• The top attacker country was China with 134839 unique attackers (46.00%).
• The top Trojan C&C server detected was Heodo with 26 instances detected.

Top Attackers By Country

| Country | Occurrences | Percentage |
|---|---|---|
| China | 134839 | 46.00% |
| Australia | 70288 | 24.00% |
| South Africa | 19376 | 6.00% |
| Chile | 18140 | 6.00% |
| United Kingdom | 9991 | 3.00% |
| United States | 6378 | 2.00% |
| France | 5018 | 1.00% |
| Russia | 3824 | 1.00% |
| India | 2160 | 0% |
| South Korea | 1954 | 0% |
| Italy | 1667 | 0% |
| Netherlands | 1643 | 0% |
| Indonesia | 1509 | 0% |
| Paraguay | 1332 | 0% |
| Brazil | 1292 | 0% |
| Vietnam | 1067 | 0% |
| Mexico | 1010 | 0% |
| Argentina | 833 | 0% |
| Pakistan | 352 | 0% |



Top Attacking Hosts

Host Occurrences 15651 14050 9414 4363 3395 2654 2406 2072 2065 1967 1852 1845 1819 1717 1686

Top Network Attackers

| ASN | Country | Name |
|---|---|---|
| 6471 | Chile | ENTEL CHILE S.A., CL |
| 4134 | China | CHINANET-BACKBONE No.31,Jin-rong Street, CN |
| 4837 | China | CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN |
| 16276 | Italy | OVH, FR |
| 23650 | China | CHINANET-JS-AS-AP AS Number for CHINANET jiangsu province backbone, CN |

Remote Access Trojan C&C Servers Found

| Name | Number Discovered | Location |
|---|---|---|
| Azorult | 3 | |
| DiamondFox | 2 | |
| Heodo | 26 | |
| ISRStealer | 1 | |
| KeyBase | 1 | |
| Lokibot | 16 | |
| RansomBuyDecrypt | 1 | |
| TrickBot | 2 | |
| Zloader | 1 | |

Common Malware

| MD5 | VirusTotal | FileName | Claimed Product | Detection Name |
|---|---|---|---|---|
| 88cbadec77cf90357f46a3629b6737e6 | | FlashHelperServices.exe | FlashHelperServices | PUA.Win.File.2144flashplayer::tpd |
| 8c80dd97c37525927c1e549cb59bcbf3 | | eternalblue-2.2.0.exe | N/A | |
| be52a2a3074a014b163096055df127a0 | | xme64-553.exe | N/A | Win.Trojan.Coinminer::tpd |
| 799b30f47060ca05d80ece53866e01cc | | mf2016341595.exe | N/A | W32.Generic:Gen.22fz.1201 |
| e2ea315d9a83e7577053f52c974f6a5a | | c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f | N/A | |

CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

CVE, Title, Vendor Description CVSS v2 Base Score Date Created Date Updated


Microsoft Active Directory Privilege Escalation Vulnerability


The vulnerability exists in Active Directory Forest trust due to a default setting that lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest. The vulnerability allows a remote user to escalate privileges on the system. A remote user can gain elevated privileges on the target system.
CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Date Created: 02/11/2020
Date Updated: 02/13/2020


Microsoft Scripting Engine Memory Corruption Vulnerability


A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVSS v2 Base Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Date Created: 02/11/2020
Date Updated: 02/12/2020


Microsoft Excel Remote Code Execution Vulnerability


A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system.
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Date Created: 02/11/2020
Date Updated: 02/14/2020


CORSAIR iCUE Driver Local Privilege Escalation Vulnerability


The CorsairLLAccess64.sys and CorsairLLAccess32.sys drivers in CORSAIR iCUE allow local non-privileged users to read and write to arbitrary physical memory locations, and consequently gain NT AUTHORITY\SYSTEM privileges, via a function call such as MmMapIoSpace.
CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Date Created: 02/07/2020
Date Updated: 02/12/2020


Atlassian Jira Information Disclosure Vulnerability


The /rest/api/latest/groupuserpicker resource in Jira allows remote attackers to enumerate usernames through an information disclosure vulnerability.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Date Created: 09/11/2019
Date Updated: 02/03/2020


Sudo pwfeedback Buffer Overflow Vulnerability


A potential security issue exists in sudo when the pwfeedback option is enabled in sudoers that can lead to a buffer overflow. If pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.
CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Date Created: 01/29/2020
Date Updated: 02/07/2020


Tinywall Controller Privilege Escalation Vulnerability


In Tinywall, unsafe usage of .NET deserialization in Named Pipe message processing allows privilege escalation to NT AUTHORITY\SYSTEM for a local attacker. An attacker who has already compromised the local system could use TinyWall Controller to gain additional privileges by attaching a debugger to the running process and modifying the code in memory.
CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Date Created: 12/30/2019
Date Updated: 01/13/2020