ThreatFox IOC Database
You are viewing the ThreatFox database entry for ip:port 15.204.234.74:23.
Database Entry
| IOC ID: | 1838473 |
|---|---|
| IOC: | 15.204.234.74:23 |
| IOC Type : | ip:port |
| Threat Type : | payload_delivery |
| Malware: | Mirai |
| Malware alias: | Katana |
| Confidence Level : | Confidence level is elevated (75%) |
| Is compromised? : | False |
| ASN: | AS16276 OVH |
| Country: | FR |
| First seen: | 2026-06-27 06:24:35 UTC |
| Last seen: | never |
| UUID: | dfaec272-71b7-11f1-97fa-42010aa4000a |
| Reporter | |
| Reward | 5 credits from ThreatFox |
| Tags: | IoT Mirai telnet |
| Reference: | https://speculus.co/search?ip=15.204.234.74 |
Speculus
Activity Timestamp : 2026-06-26T23:11:25Z
Summary: Inbound Telnet session from this host executed the Mirai loader's BusyBox applet-verification probe (/bin/busybox UNSTABLE), the shell check Mirai runs immediately after a successful Telnet credential brute-force to confirm a working BusyBox shell before staging its ELF payload. The "UNSTABLE" token identifies this as a Mirai variant; the source is acting as a Mirai loader/scanner.
Heuristic Detection:
* Target Vector: T1110.001 (Brute Force: Password Guessing) / T1059.004 (Command and Scripting Interpreter: Unix Shell)
* IP Address: 15.204[.]234[.]74
* Target Port: 23 (Telnet)
* Execution Footprint: `/bin/busybox UNSTABLE`
Reference: https://speculus.co/search?ip=15.204.234.74