• The top attacker country was United States with 171766 unique attackers (24.73%).

  • The top Trojan C&C server detected was Lokibot with 17 instances detected.

  • The top phishing campaign detected was against Facebook accounts with 32 instances detected.

    Cybercriminal gangs are now using outsourced call centre operations to apply additional pressure on their victims to pay their ransom demands. Our Crystal Eye Security Operations Centre has noted a trend over the last few months in which victims who try to restore their compromised data from backups are targeted.


   Top Attackers By Country

Country                Occurrences  Percentage
United States          171766       24.73%
Russia                 161605       23.27%
China                  159111       22.91%
India                  113316       16.32%
Germany                36066        5.19%
Netherlands            21868        3.14%
Hong Kong              9708         1.39%
Canada                 6517         0.93%
Belize                 6054         0.87%
France                 1989         0.28%
Italy                  1716         0.24%
Jordan                 1146         0.16%
Georgia                975          0.14%
Bulgaria               864          0.12%
Palestinian Territory  837          0.12%
Croatia                780          0.11%


   Threat Geo-location


   Top Attacking Hosts

Host  Occurrences
      86478
      62777
      34100
      26358
      26339
      26299
      17854
      16259
      10815
      7666
      6912
      6054
      5919



   Top Network Attackers

ASN     Country              Name
49505   Russia               SELECTEL, RU
32329   United States        MONKEYBRAINS, US
4134    China                CHINANET-BACKBONE No.31,Jin-rong Street, CN
204655  Ukraine              NOVOGARA-AS, NL
213371  Netherlands          SQUITTER-NETWORKS, NL
133398  Hong Kong SAR China  TELE-AS Tele Asia Limited, HK

   Remote Access Trojan C&C Servers Found

Name          Number Discovered  Location
Anubis        1
Azorult       4
BlackNet      1
Kpot          1
Loader        1
Lokibot       17
Predator      3
Stealer       1
SupremeMiner  1
TrickBot      2
Uadmin        1
Zloader       1


   Common Malware

MD5                               FileName                Claimed Product     Detection Name
2915b3f8b703eb744fc54c81f4a9c67f  id001.exe               N/A                 Win.Worm.Coinminer::1201
7e0bc1c01f44c7a663d82e4aff71ee6c  fsvc.exe                N/A                 Auto.586D6B.232349.in02
920823d1c5cb5ce57a7c69c42b60959c  FlashHelperService.exe  FlashHelperService  W32.Variant.23mj.1201
920823d1c5cb5ce57a7c69c42b60959c  SAntivirusService.exe   AntivirusService    PUA.Win.Dropper.Segurazo::tpd
8c80dd97c37525927c1e549cb59bcbf3  Eternalblue-2.2.0.exe   N/A

   Top Phishing Campaigns

Phishing Target  Count
Other            1606
Virustotal       6
Facebook         32 15
Itau             3
Adobe            7
Vodafone         2
Google           2
WhatsApp         1
Steam            3
Rakuten          6
UniCredit        2
PayPal           8
Caixa            3
Microsoft        5
Halifax          3
WeTransfer       1

   CVEs with Recently Discovered Exploits

     This is a list of recent vulnerabilities for which exploits are available.

Columns: CVE, Title, Vendor Description, CVSS v3.1 Base Score, Date Created, Date Updated


Fortinet FortiOS Directory Traversal Vulnerability

Description: Fortinet FortiOS is exposed to a directory traversal vulnerability because it fails to properly sanitize user-supplied input. A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 06/04/2019 | Date Updated: 11/19/2020


Oracle WebLogic Server Remote Code Execution Vulnerability

Description: Oracle WebLogic Server (formerly known as BEA WebLogic Server) is an application server for building and deploying enterprise applications and services. A remote code execution vulnerability exists in the Oracle WebLogic Server product of Oracle Fusion Middleware.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 10/21/2020 | Date Updated: 11/19/2020


MobileIron Core and Connector Remote Code Execution Vulnerability

Description: A remote code execution vulnerability exists in MobileIron Core and Connector, and in Sentry, that allows remote attackers to execute arbitrary code via unspecified vectors. Manipulation with an unknown input leads to privilege escalation. The UK's National Cyber Security Centre warns that nation-state APT groups and cybercriminals are exploiting this MobileIron RCE vulnerability to compromise networks.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 07/06/2020 | Date Updated: 11/10/2020


F5 BIG-IP Remote Code Execution Vulnerability

Description: F5 BIG-IP is exposed to a remote code execution vulnerability. The vulnerability, which has been actively exploited in the wild, allows attackers with network access to read files, execute code or take complete control of vulnerable systems.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Created: 07/01/2020 | Date Updated: 08/07/2020


MacOS Catalina Memory Corruption Vulnerability

Description: A double free issue was addressed with improved memory management. A remote attacker may be able to cause unexpected system termination or corrupt kernel memory.
CVSS v3.1 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Date Created: 6/09/2020 | Date Updated: 10/16/2020


Adobe Experience Manager Server-Side Request Forgery Vulnerability

Description: Adobe Experience Manager is exposed to a server-side request forgery vulnerability. Successful exploitation could lead to sensitive information disclosure.
CVSS v3.1 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Date Created: 07/20/2018 | Date Updated: 09/17/2018


Microsoft Netlogon Elevation of Privilege Vulnerability

Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would need to use MS-NRPC to connect to a domain controller and obtain domain administrator access.
CVSS v3.1 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Date Created: 08/17/2020 | Date Updated: 11/23/2020
Date Published
December 10, 2020