• The top attacker country was China with 71,942 unique attackers (37% of all attackers observed).
• The most frequently detected Trojan C&C family was TrickBot, with 16 servers identified.

Top Attackers By Country

Country          Occurrences   Percentage
China                 71,942          37%
United States         24,091          12%
Australia             19,431          10%
Canada                16,193           8%
India                  8,003           4%
France                 6,974           3%
Fiji                   4,759           2%
Brazil                 3,798           1%
Russia                 3,432           1%
Thailand               3,190           1%
South Korea            2,767           1%
South Africa           2,645           1%
Indonesia              2,427           1%
Germany                1,802          <1%
United Kingdom         1,767          <1%
Hong Kong              1,454          <1%
Bulgaria               1,411          <1%
Mexico                   748          <1%
Macao                    619          <1%

Percentages are shares of all attackers observed (roughly 190,000 to 194,000 in total, as implied by the table's own figures), truncated to whole percents; the countries listed here account for about 177,000 of them.

[Pie chart: Top Attackers by Country, showing the top eight countries above plus Other. The chart's shares are of the listed countries only, which is why China reads 40.5% here against 37% in the table: China 40.5%, United States 13.6%, Australia 10.9%, Canada 9.1%, Other 12.5%.]
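The bullet at the top of the report gives China 37% while the country chart gives 40.5%, and several countries with more than a thousand attackers show 0% in the table. Both figures are correct under different denominators, and the whole-percent column is truncated rather than rounded. The following script, an added example that is not part of the original report, reproduces the chart shares from the table counts, derives the range of grand totals consistent with the printed percentages, and shows that only floor-truncation reproduces the table. The country counts and percentages are copied from the table above; nothing else is assumed.

```python
"""Reconcile the attacker-by-country figures in the report (added example)."""
from math import floor

# Copied from the "Top Attackers By Country" table: country -> unique attackers.
TOP_COUNTRIES = {
    "China": 71942, "United States": 24091, "Australia": 19431, "Canada": 16193,
    "India": 8003, "France": 6974, "Fiji": 4759, "Brazil": 3798, "Russia": 3432,
    "Thailand": 3190, "South Korea": 2767, "South Africa": 2645, "Indonesia": 2427,
    "Germany": 1802, "United Kingdom": 1767, "Hong Kong": 1454, "Bulgaria": 1411,
    "Mexico": 748, "Macao": 619,
}

# The whole-percent figures printed beside those counts in the same table.
TABLE_PERCENT = {
    "China": 37, "United States": 12, "Australia": 10, "Canada": 8, "India": 4,
    "France": 3, "Fiji": 2, "Brazil": 1, "Russia": 1, "Thailand": 1,
    "South Korea": 1, "South Africa": 1, "Indonesia": 1, "Germany": 0,
    "United Kingdom": 0, "Hong Kong": 0, "Bulgaria": 0, "Mexico": 0, "Macao": 0,
}


def share_of_listed(counts, top_n=8):
    """Pie-chart style shares: the top_n countries plus an 'Other' slice,
    computed over the listed countries only (the chart's denominator)."""
    total = sum(counts.values())
    ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
    shares = {name: round(100 * n / total, 1) for name, n in ranked[:top_n]}
    shares["Other"] = round(100 * sum(n for _, n in ranked[top_n:]) / total, 1)
    return shares


def implied_total_bounds(counts, table_pct):
    """Interval (lo, hi] for the grand total T consistent with every printed
    whole-percent figure if those figures were floor-truncated:
    p <= 100*n/T < p+1  <=>  100*n/(p+1) < T <= 100*n/p  (no upper bound when p == 0)."""
    lo, hi = 0.0, float("inf")
    for name, p in table_pct.items():
        n = counts[name]
        lo = max(lo, 100 * n / (p + 1))
        if p > 0:
            hi = min(hi, 100 * n / p)
    return lo, hi


def matches_table(counts, table_pct, total, to_percent):
    """True if rendering every count with to_percent(n, total) reproduces the table."""
    return all(to_percent(counts[name], total) == p for name, p in table_pct.items())


def percent_floor(n, total):
    """Truncate to a whole percent (what the report's table does)."""
    return floor(100 * n / total)


def percent_round(n, total):
    """Round to the nearest whole percent (what a reader would expect)."""
    return round(100 * n / total)


if __name__ == "__main__":
    print("chart shares over listed countries:", share_of_listed(TOP_COUNTRIES))
    lo, hi = implied_total_bounds(TOP_COUNTRIES, TABLE_PERCENT)
    print(f"grand total implied by the table: {lo:,.0f} < T <= {hi:,.0f}")
    mid = (lo + hi) // 2
    print("floor reproduces the table:", matches_table(TOP_COUNTRIES, TABLE_PERCENT, mid, percent_floor))
    print("round reproduces the table:", matches_table(TOP_COUNTRIES, TABLE_PERCENT, mid, percent_round))
```

The practical consequence: when a report truncates shares, "0%" means "under 1%", and a total that is never printed can still be recovered to within a few percent from the counts and their truncated shares. Rounding cannot reproduce the table for any total, so the truncation is not a guess.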

Threat Geo-location


Top Attacking Hosts

Host (address truncated in source)   Occurrences
112.8…                                     6,531
49.88.…                                    6,135
203.2…                                     5,791
112.8…                                     5,211
112.8…                                     5,061
210.7.…                                    4,759
203.1…                                     2,495
45.14…                                     1,661
51.15.…                                    1,156
51.15…                                     1,126
218.9…                                     1,007
185.1…                                       951
79.12…                                       863
52.18…                                       856

Top Network Attackers

ASN Country Name
4837 China CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
4134 China CHINANET-BACKBONE No.31,Jin-rong Street, CN
4638 Fiji IS-FJ-AS Telecom Fiji Limited, FJ
4618 Thailand INET-TH-AS Internet Thailand Company Limited, TH
50340 Russia SELECTEL-MSK, RU
12876 France Online SAS, FR
55720 Iran GIGABIT-MY Gigabit Hosting Sdn Bhd, MY
207812 Bulgaria DM_AUTO, BG

Remote Access Trojan C&C Servers Found

Name              Number Discovered   Share of C&C servers
Azorult                           2                   8.7%
Heodo (Emotet)                    5                  21.7%
TrickBot                         16                  69.6%

Common Malware

MD5                               File Name                Claimed Product      Detection Name
179c09b866c9063254083216b55693e6  SAService.exe            SAService
34560233e751b7e95f155b6f61e7419a  SAService.exe            SAService            PUA.Win.Dropper.Segurazo::tpd
8c80dd97c37525927c1e549cb59bcbf3  FlashHelperServices.exe  FlashHelperServices
a10a6d9dfc0328a391a3fdb1a9fb18db  FlashHelperServices.exe  FlashHelperService   PUA.Win.Adware.Flashserv::100.sbx.vioc
8193b63313019b614d5be721c538486b  SAntivirusService.exe    SAService
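A hash table like the one above is only useful once it is run against hosts. The script below is an added example, not code from the report, that sweeps a directory tree for the listed MD5 indicators, hashing files in chunks so large binaries never have to fit in memory. Because an attacker can change a hash by flipping one byte, it also flags files that carry one of the listed file names (SAService.exe, FlashHelperServices.exe, SAntivirusService.exe) but a different hash, which a pure hash match would miss. The indicator table is copied from the report; the sample directory, its files and the extra indicator entry planted for the demonstration are constructed here and are not real malware.

```python
"""Sweep a directory tree for the MD5 indicators in the Common Malware table (added example)."""
import hashlib
import os
import shutil
import tempfile

# Copied from the report's table: md5 -> (file name, detection name, "" where none is listed).
REPORT_IOCS = {
    "179c09b866c9063254083216b55693e6": ("SAService.exe", ""),
    "34560233e751b7e95f155b6f61e7419a": ("SAService.exe", "PUA.Win.Dropper.Segurazo::tpd"),
    "8c80dd97c37525927c1e549cb59bcbf3": ("FlashHelperServices.exe", ""),
    "a10a6d9dfc0328a391a3fdb1a9fb18db": ("FlashHelperServices.exe", "PUA.Win.Adware.Flashserv::100.sbx.vioc"),
    "8193b63313019b614d5be721c538486b": ("SAntivirusService.exe", ""),
}


def md5_of_file(path, chunk_size=1 << 20):
    """MD5 of a file computed in 1 MiB chunks, so the whole file is never read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, iocs):
    """Walk `root` and return (hash_hits, name_hits).

    hash_hits: [(path, md5, detection)] for files whose MD5 is in `iocs`.
    name_hits: [(path, md5)] for files named like an indicator but with a different MD5,
               i.e. candidates for a modified or updated sample that hash matching misses.
    """
    known_names = {name.lower() for name, _ in iocs.values()}
    hash_hits, name_hits = [], []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the sweep
            if digest in iocs:
                hash_hits.append((path, digest, iocs[digest][1]))
            elif fn.lower() in known_names:
                name_hits.append((path, digest))
    return hash_hits, name_hits


def demo():
    """Constructed tree: a planted file whose hash is added to a copy of the indicator table,
    a benign file reusing an indicator's file name, and an unrelated file."""
    root = tempfile.mkdtemp()
    try:
        planted = os.path.join(root, "sub", "dropper.bin")
        os.makedirs(os.path.dirname(planted))
        with open(planted, "wb") as f:
            f.write(b"constructed sample, not real malware\n" * 50000)  # larger than one chunk
        with open(os.path.join(root, "FlashHelperServices.exe"), "wb") as f:
            f.write(b"lookalike name, different content\n")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"benign\n")
        iocs = dict(REPORT_IOCS)
        iocs[md5_of_file(planted)] = ("dropper.bin", "Constructed.Test.Sample")  # constructed entry
        return sweep(root, iocs)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    hash_hits, name_hits = demo()
    for path, digest, detection in hash_hits:
        print(f"HASH MATCH  {digest}  {detection or '(no detection name listed)'}  {path}")
    for path, digest in name_hits:
        print(f"NAME MATCH  {digest}  {path}")
```

The name check is deliberately a second tier: it produces candidates for triage, not verdicts, since SAService.exe is also the file name of a legitimately installed product. In a real sweep the indicator dictionary would be loaded from the report's table and the root would be the system drive.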

Top Phishing Campaigns

Phishing Target Count
Other 530
Facebook 20
RuneScape 8
Google 7 2
Yahoo 2
Twitter 1
Steam 1
Microsoft 1
Mastercard 1

CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

Each entry gives the title, vendor, description, CVSS v3.1 base score with vector, date created and date updated.

SAP NetWeaver Application Server JAVA Multiple Vulnerabilities
Vendor: SAP
SAP NetWeaver AS JAVA (LM Configuration Wizard) does not perform an authentication check, which allows an attacker without prior authentication to execute configuration tasks and perform critical actions against the SAP Java system, including creating an administrative user, compromising the confidentiality, integrity and availability of the system (a Missing Authentication Check). An unauthenticated attacker can exploit this over HTTP to take control of trusted SAP applications.
CVSS v3.1 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 07/14/2020   Date Updated: 07/16/2020

Microsoft Windows DNS Server Remote Code Execution Vulnerability
Vendor: Microsoft
A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploits it could run arbitrary code in the context of the Local System account. Only Windows servers configured as DNS servers are exposed to this vulnerability.
CVSS v3.1 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 07/14/2020   Date Updated: 07/20/2020

Oracle Java SE Critical Vulnerability
Vendor: Oracle
A difficult-to-exploit vulnerability in Oracle Java SE allows an unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker, and while the vulnerability is in Java SE, attacks may significantly impact additional products. A successful attack can result in takeover of Java SE.
CVSS v3.1 Base Score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
Date Created: 07/15/2020   Date Updated: 07/20/2020

F5 BIG-IP Remote Code Execution Vulnerability
Vendor: F5
F5 BIG-IP is exposed to a remote code execution vulnerability that has been actively exploited in the wild. It allows attackers with network access to vulnerable systems to read files, execute code, or take complete control of them.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 07/01/2020   Date Updated: 07/21/2020

Citrix Application Delivery Controller and Gateway Directory Traversal Vulnerability
Vendor: Citrix
A vulnerability in Citrix Application Delivery Controller (ADC), formerly NetScaler ADC, and Citrix Gateway, formerly NetScaler Gateway, could allow an unauthenticated attacker to achieve arbitrary code execution. Exploitation uses a directory traversal to deliver and execute an arbitrary command payload.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 12/27/2019   Date Updated: 01/08/2020

Palo Alto Networks PAN-OS Authentication Bypass in SAML Authentication Vulnerability
Vendor: Palo Alto Networks
When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability; deployments with the certificate validation option enabled are not affected by this bypass.
CVSS v3.1 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 06/29/2020   Date Updated: 07/06/2020

Microsoft LNK Remote Code Execution Vulnerability
Vendor: Microsoft
A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution when a .LNK file is processed. An attacker could present the user with a removable drive, or a remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens that drive or remote share in Windows Explorer, or in any other application that parses the .LNK file, the malicious binary executes code of the attacker's choice on the target system.
CVSS v3.1 Base Score: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Date Created: 07/14/2020   Date Updated: 07/15/2020

Date Published: July 22, 2020