Threat Intelligence Report – October 2025

31 days of threat data. 6 critical CVEs. 11,000+ botnet-driven attacks. This is what our sensors picked up across enterprise infrastructure worldwide.

122,051 threat events
2,162 unique attacker IPs
174 confirmed exploit attempts
43 countries
11,817 credential stuffing attacks

What we observed

  • Exploitation of Fortinet FortiGate, Ivanti Connect Secure, and Citrix NetScaler
  • Targeted CVEs: CVE-2024-55591, CVE-2025-22457, CVE-2025-5777 and more
  • High-confidence TTPs: .env access, IPv6 payloads, credential brute force
  • Botnet identified: DarkStorm / GoLogin
  • Threat infrastructure primarily from US-based ASNs with limited attribution
  • MITRE ATT&CK mapping confirms exploit tactics aligned with real-world attacker playbooks

Organisations relying on these platforms remain exposed to low-friction exploitation, often before patch cycles catch up. Our report captures activity as it happens, not months later.