In April 2025, we observed a new wave of highly organized attacks originating from IP addresses registered in Turkey. This wave stands out not only due to its scale but also because of a specific pattern suggesting a planned identity swap while maintaining the same physical or virtual infrastructure.
Key IP Ranges and Attack Volume
The attacks were traced to:
- 92.119.197.*
- 94.156.167.*
- 92.119.196.*
- 87.120.127.*
- 87.120.126.*
Each IP address generated around 100 sophisticated attack attempts on average, resulting in over 9,000 security alerts in total. The attacks were distributed evenly across the addresses, maintaining a consistent load to complicate detection and response efforts.
All activities abruptly stopped on April 26th around 13:00, a clear indicator of a coordinated campaign likely operated by an organized threat group.
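To make the volume and timing observations above reproducible from raw telemetry, the following is an added example (not part of the original write-up) that aggregates alert lines by source IP and by the five /24 prefixes listed above, reports how evenly the load is spread across addresses, and records the last alert timestamp so an abrupt stop like the April 26th cut-off can be spotted. The alert line format and the sample lines are constructed for illustration; they are not captured data.

```python
"""Aggregate security alerts by source IP and /24 prefix (added example)."""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# The five /24 ranges named in the write-up.
WATCHED_RANGES = [ip_network(p) for p in (
    "92.119.197.0/24", "94.156.167.0/24", "92.119.196.0/24",
    "87.120.127.0/24", "87.120.126.0/24",
)]

# Constructed sample alert lines (not real telemetry).
# Assumed format: "<ISO timestamp> <source IP> <rule name>".
SAMPLE_ALERTS = """\
2025-04-25T09:12:01 92.119.197.14 web.sqli
2025-04-25T09:12:07 92.119.197.14 web.path_traversal
2025-04-25T09:12:09 94.156.167.201 web.sqli
2025-04-25T10:41:33 87.120.126.77 auth.bruteforce
2025-04-26T12:58:10 92.119.196.5 web.sqli
2025-04-26T12:59:44 87.120.127.9 web.sqli
2025-04-26T13:00:02 94.156.167.201 web.rce_probe
2025-04-27T08:00:00 203.0.113.8 web.sqli
""".splitlines()


def parse_alert(line):
    """Split one alert line into (timestamp, ip_address, rule)."""
    ts, ip, rule = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), ip_address(ip), rule


def watched_prefix(ip):
    """Return the watched /24 containing ip, or None if it is outside all of them."""
    return next((net for net in WATCHED_RANGES if ip in net), None)


def summarize(lines):
    """Count alerts per /24 and per IP for watched traffic; track the last alert time."""
    per_prefix = Counter()
    per_ip = Counter()
    last_seen = None
    for line in lines:
        ts, ip, _rule = parse_alert(line)
        net = watched_prefix(ip)
        if net is None:
            continue  # unrelated source, e.g. 203.0.113.8 in the sample
        per_prefix[str(net)] += 1
        per_ip[str(ip)] += 1
        if last_seen is None or ts > last_seen:
            last_seen = ts
    return {"per_prefix": dict(per_prefix), "per_ip": dict(per_ip), "last_seen": last_seen}


def load_spread(per_ip):
    """Ratio of busiest to quietest source IP; values near 1.0 mean an even spread."""
    if not per_ip:
        return 0.0
    return max(per_ip.values()) / min(per_ip.values())


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS)
    for prefix, count in sorted(summary["per_prefix"].items()):
        print(f"{prefix:18} {count} alerts")
    print("load spread (max/min per IP):", load_spread(summary["per_ip"]))
    print("last alert from watched ranges:", summary["last_seen"].isoformat())
```

On real data the same per-prefix counts and the last-seen timestamp are what let an analyst confirm both the even distribution and the simultaneous stop described above, rather than relying on per-alert triage.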
Provider Analysis: A Suspicious Identity Swap
A notable change this month was a shift in the listed provider: while previous waves relied heavily on RailNet, this one prominently featured VSVK Onderhound B.V. as the registered provider.
Investigation revealed atypical registration patterns:
- WHOIS data linked to a nonexistent domain.
- A company with the same name exists in the Netherlands, operating in transportation with no connection to Turkey or hosting infrastructure.
- The autonomous system (ASN) tied to these IPs was created in January 2025 and updated just days before the malicious activities began.
- All malicious activities from these IP ranges started on March 31st, with no prior history.
These findings strongly suggest a fake company registration designed to mask the true operators.
Open Ports: A Controlled Visibility Strategy
A scan using Censys.io revealed no open ports on any of these IP addresses. This could indicate that the ports are genuinely closed, but it is more likely that Censys ranges are blocked at the firewall level. This tactic is commonly used to obscure the real attack surface of servers used in malicious operations.
Such controlled visibility aligns with advanced threat actor practices:
- Blocking public scanners to avoid mapping.
- Maintaining an operational infrastructure while evading detection.
- Preserving stealth to prolong the campaign.
Preliminary Attribution and Threat Actor Assessment
Available technical and registration data point toward the use of a fraudulently registered company, intentionally mimicking the name of a legitimate Dutch firm to obscure the attacker’s identity.
Moreover:
- The infrastructure is physically located in Turkey, consistent with previous attack waves.
- Instead of relocating infrastructure, the operators appear to have executed a “silent swap” of ownership, replacing WHOIS data and ASN registration while continuing operations with “fresh” IPs that carry no prior reputation issues.