Threat Intel Banner


  • The top attacker country was China with 115353 unique attackers (62.15%).
  • The top Trojan C&C server detected was CobaltStrike with 42 instances detected.
  • The top phishing campaign detected was against Facebook with 11 instances detected.

   Top Attackers By Country

Country Occurrences Percentage
China 115353 62.15%
United States 42824 23.07%
Brazil 5894 3.18%
Russia 4206 2.27%
South Korea 2554 1.38%
Vietnam 2264 1.22%
Liberia 2055 1.11%
Germany 1945 1.05%
Hong Kong 1782 0.96%
India 1607 0.87%
Malaysia 1296 0.70%
Argentina 956 0.52%
Colombia 774 0.42%
Croatia 643 0.35%
Seychelles 401 0.22%
Ecuador 356 0.19%
Ghana 346 0.19%
Paraguay 344 0.19%

   Threat Geo-location


   Top Attacking Hosts

Host Occurrences 34721 30790 9248 5051 3055 2861 2826 2055 1977 1960 1475 1126 720 668

   Remote Access Trojan C&C Servers Found

Name Number Discovered
Amadey 1
Azorult 1
Cobalt 1
CobaltStrike 42
KeitaroTDS 1
LokiBot 26
Oski 1
Redline 7
SmokeLoader 1

   Common Malware

MD5 FileName Claimed Product Detection Name
9a4b7b0849a274f6f7ac13c7577daad8 ww31.exe N/A W32.GenericKD:Attribute.24ch.1201
6be10a13c17391218704dc24b34cf736 smbscanlocal0906.exe N/A Win.Dropper.Ranumbot::in03.talos
84452e3633c40030e72c9375c8a3cacb sqhost.exe N/A W32.Auto:f0a5b257f1.in03.Talos
34560233e751b7e95f155b6f61e7419a SAntivirusService.exe A n t i v i r u s S e r v i c e PUA.Win.Dropper.Segurazo::tpd
39e14b83d48ab362c9a5e03f885f5669 SqlServerWorks.Runner.exe SqlServerWorks.Runner W32.302F58DA59-95.SBX.TG
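The hashes above are only useful if they are actually matched against files on hosts. The following Python script is an added example, not code from this banner or from the vendors it cites: it walks a directory tree, hashes every regular file once in chunks, and reports files whose MD5 is in the indicator set transcribed from the table. It matches on hash only; the filenames (ww31.exe, sqhost.exe, ...) are kept as context because a dropper is renamed for free, while its hash is not. The directory tree built by demo() and its "sample" bytes are constructed for the example and are not malware.

```python
"""Hash-based hunt for the Common Malware indicators (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 -> (filename seen in the wild, detection name), transcribed from the table above.
BANNER_MD5 = {
    "9a4b7b0849a274f6f7ac13c7577daad8": ("ww31.exe", "W32.GenericKD:Attribute.24ch.1201"),
    "6be10a13c17391218704dc24b34cf736": ("smbscanlocal0906.exe", "Win.Dropper.Ranumbot::in03.talos"),
    "84452e3633c40030e72c9375c8a3cacb": ("sqhost.exe", "W32.Auto:f0a5b257f1.in03.Talos"),
    "34560233e751b7e95f155b6f61e7419a": ("SAntivirusService.exe", "PUA.Win.Dropper.Segurazo::tpd"),
    "39e14b83d48ab362c9a5e03f885f5669": ("SqlServerWorks.Runner.exe", "W32.302F58DA59-95.SBX.TG"),
}


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests, reading the file once in 1 MiB chunks
    so large binaries do not have to fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def hunt(root, indicators=BANNER_MD5):
    """Walk `root` and return one record per file whose MD5 is in `indicators`.
    The SHA-256 is recorded alongside so a hit can be pivoted on elsewhere."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # skip symlinks, sockets and device nodes
            try:
                md5, sha256 = hash_file(path)
            except OSError:
                continue  # unreadable file; keep walking
            if md5 in indicators:
                seen_as, detection = indicators[md5]
                hits.append({"path": str(path), "md5": md5, "sha256": sha256,
                             "seen_as": seen_as, "detection": detection})
    return hits


def demo():
    """Build a constructed directory (NOT real malware) and hunt it.
    The stand-in sample is stored under an innocuous name, as a real dropper
    would be, and its hash is added to a copy of the banner's indicator set."""
    root = tempfile.mkdtemp(prefix="ioc-hunt-")
    sample = b"constructed stand-in for a dropper body"  # constructed test data
    Path(root, "svchost_update.tmp").write_bytes(sample)
    Path(root, "readme.txt").write_bytes(b"benign file")
    indicators = dict(BANNER_MD5)
    indicators[hashlib.md5(sample).hexdigest()] = ("ww31.exe", "constructed-test-indicator")
    return hunt(root, indicators)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['path']}: md5={hit['md5']} seen as {hit['seen_as']} ({hit['detection']})")
```

MD5 is fine for recognising a known sample but not for proving two files are the same, so treat a hit as a lead to confirm with the SHA-256 and the detection name, not as a verdict on its own.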

   Top Phishing Campaigns

Phishing Target Count
Other 312
Facebook 11
Steam 3
RuneScape 2
PayPal 1
Vodafone 1

    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

CVE / Title / Vendor Description / CVSS v3.1 Base Score (vector) / Date Created / Date Updated


Remote Code Execution Vulnerability in Microsoft SMB


A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.
CVSS v3.1 base score 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H); created 03/12/2020; updated 07/21/2021


Untrusted YAML Deserialization Vulnerability in Apache Commons Configuration


Apache Commons Configuration uses a third-party library to parse YAML files which, by default, allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5 and 2.6 did not change the default settings of this library, so if a YAML file was loaded from an untrusted source it could load and execute code outside the control of the host application.
CVSS v3.1 base score 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H); created 03/13/2020; updated 07/21/2021


Missing Authorization Check Vulnerability in SAP Solution Manager


SAP Solution Manager (JAVA stack), version 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the SVG Converter Service, impacting the integrity and availability of the service.
CVSS v3.1 base score 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H); created 11/10/2020; updated 07/21/2021


Remote Code Execution Vulnerability in SolarWinds Serv-U


Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product, a remote memory-escape vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected.
CVSS v3.1 base score 9.9 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H); created 07/14/2021; updated 07/26/2021. Note that the vector as printed evaluates to 9.0 under the CVSS v3.1 base equations (AC:H lowers the exploitability sub-score), so either the score or the vector in this row was transcribed incorrectly.


Code Execution Vulnerability in Shader Functionality of the AMD Radeon DirectX Driver


An exploitable code execution vulnerability exists in the shader functionality of the AMD Radeon DirectX 11 driver, atidxx64.dll 26.20.15019.19000. An attacker can provide a specially crafted shader file to trigger this vulnerability, resulting in code execution. It can be triggered from a Hyper-V guest using the RemoteFX feature, leading to execution of the vulnerable code on the Hyper-V host (inside the rdvgm.exe process). In theory it could also be triggered from a web browser (via WebGL and WebAssembly).
CVSS v3.1 base score 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H); created 07/20/2020; updated 07/21/2021
Date Published
August 09, 2021