Check an IP Address, Domain Name, Subnet, or ASN

52.165.80.115 was found in our database!

Confidence Level

86%

Very High?

Geolocation

🇺🇸

United StatesDes Moines

ISPMicrosoft Corporation

ASNAS8075

Activity Timeline

First seenJan 21, 2026, 10:11 AM

Last seen1h ago

First reportedMar 5, 2026, 11:41 PM

Last reported4d ago

106Sessions

162Events

1Reports

Protocol Breakdown

HTTPS

45 / 74

SMTP

10 / 15

DOCKER

7 / 13

HTTP

4 / 10

IMAP

10 / 10

SIP

4 / 8

FTP

4 / 7

SSH

6 / 7

ELASTICSEARCH

6 / 6

SMB

4 / 5

POSTGRES

2 / 3

MSSQL

2 / 2

REDIS

2 / 2

52.165.80.115 has a very high threat confidence level of 86%, originating from Des Moines, United States, on the Microsoft Corporation network (8075). It has been observed across 106 sessions targeting HTTPS, SMTP, DOCKER, HTTP, IMAP and 8 other protocols, First observed on January 21, 2026, most recently active March 10, 2026.

Behaviors

Classified behavioral patterns observed

Redis Mglndd Campaign Activity

medium1x

Authenticated Redis sessions where the source issues a command containing the MGLNDD_[ip]_6379 pattern. The value is transmitted as part of the executed command rather than connection metadata and appears programmatically generated. This behavior groups activity where the previously defined primitive detects the MGLNDD command pattern, reflecting automated Redis interaction observed through honeypot telemetry. No assumptions are made about operator intent beyond the execution of this specific command string.

Docker Invalid Protocol Probe

info3x

Client repeatedly sends GET requests to the /bad-request Docker API endpoint, indicating malformed or incompatible traffic against the Docker daemon. This pattern is typically associated with generic internet scanning or tools attempting HTTP interaction without speaking the proper Docker API protocol.

Http Root Path Request

info2x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

Https Root Path Request

info2x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

Primitives

Individual actions observed

Docker Get Method11 Elastic Http Get Request7 Smtp Ehlo Greeting5 Docker Bad Request Uri5 Http Method Get2 Https Path Root2 Elastic Root Path Probe1 Redis Mglndd Client Identifier Tag1 Elastic Http Bad Request Path Probe1

User Reports

1 report from 1 contributor

Date	Category	Protocol	Comment
Mar 5, 2026	Brute Force	SSH	SikkerGuard: 2 blocked packets

Related Threats

Explore related threat intelligence

WHOIS Lookup

IP Address	Confidence	Events
20.65.194.25	70%	124
20.163.27.102	74%	144
20.163.15.177	81%	113
20.29.49.244	61%	96
4.145.113.4	91%	78

IP Address	Confidence	Events
130.12.180.39	91%	11,545
130.12.180.92	91%	10,907
91.92.243.24	91%	11,221
130.12.180.57	91%	11,528
130.12.180.66	91%	11,577