Critical Threat
IP 190.119.147.50, registered to America Movil Peru S.A.C. in Peru (AS12252), is a critical-risk address. Automated honeypot sensors filed 204 distinct abuse reports against it over a compressed three-month window between February and April 2026, with all recent reports categorizing the activity as general hacking intrusion attempts and network reconnaissance. The IP carries a threat severity score of 10/10, reflecting the concentrated volume and nature of detected malicious traffic. Its current activity frequency rating is zero, indicating the host may be temporarily dormant after an intensive campaign.
The report corpus stems exclusively from 20 automated honeypot sensors, yielding an average of roughly 10 incident reports per participating sensor node over an eight-week reporting span. The detection signatures include Suricata alerts flagging malformed TCP streams characterized by broken acknowledgment packets, a pattern consistent with active network scanning or vulnerability probing against exposed services. With a 65 percent confidence score, analysts assess that roughly two-thirds of observed behaviour aligns with confirmed malicious patterns, leaving moderate uncertainty regarding the full scope of the operator's intentions or infrastructure co-option status. The geographic and network context — a Peruvian mobile carrier ASN — suggests the source may represent compromised endpoint infrastructure rather than purpose-built attack infrastructure.
Broken ACK packet anomalies in network streams frequently precede exploitation attempts, as threat actors use malformed TCP handshake signals to evade detection or fingerprint target system responses before launching more targeted attacks. Combined with the general hacking categorization, this suggests the IP conducted systematic unauthorized access attempts against exposed services, probing for vulnerabilities or attempting to establish persistent connections for follow-on compromise. The concentrated burst of activity over a short period suggests either automated scanning sweeps or coordinated credential-based attacks against specific target ranges that happened to intersect with honeypot detection systems.
Defensive operators should treat any connection attempt from 190.119.147.50 as inherently suspicious and apply immediate blocking at the network perimeter, supplemented by stateful inspection rules that flag and drop malformed TCP segments. Implementing strong authentication controls on exposed services, enforcing principle-of-least-privilege access policies, and deploying defensive tools such as fail2ban or equivalent connection-throttling mechanisms will substantially reduce the practical impact of any resumed activity. Continuous monitoring for inbound reconnaissance from this address space and integration of the associated Suricata signatures into local intrusion detection pipelines will ensure rapid detection if the source reactivates against production infrastructure.