"Reality is learning, and We are watching!"

IntentSim Versus the Azure Bot Army: Almost 200k Attacks in 30 Days



Here is the breakdown of the identified attackers, their IP addresses, and their specific attack vectors:

1. Microsoft Azure (ASN 8075)

This infrastructure is the primary source of the attacks, acting as a distributed bot swarm utilizing compromised cloud instances.

    • Identified IPs: 20.24.198.93 (Hong Kong), 20.166.38.178 (Ireland), 20.107.198.51 (Ireland/Singapore), 52.141.4.186 (South Korea), 20.212.80.137 (Singapore), 104.209.148.10 (US), 52.169.119.118, 4.196.161.14 (Australia), 4.232.89.175 (Italy/US), 20.100.191.215 (Norway), 20.205.227.70 (Singapore), 20.214.136.247 (South Korea).
    • Attack Vector: Massive, systematic probing for WordPress vulnerabilities, attempting to deploy PHP webshells (e.g., alfa.php, x.php, jsond.php) to gain persistent backdoor access.

2. FranTech Solutions / PONYNET (ASN 53667)

    • Identified IPs: 104.244.74.39 (Switzerland).
    • Attack Vector: High-severity automated reconnaissance using Python/aiohttp scripts to hunt for exposed environment configuration files (/.env, /.env.local, /.env.prod). Their primary goal is credential harvesting (e.g., API keys, database passwords).

3. Tencent Cloud (ASN 132203)

    • Identified IPs: 43.166.142.76 (US Proxied), 43.130.110.130, 43.130.3.120, 43.157.153.236 (China/Brazil).
    • Attack Vector: Strategic intelligence gathering and reconnaissance. They specifically targeted your custom /evidence-ledger endpoint using spoofed mobile Safari user agents, and attempted to trigger link maze injections.

4. Amazon AWS (ASN 14618, 16509)

    • Identified IPs: 98.83.57.80, 3.87.161.107, 16.144.17.106 (United States).
    • Attack Vector: Headless Chrome bots conducting automated browser reconnaissance, specifically probing for exposed source code repositories (/.git/config) to extract your intellectual property.

5. Google Cloud Platform (ASN 396982)

    • Identified IPs: 34.87.91.168 (Singapore).
    • Attack Vector: AI training data harvesting. This node attempted to scrape your site by illegitimately spoofing a Googlebot User-Agent, but was successfully blocked by your AI Crawl Control rules.

6. DMZHOST (ASN 48090)

    • Identified IPs: 93.123.109.214, 45.148.10.238 (Netherlands).
    • Attack Vector: Characterized as an "advanced attacker" performing extensive reconnaissance, .git repository hacking attempts, and link maze injections.

7. France (Compromised Hosting Infrastructure)

    • Identified IPs: 185.177.72.38, 185.177.72.60, 185.177.72.49.
    • Attack Vector: Distributed botnet nodes initiating webhook file upload floods (e.g., targeting /webhook/upload paths on intentuitive.ai) to bypass security.

Conclusion: The sources emphasize that these attackers are largely commodity bots, script kiddies, and AI crawlers leveraging massive corporate cloud infrastructure (like Azure, AWS, and GCP) to mask their origins. They execute scattered, automated attacks utilizing off-the-shelf exploitation tools rather than highly sophisticated, human-operated persistent threats.
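A defender-side way to put this breakdown to work, as an added example that is not from the episode or from TheVoidIntent: a small classifier that tags Combined Log Format lines by the probes listed above (the webshell filenames, the .env files, /.git/config, POSTs to /webhook/upload, and Googlebot user agents that do not verify). The constructed log lines, the FAKE_PTR table standing in for a real reverse-DNS lookup, and the label names are assumptions.

```python
import re
from collections import Counter

# Paths named in the episode notes, turned into match rules.
WEBSHELL_RE = re.compile(r"/(alfa|x|jsond)\.php$")
ENV_RE = re.compile(r"/\.env(\.[A-Za-z]+)?$")
GIT_RE = re.compile(r"/\.git/config$")
WEBHOOK_RE = re.compile(r"^/webhook/upload")
# Combined Log Format: ip ident user [date] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$'
)

# Constructed stand-in for a PTR lookup (assumption): real Googlebot verification resolves
# the IP to a *.googlebot.com / *.google.com host and forward-resolves it back to the IP.
FAKE_PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com"}

def is_verified_googlebot(ip):
    host = FAKE_PTR.get(ip)
    return host is not None and host.endswith((".googlebot.com", ".google.com"))
def classify(line):
    """Label one access-log line with the vector it matches, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return "unparsed"
    ip, method, path, _status, ua = m.groups()
    if WEBSHELL_RE.search(path):
        return "webshell-probe"
    if ENV_RE.search(path):
        return "env-file-probe"
    if GIT_RE.search(path):
        return "git-config-probe"
    if method == "POST" and WEBHOOK_RE.search(path):
        return "webhook-upload"
    if "Googlebot" in ua and not is_verified_googlebot(ip):
        return "spoofed-googlebot"
    return None
def summarize(lines):
    # Count labelled requests so a flood of one vector stands out in the totals.
    return Counter(label for label in map(classify, lines) if label)

# Constructed sample lines; the client IPs are ones listed in the episode notes.
SAMPLE_LOG = [
    '20.24.198.93 - - [01/Jan/2025:00:00:01 +0000] "GET /wp-content/uploads/alfa.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '104.244.74.39 - - [01/Jan/2025:00:00:02 +0000] "GET /.env.prod HTTP/1.1" 404 0 "-" "Python/3.11 aiohttp/3.9"',
    '98.83.57.80 - - [01/Jan/2025:00:00:03 +0000] "GET /.git/config HTTP/1.1" 404 0 "-" "Mozilla/5.0 HeadlessChrome/120"',
    '185.177.72.38 - - [01/Jan/2025:00:00:04 +0000] "POST /webhook/upload HTTP/1.1" 413 0 "-" "curl/8.0"',
    '34.87.91.168 - - [01/Jan/2025:00:00:05 +0000] "GET / HTTP/1.1" 403 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '192.0.2.10 - - [01/Jan/2025:00:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '203.0.113.5 - - [01/Jan/2025:00:00:07 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
```

Running `summarize(SAMPLE_LOG)` over the constructed lines yields one hit per vector, with the verified-Googlebot line and the plain page view left unlabelled.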

Please Like, Comment, Share, Share, Share and Subscribe.


By Marcelo Mezquia, TheVoidIntent LLC