SPL · Apache-2.0 · from splunk/security_content
Cisco NVM - Suspicious Network Connection to IP Lookup Service API
This analytic identifies non-browser processes connecting to public IP lookup or geolocation services, such as `ipinfo.io`, `icanhazip.com`, `ip-api.com`, and others. These domains are commonly used by legitimate tools, but use outside a browser may indicate network reconnaissance, virtual machine detection, or staging by malware. This activity is observed in post-exploitation frameworks, stealer malware, and advanced threat actor campaigns. The detection relies on Cisco Network Visibility Module (NVM) telemetry and excludes known browser processes to reduce noise.
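An added example, not the rule's own SPL: the same check written in Python over constructed NVM-style flow records. The field names (`process_name`, `dest_hostname`, `dest_port`), the browser exclusion list and the sample records are assumptions for the example, not the Cisco NVM schema; the lookup domains are the ones named above.

```python
# Added example, not the rule's SPL: flag non-browser processes that contact
# public IP-lookup services, run over constructed NVM-style flow records.
# Field names below are assumptions for the example, not the real NVM schema.
from dataclasses import dataclass

# Services named in the rule description; extend with your own list.
IP_LOOKUP_DOMAINS = {"ipinfo.io", "icanhazip.com", "ip-api.com"}

# Assumed browser allow-list used to suppress ordinary user traffic.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}


@dataclass(frozen=True)
class FlowRecord:
    host: str           # endpoint that reported the flow
    process_name: str   # image name of the process that opened the socket
    dest_hostname: str  # destination name as seen by NVM (may carry a trailing dot)
    dest_port: int


def is_ip_lookup_domain(hostname: str) -> bool:
    """True if hostname is a listed lookup domain or a subdomain of one.

    Match on label boundaries so "notipinfo.io" does not match "ipinfo.io"
    the way a plain endswith() would."""
    name = hostname.strip().lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IP_LOOKUP_DOMAINS)


def is_browser(process_name: str) -> bool:
    return process_name.lower() in BROWSER_PROCESSES


def find_suspicious(records: list[FlowRecord]) -> list[tuple[str, str, str]]:
    """Return (host, process, destination) for non-browser flows to lookup services."""
    return [
        (r.host, r.process_name, r.dest_hostname)
        for r in records
        if is_ip_lookup_domain(r.dest_hostname) and not is_browser(r.process_name)
    ]


# Constructed sample telemetry: one benign browser lookup, one look-alike
# domain, one unrelated flow, and two flows that should be flagged.
SAMPLE_RECORDS = [
    FlowRecord("ws-01", "chrome.exe", "ipinfo.io", 443),
    FlowRecord("ws-01", "powershell.exe", "ipinfo.io.", 443),
    FlowRecord("ws-02", "updater.exe", "pro.ip-api.com", 80),
    FlowRecord("ws-02", "svchost.exe", "notipinfo.io", 443),
    FlowRecord("ws-03", "outlook.exe", "outlook.office365.com", 443),
]

if __name__ == "__main__":
    for host, proc, dest in find_suspicious(SAMPLE_RECORDS):
        print(f"{host}: {proc} -> {dest}")
```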