Threat Intel Banner


  • The top attacker country was China with 172304 unique attackers (43.8%).
  • The top Trojan C&C server detected was Oski with 32 instances detected.
  • The top phishing campaign detected was against Facebook with 35 instances detected.

   Top Attackers By Country

Country Occurrences Percentage
China 172304 43.8%
United States 88408 22.73%
Russia 74668 19.20%
India 14028 3.61%
Brazil 9967 2.56%
Germany 5631 1.45%
Iran 5256 1.35%
Bangladesh 4019 1.03%
Spain 3646 0.94%
Thailand 3187 0.82%
Indonesia 2706 0.70%
Vietnam 2667 0.69%
Singapore 2414 0.62%
Luxembourg 2029 0.52%
Pakistan 1101 0.28%
Ukraine 1083 0.28%
Chart: Top Attackers by Country (China, United States, Russia, India, Brazil, Other)

   Threat Geo-location


   Top Attacking Hosts


   Top Network Attackers

ASN Country Name
44446 Ukraine SIBIRINVEST, NL
4134 China CHINANET-BACKBONE No.31,Jin-rong Street, CN
32329 United States MONKEYBRAINS, US
14061 United States DIGITALOCEAN-ASN, US
212283 Bulgaria ROZA-AS, BG
213371 Netherlands SQUITTER-NETWORKS, NL
51167 Germany CONTABO, DE
58224 Iran TCI, IR
8220 Italy COLT COLT Technology Services Group Limited, GB
12338 Spain EUSKALTEL, ES

   Remote Access Trojan C&C Servers Found

Name Number Discovered
AgentTesla 1
Amadey 3
Anubis 1
Azorult 1
BlackNet 2
Collector 5
Cypress 2
EvilBear 1
GrimAgent 1
LiteHTTP 2
LokiBot 3
Oski 32
Redline 3
Zeus 1
Chart: Trojan C&C Servers Detected (Amadey, BlackNet, Collector, Cypress, LiteHTTP, LokiBot, Oski, Redline, Other)

   Common Malware

MD5 VirusTotal FileName Claimed Product Detection Name
9a4b7b0849a274f6f7ac13c7577daad8 ww31.exe N/A W32.GenericKD:Attribute.24ch.1201
8193b63313019b614d5be721c538486b SAService.exe SAService
f2c1aa209e185ed50bf9ae8161914954 webnavigatorbrowser.exe WebNavigatorBrowser
6be10a13c17391218704dc24b34cf736 smbscanlocal0906.exe N/A Win.Dropper.Ranumbot::in03.talos
34560233e751b7e95f155b6f61e7419a SAntivirusService.exe A n t i v i r u s S e r v i c e PUA.Win.Dropper.Segurazo::tpd

   Top Phishing Campaigns

Phishing Target Count
Other 1381
Facebook 35
Microsoft 9
Allegro 3
Apple 3
PayPal 4
Special 3
Virustotal 3
Google 3
Yahoo 1 8
Rakuten 4
Caixa 1
Steam 5
Adobe 2
Optus 2
MyEtherWallet 1

    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

CVE, Title, Vendor | Description | CVSS v3.1 Base Score | Date Created | Date Updated


Code Injection Vulnerability in SAP Solution Manager


SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7) allow an attacker to modify a cookie in a way that OS commands can be executed, potentially gaining control over the host running the CA Introscope Enterprise Manager and leading to code injection. With this, the attacker is able to read and modify all system files and also impact system availability.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) | Date Created: 10/14/2020 | Date Updated: 06/17/2021


Authentication Bypass Vulnerability in Authelia


Authelia is a single sign-on multi-factor portal for web apps. This affects users who are using the nginx ngx_http_auth_request_module with Authelia: it allows a malicious individual who crafts a malformed HTTP request to bypass the authentication mechanism. It could theoretically affect other proxy servers as well, but all of the ones we officially support except nginx do not allow malformed URI paths. The problem is rectified entirely in v4.29.3. As this patch is relatively straightforward we can back-port it to any version upon request. Alternatively we are supplying a git patch to 4.25.1 which should be relatively straightforward to apply to any version; the git patches for specific versions can be found in the references. The most relevant workaround is upgrading. You can also add a block which fails requests that contain a malformed URI in the internal location block.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) | Date Created: 05/28/2021 | Date Updated: 06/09/2021


Server Side Request Forgery Vulnerability in Apache Solr Core


The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | Date Created: 04/13/2021 | Date Updated: 06/11/2021


Buffer Overflow Vulnerability in GNU


The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | Date Created: 05/25/2021 | Date Updated: 06/13/2021


Remote Code Execution Vulnerability in VoIP Monitor

Vendor: Voip Monitor

A remote code execution issue was discovered in the web UI of VoIPmonitor before 24.61. When the recheck option is used, the user-supplied SPOOLDIR value (which might contain PHP code) is injected into config/configuration.php.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | Date Created: 05/29/2021 | Date Updated: 06/09/2021


Deserialization Vulnerability in Apache Dubbo Server


Each Apache Dubbo server sets a serialization id to tell clients which serialization protocol it is working with. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, i.e. by not following the server's instruction. This means that if a weak deserializer such as Kryo or FST is somehow in code scope (e.g. if Kryo is somehow part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer and then proceed to exploit it.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | Date Created: 06/01/2021 | Date Updated: 06/10/2021


SQL Injection Vulnerability in Synology Media Server


Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in the cgi component in Synology Media Server before 1.8.1-2876 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | Date Created: 06/01/2021 | Date Updated: 06/08/2021