Threat Intel Banner


  • The top attacker country was Russia with 1370127 unique attackers (72.50%).
  • The top Trojan C&C server detected was Redline with 2 instances detected.

   Top Attackers By Country

Country Occurences Percentage
Russia 1370127 72.50%
Australia 225237 11.90%
United States 87130 4.60%
China 62442 3.30%
India 55555 2.90%
United Kingdom 21461 1.00%
Canada 15941 0%
Singapore 13616 0%
Germany 8024 0%
Indonesia 6938 0%
Belize 5239 0%
Vietnam 3383 0%
Isle of Man 2768 0%
Turkey 2046 0%
Thailand 2042 0%
Philippines 2040 0%
Netherlands 1838 0%
Serbia 1513 0%
Croatia 1214 0%
Top Attackers by CountryRussiaAustraliaUnited StatesChinaIndiaOther11.9%72.5%
Country Percentage of Attacks
Russia 1,370,127
Australia 225,237
United States 87,130
China 62,442
India 55,555
United Kingdom 21,461
Canada 15,941
Singapore 13,616
Germany 8,024
Indonesia 6,938
Belize 5,239
Vietnam 3,383
Isle of Man 2,768
Turkey 2,046
Thailand 2,042
Philippines 2,040
Netherlands 1,838
Serbia 1,513
Croatia 1,214

   Threat Geo-location


   Top Attacking Hosts

Host Occurrences 1179476 45412 37331 22904 11829 11424

   Top Network Attackers

ASN Country Name
44446 Netherlands SIBIRINVEST, NL
49671 Russia SAYDA-AS, RU
49505 Russia SELECTEL, RU

   Remote Access Trojan C&C Servers Found

Name Number Discovered Location
DarkVNC 1
Redline 2 ,
Sh1zo1der 1
Vidar 1
Trojan C&C Servers DetectedDarkVNCRedlineSh1zo1derVidar20%20%20%40%
Name Number Discovered
DarkVNC 1
Redline 2
Sh1zo1der 1
Vidar 1

   Common Malware

MD5 VirusTotal FileName Claimed Product Detection Name
c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e ww31.exe N/A W32.GenericKD:Attribute.24ch.1201
9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb smbscanlocal0906.exe N/A Win.Dropper.Ranumbot::in03.talos
e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd SAService.exe SAService
d0c3e85195fb2782cff3de09de5003f37d9bdd351e7094a22dbf205966cc8c43 iRiNpQaAxCcNxPdKyG Segurazo Antivirus PUA.Win.File.Segurazo::222360.in02
85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5 Eternalblue-2.2.0.exe N/A

    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

CVE, Title, Vendor Description CVSS v3.1 Base Score
ID: CVE-2020-26829 Title: Weak Authentication Vulnerability in SAP NetWeaver Vendor: SAP SAP NetWeaver AS JAVA (P2P Cluster Communication), versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows arbitrary connections from processes because of missing authentication check, that are outside the cluster and even outside the network segment dedicated for the internal cluster communication. As result, an unauthenticated attacker can invoke certain functions that would otherwise be restricted to system administrators only, including access to system administration functions or shutting down the system completely. CVSS v3.1 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2017-5645 Title: Deserialization Vulnerability in Apache Log4j Vendor: Apache, NetApp and Multiple Other Vendors In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. CVSS v3.0 10 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-5413 Title: Deserialization Vulnerability in Spring Framework Vendor: VMWare Description: Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown "deserialization gadgets" when configuring Kryo in code. CVSS v3.1 8.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-33564 Title: Code Injection Vulnerability in Dragonfly Gem Vendor: DragonFly Project Description: An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility. CVSS v3.1 9.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-33790 Title: Remote Code Execution Vulnerability in RebornCore Library Vendor: Tech Reborn Description: The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of An attacker can instantiate any class on the classpath with any data. A class usable for exploitation might or might not be present, depending on what Minecraft modifications are installed. CVSS v3.1 9.8 (AV AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-23017 Title: Buffer Overflow Vulnerability in Ngnix Resolver Vendor: Nginx Description: A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact. CVSS v3.1 9.8 (AV: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Published
July 08, 2021