Threat Intelligence Report March 2026

30 days of threat data. 15 critical CVEs. 75,000+ threat events from 76 countries. This is what our sensors picked up across enterprise infrastructure worldwide.

75,227 threat events
2,307 unique attacker IPs
415 confirmed exploit attempts
76 countries
33,816 credential stuffing attacks

What we observed

  • Exploitation of Fortinet FortiGate, Ivanti Connect Secure, Citrix NetScaler, and React/Next.js platforms
  • Targeted CVEs: CVE-2025-64446, CVE-2024-55591, CVE-2024-21762, CVE-2026-24858, CVE-2025-24472, CVE-2025-22457, CVE-2025-0282, CVE-2026-0778, CVE-2026-0779, CVE-2023-3519, CVE-2025-5777, CVE-2025-7775, CVE-2026-3055, CVE-2026-4368, CVE-2025-55182
  • High-confidence TTPs: Iranian Go Bot credential stuffing and login brute force, command injection, SAML exploitation, unauthorized user creation attempts
  • 3 botnets identified, including two Iranian state-sponsored campaigns (suspected APT35/Charming Kitten)
  • Significant geographic concentration: France accounts for 48% of all attack traffic, with Contabo GmbH as top threat source
  • 153 adversary IPs targeted multiple vulnerability classes (cross-platform threat activity)
  • 100 ransomware victims across 20 groups, with Qilin leading (15 victims)
  • TLS fingerprint intelligence: monitoring 97 known malware signatures, including Tofsee (45 variants)
  • React2Shell honeypot detected active worm propagation (apache.selfrep) with C2 infrastructure