Threat Intel Banner


  • The top attacker country was China with 206495 unique attackers (54.3%).
  • The top Trojan C&C server detected was Collector with 3 instances detected.
  • The top phishing campaign detected was against Facebook with 48 instances detected.

   Top Attackers By Country

Country Occurrences Percentage
China 206495 54.26%
United States 91355 24.01%
India 16650 4.38%
Russia 14989 3.94%
Indonesia 9225 2.42%
Brazil 8329 2.19%
Singapore 6697 1.76%
Vietnam 5738 1.51%
Pakistan 4308 1.13%
Colombia 3496 0.92%
South Korea 3049 0.80%
Bulgaria 2359 0.62%
Thailand 2196 0.58%
Mexico 1871 0.49%
France 1593 0.42%
Belize 1484 0.39%
Bangladesh 698 0.18%
[Figure: Top Attackers by Country (pie chart: China 54.3%, United States 24%, Other 8.8%)]

   Threat Geo-location


   Top Attacking Hosts

Host Occurrences (host identifiers are absent from this extract; occurrence counts only): 40733, 35364, 18684, 18301, 16399, 13086, 8783, 8384, 7643, 6708, 6240, 6064, 5332, 4719, 4115, 2619, 2350, 2347, 2189, 2081, 2048, 2046

   Top Network Attackers

ASN Country Name
4134 China CHINANET-BACKBONE No.31,Jin-rong Street, CN
24444 China CMNET-V4SHANDONG-AS-AP Shandong Mobile Communication Company Limited, CN
5607 United Kingdom BSKYB-BROADBAND-AS, GB
7545 Australia TPG-INTERNET-AP TPG Telecom Limited, AU
14061 United States DIGITALOCEAN-ASN, US
213371 Netherlands SQUITTER-NETWORKS, NL
49877 Moldova RMINJINERING, RU
4837 China CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
63612 China XIAONIAOYUN Shenzhen Qianhai bird cloud computing Co. Ltd., CN
24560 India AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services, IN
23700 Indonesia FASTNET-AS-ID Linknet-Fastnet ASN, ID
8220 Italy COLT COLT Technology Services Group Limited, GB
7552 Vietnam VIETEL-AS-AP Viettel Group, VN
17557 Pakistan PKTELECOM-AS-PK Pakistan Telecommunication Company Limited, PK

   Remote Access Trojan C&C Servers Found

Name Number Discovered Location
AgentTesla 1
Amadey 1
Collector 3
DiamondFox 1
Lokibot 1

   Common Malware

MD5 VirusTotal FileName Claimed Product Detection Name
9a4b7b0849a274f6f7ac13c7577daad8 ww31.exe N/A W32.GenericKD:Attribute.24ch.1201
8193b63313019b614d5be721c538486b SAService.exe SAService
f2c1aa209e185ed50bf9ae8161914954 webnavigatorbrowser.exe WebNavigatorBrowser
6be10a13c17391218704dc24b34cf736 smbscanlocal0906.exe N/A Win.Dropper.Ranumbot::in03.talos
34560233e751b7e95f155b6f61e7419a SAntivirusService.exe A n t i v i r u s S e r v i c e PUA.Win.Dropper.Segurazo::tpd

   Top Phishing Campaigns

Phishing Target Count
PayPal 6
Other 1360
Adobe 6
Facebook 48
Microsoft 8
Accurint 1
Google 3
Steam 23
DHL 3 5
Hermes 2
Visa 2
Allegro 2
Rakuten 1
Orange 1
MyEtherWallet 1
Nets 1
Caixa 1

    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

Each entry lists: CVE title, vendor (where given), description, CVSS v3.1 base score, date created, date updated.

Code Injection Vulnerability in SAP Solution Manager

SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7), allows an attacker to modify a cookie in a way that OS commands can be executed and potentially gain control over the host running the CA Introscope Enterprise Manager, leading to Code Injection. With this, the attacker is able to read and modify all system files and also impact system availability.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Date Created: 10/14/2020. Date Updated: 06/17/2021.


Authentication Bypass Vulnerability in Authelia

Authelia is a single sign-on multi-factor portal for web apps. This affects users who are using nginx ngx_http_auth_request_module with Authelia; it allows a malicious individual who crafts a malformed HTTP request to bypass the authentication mechanism. It additionally could theoretically affect other proxy servers, but all of the ones we officially support except nginx do not allow malformed URI paths. The problem is rectified entirely in v4.29.3. As this patch is relatively straightforward we can backport this to any version upon request. Alternatively we are supplying a git patch to 4.25.1 which should be relatively straightforward to apply to any version; the git patches for specific versions can be found in the references. The most relevant workaround is upgrading. You can also add a block which fails requests that contain a malformed URI in the internal location block.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Date Created: 05/28/2021. Date Updated: 06/09/2021.


Server Side Request Forgery Vulnerability in Apache Solr Core

The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Date Created: 04/13/2021. Date Updated: 06/11/2021.


Buffer Overflow Vulnerability in GNU

The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Date Created: 05/25/2021. Date Updated: 06/13/2021.


Remote Code Execution Vulnerability in VoIP Monitor

Vendor: Voip Monitor

A remote code execution issue was discovered in the web UI of VoIPmonitor before 24.61. When the recheck option is used, the user-supplied SPOOLDIR value (which might contain PHP code) is injected into config/configuration.php.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Date Created: 05/29/2021. Date Updated: 06/09/2021.


Deserialization Vulnerability in Apache Dubbo Server

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following the server's instruction. This means that if a weak deserializer such as Kryo or FST is somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Date Created: 06/01/2021. Date Updated: 06/10/2021.


SQL Injection Vulnerability in Synology Media Server

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in cgi component in Synology Media Server before 1.8.1-2876 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Date Created: 06/01/2021. Date Updated: 06/08/2021.

Date Published
June 24, 2021