VISIONHEIGHT INVESTIGATION VH-2026-003
March 2026 · Adversary Infrastructure Research
On December 29, 2025, a threat actor conducted a destructive attack against Polish energy infrastructure. The attack included VPN credential theft, lateral movement via SMB, Microsoft 365 data exfiltration, and deployment of a custom wiper targeting operational technology systems. CERT.pl published a detailed incident report identifying 9 indicators of compromise.
VisionHeight's proprietary telemetry had identified risky activity on the attack infrastructure before and during the attack. Organizations using this risk intelligence to enforce network policy could have blocked this traffic before it reached their environment.
Our subsequent investigation expanded the 9 published IOCs to 38 infrastructure nodes, 24 of which remain operational today.
Starting from the Public IOCs
CERT.pl's report identified 9 IP addresses used in the attack. These IOCs are the starting point for any investigation. But IOCs describe what happened. The question we wanted to answer is: what infrastructure is the attacker still operating that nobody has published yet?
VisionHeight's Pulse Telemetry - our proprietary data layer that provides real-time observability into internet infrastructure usage - identified connections between the published IOCs and previously unknown infrastructure through operator activity patterns that are invisible to traditional threat intelligence sources.
Discovering the Cluster
Our Pulse Telemetry identified operators moving between a confirmed CERT.pl IOC and a hub node (5.180.114[.]171), then from the hub to a cluster of 29 additional IP addresses. These links were established through proprietary signals unique to VisionHeight's data - not through publicly available scanning or passive DNS.
The cluster identification was further reinforced by infrastructure fingerprinting: all 29 nodes share an identical deployment template consisting of the same server software (restify), the same TLS certificate pattern (self-signed, 100-year validity), and the same SSH fingerprint. This uniformity confirms that a single team manages the nodes as a coordinated fleet, even though they are spread across multiple hosting providers in Europe.
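As an added illustration of the fingerprint pivot described above (example code written for this page, not VisionHeight's tooling), the script below groups hypothetical scan records by deployment template and pivots from one seed host to every host presenting the same template; the record fields, the 90-year validity threshold and all IP addresses are constructed.

```python
"""Group scanned hosts by the deployment template the report describes (server
banner, long-lived self-signed TLS cert, SSH host key). Added example only."""
from collections import defaultdict
from datetime import datetime

# Constructed scan records (hypothetical scanner output). IPs are from the
# RFC 5737 documentation ranges, not the report's indicators.
SCAN_RECORDS = [
    {"ip": "192.0.2.10", "server": "restify", "ssh_fp": "SHA256:aaaa",
     "issuer": "CN=localhost", "subject": "CN=localhost",
     "not_before": "2024-06-01T00:00:00Z", "not_after": "2124-06-01T00:00:00Z"},
    {"ip": "192.0.2.11", "server": "restify", "ssh_fp": "SHA256:aaaa",
     "issuer": "CN=localhost", "subject": "CN=localhost",
     "not_before": "2024-06-03T00:00:00Z", "not_after": "2124-06-03T00:00:00Z"},
    # Same banner and SSH key, but a CA-issued 90-day cert: not the template.
    {"ip": "198.51.100.7", "server": "restify", "ssh_fp": "SHA256:aaaa",
     "issuer": "CN=Example CA", "subject": "CN=example.test",
     "not_before": "2026-01-01T00:00:00Z", "not_after": "2026-04-01T00:00:00Z"},
    # Self-signed 100-year cert, but different banner and SSH key.
    {"ip": "203.0.113.5", "server": "nginx", "ssh_fp": "SHA256:bbbb",
     "issuer": "CN=localhost", "subject": "CN=localhost",
     "not_before": "2023-01-01T00:00:00Z", "not_after": "2123-01-01T00:00:00Z"},
]

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def cert_pattern(rec, min_years=90):
    """'self-signed-longlived' if issuer == subject and validity >= min_years."""
    years = (_parse(rec["not_after"]) - _parse(rec["not_before"])).days / 365.25
    if rec["issuer"] == rec["subject"] and years >= min_years:
        return "self-signed-longlived"
    return "other"

def template_key(rec):
    """A host's deployment template: banner, SSH key, certificate pattern."""
    return (rec["server"], rec["ssh_fp"], cert_pattern(rec))

def cluster_by_template(records):
    """Map each template to the sorted list of hosts presenting it."""
    groups = defaultdict(list)
    for rec in records:
        groups[template_key(rec)].append(rec["ip"])
    return {k: sorted(v) for k, v in groups.items()}

def fleet_from_seed(records, seed_ip):
    """Pivot from one known host to every host with the same template."""
    by_ip = {r["ip"]: r for r in records}
    return cluster_by_template(records).get(template_key(by_ip[seed_ip]), [])
```

Run against real scan output, the same three-part key is what lets a defender tell a genuinely shared template apart from hosts that merely share a banner or a certificate type.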
Early Risk Detection
Our Pulse Telemetry observed activity on the attack server (185.200.177[.]10) before and during the attack. This activity was consistent with attack preparation and active operations against a target environment. VisionHeight's platform flagged this IP as high-risk based on these signals.
Organizations consuming this risk intelligence would have seen this IP - and the broader cluster we identified - flagged before the attack was publicly reported. This traffic could have been blocked at the network perimeter.
By the time a CERT publishes an IOC, the damage is done. Continuous telemetry that identifies risky infrastructure as operators prepare for attacks provides a fundamentally different defensive capability than post-incident IOC sharing.
The Infrastructure Is Still Active
As of March 2026, 24 of the 29 cluster nodes continue to respond with the same deployment template. The infrastructure has not been decommissioned. Operator activity was observed on cluster nodes through February and March 2026, including post-attack activity on the attack server itself in January 2026.
The threat actor is maintaining this infrastructure. The 9 published IOCs represent a fraction of the operational footprint.
What This Means for Defenders
Published IOCs are necessary but insufficient. In this case, 9 published IOCs led to 29 undisclosed nodes - a 3x expansion of known attacker infrastructure. Defenders relying solely on published IOC feeds have visibility into only a portion of this threat actor's operational capacity.
The challenge the security community faces is not attribution after the fact. It is real-time visibility into adversary infrastructure while attacks are being prepared. This requires data sources that go beyond post-incident reporting and community sharing.
VisionHeight's Pulse Telemetry provides continuous, real-time observability into how internet infrastructure is being used - enriched with infrastructure fingerprinting, certificate intelligence, and network scanning to build a complete picture of adversary operations. In this investigation, that capability allowed us to:
- Flag attack infrastructure as high-risk before the attack was publicly reported
- Expand from 9 known IOCs to 29 undisclosed nodes through proprietary telemetry
- Identify operators managing the cluster through signals unique to our platform
- Observe activity on the attack server during the attack preparation window
- Confirm that the majority of the cluster remains operational months after the attack
Indicators of Compromise
CERT.PL PUBLISHED IOCS (9)
VISIONHEIGHT DISCOVERED - HUB NODE (1)
5.180.114[.]171
VISIONHEIGHT DISCOVERED - FIRST-HOP NODES (5)
VISIONHEIGHT DISCOVERED - CLUSTER NODES (29)