeping all systems patched and running current intrusion detection signatures helps mitigate vulnerabilities such threat actors actively exploit. Regular review of honeypot and abuse feed data, combined with correlation of reported IP patterns against local firewall logs, enables proactive identification of coordinated scanning campaigns before successful exploitation occurs.